- Contact Us
Have White Hat, Will Travel
“A young boy, with greasy blonde hair, sitting in a dark room…[T]he weary system cracker telnets to the next faceless .mil site on his hit list.”
On November 2, 1988, the infamous Great Worm wreaked havoc on a fledgling Internet. Robert Tappan Morris, Jr, who became the first person indicted under the relatively new Computer Fraud and Abuse Act, claimed in Court he was trying to, “demonstrate the inadequacies of current security measures on computer networks by exploiting…security defects.”
There certainly are better ways to point out security flaws than to launch a devastating malware attack. That said, how exactly do you figure out what might be exposing your computers and networks to threats?
Enter White Hat Hacking.
The term ‘hacking’ has a bad rep these days, and I’ve fundamentally given up trying to convince clients and students that it actually is an age-old, honorable role in our modern society (as opposed to ‘cracking’, like bad guys do to safes and data centers). There are indeed ethical hackers out there, protecting us by looking at bugs in code, finding weaknesses in our defenses, and informing the wider community.
One tool in the Good Guys’ arsenal is penetration testing. We’d prefer to discover our own vulnerabilities so incidents can be reduced in frequency and scope of impact, and trying to break into our own systems is a great approach.
Recently, the Federal Health and Human Services Office of Inspector General (OIG) released a report summarizing the, “penetration testing of eight HHS operating division networks.” Those tests were conducted by a third-party contractor and revealed that these organizations, “needed improvement to more effectively detect and prevent certain cyberattacks.” HHS now has four specific recommendations to address the findings so the department can better safeguard their sensitive data.
Not long thereafter, Oregon’s Department of Human Services announced that they had experienced a breach that potentially exposed 1.6M clients’ Personally Identifiable Information (PII), including full names and SSNs. One hopes the state will not only engage in a vigorous forensic investigation after the fact, but also work more aggressively to detect issues through their own pen-testing regime with a trusted external organization to mitigate future problems.
We must keep in mind, however, that such testing can’t prevent all leaks of private information. For instance, the Federal Emergency Management Agency exposed PII of disaster survivors according to the Department of Homeland Security’s OIG report last month. This incident was the result of an internal process failure rather than any malicious attack, which teaches us that in addition to ethical hacks of our own facilities, we require a compliance regime which examines policies and procedures and includes security awareness training to ensure they are followed properly.If your organization touches PII and/or Personal Health Information (PHI), it is imperative that crackers (greasy-haired or otherwise) do not enjoy easy access to your data. As it turns out, Compass IT Compliance has a posse of White Hats to help you. They can teach your employees how to behave more securely, assess your risk when it comes to HIPAA and other regulations, and test your systems to identify potential exploits and remediate them so attackers sitting in dark rooms have nothing to show for their efforts.