Answers
Ethical Hacking
When it comes to threat detection and vulnerability assessment, organisations use experts in computing and networking to test their systems. In essence, ethical hackers (white hats) try to penetrate a system on behalf of its owners in an attempt to exploit any existing vulnerability (Cobb, 2017).
1: Tools and techniques used
Several tools and techniques exist that organisations can use to test and analyse their systems' vulnerabilities. The most common tools capture and analyse traffic on communication channels, which in turn reveals threats and vulnerabilities. These tools can be either software packages or hardware components installed at convenient locations across the networking infrastructure. Software tools are used to assess a computer's resources, i.e. its hardware, system and network, to evaluate how well it deters threats such as malware infections. Examples of these tools include protocol analysers and vulnerability testing tools (Snyder, 2017).
In addition, some of these tools use smart deflection techniques to mitigate attacks on top of analysing them. For instance, honeypots create decoys or traps to draw out attacks through threat detection and deflection. When these tools are used, decoy computers or ICT systems hold data similar to the real system's but are isolated and monitored, serving as bait for stopping threats such as hackers (black hats).
Nevertheless, these tools only capture, and sometimes analyse, the collected data, so comprehensive methods are needed to assess the security policies in place. This creates the need for assessment techniques: techniques that establish a system's basic capabilities and functionality so that users can be alerted to changes or faults. A good example is the baseline reporting technique, which analyses a system's functionality and reveals its areas of vulnerability. Other techniques, such as code review, examine a system's source code to establish foreseeable threats and therefore require experts with thorough knowledge of the system's architecture.
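As an added illustration of the baseline reporting technique described above (this code is not from the essay or its cited sources), the following Python script records a baseline snapshot of a host's listening ports and file digests and reports every deviation found in a later snapshot; the host, file paths and snapshot contents are constructed sample data.

```python
# Added illustration of baseline reporting: a recorded snapshot of a host's
# expected state is compared with a later snapshot and every deviation is
# reported so operators are alerted to changes or faults.
import hashlib
from dataclasses import dataclass

@dataclass
class Snapshot:
    """Observed state of one host: listening TCP ports and file digests."""
    listening_ports: set[int]
    file_digests: dict[str, str]  # path -> SHA-256 hex digest of file contents

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def compare_to_baseline(baseline: Snapshot, current: Snapshot) -> list[str]:
    """Return one finding per deviation from the baseline (empty list = clean)."""
    findings = []
    for port in sorted(current.listening_ports - baseline.listening_ports):
        findings.append(f"NEW_PORT: {port} is listening but is not in the baseline")
    for port in sorted(baseline.listening_ports - current.listening_ports):
        findings.append(f"MISSING_PORT: {port} was expected but is not listening")
    for path, base_hash in sorted(baseline.file_digests.items()):
        cur_hash = current.file_digests.get(path)
        if cur_hash is None:
            findings.append(f"MISSING_FILE: {path}")
        elif cur_hash != base_hash:
            findings.append(f"MODIFIED_FILE: {path} differs from the baseline digest")
    for path in sorted(set(current.file_digests) - set(baseline.file_digests)):
        findings.append(f"NEW_FILE: {path} is not in the baseline")
    return findings

# Constructed sample snapshots for a hypothetical host; a real tool would
# collect these from the system (e.g. socket listings and file reads).
BASELINE = Snapshot(
    listening_ports={22, 443},
    file_digests={"/etc/ssh/sshd_config": digest(b"PasswordAuthentication no\n"),
                  "/etc/passwd": digest(b"root:x:0:0:root:/root:/bin/bash\n")},
)
CURRENT = Snapshot(
    listening_ports={22, 443, 8080},                 # unexpected new listener
    file_digests={"/etc/ssh/sshd_config": digest(b"PasswordAuthentication yes\n"),
                  "/etc/passwd": digest(b"root:x:0:0:root:/root:/bin/bash\n"),
                  "/tmp/unknown.bin": digest(b"\x7fELF")},  # unexpected new file
)

if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT):
        print(finding)
```

Running the script against the constructed snapshots reports the new listener, the modified sshd_config and the unknown file, while comparing the baseline with itself reports nothing.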
Furthermore, other prominent techniques assess and analyse threats against set criteria. For instance, an ethical hacking team could test an organisation's website for SQL injection vulnerabilities. In essence, the team assesses how the system responds to certain threats. This technique is known as penetration testing, as the systems are tested according to set standards. Finally, there are security audits, which evaluate an organisation's information system to attest to its performance and standards (3pillar global, 2017). In this assessment technique, the evaluation process has set goals, policies and standards that the system must meet to be classified as optimal.
2: Offering reward for vulnerabilities
In many ways, offering rewards to white hats to assess and determine vulnerabilities can lead to many good outcomes, mainly because of the reach (minimal limitations), mind-set and diversity of the participants. Through these rewards, organisations have in the past discovered a wide range of threats, including previously unknown threats that now have solutions thanks to the efforts of ethical hackers. Moreover, the incentives offered serve as a motivation and also gauge the severity and originality of the threats discovered, which again improves our overall understanding of a system's security threats. In addition, it is cheaper to use incentives to motivate external teams than to use internal resources for risk assessment (Zhao, Grossklags & Liu, 2015).
However, these incentives can also motivate black hats to develop extensive security threats in order to acquire the rewards offered on top of their original earnings. Furthermore, most organisations continuously spend on security measures to protect their resources, which can further motivate assessment teams to create and generate other security threats to increase their pay (Algarni & Malaiya, 2015). Therefore, so-called white hats could exploit their mandate to strengthen an organisation's security in order to increase their pay: by creating problems, they can then report more vulnerabilities to the hiring organisation.
3: Risks of vulnerability exploitation
First, the owners of the organisation expose the ICT system to attacks, as they provide the authentication needed to access their system. During attacks, access is usually the first step towards the malicious acts conducted by intruders. Moreover, the organisation risks subsequent attacks, as the credentials given to the exploitation teams may fall into the wrong hands. Unlike the owners of the organisation, the exploitation teams may not hold the business's resources in high regard, as they are third parties. This outcome puts the organisation's resources at risk, as they are vulnerable to further attacks.
In addition, the organisation may hire individuals who intentionally or unintentionally introduce new system flaws that later serve as further avenues of attack. These new flaws can even include physical damage to components, which again is a substantial risk. In essence, the owner is at the mercy of the hackers, which means they have minimal knowledge of the vulnerabilities those hackers pose, or even whether they exist. The owner has to trust the information presented to them regardless of the outcome. Moreover, they must also trust that the evaluation teams did not leave other vulnerabilities behind for their own exploits (Centos, 2017). In all, challenging individuals to exploit your system requires trust and high ethical standards. Moreover, it is not a measurable service with a fixed resource requirement, which further increases the risk, particularly in funding.
4: Ethical hackers
From the overall definition of a hacker, this is a person who uses clever ways to solve certain problems. Therefore, regardless of the outlook they have, hackers will always have a knack for exploitation, which in my view exposes one's systems to many security threats. Moreover, consider an organisation that sources an ethical hacking team to assess its system for vulnerabilities and threats. It is hard to pinpoint the accuracy of the information they provide; for one, they could report many threats in an attempt to earn extra pay. Furthermore, the intentions of the team as a whole may be good; however, individual outlooks may sway based on personal ambitions. Therefore, an ethical hacker could leave certain vulnerabilities for later exploits.
Therefore, in my opinion, a hacker will always be a hacker, seeking to achieve his/her goals in the most convenient way. In essence, they could not be called hackers because they seek to exploit the system to further their cause, regardless of whether they are considered white hats or black hats. Furthermore, to have acquired the so-called role of an ethical hacker they must have undertaken some malicious roles, which again, in my opinion, is hard to reform from despite the good intentions of the individual.
References
Algarni, A. & Malaiya, Y. (2015). Most successful vulnerability discoveries: motivation and methods. Computer Science Department, Colorado State University, Fort Collins. Retrieved 13 April 2017, from https://www.cs.colostate.edu/~malaiya/p/SAM9766
Centos. (2017). Attackers and vulnerabilities. Retrieved 13 April 2017, from https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-risk.html
Cobb, M. (2017). Ethical hacking. TechTarget. Retrieved 13 April 2017, from https://searchsecurity.techtarget.com/definition/ethical-hacker
Snyder, J. (2017). Testing and comparing vulnerability analysis tools. TechTarget. Retrieved 13 April 2017, from https://searchsecurity.techtarget.com/Testing-and-comparing-vulnerability-analysis-tools
Zhao, M., Grossklags, J. & Liu, P. (2015). An empirical study of web vulnerability discovery ecosystems. Retrieved 13 April 2017, from https://www.ftc.gov/system/files/documents/public_comments/2015/10/00079-98131.pdf
3pillar global. (2017). Approaches, tools and techniques for security testing. Retrieved 13 April 2017, from https://www.3pillarglobal.com/insights/approaches-tools-techniques-for-security-testing