Be Smart: Hire a Hacker

The job of IT

IT people, you are some of the busiest. Think about it. You’ve got to not only keep the lights on but you’re also expected to be an expert at wearing many hats. You’re often performing various roles within any given day—everything from help desk to systems administration to network administration and everything in between. Now throw cybersecurity into the mix and whew, that’s a full plate.

Most IT people know that there’s a lot they don’t know. Many also recognize there’s a mess of hidden and unintended vulnerabilities lying in the weeds of their environments that cannot and will not ever be found by a vulnerability scan. That’s why it’s important to hire good hackers before the bad ones break in.

The job of a hacker

It’s definitely NOT like what you see in the movies. The job of a hacker, one with good intentions, is more about being an experienced, trusted partner than being a whiz-bang exploit slinger hiding in the shadows. My value to you and your firm, as a hacker, is to dissect, identify, validate, and articulate vulnerabilities so that you understand them and their root cause, know how to fix them, and know how to validate that they are truly resolved.

Hackers help you not only identify vulnerabilities but also validate them. We attempt to prove, through exploitation, that the vulnerability is real, and we assign risk based on a number of factors. That risk evaluation then helps you prioritize all the vulnerabilities in your firm. The same is not possible with vulnerability scanning alone. In fact, many of the “exploits” carried out on pentests are a direct result of an informational finding. An open telnet server, for example, would be an informational finding on a Nessus vulnerability scan. However, if that service has a default or weak password, we may be able to obtain internal access to your environment from the internet through it!

The ROI of getting hacked

There are two ways this can go. You either pay a little bit first, or you pay a lot later. Either you get hacked by the bad actors and pay a sum of money for remediation and restoration, potential fines and credit monitoring, and marketing to restore the firm’s image. Or you pay upfront by being proactive, doing due diligence, and testing, and potentially (not guaranteed) avoid paying a lot later.

I’d argue that money is better spent up front, in the form of security assessments and testing that allow the good hackers to find gaps and vulnerabilities so they can be fixed before the bad actors even have a chance.

Hackers can’t save you, but they can be your ally

Hackers, the good ones, will not save you or stop your firm from getting attacked. We’re not going to prevent breaches. It happens even to the best organizations. But hackers can help identify and evaluate serious vulnerabilities to determine the risk to your firm. Hackers can help you understand your systems, applications, and environment better so you can make fewer mistakes and introduce fewer vulnerabilities. As hackers, we are your ally, your trusted partner. We’re here, and we exist to help you protect your firm. We’re in this fight together, at your side.