Where are the Holes? Turning IT Security Inside-Out

It’s an unfortunate truth. The holes in your IT security are most likely to be where you neither see them nor expect them. That means they’ll be outside the basic security arrangements that most organisations make. Firewalls, up-to-date software versions and strong user passwords are all necessary, but not sufficient. Really testing security is akin to an exercise in lateral thinking or even method acting. You have to look at your systems and network from the outside to see how a hacker or cybercriminal might try to get through or around the mechanisms you’ve put in place. And there’s more still to this inside-out approach to protecting your organisation.

The ‘hacker perspective’ approach is a specific example of the more general ‘black box’ testing technique for checking that software development projects are producing useful, usable software. Black box testing like this relies on an end-user point of view (a hacker point of view when it comes to security). It tests use cases and real life situations, and aims to provide enough coverage to give a reasonable level of confidence that quality (security) is sufficiently good. Its counterpart, white box testing, focuses on the technical mechanisms to make sure that each one is doing its job – but not necessarily that each one is doing the right job.

Figuring things out from a hacker point of view is therefore a better way to spot potential holes and vulnerabilities. But IT security managers shouldn’t forget the possibility of an attack or sabotage from the inside either. Terry Childs was convicted in 2010 after refusing to divulge critical password information to his employer, the IT department of the city of San Francisco. Although the facts are still being unravelled, it’s a case that shows how fragile security can become on the inside when single points of failure are created in the name of system or network protection. Whether you turn to ethical hacking, imaginative scenario testing or any other method, if you really want to be sure about your IT security, turn it inside-out, then test it again.