In the US, over 600 million records containing sensitive personal information have been stolen since 2005.
According to IBM, the average software contains between 5 and 50 exploitable bugs in every 1,000 lines of code.
An average company experiences 62 security incidents every week.
3 out of 4 companies will be targeted by web application exploits.
62 percent of employees think it is acceptable to transfer corporate data outside the company.
It takes, on average, 32 days to resolve a cyber attack.
The average cost of a data breach in 2013 was $5.4 million.
These are scary statistics. And more scarily, we probably haven’t even seen the end of the era of the data breach. In many ways, traditional security tools such as firewalls, anti-virus software, SSL VPNs, and password complexity rules are no longer enough. To get ahead of the curve, many companies have started hiring their own internal hackers.
These security experts are known as “ethical” or “white hat” hackers (The term comes from old westerns – the good cowboy would always be the one in the white hat). These hackers are IT professionals with a desire to solve problems and to prevent malicious attacks on systems.
The theory behind ethical hacking is that organizations hire good guys that understand the bad guys (and in some cases used to be bad guys), since one must understand how the damage is being done in order to stop it. With this in mind, companies hire ethical hackers to intentionally try to break into their systems and breach their security. The hackers are given permission to try to destroy the company and gain as much access as possible into the systems and networks.
It’s the hacker’s job to find all the nooks and crannies that the bad guys want to exploit–and to exploit them first–then report to management. Doing all of this requires the same skill set that a malicious hacker would use to penetrate the organization’s security. For this reason, training in ethical hacking has gained popularity in recent years with books, classes, and even certification available to those with the knowledge and skills to become ethical hackers.
While the profession isn’t new, it’s popularity is. In fact, the government and banking industries have been using their versions of ethical hackers for decades. Employing the best and brightest and daring them to break into their networks. In fact, you’ve probably even heard of one of the most famous, and earliest, white hat hackers: Steve Wozniak (aka the “other Steve” at Apple).
Wozniak got his hacking start designing blue boxes, which bypassed telephone-switching functions in order to make free long-distance calls (probably not technically white hat, but it lead to more ethical endeavors). He improved his hacking skills further by designing the hardware and some of the software for the first Apple prototype. Meaning your iPod, iPad, iPhone, and MacBook Air may not have existed had Woz not chosen to use his hacking skills for good.
While ethical hacking is on the rise, companies without a white hat can still follow some simple guidelines to protect against data breaches:
1. Secure your web applications.
2. Develop and implement a technology security policy.
3. Educate employees and train them on how to handle confidential information.
4. Give your developers the tools and training they need to write secure code.