What Is Ethical Hacking & How It Can Secure Your Business?
Written by Joe Beaumont on 02/11/2020
A Brief History of Hacking - What is Ethical Hacking and How Can it Help Secure Your Business
The term "hacker" gets thrown around in a variety of contexts and in a multitude of different ways nowadays. While it's great that cybersecurity is gaining more and more awareness across the globe, the technical nature of cybersecurity means that terms are often used interchangeably, in different contexts, and sometimes incorrectly. Popular culture has certainly played its part, with movies and television shows portraying hackers as super-smart criminal masterminds, or underachieving geniuses who get by in life by committing petty theft from their parents' basements. The truth is very different -- more often than not, hackers are actually just like you and me.
Their job also isn't solely restricted to criminal activities. Practices such as penetration testing and other code-breaking activity are legitimate, fundamental aspects of cyber security at any company, big or small. There are also various institutions out there whose whole business is testing security professionals and providing them with certifications in ethical hacking to back up their good intentions.
The origins of hacking as we know it
Although computers in a form that resembles modern devices have not been around for more than fifty years, the origins of hackers can be traced back to long before the invention of the first integrated circuit. Hacking can be thought of as ‘defeating security’: as soon as there were people wanting to keep messages secret, there were people trying to read them.
The earliest ‘modern’ implementation of hacking stretches back to the cryptographers of World War 2, though of course they weren't called hackers then. Cryptographers are generally considered the precursors of the computer wizards of today. Their job also entailed breaking (hacking) the security systems of foreign intelligence services, competing corporations, and individuals. Most famously, this involved a British team at Bletchley Park cracking the Enigma code. The Enigma machine was used by the Germans for high-security military communications and was thought to be unhackable, thanks to its mathematical permutations on top of linguistic ciphering. A combination of ingenuity, cutting-edge technology and human error enabled the Enigma code to be broken, and those same three principles still hold true today.
More connected = more vulnerable
As technological progress continued to push more and more aspects of human activity into the digital sphere, hackers in turn expanded their reach beyond cryptography. Tapping into phone systems or tinkering with ATMs to obtain credit card information were just some of the methods at their disposal.
Throughout the 1970s and 80s, computer hacking became a legitimate concern. As banks, schools and corporations slowly digitised their records and processes, hackers came up with new ways to gain access. It wasn't until the invention of the Internet, though, that hacking made its way into the mainstream and revealed the fragility of our sense of security and anonymity in the digital sphere.
In early 2000, Dell, Amazon, CNN, eBay and others were taken offline by a string of denial-of-service attacks. The list of affected companies included Yahoo!, who at the time were the world’s largest search engine. The best part about this whole story? The hacker managed to do all of the above at 15 years of age, in the span of just one week. His name is Michael Calce, and his cyber attacks exposed the wider lack of knowledge about the Internet and utter ignorance of industry leaders and public officials.
Social justice hackers
By 2020, everyone and their mother has become acquainted with Anonymous, the far-reaching, loosely organised group of hackers and sympathisers known for taking a public stance on just about every socio-political issue there is. If not for them, the term 'hacktivist' would never have been born. Anonymous' origins can be traced back to 2003 on 4chan, the infamous message board platform. They rose to fame five years later, in 2008, with a coordinated attack on the Church of Scientology -- they brought down multiple websites belonging to the organisation and jammed its fax machines with all-black images. On top of that, an in-person protest was organised, with attendees all wearing Guy Fawkes masks (thanks to a popular film of the time), which quickly became the group's most recognisable symbol.
Although Anonymous' activities often turn out to be too disruptive to be considered ethical, there is no denying the fact that they are extremely well-versed in the art of social engineering and capturing the world's attention. The group has also inspired many young computer wizards to use their skills for something more than just personal gain.
