Whether you own a business or you are just dealing with cyber security, you may have come across the term ‘ethical hacking’. This is a service that is increasingly being offered by professional cyber security firms.
To understand whether ethical hacking could be helpful for you, there are a few things you need to understand about the term. Let’s take a closer look at hacking and how the ethical hacker became such an important tool for businesses looking to reinforce their cyber defences.
Aren’t all hackers evil?
For many people, the word ‘hacker’ means an online criminal stealing passwords, data and money from both businesses and individuals. This idea of the hacker as a villain has been pushed by the media presenting stories about large companies that have suffered from hacking attacks - like the infamous phone hacking scandal, where editors of the News of the World were convicted of numerous offences.
Perhaps it’s no surprise then, that when you hear the phrase ‘ethical hacker’, it can be difficult to understand how those two words can be used in the same sentence. If hackers are all evil criminals preying on the vulnerable, how can they be ethical? The truth is that it is not fair to label all hackers as the bad guys.
There are actually two schools of thought about hacking. Firstly, those hackers that you are more familiar with are known as ‘black hat’ hackers. They are the ones using their skills to break down cyber security to attempt to steal or defraud. Ethical or ‘white hat’ hackers, by contrast, use those same skills to uncover the weaknesses in systems and have them corrected before black hat hackers can exploit them.
A quick history of hacking
When the word ‘hacking’ was initially used in the way that we know it today, it wasn’t considered a negative term. Instead, it was actually a phrase used by engineering students at the Massachusetts Institute of Technology (MIT) in the 1960s to mean bypassing certain functions of electrical systems to make them more efficient. Indeed, in this original incarnation of hacking, it was considered to be a useful activity that could only be positive.
It was only when people started to see the application for bypassing systems in order to defraud companies or institutions that hacking began to take on a negative meaning. Through the 1970s, the kind of hacking that got the most news coverage was ‘phreaking’, which involved using sound emulators to fool the dialling tone used by phones. This allowed the hacker to make long distance calls for free.
Then, when personal computers gained widespread popularity in the 1980s and all sorts of data and information were stored on them, unscrupulous hackers began to see the possibilities for using their skills for illegal purposes. They started using their understanding of programming languages and knowledge of computer systems to take control of them.
Is your business at risk from hackers?
Unfortunately it’s the case that cyber criminals now target businesses of virtually any size, with everything from tiny online stores to huge corporations suffering from hacking attacks. For example, a study in 2013 estimated that 30,000 websites were hacked every single day. That means that if you don’t have adequate cyber security you could be on the receiving end of a hack that could cause real problems for your business.
As long as there have been hackers attempting to manipulate systems to their advantage, there have been ethical hackers attempting to make it harder for them to do so. Ethical hackers use their knowledge to uncover those same weaknesses that black hat hackers would look to exploit – they then pass this information on to the business or organisation so that they can defend themselves against that type of attack.
There are a range of ethical hacking strategies, one of which is called penetration testing. However, if you are using a cyber security company that offers penetration testing it’s worth knowing that its scope is narrower than ethical hacking.
Is penetration testing enough?
Penetration testing is an important part of ethical hacking but the two terms should not be confused. If one company is offering you penetration testing, it’s not the same thing that you will get from another offering a comprehensive ethical hacking service. Penetration testing refers to ethical hackers using digital methods to access the system – this could include programming tricks and other digital means.
This is very useful as it is one of the best ways to overcome serious deficiencies and weaknesses in your software. However, penetration testing doesn’t necessarily prepare you for the more sophisticated techniques that modern hackers engage in. So let’s look at exactly why you will benefit from full ethical hacking.
Why do you need ethical hacking?
Unlike penetration testing, ethical hacking attempts to investigate every possible way that a black hat hacker might look to defeat your cyber defences. When they have discovered a way to beat your defences, they report back to you and show you how they were able to access your system. This gives you the chance to fix the problems before real hackers can attack you.
Using ethical hackers will also make sure that you aren’t preparing your cyber security blindly. As ethical hackers will use the same techniques as black hat hackers, they will allow you to understand the weaknesses in your system and prepare for them adequately.
If you don’t use ethical hackers you simply won’t know how well your system would perform against a full scale hacking attack. Some of the world’s largest companies have suffered catastrophic attacks, which just shows that there are weaknesses in just about any cyber security system.
How do ethical hackers work?
Ethical hacking does not follow a set guideline; it is simply an attempt to emulate black hat hackers. As discussed with penetration testing, hackers are expert programmers who understand the common vulnerabilities of cyber security, so they will attempt to find ways to defeat the software itself.
They will also use techniques such as sending out bogus emails and creating fake log-in screens in an attempt to trick employees into handing over their credentials. Once hackers have these details they can easily gain access to the system without having to do any further work.
But ethical hackers don’t stop here. They understand that hackers can use all sorts of alternative ways to get into a system. Criminal activities include surveillance of staff and even different forms of social engineering to find ways in. If there is an easy way into your system, hackers are much more likely to find and use it, so it shows the importance of training staff to be aware of the dangers.