Hacking is a term that's acquired a pretty poor reputation among the general public. Type the term into any stock photo search and you'll see page after page of anonymous, hooded young men hunched over keyboards in darkened rooms, usually with lines of matrix-style pseudo-code scrolling down the screen.
Yet, while the stereotype of people in basements dressed up like bank robbers trying to break down business' firewalls is far from the truth of today's increasingly-organized gangs, it isn't the only common misconception of people with these skills. In fact, there is another category of hacker you need to be aware of - those whose motives aren't based around greed or destruction, but who want to help defend businesses from their criminal counterparts.
Businesses have been taking advantage of these 'ethical hackers' for a while now with programs such as bug bounties, and they are increasingly bringing them on board more formally to test their defenses. For some, however, hacking is still hacking, regardless of their motives, so firms may have reservations about using them. But in today's environment, the need for them is greater than ever.
The need to understand your defenses
If you want to find out how safe a car is, you run a crash test and drive it at high speed into a solid wall. If you want to know how strong an airplane’s wing it, you hook up some pulleys and keep bending it until it snaps. And if you want to know how secure your IT network is, the best way is to have someone try to break into it - and that's where ethical hackers come in.
These ethical, or 'white-hat', hackers should be a fundamental part of any business' security testing. Independent, skilled individuals who have no prior knowledge or understanding of a company's systems are the best way of putting your defenses to the test. Bringing in people from outside the organization is vital because, often, those who have built the system are too close to it and may not be able to spot any gaps or flaws in their defenses.
How ethical hackings is different to penetration testing
Of course, the idea of testing security systems is not a novel one. Businesses have been using penetration testing for as long as there have been systems to defend. But while this term is sometimes used interchangeably with ethical hacking, there are a few key differences to be aware of, which can have a big influence on the results you get.
A penetration tester will often have a fairly narrow goal and remit. A business may have a new mobile application, for example, and ask their tester to look for any vulnerabilities. They are often given a limited amount of time to do their work and will only have access to the specified systems they are testing.
Ethical hacking on the other hand, is a more all-encompassing term. Ethical hackers won't have any restrictions on the tools or methods they can use, and will have the entirety of a firm's network as potential entry points. They may not have a brief any more specific than 'find a weakness' and will have as long as they need to plan and execute their attacks. This means that they can act and think much more like black hat hackers whose motives are less altruistic, and can spot vulnerabilities others may not have thought of.
The benefits of ethical hackers
While penetration testers will mimic the methods of hackers in a relatively controlled environment, ethical hackers have no such constraints, and can resort to tactics such as hacking into employees' social media accounts looking for shared passwords, or even using social engineering tactics like spear-phishing to get access to credentials.
This is why some people argue that 'ethical' hacking is actually nothing of the sort, and why you need strong protections in place if you're going to use them. Ethical hackers, unlike penetration testers, will usually have specific qualifications from a body such as the EC Council, which offers a Certified Ethical Hacker course, to give businesses peace of mind about their skills.
Ethical hacking is still something of a gray area. As well as those employed directly by businesses, there are also many independent hackers looking to cash in on bug bounties, or just see what can be done before alerting the business owners, which may cross the line into becoming illegal.
But the results they provide can be hugely informative. An ethical hacker commissioned by a business can produce a much more detailed report into the strengths and weaknesses of a network than those a penetration tester may pick up on, giving firms a much better insight into how their defenses perform in the real world.
Ultimately, to beat hackers, you have to think like them. So as long as there are black hats out there looking to steal information, extort businesses for money or just cause chaos, organizations will need to rely on white hats to find any weaknesses before real damage can be done.