What is Ethical Hacking? - A complete guide

Black hat / White hat / Grey hat - what is it all about?

In order to understand the value and importance of ethical hacking, you must first understand what hacking is. 

What is hacking?

One useful definition offered by anti-malware provider Malwarebytes is:

“The gaining of unauthorised access to data in a system or computer, tablet, mobile phone or even entire networks”.

Types of hacking

Hacking activities generally fall into three categories:

  • Black hat - exploiting security vulnerabilities to steal data, cause network disruption or to cause other damage. Using advanced technical knowledge, these hackers will stop at nothing to reach their goal. This form of hacking is generally malicious and always illegal.
  • White hat - breaking into networks and systems to demonstrate security weaknesses and vulnerabilities with the system owner’s permission. These hackers have deep knowledge of the same techniques employed by black hats, but their motives are good.
  • Grey hat - generally involves using illegal techniques to break into networks but without malicious intent.

Because of the potential damage and disruption, illegal hacking is a serious crime. Hackers can face several years in prison - or even be extradited to stand trial in another country depending on who and what they attack.

Why are hackers defined by coloured hats? The categorisation (allegedly) stems from the observation that the good cowboys in Western movies typically wear white hats, while the villains wear black.

Also known as ‘ethical hacking’, white hat hacking is an important tool in the battle against malicious cyber criminals. The rest of this article explains what ethical hacking is.

How could hacking affect my business?

Your data is arguably the most valuable asset your business owns. If that information is stolen or disrupted, the effects may be significant. Consider the potential outcomes for the following:

  • Key intellectual property is stolen and sold to your competitors or leaked online.
  • The company online banking details are compromised, allowing hackers to empty your accounts.
  • Key files are corrupted or deleted by a malware infection.
  • Traffic to your website is disrupted, preventing real customers from placing orders.
  • Your customer list is stolen and sold.

Any one of these scenarios has significant implications, even if they only last a matter of hours. In the most severe circumstances, smaller businesses could fail completely.

The implications are not purely financial either. A security breach affects customer trust; 58% of consumers would avoid a provider who had recently experienced a cybersecurity incident.

Given the complexity of modern IT systems, it probably comes as no surprise to learn that hackers have a wide range of techniques at their disposal.

Ethical hacking

Ethical hacking is the discipline of testing IT security using the same tools and techniques that black hat hackers employ. The goal of ethical hacking is to identify vulnerabilities, with the permission of the system’s owner, so that they can then be fixed to ensure long-term online security.

Penetration tests (pen testing) assess how easy it is to break into a network. Ethical hacking is often conducted by a team of cybersecurity experts to provide a complete overview of your defences and their effectiveness. They will typically conduct a combination of technical pen testing along with social engineering attacks to create a complete understanding of your readiness.

Is ethical hacking legal?

Ethical hacking is completely legal because it is carried out in a controlled manner with the permission of the company or individual who owns the system. The intention of ethical hacking is merely to expose security vulnerabilities, not to steal data or damage and disrupt systems.

An ethical hacker is a trusted individual who always operates in accordance with the law, attacking and defending within the applicable regulations and any rules laid down by the client.

What do ethical hackers do?

Effective ethical hacking follows a process for each project. This ensures that everything is properly tested and that no details are overlooked.

In between projects, white hats will also practise their skills using a hacking simulator. These simulators mimic real-world IT systems and defences without having to build a full test lab – or attack a real-world network.

Scope and goal setting (rules of engagement)

Before conducting any kind of pen test, an ethical hacker will first discuss your specific needs. Are you looking to test a specific system? Do you want to assess your employees’ readiness to deal with social engineering? Or are you looking for regular ongoing testing of your systems to ensure cyber security standards are being maintained?

Defining the project scope ensures you get the testing you need – and that your cyber security consultant doesn’t inadvertently over-step the mark and cause unexpected disruption.
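
A scope check of this kind can be automated so that every target is validated against the agreed rules of engagement before any test runs. The sketch below is an added example, not part of the original article; the address ranges, exclusion and testing window are constructed values.

```python
import ipaddress
from datetime import datetime, time

# Constructed rules of engagement (documentation address ranges, assumed hours).
RULES = {
    "in_scope": ["192.0.2.0/24", "198.51.100.16/28"],
    "excluded": ["192.0.2.10/32"],          # e.g. a fragile production host
    "window": (time(22, 0), time(5, 0)),    # agreed testing hours, crosses midnight
}

def in_window(now, window):
    """True if the time of day falls inside the agreed testing window."""
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end       # window that wraps past midnight

def check_target(target, when, rules=RULES):
    """Return (allowed, reason) for one IP address at a given datetime."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, "not a valid IP address; resolve hostnames and re-check"
    # Exclusions win over inclusions: an excluded host is never tested.
    if any(addr in ipaddress.ip_network(n) for n in rules["excluded"]):
        return False, "explicitly excluded"
    if not any(addr in ipaddress.ip_network(n) for n in rules["in_scope"]):
        return False, "outside agreed scope"
    if not in_window(when.time(), rules["window"]):
        return False, "outside agreed testing window"
    return True, "in scope"

if __name__ == "__main__":
    for ip in ("192.0.2.55", "192.0.2.10", "203.0.113.5"):
        print(ip, check_target(ip, datetime(2024, 1, 10, 23, 30)))
```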

Reconnaissance

Hackers rarely jump straight into an attack; trying to break into your systems without any foreknowledge is likely to see their efforts detected and blocked before they achieve their goals. In the same way, ethical hackers will begin gathering information about your business before attempting to penetrate defences.

They will typically gather insights into how your business uses and stores data, your operating environment and potential exploits to use against your security. They may even use no-tech methods like “dumpster diving”, going through your bins to retrieve old information that has been thrown away that reveals details of your operations.

Footprinting, scanning & enumeration

Initial reconnaissance completed, activities then step up a gear, using technology to probe at your systems in an effort to create a more detailed picture of operations.

  • Footprinting begins to identify your systems and potential attack points. Passive footprinting may be nothing more than reviewing your company email system. Active footprinting is more hands-on, testing systems to see if they respond to SQL injection commands for instance.
  • Scanning uses automated tools to probe your systems and infrastructure to see what is in use on your network. This will reveal active computers (hosts) and the ports left open allowing traffic into and out of your company network and firewall.
  • Enumeration seeks to extract specific details from the network, such as usernames, machine names and any available network resources.

Put together, the results of these activities will give your ethical hackers a very good understanding of your network, the technologies you use and likely points of entry.

Gaining access

With potential entry points identified, ethical hackers put their extensive technical knowledge to work breaking in. They use a combination of scripts and tools to circumvent or break security.

Once inside the network, hackers will daisy-chain techniques to escalate privileges and compromise other systems. This process can last days or months as the hacker continues looking for valuable data without triggering any of your network defence mechanisms.

Maintaining access in ethical hacking (gaining persistence)

Having broken through your defences and established a foothold on the network, the hacker will first ensure they can maintain access. They will create new user accounts with admin level permissions for instance, allowing them to log in through the “front door”. Or they may install trojan horse malware on the network, providing a backdoor from which to work in future.

Large hacking projects can take months to execute, so maintaining access is vital until the hacker’s target is accomplished.
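
From the defender's side, this form of persistence leaves traces: on Linux, account creation and group changes are written to the authentication log. The following added example (not part of the original article) flags accounts granted admin-level group membership and rates those granted it minutes after creation as high severity; the log lines are constructed and the privileged group names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on Linux auth.log entries from useradd/usermod.
SAMPLE_LOG = """\
Mar  3 02:14:07 web01 useradd[4121]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Mar  3 02:14:31 web01 usermod[4130]: add 'svc_backup' to group 'sudo'
Mar  3 09:02:10 web01 useradd[5200]: new user: name=jsmith, UID=1003, GID=1003, home=/home/jsmith, shell=/bin/bash
Mar  3 09:40:00 web01 usermod[5300]: add 'alice' to group 'docker'
Mar  3 11:05:45 web01 usermod[6001]: add 'bob' to group 'sudo'
"""

PRIVILEGED_GROUPS = {"sudo", "wheel", "adm"}   # assumption: adjust per distribution
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (useradd|usermod)\[\d+\]: (.*)$")
NEW_USER = re.compile(r"new user: name=([^,]+),")
GROUP_ADD = re.compile(r"add '([^']+)' to group '([^']+)'")

def find_admin_grants(log_text, year=2024, window=timedelta(minutes=10)):
    """Flag privileged-group additions; 'high' if the account was just created."""
    created = {}    # (host, username) -> creation time
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, msg = m.group(2), m.group(4)
        if (u := NEW_USER.search(msg)):
            created[(host, u.group(1))] = ts
        elif (g := GROUP_ADD.search(msg)) and g.group(2) in PRIVILEGED_GROUPS:
            key = (host, g.group(1))
            fresh = key in created and ts - created[key] <= window
            findings.append({
                "host": host, "user": g.group(1), "group": g.group(2),
                "time": ts.isoformat(),
                "severity": "high" if fresh else "review",
            })
    return findings

if __name__ == "__main__":
    for finding in find_admin_grants(SAMPLE_LOG):
        print(finding)
```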

Reporting

With analysis and testing complete, the ethical hacker will produce a detailed report of their findings. They will document each of the vulnerabilities they identified, the tools they used and how successfully they were able to exploit each weakness.

The final report is an important tool for your cybersecurity strategy. Not only does it document where there are failings, but it will also help to prioritise remedial work to bring defences up to standard and reduce the risk of being successfully hacked by a black hat.
