So far in this series, we’ve discussed what ethical hacking is and what to look for in someone you hire to test your code. Those are the initial considerations when starting the ethical hacking process, but now the hacker is done and has data for you to review. What happens next is all up to you. While ethical hacking is part of compliance, it’s not just a box to check off when testing is complete. You have to actually do something with the data yielded during the hacking process.
A vanity test is an expensive waste of money. You are essentially bringing someone in to break into your systems, hunt you down and kill your business. You want them to figure out all of the bad things hidden in your system that you don’t know are there. Then you sit on that data and do nothing with it, so you can check a box and say you did the test. It keeps you in compliance, so maybe you avoid a fine, but it’s really not doing you any good. And if something does happen, now you are actively negligent.
What you SHOULD do, once you have that penetration tester and they’ve gathered your data, is act on the intelligence you’ve been given. You no longer have unknown problems, you have known problems that need to be fixed. Otherwise, you’re just neglectful. The point of ethical hacking is to locate potential security problems, potential weak spots where an attacker could breach systems and gain access to sensitive information. So when you get data that tells you where those spots are, your first step should always be to address those areas and solidify the walls around sensitive data.
Ethical hacking should be done often. Even companies that are hyper-secure should have, at minimum, annual pen testing: someone should come in once a year and spend a few weeks really trying to go after you. It’s one of the safest procedures you can have, as long as you take the intelligence and data from ethical hacking and do something with it.
Aside from being a waste of money, not reacting to the data you’re given is also a major security problem. As alluded to above, if a breach were to occur at one of these weak spots, you are now negligent. Not only does a security breach cost you money in time, labor, legal fees, reparations and lost revenue due to loss of trust, but now you’re going to get fines too. Compliance bodies do not take kindly to ignoring known issues. Look at Capital One, fined $80 million for ignoring a known security problem which someone exploited, exposing millions of customers’ information. Do you have the assets to cover something like that? The vast majority of businesses do not have those resources.
If you look at the recent attacks on Twitter, Garmin, Reddit and YouTube, you will see just how bad things can get. And these are giant corporations with the resources to cover whatever madness is thrown at them. Small- to medium-sized businesses, and really most large businesses, do not have the capital or assets to cover the expense of being breached. Remember, that Capital One fine is only the fine from the compliance body; it doesn’t include any reparations, legal fees or loss of revenue due to customers closing accounts. The total grows dramatically once those are included.
Don’t be actively negligent. When you do an ethical hack, which you should do at least annually if not more often, respond to the data you are given. Make the necessary changes to ensure your product is secure and stable. This is the only way to ensure your business stays alive and sensitive information remains protected.