‘The more things change, the more they remain the same’ is an old proverb that stands the test of time, even in this digital age. Two thousand years ago, Chanakya, in the Arthashastra (Book II, Chapter VIII, paragraph 67), listed forty techniques of embezzlement. His intent was not to train embezzlers; it was to educate auditors, help them catch embezzlement and design systems to prevent it.
In the digital world, ethical hackers are like the auditors of Chanakya’s time, who were trained to catch embezzlement by studying its different methods. Likewise, ethical hackers test software for vulnerabilities so that these can be fixed before the software is adopted for real-world usage. The primary objective of an ethical hacker is to identify all potential points of vulnerability in a piece of software and prevent it from being hacked by unethical ‘hackers’ who may misuse those vulnerabilities.
Intent is the only point that separates an ethical hacker from an ‘unethical’ hacker: while the former wants to protect the software and make it safe for all users, the latter seeks to take advantage of the vulnerabilities in the software for personal, often unethical, gain.
Internet-based software is a boon for users: it is easily accessible, not very expensive and can be implemented in a short time span. At the same time, it opens up untold risks of misuse, with serious implications not just for the availability of the software for future use but also for the information it holds. Misuse of that information can lead to financial losses for the owners, reputational blemishes for the parties concerned and danger to the personal safety of individuals whose personal information is made public.
The twenty-first century has seen significant progress in automating the identification of software vulnerabilities through automated VAPT (Vulnerability Assessment and Penetration Testing) tools. A plethora of tools is available, both commercially and in the open-source domain, for conducting VAPT tests. Due to fierce competition and the varied requirements of users, there is no one leader in this space. Some of the leading players in this segment are Synopsys (Cigital), Acunetix, Checkmarx, Qualys, Rapid7, CA Technologies (Veracode), Hewlett Packard Enterprise, IBM, WhiteHat Security, Trustwave, Contrast Security, PortSwigger, Wireshark and Netsparker, among others.
As in all other automation suites, VAPT tools automate only what is already known. As new hacking techniques and practices evolve, ethical hackers keep pace with them by supplementing tool-based penetration testing with manual efforts that cover new, evolving and untried techniques. Hence the quality of the ethical hacking that a piece of software undergoes is a result of both the quality of the tools used and the capability of the individual who supplements them.
Ethical Hacking for Company Secretaries
It goes without saying that any software used by Company Secretaries needs to be safe and secure, for they deal with confidential information most of the time and, in some specific instances, with personal information too. This requirement applies not only to software accessed over the internet but also to desktop software, as most desktops have internet access and hence can be “reached” by an unethical hacker.
To play it safe, Company Secretaries should ensure that any software they use which can be accessed over the internet is certified for security and availability using standards like ISO for data security and confidentiality. Further, they need to ascertain whether their software has undergone VAPT and how frequently VAPTs are conducted. The accepted industry standard on frequency is once a year or after every major enhancement, whichever comes earlier.
As their name suggests, company secretaries are required to keep their company’s secrets. To protect the information in their custody, they need to be aware of VAPT reports and ask their software vendors for them before using any software, so that their corporate secrets remain safe and secure.