A good hacker will easily steal hundreds of dollars and bring down prominent websites. A great hacker will do all that while also getting paid to do IT work by the very companies he is wrecking. This is the story of Jeanson James Ancheta. In 2005, he used botnets, networks of infected computers under a hacker’s control, to break into and compromise over 400,000 computers. He was ultimately caught and arrested, but the cybersecurity industry has never been the same since. If not for Ancheta, botnets would have remained hidden away from the public eye for many more years, and there is no telling how much loss they would have caused.
Know your hacker
Not every hacker is the same. They differ in their methods, skill sets, and preferred hardware. The most fundamental categorisation of hackers, however, stems from their motivations. Some are motivated purely by self-interest, and others have a more sophisticated agenda. Beware of jumping to conclusions when it comes to malicious and ethical hackers. There have been cases of cyber-criminals who have gone on to become ethical hackers and work in penetration testing or information security for some of the world's biggest companies.
White hat hackers are the "good guys", more commonly called penetration testers. They use their skills and intellect to uncover security flaws in a professional, ethical way. You'll usually find them in corporate offices in the security or IT departments. White hat hackers are employed by firms to constantly try to break down their cybersecurity measures, test their resilience, and suggest improvements. A white hat's motivations are clear-cut, and their work is backed up by the right certifications in ethical hacking and penetration testing.
The essence of their work isn't much different from how black hats would go about their tasks, with one basic difference - they never break into computer systems without the owner's permission.
Just like in classic literature, villains of the hacking world are also clad in black. Black hat hackers break into networks, computers and infrastructure for personal gain, or to advance the goals of the hacking collective they belong to. They wrote most of the malware commonly found on personal computers. They never ask owners for permission to explore their systems, and often get entangled in the business of stealing sensitive data and selling it on the black market. Make no mistake, they are the bad guys. At one end of the scale are ‘script kiddies’ – opportunistic hackers who fire out attacks en masse designed to exploit simple security flaws. It’s low effort but, because of the mind-boggling numbers of systems, servers, apps, mobile devices, PCs, etc. that are connected to the internet, don’t think that it’s low reward. At the other end of the scale are nation-state hacking teams. These are well-resourced, focussed teams of elite hackers that work for governments around the world. Whilst they mostly confine themselves to hacking other governments, their attacks often leak through to businesses as collateral damage.
Like some twisted hacking freelancers, grey hat hackers operate on their own terms, sometimes disregarding ethics to get to where they want to be. For example, a grey hat might break into the network of a big corporation without permission, mess around in there for a while, and then bring a report of their activity to the IT desk, expecting reimbursement. While they can't necessarily be considered malicious, grey hats won't bother getting a certificate in ethical hacking, as most of what they do is still considered illegal because they act without permission. Still, grey hats generally don't exploit the vulnerabilities they find, and prefer to capitalise on them with the system owner's knowledge.
What is Ethical Hacking?
Ethical hacking is the domain of white hat hackers, who work tirelessly in a loop of breaking into systems, pointing out vulnerabilities and making sure that malicious actors don't find them first. There is no agreed-upon, textbook definition of ethical hacking, but it can be explained as the practice of getting around security systems with their owner’s authorisation, in hopes of finding weaknesses before wrongdoers get to them. On top of that, ethical hacking also entails finding already existing security breaches and identifying looming threats. If you’re thinking this sounds like penetration testing, it’s because it is.
Is hiring hackers safe for my business?
A lot of business owners are reluctant to employ an ethical hacker because of the negative connotations of the term "hacker" itself. That's a big mistake on their part. As you learn more about the subject, you'll come to the realisation that hiring a hacker isn't only safe for your company, but also essential for maintaining information security in the office, as well as on the computers of your remote workers.
You could go down the private hire route, weeding out any potentially malicious elements by asking for an up-to-date ethical hacking certificate, or at least a recommendation from previous employers, during the hiring process. The network security professionals you want to chase after should have obtained the Certified Ethical Hacker (CEH) qualification from the EC-Council, which is the oldest and most renowned organisation that works in the field of ethical hacking.
