How to mitigate hacking on your core business
In the world we live in today, most organisations are aware of what hacking is and of the risks and effects associated with it.
However, this article is not aimed at informing you as to how people can try to attack you or your organisation in the digital space.
That is one obvious eventuality, and it is not a matter of “if” but of “when” you will be compromised. What I would like to focus on is whether or not your company is prepared for such an event and, if not, how you can mitigate the impact of a hack on your core business.
The ways in which cyber-security knowledge can help you prepare for an inevitable attack are multiple and diverse. They can include proper drafting of security-related policies, security configuration management, implementing a dynamic Incident Response Strategy, setting up a local Computer Emergency Response Team (CERT) and many more.
However, the one we will focus on in this article is penetration testing (pen testing) which is commonly referred to as ethical hacking.
In the simplest of terms, pen testing involves securing your systems by hiring people to try and find loopholes in said systems by hacking into them.
The pen testers then prepare a report and (most importantly) also give recommendations as to how best you can fix those loopholes.
In some countries, government and private organisations are actually required by law to undergo a pen test as frequently as they undergo an external audit (typically at least once a year) to ensure that they really are secure.
Digging a bit deeper, pen testing can be undertaken in any of three ways, namely Black-Box, Gray-Box and White-Box pen testing.
For example, let’s say we run company XYZ. With Black-Box pen testing, the pen testers are given no background knowledge of how our internal systems and networks are structured.
On the other hand, when it comes to White-Box pen testing, the pen testers are given all the information they need regarding our internal systems.
Gray-Box is the hybrid of Black-Box and White-Box in that we share some information about our internal systems’ structure and withhold the rest.
So, as a manager, before you decide to have a pen test done on your systems, it is imperative that you first decide what type of pen test you need.
Another important question you need to ask is the particular methodology or standard that the pen testers are going to follow as they do their assessment.
There is a general misconception that if you are an ethical hacker, you simply walk into an organisation and start hacking anything you want. That is not true. There are known and recognised methods and standards such as the Open Source Security Testing Methodology Manual (OSSTMM) and the EC-Council LPT Methodology.
These give a general framework for the activities to be carried out during the security assessment, and they also give clients peace of mind in knowing that international best practices are being followed as they open themselves up to an attack, albeit a controlled one, by skilled hackers.
Every day, a new article pops up in the news about how one company has had its website defaced or its database of clients leaked.
With this in mind, more and more companies are becoming security-aware and are including cyber-security mechanisms and tools within their budgets.
But more has to be done in preparation for the looming eventuality of a hack.
Considering the fact that Zimbabwe is still the number one most hackable country on the Internet and also the number one country with the most pirated software installations, there is no better time to have the cyber-security discussion than the present. With this in mind, the upcoming Zimpapers and ZIE cyber-security conference will spread awareness of this aspect of ethical hacking, among other topics that affect us as Zimbabweans at individual and societal levels, with the aim of helping us all be more cyber-aware.
This will not only ultimately benefit us as individuals, but Zimbabwe as a whole as well.