2 days Ago
The term “hacker” understandably carries negative overtones, but not all hackers are bad guys. Ethical hacking might sound like a contradiction in terms, but it’s actually an important tool when it comes to an organization's cyber security . An ethical hacker, also known as a white hat hacker, is a security professional who, at the request of a company, mimics the tactics of a bad actor to try and find flaws in an organization's defences.
Once found, they can be mitigated before a criminal can take advantage. There's a growing demand for ethical hacking as the number of cyber attacks rockets. We look at the techniques ethical hackers use, and how they can benefit an organization.
Ethical hacking is a common cyber security activity in which a security professional attempts to break through an organization’s security systems to gain unauthorised access and potentially steal valuable data. The ethical hacker will use the same strategies and techniques as a malicious hacker — but rather than using any vulnerabilities they find for nefarious purposes, they’ll instead report their findings to the organization so that precautions can be taken in future. With a global rise in cyber attacks and ransomware, organizations are increasingly turning to ethical hackers.
Major hardware and software companies also use them to try and determine any vulnerabilities in their products; Google's Red Team, for example, simulates attacks, tests the products' defences and creates fixes accordingly. Malicious hacking is on the rise, with a recent report from Check Point Software finding that the number of cyber attacks globally rose by a whacking 44% last year. The perpetrators can be anyone from ransomware gangs to hostile nation states, who can use the access they’ve gained to steal data, crash systems or install malware.
They can cause immense damage, both financially and in terms of reputation. However, hacking doesn’t necessarily have to be a bad thing. The best way of dealing with cyber security risks is to spot the weak points and plug them before anyone else can exploit them for malicious intent.
And that's what ethical hackers do too, using exactly the same methods as the criminals — which means always staying at the head of the curve, aware of the newest techniques. Ethical hackers need a systematic mindset, and there are a series of stages to the process. The first is simply to familiarize themselves with the company’s systems, collecting public information and identifying domain names, IP addresses and network infrastructure.
Next comes the scanning phase, during which the ethical hacker uses a range of tools to scan the target system for vulnerabilities. That means identifying the various devices within a network, and how they’re connected, checking for open ports that could be exploited and scanning for known vulnerabilities in software and hardware. These vulnerabilities are then put to the test, using the same techniques that a malicious hacker would use.
Finally, a report is submitted. Ethical hackers are generally hired by an organization, but some work on a freelance basis, finding and submitting vulnerabilities through bug bounty programs run by the company. Ethical hacking is particularly widely used in industries that handle large quantities of sensitive data.
The finance sector, for example, holds highly sensitive banking information, while healthcare organizations store sensitive patient records. The tech industry, too, makes extensive use of ethical hacking to make sure their products are as secure as possible. Ethical hacking examples include penetration testing, focused specifically on breaching an organization’s defences.
Other activities include evaluating systems, applications and networks. Ethical hackers will also check for weaknesses amongst people and processes that make the organization more vulnerable to hackers, including weak passwords, failure to update systems and devices, and a lack of effective security training. Ethical hacking has saved the day in a number of cases — for example in 2019, when a team at Positive Technologies spotted a security weakness in Visa contactless cards that would have allowed hackers to bypass payment limits.
A subset of ethical hacking as a whole, penetration testing, focuses specifically on breaching an organization’s systems, networks or applications. This might mean attempting to inject malicious code into a website, carrying out denial of service attacks by trying to overload the system with traffic or trying to intercept traffic between two devices to steal sensitive information, known as a man-in-the-middle attack. System hacking involves hacking into individual systems, often using specialized commercial tools.
This may mean cracking passwords or obtaining them from databases of usernames and passwords exposed after a data breach, exploiting system vulnerabilities and installing malicious software. Internal testing looks for weaknesses amongst the people and processes within an organization, generally human error of one sort or another. This means looking for weak passwords, failure to update systems and devices and any lack of training that leads employees to fall victim to phishing scams and other types of fraud, or to carry out actions that compromise security.
Web application testing involves uncovering problems with websites and applications before they go live. This means looking for vulnerabilities such as SQL injection, cross-site scripting (XSS) and security misconfigurations. Ethical hackers will scan for weaknesses in network security, looking for open ports, vulnerable services or weaknesses in network protocols.
Similarly, they’ll check for vulnerabilities in wireless networks that could allow unauthorized access or the interception of data. The benefits of ethical hacking are clear: they allow an organization to discover its weak spots before they can be exploited. They can save organizations large sums of money, as well as protecting them from the loss of a good reputation.
As specialists, ethical hackers can often uncover vulnerabilities that internal security analysts might miss. They can prevent data breaches, improve corporate cyber security measures and build trust with customers, both in day-to-day operations and in new product launches. Ethical hacking also enables organizations to stay compliant with the growing number of global and industry-specific regulations and standards that demand regular security testing — again, potentially saving large sums of money in fines.
It’s possible for anybody with the right skills to set themselves up as an ethical hacker, taking part in the bug bounty programs run by major tech firms. Those discovering serious flaws in major software programs can net huge sums — sometimes in the millions of dollars. As for those skills — also needed, of course, for ethical hacking jobs — there's a number of specialist qualifications and certifications, including certified ethical hacker (CEH), Offensive Security Certified Professional (OSCP) Certification and CompTIA Cybersecurity Analyst (CySA+).
Ethical hackers can come from a number of different backgrounds — on occasion, it’s a question of poacher-turned-gamekeeper, with malicious hackers seeing the error of their ways. More commonly, they'll have a degree in computer science or a related field, along with more general experience in the cyber security industry. A fair number come via the military.
Bottom Line The term “hacker” understandably carries negative overtones, but not all hackers are bad guys. Ethical hackers follow the same tactics as malicious ones, but turn over their findings to help organizations strengthen their security. They can be hugely beneficial, often saving their clients from enormous financial losses.
.
