Today's blue chip organisations rely heavily on their computer networks to support day-to-day operations, not to say their very existence. There are indeed many different technologies which in-house security and IT specialists might implement to protect those systems, one of them involving the ethical – or 'white hat' – hacker.
In practice, an ethical hacker will use his or her hacking skills to try to break into a company's network, and thereafter uncover holes in its IT security. The test can be run from the World Wide Web, to ascertain what information is available there, or from inside the firewall, to find out what needs to be done to protect against internal attacks.
Rather than using this information for their own ends, ethical hackers will then report on their findings and provide advice on how to make the network more secure. This service is often referred to as penetration testing.
Are all testers hackers?
In some respects, you could say that penetration testing is simply a glorified term for hacking, and that all penetration testers are potential hackers. You are employing people to bombard your system with attacks to try to find weak points and holes. You have absolutely no guarantee as to how they will use this information, and whether they will use it for their own gain or yours. The only option that you have is the choice of who to use. Ultimately, the security or IT specialist must place his or her trust in a credible company with a solid reputation.
It’s vitally important to know who is working on your network at any given time, particularly in view of the Department of Trade and Industry’s recent announcement that it will not be regulating IT security consultants.
To a certain extent ALL programmers are potential hackers – it's just about having a particular skill and deciding how to use it. With this in mind, managers should look at the nature of the people employed (both in terms of permanent staff and contracted penetration testers). References are essential – whether an individual calls him or herself a 'white hat' or a programmer is beside the point.
All companies have worries about ex-employees – and, indeed, employees using their inside knowledge for negative purposes – but it does become a huge concern when that person possesses the knowledge and ability to cause considerable damage.
Computer and systems hacking has been glorified by American films and urban myth. The hacker is portrayed as practising a black art with a grudge. Don't be fooled.
Source: SMT
Postscript
Iain Franklin is European vice-president at Entercept Security Technologies