Hackers are determined, resourceful and devious – so if you can’t beat ’em, join ’em. It may sound counter-intuitive but if you’ve got a system that needs to be put to the ultimate security test, you might want to hire some ‘white hat’ hackers (also known as penetration testers, or pen testers). They’ll launch their best and strongest attacks on your system, probing for weaknesses and exploring every vulnerability they can find.
Pen tests are always instructive but for best results, keep the following in mind:
1. Let hackers be hackers
It’s not a fair fight if your opponent’s hands are tied behind their back – and it’s not a fair pen test if your hackers are restricted in their methods. Too many pen tests are hampered because the client places significant limits on what the pen testers can do. Phishing, social media and other ‘human intel’ attacks are often restricted as the company doesn’t want to inconvenience, distress or embarrass employees.
It’s a noble sentiment but it means your pen test won’t be able to deliver a true measure of your security posture. We all know the even the strongest security technology can be foiled by a careless user – your security training, culture and awareness are just as important as your hardware and software.
2. Know what you’re testing
So many attack vectors, so little time … it’s always helpful to be clear on what specific aspects of your security you want to test. Are you checking regulatory compliance? Testing your existing security systems with an eye on the upgrade cycle? Does your InfoSec team need data to inform and revise your security policy? Or do you just want a view of your security posture and its effectiveness?
Being clear about what you want to achieve from the test, and communicating that information clearly to the pen testing team, will help make sure the pen testers are working with you to be most effective.
3. Be legally smart
Some businesses – especially those with savvy in-house legal teams – resist pen testing because they’re concerned the results could become part of the discovery process in a lawsuit. It’s a legitimate concern but there’s a simple way to address it – let your law firm hire the hackers.
If outside counsel hires them and delivers the report to you, then it is privileged communication and is immune from legal discovery. You’ll still get your test results and be able to action any recommendations; you’ll be legally covered; and everyone will benefit from the improved security.
‘Hiring’ a team of hackers can be the best thing you do to strengthen your network security. Do your homework on the firm you hire and follow the tips above, and you’ll end up with a sound picture of where your security is doing its job—and where you should start immediately patching the holes.