After a wonderful talk with some high-end tech guys from a large company, I suddenly realized it. Application maintainers, programmers and, to some extent, system administrators are above all scared by the thought of security and of breaches.
The hacker mindset is a special one, and potentially dangerous for companies to hire. After all, hiring a hacker means that they – most likely – are unsure about their (or their clients’) information security integration. Asking someone (whom in most cases you don’t know very well personally) to hack your company and report each and every potential threat is a job that requires a lot of guts from the company that hires the hacker.
Companies and human beings aren’t ‘designed’ to do this. We would rather hide, not spit out our opinions bluntly in public, and lie low… (See the bitcoin exchanges that collapsed after attacks recently.) After all, you never know what this malicious hacker can do with the data… In many cases a hacker has a huge advantage over the company when you consider it in terms of bribes… The company will have to put its faith in the hands of the hacker it hires to do the job…
Sure, you can run an anonymous web test and order it from any website (including ours, obviously), but then what… This only tells you what the world can see from the web. But what about the inside threats? Not many consider insiders to be dangerous as well. What about that nice guy at the end of the hallway? How will he respond when the next round of layoffs takes place and he loses his job all of a sudden? What information can he access, and what damage can he do?
An even worse scenario, wicked-minded as I am: what about leaving personal items on your desk? When someone who wants to do evil sees your car keys, he might take them, unlock your car and put the keys back on your desk. He then takes a seat in the back of your car and waits until you finish your work for the day. He then puts a gun to your head and tells you that he has some people with your family and will kill them if you don’t co-operate. He asks you to go back in and get sensitive corporate intelligence… This is just a simple example of what can happen when you leave your car keys on the desk (or in your open purse) while you’re grabbing your next cup of coffee.
Isn’t the way employees act just as dangerous as hackers, to that extent? A good ethical hacker is able to explain why he does what he does and how he will tell directors and management about the issues found. More importantly, he will tell them immediately how to resolve the issues and how to prevent sensitive data from being captured by those who intend to do harm to the organisation.
Food for thought: do you wipe the whiteboard clean each time you leave the meeting room, or is there some information left that might be of interest to someone else?