Why do companies hire hackers to break into their own IT systems?

Against the backdrop of stories about large-scale cyberattacks on states, banks and the smartphones of ordinary citizens, the word "hacker" has become synonymous with cybercrime. By the original definition, hackers were simply skilled programmers with a deep understanding of how computer systems are designed. Such people are easy to find today, and there is even an entire branch of "ethical hackers" who break into IT systems at the request of their owners.
They are far less well known than their criminal counterparts, but their services are in great demand among businesses and the public sector. For example, Russia's Digital Economy program allocates 800 million rubles to the work of white hat hackers who will look for vulnerabilities in government IT systems and in the IT products of various vendors. The interest is understandable: the goal of a white hat hacker is to tell the customer about a vulnerability before malicious hackers exploit it.
How White Hat Hackers Work
The market for penetration tests (pentests, from the English "penetration testing") took shape not so long ago, recalls Maxim Filippov, director of business development at Positive Technologies in Russia. At first the approach was superficial: some companies allowed themselves to pass off reports from automated vulnerability scanners as research results, he complains.
But the market has evolved. Penetration tests are now divided into external and internal. In the first case, experts play the role of an outside attacker, trying to break into the customer's IT systems from the Internet, says Vladimir Dashchenko, head of the vulnerability research group for industrial automation systems and the Internet of Things at Kaspersky Lab. Working in internal networks makes it possible to look at IT systems through the eyes of an internal intruder (for example, an employee of the customer company), who starts out with more information and more opportunity to inflict damage, continues Andrey Bryzgin, head of Audit and Consulting at Group-IB.
Based on the results of the project, pentesters prepare a detailed report with the methodology, the progress and the results of the work, and confirm each vulnerability found with evidence: screenshots of workstations, lists of accounts with fragments of extracted passwords that the data owners can verify, network equipment configuration files, says Bryzgin. He points out that the pentester does not fix the discovered vulnerabilities: that is the task of in-house specialists, since they are the ones who operate the system.
Some contracts include a re-examination after in-house experts have eliminated the defects. There is also the practice of cross-checking, when two or three companies carry out the same set of work one after another, Bryzgin specifies, and the customer pays for each check in full. But carrying out two independent checks in parallel is not customary, adds Dashchenko.