Back in the ’90s and early 2000s, I had two acquaintances who called themselves “hackers.” Being a burgeoning geek girl myself, I kind of figured that they were affecting the moniker to be cool. Back then, the image of a hacker was different, more like the Robin Hoods of the Internet age. It was before we really knew how destructive those forces could be regarding the loss of identity information and the carnage inflicted across the globe by nefarious groups bent on destruction or collapsing infrastructures. Think back only to the Sony security breach or the nightmare of the Epsilon data loss, and you know that popular opinion is that hackers seem less like Robin Hood and more like Freddy Krueger.
Flash forward to today: One of those hackers has his own security firm and consults with companies on vulnerability testing and intrusion testing, highlighting their weaknesses and blind spots and helping them do network security audits.
In this capacity, for instance, he foiled a large corporate system by tricking one of the company’s own employees into holding a door open for him. Then he set up shop in an unused conference room, logged into the network and spent two days downloading gigabytes of proprietary and confidential data. No one ever even questioned him about what he was doing there.
When thinking about security and intrusion testing, you have to think like a bad guy. Law enforcement does it all the time, hiring criminal informants and infiltrating crime syndicates by going undercover (at least, this is what my years of watching Dexter and The Wire tell me). Speaking of crime shows, not all hackers are that altruistic. That other guy with whom I was acquainted? He’s currently incarcerated for terrorist-like activities.
Have you engaged in third-party vulnerability testing of your network defenses? What was the outcome? Is intrusion testing worthwhile? How frequently do you perform a network security audit? The comments are eager to hear about how you defend your company against the dark arts.