The 6 “Need-to-Knows”: why and how to make use of Ethical Hacking

GDI.Foundation

A safer Internet for everybody and everywhere


1. Why...

The internet is plagued by criminal organizations. They take advantage of “simple” security problems that can be misused. The digital skills of criminals also seem to develop rapidly. For example, in 2015 there were several digital attacks by criminals which were notable for their good organization, accurate implementation and technical sophistication [1]. In most cases criminals, and terrorists, want specific information to commit crime. Most often the main motivation is to gain financial benefit or to destabilize structures [2]. Ethical hacking is an additional instrument in the IT security environment and can be deployed to prevent digital misuse by criminals and to minimize the opportunity to take away money or information due to a lack of IT security.

[1] Cyber Security Assessment Netherlands (NCSC)
[2] Economic cyber espionage, cyberterrorism, cyberextremism (AIVD)

Dated 16 Feb. 2016


2. Ethical hacking is applicable for all types of organizations

Ethical hacking is applicable for all types of organizations to prevent fraud, digital terrorism, ransomware, malware infections, data breaches, etc. Not only multinationals are targeted for financial benefit, but also smaller companies and individuals. However, only a minority of organizations make use of ethical hackers and their knowledge to protect themselves against criminal cases in various domains, or to develop intelligence on how criminals can access the IT environment and data. The knowledge of ethical hackers is often skipped in strategic analyses, threat assessments and during the evaluation of the vulnerabilities and controls of their environment. This shows that the full potential of the ethical hacker is yet to be understood, developed and implemented.


3. Ethical Hacking is part of the IT Governance, Risk and Control & “Corporate Social Responsibility”

Ideally, ethical hackers are involved in all stages of IT governance to get more “in control” of IT risks and controls: from proactive identification of hacking threats (risk assessment) up to what adds the most value, evidence of the discovered “easy to get” vulnerabilities caused by a lack of IT security. However, in many cases the presence and know-how of ethical hackers is not brought into the IT governance, IT risk and control frameworks. Also, rewarding an ethical hacker for reporting a high-risk vulnerability is not yet part of the “Corporate Social Responsibility” of a company. Although the information saved (or could have saved) the company and the community a lot of money and/or misuse of sensitive information, the reward for the work done is negligible, or not even a thank-you is heard. This is a missed opportunity. By recognizing and involving the ethical hacker as a professional in all stages and as part of Corporate Social Responsibility, the knowledge of the ethical hacker will be optimized to the advantage of everybody.


4. Wide-Ranging awareness about ethical hacking is essential

Awareness about ethical hacking is needed at all levels in the organization: from basic IT security awareness at the top of the organization to highly specialist (forensic) security expertise. To make IT more secure, it is important that everybody in the organization is aware of the need to combine the knowledge of the different fields of expertise. To unravel the vulnerabilities behind complex cross-border IT structures and to implement effective controls, the knowledge of all the different experts is needed. This includes the ethical hacker.


5. Cross-border is key to success in preventing hacking opportunities

Criminals and terrorists are not limited by borders in their attacks to gain access, as long as there is Internet. In an ever-globalizing world, organized crime (and terrorism) nearly always crosses borders. In 2015 many digital attacks were placed in a geopolitical context, such as the malware attacks related to the conflict in the Ukraine. Besides that, the outsourcing of IT across the world and the many connections between devices and back office make it necessary to widen the view of risks and controls. The focus of an ethical hacker is also not limited by country borders, organizations or other limitations. Effective cross-border cooperation and exchange of information between the involved authorities, ethical hackers and organizations are essential to achieve success.


6. Global crime needs a global approach

Besides cross-border cooperation, a global multidisciplinary approach is important to prevent the misuse of data. The Internet opens up access to a world of information and resources, but also provides a global highway for organisations and criminals. The best results are delivered when all the different fields of expertise are combined and the professionals work together by sharing information and know-how. The challenge is how to work together and inform each other in a global world. Agreements between governments on how to act when a vulnerability is reported by an ethical hacker are an essential part of helping each other and sharing the information. Good agreements will give all parties more assurance about how to contribute to the common goal of increasing the security of information systems worldwide. Embracing the guideline “Responsible Disclosure” [3] by governments would be a good start for global and multidisciplinary cooperation. It provides safeguards for hackers, researchers and organizations to inform each other and is a guideline about the do’s and don’ts for all the actors. With this, it will be possible to make use of the knowledge of everybody across the world who finds a vulnerability and wants to inform those who are at risk.

[3] https://www.ncsc.nl/binaries/content/documents/ncsc-en/current-topics/news/responsibledisclosure-guideline/1/Responsible%2BDisclosure%2BENG.pdf


WILLING TO HELP..?

We are a non-profit organization that relies on contributions in the form of donations, sponsorship and participating members. With your support we are able to continue our ethical hacking work and make it possible to reward others who helped in detecting, informing and advising organizations.

For more information, or if you want to help in any other way, see: GDI.Foundation / Support Us

