Unless you first know what it is you are looking for and why you are hiring an outside vendor to hack your systems in the first place, chances are you won't get much out of the experience, said Arian Evan, a senior security engineer at FishNet Security. Sure, you will find out your network needs to be patched or there are X number of security holes, but if that information is not relatable back to the business in some form, it's pretty much useless.
"If you just want numbers, any of us can run a scan and give you results," agreed Paul Klahn, FishNet's director of assessment services.
To get the most from a test, putting results into a business context is imperative, said Klahn. Which holes are truly a security threat? How deep into the network can a hacker get via one of these holes? Which should be patched first?
Security holes can even be a necessary part of your infrastructure, allowing you to do business with partners, for example, so closing them up for security reasons may cause more headaches than the vulnerability. Your contractor should be able to appreciate this nuance.
Invariably, threats will be found, said Albert Decker, executive director of EDS's Security and Privacy services, and a former ethical hacker with 25 years in the business and a 99% success rate at getting around corporate security.
"It became roughly the equivalent of 'Can you throw this brick through a window?' and the answer is, invariably, unless you miss the window, it will break the glass," Decker said, commenting on his days as a hacker.
Because not much has changed since Decker was actually scanning code, the firm you hire should be able to provide you with a threat assessment and articulate remedies that take into account business needs. And, even then, the hack should be part of a larger security audit that looks at known vulnerabilities while comparing your IT governance policies and procedures against industry best practices.
The reason for this, said Jim Goddard, an ethical hacker at IBM, is simple: If you just hire a hack and do nothing else, on the day it's complete, you are no more secure than the day before the hack began. This is because hacking provides just a snapshot of your overall security. Yes, it can provide confirmation your security is good or expose unknown threats, but it can't tell you what those threats will be tomorrow. One configuration change and much of the hacker's work can be negated, agreed Decker.
"The use of hackers is essentially a point-in-time test for a continuous problem," said Decker. "It's only giving you one very narrow slice of your environment which could change, literally, the second after the test is completed."
There are four basic kinds of hacks you can have done, said Goddard:
For any of these tests, a reputable firm with clearly defined methodologies should be hired, cautioned Goddard. If a company can't tell you exactly how it conducts its business, move on. And never hire former hackers to do the work on the cheap. They may not be as reformed as they say and could leave back doors behind or worse, he said.
Scope & Limits
Once a vendor is selected (never use the RFP process for this type of work, cautions Evans, interview prospective companies), it is very important to outline and define the scope of the project -- you don't want the hacker deciding where to start and stop an attack. Delegate a point person with decision-making authority the hackers can contact day or night if problems arises and authority to continue is required.
But, perhaps most importantly, know what you are looking to get from the experience. Too often, said Decker, companies conduct these tests and feel they are secure. This is not the case. Ethical hacking is just another tool, not a panacea. If viewed as such, it will fall into its proper place alongside other security tools. If not, it can leave you far more exposed through either false feelings of security or outright damage to your systems.
"There's many, many different things we can do on a network that fall in or around 'ethical' hacking," said FishNet's Evans, " ... but, without that business case, its very hard to help the client make decisions about what technology services and perspectives they need."