Ethical Hacking: It's a Thing, Hedge Funds
At Eze Castle Integration we see thousands of due diligence questions about hedge fund technology and operations each year. The questions around security are getting more specific with investors wanting details about each layer of a firm’s security stack.
A new question we’ve seen pop up once or twice centers around whether a firm’s online systems have undergone an ethical hack. So what is ethical hacking and how is it different from penetration testing?
Going back to our trusty security dictionary, SearchSecurity defines an ethical hacker (aka white hat hacker) as a “computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker (aka black hat hacker) could potentially exploit.”
The increased focus on all things cybersecurity related – cyber-attacks, cyber warfare and cyber terror – has even led to the creation of a Certified Ethical Hacker (CEH) designation, which hacking pros can earn by completing online courses offered by the EC-Council.
What’s the difference between a Penetration Test and Ethical Hack?
In most cases, ethical hacks are comparable to penetration tests in that an individual or company is hired to simulate a malicious attack against online systems to identify vulnerabilities. With potential security holes identified, hedge fund firms can remediate to help ensure their environments are solid and data is protected.
It is worth noting that when engaging in an ethical hack, you should understand how the white hat hacker stays current on exploits. According to McAfee’s CSO, many white hat hackers “use personas when gathering the latest exploits so that their real identity is not readily apparent to the underground. [Even with white hat hackers, firms are] touching part of the shady underworld of hacking.”
Penetration testing methodologies are becoming clearer. Just last week the PCI Security Standards Council released a new Penetration Testing Guide “to help organizations establish a strong methodology for regularly testing security controls and processes to protect the cardholder data environment.” While focused on the credit card industry, guides such as this move the overall financial services industry closer to standards.
In investor due diligence questionnaires we’re seeing about hedge fund technology, the question of penetration testing is more common than ethical hacking at this point. However, at the heart of either question is how a hedge fund is securing its data and applications. Layers of security are essential – from the cloud to the user desktop.
Want to know what else investors are asking about hedge fund technology and security? Read our 51 Common Due Diligence Questions.