The Sundaytimes Sri Lanka

The role of ethical hacking in changing the threat landscape

Focus On Security
Security breaches can be costly and yet are difficult to quantify or to predict. IT security is often a hard cost to justify, particularly for those outside the IT industry, who perhaps aren’t aware of the risks and the consequences of poor security practices and how easy it is for an attacker to breach poorly defended networks. Many organisations focus their investments in revenue-generating technologies including emerging technologies such as virtualisation, cloud computing, and mobile devices to enable businesses with operational advantages, agility and efficiency, assuming that they will not be targeted and operating under outdated security practices. Further, some IT Departments also operate under pressure to deliver valuable solutions while managing shrinking budgets. All these factors lead to new security challenges.

Sujit Christy

Targeted and sophisticated attacks are an imminent threat and organisations have to face the challenge to fine-tune their security processes, policies, and architecture accordingly and continuously. Despite the prevalence of firewalls, IPS, anti-virus and other security technologies, many organisations continue to succumb to attacks. The attacks are dynamic in nature and the attackers are highly organised, skilled, and motivated. Further, the changing hacking tactics, myriad security vulnerabilities, evolving business practices, new business technologies and emerging security technologies have also made security requirements very complex. As a result of the complexity, the IT staff overlook or forget about obsolete systems, configuration errors, ad-hoc changes and unpatched systems, leading to high-risk network entry points. The complexity also creates numerous organisation-specific security challenges that are best solved by professionals with extensive expertise. This has prompted organisations to recognise the importance of human experience and analysis in best-of-breed security architectures.

Information security programmes in organisations have become a critical competitive factor. These programmes should include third party assessments by information security companies that specialise in ethical hacking, using human experience and analysis to find the overlooked vulnerabilities. Such companies provide a variety of ethical hacking services with the objective of producing real-world assessments of security weaknesses, vulnerabilities, risk and remediation options. They offer tremendous value in their ability to share advanced security knowledge and expertise with organisations. These services enable organisations to fine-tune their security technologies, train and educate their staff, and implement security practices that better protect critical systems and sensitive data. Hence, ethical hacking is an essential security practice that should be performed on a regular basis as part of the information security programme, with penetration testing being a good way for businesses to understand where they are vulnerable, allowing remediation of critical and often easy-to-fix issues.

But ethical hacking expertise is expensive to cultivate, and organisations have to invest heavily to develop the skills of their internal auditors and security professionals. In addition to salary, there are numerous costs associated with ongoing training and skills development. This prevents most organisations from developing the internal expertise necessary to simulate real-world attack scenarios, and many cannot afford a higher level of security expertise at all.

However, security auditors and security professionals with CISSP and CISA certifications working with third party consulting companies do maintain an up-to-date repertoire of hacking techniques to ensure accurate assessments and useful recommendations. Organisations can then leverage these expert recommendations to fix security vulnerabilities and implement security tools more effectively. Further, third party security auditors and security professionals who perform ethical hacking regularly attend classes, seminars, conferences and workshops to develop and maintain their skills as part of their Continuing Professional Education (CPE) programmes. Organisations that do have internal security experts should also consider the insight provided by external security auditors as a supplement to their existing security expertise. Hence, a growing number of organisations turn to security consulting companies to prevent security breaches and reputation damage by performing regular ethical hacking assessments.

(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He can be emailed at sujit@layers-7.com)
