By Opinno, editor of MIT Technology Review en español. Yvonne Rodríguez.
Ethical hacking is becoming an unavoidable necessity for companies. This practice analyses the technological infrastructure of organisations, simulating ‘pirate’ attacks so as to assess the level of cyber security that they have in place.
At the beginning of 2019 it came to light that more than 700 million email accounts and passwords had been published, compiled in a database called “Collection #1”. It was a mass hacking that highlighted the need to be alert to cyber security.
Added to this event is the fact that, during 2018, there were massive attacks on companies that affected both the companies themselves and thousands of users and customers. The case of the Marriott hotel chain is one of the most remarkable. Although alarm bells started ringing in November last year, the theft of information had been taking place since 2014. That is to say that for four years hackers had access to customers’ personal and financial information: data such as names and surnames, passports, addresses and credit cards were exposed.
These are just two examples from among the hundreds of thousands of incidents that happened during 2018. The interactive map from Threat Cloud allows you to check, in real time and on a country-by-country basis, the attacks that are occurring. On a single day, 23rd January 2019, there were 148,983,041 attacks. It is no wonder that companies have changed their priorities. According to AGCS’ Risk Barometer 2019, cyber attacks are among the primary concerns of corporations, together with the fear of losing profits. More and more companies are aware of the day-to-day importance of cyber security, and know that cyber attacks can endanger not only an organisation’s data, but also that of their customers and employees.
For this reason, ethical hacking is emerging as one of the most important trends in the industry. Not only that, companies are also beginning to realise the importance of training staff to reinforce cyber security. Systems are only as strong as the people that protect them. Cyber criminals are becoming increasingly creative, and firewalls and conventional antivirus software stopped being fully effective some time ago. The demand for security measures that really prevent malicious practices has led some hackers, the so-called white hats, to work for companies, checking whether their systems can resist offensives and improving them to make them practically impregnable.
Ethical hacking is, essentially, a computer security audit where the company hires a provider to draw up a report on possible vulnerabilities. That report will detail possible holes in a company’s information systems. The process entails several stages to ensure complete protection of infrastructure.
When an organisation decides to use the services of an ethical hacking firm, the first thing it should do is sign a contract defining the scope, permissions, and opportunities of the collaboration. This document also sets out in writing that the company is giving the hackers permission to perform these test attacks. It is a key element in ensuring that the tests are performed without malicious intent.
Among the points discussed in this collaboration agreement will be the systems or “zones” that the hacker should investigate and try to access. These areas can be software systems, servers, applications, equipment, and even the applications that customers of the audited organisation have installed on their devices.
Investigation and drawing up a plan of attack
Once the collaboration contract has been signed, the company conducting the audit will thoroughly examine all the options they have to attack the company. Both the hardware and software will be inspected, using all kinds of tools that identify potential pathways by which hackers could gain access.
Another means of investigation is talking to staff. By doing this, the auditors find out about the sensitive information that is handled on a daily basis, from confidential data to bank figures and applications. In addition, the personal and professional profile of employees is studied: their position in the business and even their hobbies are scrutinised. This approach catalogues every access path that poses a danger to the organisation’s systems and every tool through which those systems could be reached.
Once all of this data has been brought together, a plan of attack to test the security of the company is drawn up. This plan is set out in a document that the audited company will review with the hacker and that explains the steps to follow in order to perform the test attacks. This text is informative in nature and aims to prepare those involved – both management and employees – to avoid any confusion.
‘Pentesting’ and the elimination of risks
The cyber security experts attack various parts of the organisation’s systems with the aim of detecting faults, vulnerabilities and gaps. During this process, called pentesting or penetration testing, security errors in both software and hardware are checked, looking for a way to gain access and take control of the computers or applications.
The origin of these gaps can be down to factors ranging from coding errors in programming to predictable passwords chosen by the users themselves. Hackers take advantage of these vulnerabilities through exploits, which are tools programmed to gain access to these systems and which will have been prepared thanks to the study carried out in the previous stage.
At the end of this process, the auditing company collects all of the successful trials from the pentesting and delivers a report outlining all the vulnerabilities detected and a plan for eliminating them. The next stage involves debugging the organisation’s security systems, and all of the vulnerabilities found are eliminated. Once complete, there is a follow-up to check that the vulnerabilities have been eradicated and that the company’s computer systems are secure.
The 2019 forecasts concerning cyber security are not as alarming as those of 2018, but there is special emphasis on hacking with economic and financial motives. The intention is not to sow panic, but to raise awareness of the importance of protecting information. This is not only about the company itself, but about the security of its customers and employees.