Complacency Is Costly in the Security Biz
And that complacency is all a hacker needs to enter and exploit a company's systems, data and information. That's especially true when dealing with large organizations with less-secure branch offices or with small businesses that don't have huge security budgets in the first place, Conrad says.
Unfortunately, many companies don't understand the value of having hackers working for them, even as security breaches, data loss and state-sponsored cyber attacks dominate the headlines, says CBT Nuggets' Lee.
"The highly publicized Target and Neiman Marcus security breaches [and] the discovery of the Chinese hackers targeting the U.S. are the kinds of advanced, persistent threats companies face every day, and it can be expensive and time-consuming to proactively fight against them," Lee says. "But that's how these threats have to be handled," he says.
Education is the best weapon, Lee says. Certified ethical hackers can help businesses understand both the nature of the threats and the potential for disaster by discovering potential vulnerabilities and stopping attacks before they begin.
"The goal of most of the honest, white-hat folks is to become a penetration tester, to perform legal hacks on systems to determine vulnerabilities," says CBT Nuggets' Conrad. But many times ethical hackers' hands are tied, so to speak, by the legalities of contracts, privacy statutes and compliance concerns.
A License to Hack
"When an ethical hacker is contracted, oftentimes they must sign a legal contract based on an attorney's advice that defines the scope of the work they're doing, what data and systems they can and can't access, as well as the length of time they can devote to these hacks," Conrad says. In most cases, ethical hackers are given a few weeks in which to work, and that's just not enough time.
"It's such a challenge. Black-hat hackers sometimes take months and even years to create and deploy attacks; it's not like they are bound by traditional ethics codes," Conrad says. "The longer you can give a white-hat to work within your systems, the better, but many companies bury their heads in the proverbial sand and don't want to spend the money on doing so -- until it's too late," he says.
While some of the most obvious hacks and attacks can be found and exploited within a week, many of the more sophisticated attackers will ignore the "low-hanging fruit" and simply wait out businesses for weeks, months or years in order to gain the data or the access they desire, Conrad says.
While many businesses that employ white-hats will feel they're adequately protected because they've kept up with patches, antivirus, anti-spam and software updates and have hired an ethical hacker to address blatant vulnerabilities, they often find they've missed more complicated, less obvious vulnerabilities.