Hack your network

It's a dangerous world out there - especially for IT organizations charged with protecting valuable data from would-be cyberthieves and vandals. During a less complicated time in IT's history, internal networks were simply walled-off from the outside world - serving communications needs among employees, but rarely beyond. But today's enterprises can no longer isolate their networks from the outside world; e-commerce, supply chains, mobile computing and many other requirements of business in the 21st century simply won't allow it to happen. The only path that security managers can realistically follow now is to harden their networks, applications, and operating systems as best they can, accept that there will always be some level of risk, and go on conducting business.

Back then, the term "hacker" first referred to knowledgeable and highly motivated geeks who were pushing computing forward. As personal computing spread, though, the term started to be applied to people who used their knowledge more mischievously. Within just a few years, "hacker" came represent a threatening entity determined to use his (or her - though not often) knowledge to do harm to your networks, systems, and data. The admirable hacker became the sinister hacker, and hacking became something to fear.

But not so fast. While it's still true that hackers who are bent on gaining access to internal networks are a menace, IT managers have also discovered that another type of hacker - the ethical hacker - is an indispensable force in their fight against this darker side of hacking.

Ethical hacks, sometimes called penetration tests, are simulations of real attacks on networks, systems, and applications. These simulations are designed to identify vulnerabilities in IT infrastructures in order to truly understand the effectiveness of current security controls. In fact, trying to measure a network's security without conducting an ethical hack is like trying to determine seaworthiness of a newly built boat without putting it in the water.

How important is an ethical hack in the IT manager's repertoire? In a recent survey of 202 IT professionals conducted by INS, only 8% of respondents said that there is no chance of their network being successfully hacked in the coming year. Though many tools on the market can help repel (or, worst case, recover from) these likely attacks, none is as powerful and effective as an ethical hack, which identifies points of vulnerability before the attacker finds them, enabling remediation before the fact, not during or after. Surprisingly, more than one-third of survey respondents either never conduct ethical hacks on their networks, or do so less than once a year. Why? The usual obstacle is lack of management support, although other factors, such as potential embarrassment from the findings, also enter the equation.