Evolution of ethical hacking

Posted by Audit Advisory on 12/02/2013 at 2:24 PM in Cyber, Enterprise Risk Services, Risk, Security Permalink Comments (0) TrackBack (0)

89361829Today the average ethical hacker (or penetration tester) skillset is a lot more complex than “breaking into networks”.  This was an evolution and a response to the changing landscape of security. When I started, not once did I think I would find myself pretending to be someone I’m not, using pin-hole cameras, Neuro-linguistic Programing (NLP) and lock-picking as  part of my skillset. – I honestly thought I was a computer guy!

The rapid pace of change in the way organisations do business has developed new models, new services and new products that sometimes we wouldn’t have thought a decade ago.  As a side effect, this evolution however has also changed the playing field for criminal organisations  and has generated not only an amazing new way of doing business, communicating and going about our daily lives but also has provided  new opportunities for theft and fraud.

In the present day, Information has moved away from IT as much as Hacking has moved away from the classic portrayal of Mathew Broderick as the teenage hacker in the movie “War Games” or Angelina Jolie in “Hackers”. Today hacking is a multi-billion criminal industry, where you can buy bot-nets in bundles of hundreds and thousands, and subversive click-to-hack exploit kits that require no technical knowledge. 

There is an established pattern of organised crime focusing towards the human element in order to reach to the Holy Grail of Information, via sometimes evading traditional IT defences altogether, such as using social engineering techniques like Phishing.

However as cybercrime is becoming more involved and sophisticated so is cyber security.  It has become apparent that static, defensive measures, whilst important, no longer provide sufficient protection to address these dynamic, targeted threats to an organisation’s physical assets or digital information; we need to start engaging in what we could call a “cyber security transformation”.  By taking advantage of emerging and maturing techniques and technologies along with specialised skillsets we can improve our security posture as businesses by allowing for more proactive threat management and incident response.

It may sound complicated but we simply need to start thinking along with the three pillars of cyber security transformation:

• Awareness - Real time threat intelligence, identifying existing vulnerabilities and continuous  monitoring and service improvement.

• Preparedness – Being able to anticipate, assess, plan and prepare for a cyber-attack.

• Response –Attacks will happen. How do we respond, contain and manage the impact?

Ari DaviesAri Davies
Ari is a Senior Manager within Enterprise Risk Services with over 12 years of information security and ethical hacking experience.  Ari is an experienced penetration testing consultant and engagement manager with notable experience in extensive and complex multi-tiered security engagements as well as an extensive background in security operations. LinkedIn


Comments

The comments to this entry are closed.