The word “hacker” carries a negative connotation for many people, but hacking – even with the intent of breaking through security – is not always malicious.
There are situations where hacking can help improve a data center’s cybersecurity.
White Hats, Red Teams, and Pen Tests
Ethical hackers look for security flaws in a system to help a company fix a problem.
“A red team might embrace the concept of ethical hacking for finding a problem before an attacker would,” said Chris Kennedy, CISO and VP of customer success at AttackIQ, a cybersecurity company. It allows a data center to plug the security hole before the bad guys can find it.
There’s a broad spectrum of activity and skill levels involved here, he said. For example, automated tools could be used to look for known flaws in systems and applications. At the opposite end of the spectrum, talented engineers can reverse engineer applications.
“They can look for how credentials are managed, for flaws in the protocols used for communications,” he said. White hat hackers can also be deployed to try to break through a data center’s physical security, or emulate insiders and try to steal data.
It all depends on the cost-benefit analysis and what the data center wants to achieve, Kennedy said. “Most people don’t want to pay the cost – and take on the risk – of hiring ninjas to drop through the ceiling. If someone falls through a duct, there are liabilities. And it can scare an employee.”
Most often, he said, a physical pen test (“pen” is short for “penetration”) would simply involve confirming that the badging system works and that door locks are secured. The hackers would know tricks for getting around these controls that the people who installed and manage the system might not have thought of.
Take magnetic door locks for example. “They operate off of motion sensors,” he said. “I’ve witnessed a pen test where folks took a yard stick with a piece of paper stuck on it and wriggled it under the door, and it snapped open the lock.”
But data center managers should take some precautions before hiring white hat hackers, Kennedy warned.
That includes investigating the pen testing company’s reputation and its policies for vetting employees.
The penetration test should also have a clearly defined scope, he said. “How far do you want them to go? Do you want them to see the crown jewels – or just get next to the crown jewels?”
The data center also needs to decide how the penetration test will be monitored. Will the security operations center know what is happening and watch the hacking activity unfold without sounding the alarm? Or do you also want to find out whether the SOC notices that it is under attack?
Data centers should also plan ahead to protect themselves in case something goes wrong.
“Ethical hackers are people just like everyone else,” said Morey Haber, CTO at BeyondTrust. “While their intentions are good, their testing can have undesirable consequences.”
For example, if a system was moderately secure before the test, an ethical hacker might accidentally leave it in a vulnerable state after the test. If not remediated, it can make it easier for real attackers to break in, he said.
Ethical hackers document what they do, and “if the documents are not secured and treated as sensitive, they can be used as a blueprint for a breach by real threat actors,” Haber said.
Hackers – even ethical ones – talk to each other. After all, they’re only human, and non-disclosure agreements will only go so far.
“While non-disclosure agreements will prohibit the naming of names, the methods are normally fair play for papers and conferences,” he said. “This exposure helps the community at large but also educates threat actors on successful techniques to try.”
To reduce these risks, data centers should work with trusted and reputable firms, said Jason Albuquerque, CISO at Carousel Industries, a Rhode Island-based technology consulting firm.
The penetration testing firm you choose should have certifications in place, codes of ethics and conduct, and a structured process for clearly outlining the scope of the test.
“In the event that a security engineer encounters sensitive, personal, confidential, or proprietary information, their actions must be guided by a 100-percent focus on protecting the customer,” he said.
When Hackers Come Knocking
Sometimes, a white hat hacker shows up at your door without having been hired by your organization.
AttackIQ’s Kennedy recalled a situation where a friend of his encountered a hacker claiming they had penetrated the friend’s company security.
There was a system that had fallen off the patch-management radar, he explained, and was publicly exposed. “A white hat hacker reached out to them and said, ‘I found this problem, would you provide compensation?’”
The friend ran a vulnerability scan, found the problem, and fixed it right away. “And they said thanks, we’ve identified the problem as well, so move along.”
If that happens to you, said Kennedy, the first step is to validate the problem. It could be as simple as running a scan, or it could require asking the hacker for more information.
“Reach out to the person,” he said. “In order for me to set the right bar of compensation, can you disclose what the asset is? You might have found a development asset where one of my developers was just fooling around, and it has no business value.”
The next step is to determine if the hacker is trustworthy. “Figure out if they are of malicious intent or are generally of a white hat hacker nature. The reality is that you might pay them, and they might turn around to disclose the vulnerability maliciously anyway.”
Experts recommend that data centers that want to see what white hat hackers can find sign up with a reputable bug bounty platform such as Bugcrowd, or another program that pays hackers to locate vulnerabilities ethically.
“Bottom line, if the ethical hacker is able to report findings to the vendor on how to expose customer data or access protected systems, this is a good thing for everyone,” said Craig Lurey, CTO and co-founder at Keeper Security. “The ethical hacker benefits from the bug bounty and status ranking within the bug bounty program, and the vendor benefits from the increased levels of security.”
Hacking Back Is A ‘Stupid-Ass Idea’
If you are getting frustrated by seeing random criminals try to break into your data center day after day with no consequences, you might be tempted to take things into your own hands.
For example, ransomware victim Tobias Frömel recently hacked into his attacker’s command and control server and was able to get his hands on ransomware decryption keys for nearly 3,000 other victims, which he then shared with the public.
In another recent case, a hacker went after BriansClub, an underground marketplace for stolen credit card data, and made off with more than 26 million stolen records. The good-guy hacker then shared this data with security organizations that work with financial organizations to protect accounts.
While that may sound fun and potentially satisfying, security experts universally condemn hacking back.
“That’s against the law,” said AttackIQ’s Kennedy. Offensive response is the responsibility of law enforcement. “The best thing to do is report to the appropriate authority. Collect as much information as you can and maintain that information in a high-integrity way, so it can be used for prosecution. But it’s not advisable to hack back.”
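Kennedy’s advice to collect as much information as you can and keep it in a high-integrity form is easy to state and easy to get wrong. One concrete way to do it, shown here as an added example rather than anything from the article or the companies it quotes, is to hash every collected artifact at collection time and record the hashes in a manifest that is itself hashed, so that a later reviewer can tell whether a log was edited, dropped, or added after the fact. The log lines and file names below are constructed sample data; the `collector` field and the manifest layout are this example’s own conventions, not a standard.

```python
"""Tamper-evident evidence manifest for collected attack artifacts.

Added example (not from the original article): hashes each artifact with
SHA-256, then hashes the canonical list of entries so that the manifest
itself cannot be quietly edited. The artifacts below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts: name -> raw bytes exactly as collected.
SAMPLE_ARTIFACTS = {
    "sshd-auth.log": (
        b"Oct 21 03:14:07 bastion sshd[2211]: Failed password for root "
        b"from 203.0.113.7 port 51233 ssh2\n"
        b"Oct 21 03:14:09 bastion sshd[2211]: Failed password for root "
        b"from 203.0.113.7 port 51233 ssh2\n"
    ),
    "edge-fw.log": b"2019-10-21T03:14:05Z DENY TCP 203.0.113.7:51230 -> 198.51.100.10:22\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: list) -> bytes:
    # Fixed key order and no whitespace, so the same entries always hash the same.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, collector: str, collected_at: str = None) -> dict:
    """Hash every artifact and the sorted entry list; record who collected and when."""
    if collected_at is None:
        collected_at = datetime.now(timezone.utc).isoformat()
    entries = [
        {"name": name, "size": len(data), "sha256": sha256_hex(data)}
        for name, data in sorted(artifacts.items())
    ]
    return {
        "collector": collector,          # hypothetical field: who did the collection
        "collected_at": collected_at,
        "entries": entries,
        "manifest_sha256": sha256_hex(_canonical(entries)),
    }


def verify_manifest(artifacts: dict, manifest: dict) -> list:
    """Return a list of problems; an empty list means the evidence set is intact."""
    problems = []
    if sha256_hex(_canonical(manifest["entries"])) != manifest["manifest_sha256"]:
        problems.append("manifest entries altered")
    listed = {e["name"]: e for e in manifest["entries"]}
    for name in sorted(set(listed) | set(artifacts)):
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif name not in listed:
            problems.append(f"unlisted artifact: {name}")
        elif sha256_hex(artifacts[name]) != listed[name]["sha256"]:
            problems.append(f"hash mismatch: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, collector="soc-analyst-1")
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_manifest(SAMPLE_ARTIFACTS, manifest) == [])
    # Simulate someone "cleaning up" the source address in a log after collection.
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["sshd-auth.log"] = tampered["sshd-auth.log"].replace(b"203.0.113.7", b"198.51.100.99")
    print("after edit:", verify_manifest(tampered, manifest))
```

A manifest like this proves that the artifacts have not changed since it was written; it does not prove who wrote it or when. For evidence that may reach a prosecutor, hand the manifest hash to a party outside the affected environment (a ticket with a counsel’s office, a signed and timestamped record, or write-once storage) as soon as it is produced, and keep the original media untouched.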
It’s not just legal liability that should deter data center security staff from trying to hack back.
“It’s a stupid-ass idea,” agreed Chris Roberts, chief security architect at Attivo Networks, a deception and detection security company. “It should never be done.”
For example, the attacker might have left other backdoors into your systems that you don’t know about. If you go after them, they might go scorched-earth and destroy everything they can still reach.
“But the biggest thing is attribution,” Roberts said. “Knowing who’s attacking you.”
If someone comes up to you on the street and hits you, attribution is typically clear-cut. You saw who did it. “But in the digital world,” said Roberts, “I can use three different computers from three different countries, and you might end up blaming some poor grandmother in France.”
He pointed to a report last week about Russian attackers masquerading as Iranian hackers. “We don’t know whose hands were on the keyboards,” he said.