In today’s complex digital world, so often subject to fraud and security breaches, it can be fairly said that “It takes a hacker to catch a hacker.” In this case, a hacker wearing a white hat.
“White hat hackers” or “ethical hackers” are technology good guys who, according to www.techopedia.com, “Use their skills to improve security by exposing vulnerabilities before malicious hackers (known as black hat hackers) can detect and exploit them.”
Before we go any further about white hat hackers, though, why are there so many black hat hackers? According to a July 30, 2016, story on MSN.com, a San Francisco-based white hat hacker named Billy Rios said there were three reasons for malicious hacking:
- It’s easier than ever to hack into networks, especially those of smaller companies and institutions with limited security resources, compounded by the habit many people have of posting their personal information on social media sites.
- There are more ways than ever to make money off of pilfered data.
- Hackers often operate “off source,” far away from the reach of authorities, and so it is very difficult to catch them.
This backdrop makes arguments in favor of using a white hat hacker all the more compelling.
White hat hackers can be valuable as consultants to a credit union CIO or CTO in planning effective security strategies and methodologies, identifying and eliminating vulnerabilities, and lending knowledgeable input during vendor selection. They can function as advisors to credit union Boards of Directors, to help them understand the climate and issues of cyber security today.
Hackers can offer you a competitive advantage by providing a unique perspective on technology. The nature of their profession gives them a thorough understanding of computer networks. In addition, hackers have a working knowledge of the “darknet,” where much of the hacker mayhem is created and distributed. But it is also a place where ethical hackers can find information that helps them and their clients create state-of-the-art system security.
As reported by Bloomberg, the work of white hat hackers has “Led to some of the most significant advances in securing the online world. Their findings have reshaped the way e-mail accounts, credit card numbers, and even ATMs and medical devices are protected from cyber-criminals.”
Interview With the Hacker
An interesting story on this topic appeared last year in Credit Union Times (“Ethical Hacking and Credit Unions”). Reporter Candice Reed interviewed Elliott Frantz, Founder and CEO of Virtue Security, New York, N.Y. The story quoted the Federal Financial Institutions Examination Council (FFIEC) Examination Handbook: “High-risk systems should be subject to an independent diagnostic test at least once per year. Additionally, firewall policies and other policies addressing access control between the financial institution’s network and other networks should be audited and verified.”
In other words, put your security system under stress testing.
Frantz, who said he has worked with a number of East Coast credit unions, stated: “We do penetration testing of applications and network infrastructure. We assume the role of an attacker in many different situations, whether it is a remote attacker or an insider threat. While this testing is done in a controlled manner, our goal is always to gain…information that we shouldn’t.”
He added: “Credit unions have a slightly different risk profile than most financial organizations. Smaller credit unions often have to rely heavily on vendors to provide online services to customers. While this makes it easy to provide customers with online banking applications, it can be difficult to obtain security assurance when dealing with third parties….Some of the biggest threats to credit unions are only themselves. Many operate with very limited budgets for security.”
Finding an Ethical Hacker
Where do you find an ethical hacker?
As with any search for special knowledge and/or expertise, speak to your data security colleagues who have had prior experience with an ethical hacker. Seek out recommendations from those you know and trust.
And there is a way to do due diligence that confirms personal recommendations.
Believe it or not, there are professional organizations dedicated to credentialing this type of service. One such organization is the EC-Council (International Council of E-Commerce Consultants), a leading cyber security certification body. EC-Council’s training programs include Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (C|HFI), Certified Security Analyst (ECSA), and Licensed Penetration Testing (Practical).
Another example is (ISC)2, an international nonprofit membership association focused on a safe and secure cyber world. It is best known for its Certified Information Systems Security Professional (CISSP) certification, and includes a membership of more than 115,000 certified cyber, information, software and infrastructure security professionals.
Although this might sound overly simple, make sure your white hat candidate can translate hacker tech lingo into plain English that everyone from top management down will understand – the essential skill of any consultant. This, in combination with their technical skills, can make an (ethical) hacker a key resource in protecting yourself against the most determined cyberattacks.
About the Author
Terrence Griffin is Chief Information Officer of CO-OP Financial Services, a financial technology provider to credit unions based in Rancho Cucamonga, Calif. He can be reached at firstname.lastname@example.org or (866) 812-2872.