"Enhancing organization security through Hacking"
1) Why “Hacking” in enhancing the organisation security.
In today's IT society, major business corporations and government sectors have become very dependent on computers and the Internet. In almost all organisations, day-to-day operations cannot proceed without computers and the applications that run on them. The organisation's most important assets, its data and information, are also stored in these computer systems. The security of those computers therefore becomes the most important consideration, both to mitigate the risk of losing the information assets and to avoid crippling the organisation's day-to-day operations.
In most organisations, a significant amount of budget has been allocated to put measures in place to address computer security. Data protection has become a crucial part of the daily running of the organisation. More and more organisations have deployed security software such as firewalls or intrusion-detection systems to help protect their computer networks and information assets and to quickly identify any potential attacks.
IBM Systems Journal states that “some organisations have realised that one of the best ways to evaluate the intruder threat to their interests would be to engage independent computer security professionals to attempt to break into their computer systems”. Through these attempts, the security professionals can find the loopholes and weaknesses in the network infrastructure and within the computer systems. Such an exercise is known as penetration testing or ethical hacking. The vulnerabilities found may result from poor or improper system configuration, from known or unknown hardware or software flaws, or from operational weaknesses in a process or technical countermeasure. Trained security professionals analyse the data obtained from their penetration attempts against the computer systems and identify the areas of weakness that need rectification.
2) Penetration Testing Process
Computing is still a young and fast-growing field, and there are many occasions when components do not work well together. Every computer program that is developed and put on the market therefore has to go through a series of strict tests to ensure that it functions properly.
The main objective of penetration testing is to evaluate the strengths and weaknesses of a system's security set-up and to report back to the owners any vulnerabilities or loopholes detected, so that the organisation can take further action. The business impact of a successful exploit is also evaluated during the testing process. Penetration testing is best conducted before a system is put into production and exposed to the public, so that detectable weaknesses are removed before a malicious hacker can find them.
Penetration testing can be conducted in two ways. The first is black-box testing, which assumes the testers have no prior knowledge of the system under test. The penetration testing team must first determine the location and extent of the systems before beginning their analysis; this simulates an attack from an outsider who is unfamiliar with the system. White-box testing, on the other hand, gives the team complete knowledge of the infrastructure of the system under test, including network diagrams, source code and IP addresses. It simulates the situation where an attacker has already obtained sensitive information about the organisation, such as a malicious insider.
During a penetration test, the same techniques and tools used by real hackers are often deployed in the hacking attempts. One of the key principles for these IT professionals is to neither damage the system nor steal any confidential information from it. In practice, the professionals sign a contractual non-disclosure agreement under which they are not allowed to disclose any information covered by the agreement. The penetration team also presents a report that includes mitigations and suggestions for enhancing the security of the computer systems and their network infrastructure. IT professionals who perform this hacking process are usually known as ethical hackers. Examples include IT security technicians testing a system for bugs and researchers probing the limits of a particular system.
3) Risks of Penetration Testing and how to resolve them
Nevertheless, there are certain risks involved when an organisation allows a third party, i.e. the ethical hacker or penetration team, to break into its systems. Such risks can put the organisation in a disadvantaged position and lead to unwanted outcomes such as the loss of valuable and confidential data. Some of the key risks include the following:
1. The ethical hacker may fail to identify significant vulnerabilities that are crucial to the running of the system.
2. Misunderstandings and miscommunication may result in the test objectives not being achieved.
3. Testing activities may inadvertently trigger events or responses that were not anticipated or planned for (such as alerting law enforcement authorities).
4. Sensitive security information may be disclosed, increasing the risk of the organisation becoming vulnerable to external attacks.
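Risks 2 and 3 above are normally contained by a written rules-of-engagement document that fixes the authorised address ranges, any explicit exclusions (for example a production database that must not be touched) and the agreed testing hours; the discovery step of a black-box test described in section 2 is the point where every candidate target should be checked against it. The Python below is an added illustration and not code from the original post: a small scope gate that refuses any target that is outside the agreed ranges, inside an exclusion, or outside the testing window. The class name, the address ranges, the exclusions, the testing window and the candidate list are all constructed for the example.

```python
"""Rules-of-engagement scope gate for a penetration test (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    """Authorised scope as agreed in the engagement contract (constructed data)."""
    in_scope: list                                  # CIDR strings the client authorised
    excluded: list = field(default_factory=list)    # ranges inside in_scope that must NOT be touched
    window_start: time = time(0, 0)                 # start of permitted testing hours
    window_end: time = time(23, 59)                 # end of permitted testing hours

    @staticmethod
    def _nets(cidrs):
        # strict=False so a host address with a mask such as 10.20.5.10/32 is accepted
        return [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def in_window(self, when: datetime) -> bool:
        """True when the testing clock falls inside the agreed hours."""
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        # window wraps midnight, e.g. 20:00 to 06:00
        return t >= self.window_start or t <= self.window_end

    def check(self, target: str, when: datetime):
        """Return (allowed, reason). Exclusions always override inclusions."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # hostnames are refused here: resolve them and re-check the literal address,
            # otherwise a name could resolve to something outside the agreed ranges
            return False, f"{target!r} is not an IP literal; resolve it and re-check"
        for net in self._nets(self.excluded):
            if addr in net:
                return False, f"{target} is explicitly excluded by {net}"
        for net in self._nets(self.in_scope):
            if addr in net:
                if not self.in_window(when):
                    return False, f"{target} is in scope but outside the testing window"
                return True, f"{target} authorised via {net}"
        return False, f"{target} is not in any authorised range"


def filter_targets(roe: RulesOfEngagement, targets, when: datetime):
    """Split candidate targets into (allowed, blocked) lists of (target, reason)."""
    allowed, blocked = [], []
    for t in targets:
        ok, why = roe.check(t, when)
        (allowed if ok else blocked).append((t, why))
    return allowed, blocked


# Constructed scope: two client ranges, with one host and one subnet carved out,
# and testing permitted only overnight.
ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/16", "192.0.2.0/24"],
    excluded=["10.20.5.10/32", "192.0.2.128/25"],
    window_start=time(20, 0),
    window_end=time(6, 0),
)

# Constructed candidate list such as a black-box discovery phase might produce.
CANDIDATES = ["10.20.1.7", "10.20.5.10", "192.0.2.3",
              "192.0.2.200", "203.0.113.9", "intranet.example"]

# Two constructed clock readings: inside and outside the testing window.
NIGHT = datetime(2024, 3, 1, 22, 30)
NOON = datetime(2024, 3, 1, 12, 0)

if __name__ == "__main__":
    ok, bad = filter_targets(ROE, CANDIDATES, NIGHT)
    for _, why in ok:
        print("ALLOW", why)
    for _, why in bad:
        print("BLOCK", why)
```

Run with the constructed data, only 10.20.1.7 and 192.0.2.3 are allowed; the excluded host, the excluded subnet, the unrelated address and the bare hostname are all refused with a reason that can go straight into the engagement log. Checking exclusions before inclusions is deliberate: a carve-out inside an authorised range must win, or risk 3 above (an unplanned event on a system the client asked you to leave alone) is exactly what happens.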