However, a much more efficient, not to mention safer, approach is to go to a penetration testing company. They have teams of white hats ready and waiting to test an organisation’s infrastructure. They’ll have intensely vetted their ethical hackers, most of whom will be salaried employees. By choosing a penetration testing company you’ll benefit from the peace of mind that you’re getting a comprehensive security assessment from truly ethical hackers. Their broad experience will mean they’re also able to work with you to assess things like your scope – basically, what you want tested. Getting this stage right is often the difference between a meaningful test and a waste of money.
Rules and Regulations
First off, there are sets of laws that every aspiring ethical hacker needs to familiarise themselves with, in order to know what they can and can't do when tapping into a computer or network. While a singular code of ethics doesn't really exist when it comes to ethical hacking, there are a few rules that professionals in this area generally abide by:
- Do not act without the owner's permission
- Keep private information private
- Only use legally obtained software
- If you come across potential threats by accident, always inform the potential victims with no expectation of reimbursement
You won't just get hired on the spot without the right experience or education. A bachelor's degree in computer science or a related subject is an advantage, unless you've already got a year or two of real-life experience under your belt. Remember – malicious hacking doesn't count as experience, and you'd be wise not to brag about such exploits on your CV – especially if you're trying to get hired as an ethical hacker.
How to get certification for Ethical Hacking?
Increasing numbers of companies are recruiting for penetration testers, and Bulletproof has its accelerator/grad scheme to help young talent get a leg up in the industry. However, some will find it more challenging to break into the cyber security industry, and aspiring white-hat ethical hackers might have to start off as a systems administrator or a web developer. Don't treat it as a setback though, as these positions will prepare you well for the future with valuable knowledge of networks, apps and systems.
Why should you become an Ethical Hacker?
The short answer is that being a penetration tester is fun, rewarding, and pays well. The longer answer is that ethical hacking is the answer to many pressing security questions that stem from the accelerated transition of most human activity to the digital realm. The work of every single penetration tester is invaluable when it comes to patching up holes that could otherwise be exploited to ruin businesses and livelihoods. Automated technologies do exist, such as VA scans, but they’re no replacement for the human insight and ingenuity that goes into a penetration test, so automation is unlikely to make a pen tester redundant anytime soon.
Can Ethical Hackers prevent cyber attacks?
Cybersecurity measures for businesses
Penetration testing is the single most fundamental aspect of any ethical hacker's job. Infrastructure, network and application testing need to be performed regularly to continuously catch and report on loopholes and imperfections that might be vulnerable to hacking. Automated tools such as VA scans can be performed more frequently, such as weekly or monthly, but they’re no substitute for full penetration tests. Yearly pen tests are standard, though increasingly the argument for 6-monthly testing is being made.
Humans are hackable too
Not all of your employees are hackers or trained computer experts, and that's okay. Running a business requires personnel with various areas of expertise. But everyone in your organisation needs to have a basic knowledge of the cyber risks they face and responsibilities they have to their employer. A vast number of hacking attempts include social engineering, typically phishing, which is where a hacker tries to manipulate human psychology to help them breach your business. In a world where all technical cyber controls can be undone by a single click from a malicious link in an email, the right cyber awareness training is absolutely vital.
Social engineering hacks such as phishing often result in immense financial losses, to say nothing of the reputational damage – and all because a staff member could not distinguish a scam email from a genuine one. The time and effort it takes to train people to recognise these dangers is typically less than you think. Once again, ethical hackers can come to the rescue by simulating a phishing attack on your business. The results of this can feed into your security awareness training – essentially a human penetration test instead of a technical one. A simple exercise, but one that could save your organisation from ruin.
Proactivity is key to avoiding disaster
If there is one lesson to draw from the history of hacking, it is that hackers prey on ignorance and laziness more than on any computer exploit. Whether it is to steal credit card information, grab sensitive personal data or just to cause havoc, every time a successful attempt is carried out it’s because of an unremediated technical flaw or a gullible human. And, excluding the work of nation-state hacking teams and exotic 0-day flaws, preventing both of these attack vectors is well within a business’s reach. But it relies upon using the skills of ethical hackers to be proactive and secure your business before a malicious hacker strikes.