Defining Ethical Hacking
Ethical hackers must always act in a professional manner to differentiate themselves from malicious hackers. Gaining the trust of the client and taking all precautions to do no harm to their systems during a pen test are critical to being a professional. Another key component of ethical hacking is to always gain permission from the data owner prior to accessing the computer system. This is one of the ways ethical hackers can overcome the stereotype of hackers and gain the trust of clients. The goals ethical hackers are trying to achieve in their hacking attempts will be explained as well in this section.
Understanding the Purpose of Ethical Hacking
When I tell people that I am an ethical hacker, I usually hear snickers and comments like “That’s an oxymoron.” Many people ask, “Can hacking be ethical?” Yes! That best describes what I do as a security professional. I use the same software tools and techniques as malicious hackers to find the security weaknesses in computer networks and systems. Then I apply the necessary fix or patch to prevent the malicious hacker from gaining access to the data. This is a never-ending cycle, as new weaknesses are constantly being discovered in computer systems and patches are created by the software vendors to mitigate the risk of attack. Ethical hackers are usually security professionals or network penetration testers who use their hacking skills and toolsets for defensive and protective purposes. Ethical hackers who are security professionals test their network and systems security for vulnerabilities using the same tools that a hacker might use to compromise the network. Any computer professional can learn the skills of ethical hacking. The term cracker describes a hacker who uses their hacking skills and toolset for destructive or offensive purposes, such as disseminating viruses or performing denial-of-service (DoS) attacks to compromise or bring down systems and networks. No longer just looking for fun, these hackers are sometimes paid to damage corporate reputations or to steal or reveal credit card information, while slowing business processes and compromising the integrity of the organization.
Hackers can be divided into three groups:
White Hats: Good guys, ethical hackers
Black Hats: Bad guys, malicious hackers
Gray Hats: Good or bad hacker; depends on the situation
Ethical hackers usually fall into the white-hat category, but sometimes they’re former gray hats who have become security professionals and who now use their skills in an ethical manner.
White Hats
White hats are the good guys, the ethical hackers who use their hacking skills for defensive purposes. White-hat hackers are usually security professionals with knowledge of hacking and the hacker toolset who use this knowledge to locate weaknesses and implement countermeasures. White-hat hackers are prime candidates for the exam. White hats are those who hack with permission from the data owner. It is critical to get permission prior to beginning any hacking activity. This is what makes a security professional a white hat versus a malicious hacker who cannot be trusted.
Black Hats
Black hats are the bad guys: the malicious hackers or crackers who use their skills for illegal or malicious purposes. They break into or otherwise violate the system integrity of remote systems with malicious intent. Having gained unauthorized access, black-hat hackers destroy vital data, deny legitimate users service, and just cause problems for their targets. Black-hat hackers and crackers can easily be differentiated from white-hat hackers because their actions are malicious. This is the traditional definition of a hacker and what most people consider a hacker to be.
Gray Hats
Gray hats are hackers who may work offensively or defensively, depending on the situation. This is the dividing line between hacker and cracker. Gray-hat hackers may just be interested in hacking tools and technologies and are not malicious black hats. Gray hats are self-proclaimed ethical hackers who are interested in hacker tools mostly from a curiosity standpoint. They may want to highlight security problems in a system or educate victims so they secure their systems properly. These hackers are doing their “victims” a favour. For instance, if a weakness is discovered in a service offered by an investment bank, the hacker is doing the bank a favour by giving the bank a chance to rectify the vulnerability.
From a more controversial point of view, some people consider the act of hacking itself to be unethical, like breaking and entering. But the belief that “ethical” hacking excludes destruction at least moderates the behaviour of people who see themselves as “benign” hackers. According to this view, it may be one of the highest forms of “hackerly” courtesy to break into a system and then explain to the system operator exactly how it was done and how the hole can be plugged; the hacker is acting as an unpaid—and unsolicited—tiger team (a group that conducts security audits for hire). This approach has gotten many ethical hackers in legal trouble. Make sure you know the law and your legal liabilities when engaging in ethical hacking activity. Many self-proclaimed ethical hackers are trying to break into the security field as consultants. Most companies don’t look favourably on someone who appears on their doorstep with confidential data and offers to “fix” the security holes “for a price.” Responses range from “thank you for this information, we’ll fix the problem” to calling the police to arrest the self-proclaimed ethical hackers.