Ethical hacking, which encompasses formal and methodical penetration testing, white hat hacking, and vulnerability testing, involves the same tools, tricks, and techniques that hackers use, but with one major difference: ethical hacking is performed with the target’s permission. The intent of ethical hacking is to discover vulnerabilities from a malicious attacker’s viewpoint in order to better secure systems. Ethical hacking is part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also verify that vendors’ claims about the security of their products are legitimate.
Hackers (or external attackers) try to compromise computers and sensitive information for ill-gotten gains, usually from the outside as unauthorized users. Hackers go for almost any system they think they can compromise. Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases an attacker’s status in hacker circles.
Malicious internal users
Malicious internal users (or internal attackers) try to compromise computers and sensitive information from the inside as authorized and “trusted” users. Malicious users go for systems they believe they can compromise for ill-gotten gains or revenge.
Malicious attackers are, generally speaking, both hackers and malicious users. For the sake of simplicity, I refer to both as hackers and specify hacker or malicious user only when I need to drill down further into their tools, techniques, and ways of thinking.
Ethical hackers (or good guys) hack systems to discover vulnerabilities to protect against unauthorized access, abuse, and misuse.
Hacker has two meanings:
- Traditionally, hackers like to tinker with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work both mechanically and electronically.
- In recent years, the word hacker has taken on a new meaning: someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into, or crack, systems with malicious intent. They are out for personal gain: fame, profit, and even revenge. They modify, delete, and steal critical information, often making other people miserable.
The good-guy (white hat) hackers don’t like being in the same category as the bad-guy (black hat) hackers. (In case you’re curious, the white hat and black hat terms come from old Western TV shows in which the good guys wore white cowboy hats and the bad guys wore black cowboy hats.) Gray hat hackers are a little bit of both. Whatever the case, most people have a negative connotation for the word hacker.
Many malicious hackers claim that they don’t cause damage but instead help others. Yeah, right. Malicious hackers are electronic thieves and deserve the consequences of their actions.
Defining malicious user
Malicious user, meaning a rogue employee, contractor, intern, or other user who abuses his or her privileges, is a common term in security circles and in headlines about information breaches. A long-standing statistic states that insiders carry out 80% of all security breaches. Whether this number is accurate is still questionable, but based on what I’ve seen and numerous annual surveys, an insider problem undoubtedly makes up the majority of all computer breaches.
The issue is not necessarily users “hacking” internal systems, but rather users who abuse the computer access privileges they’ve been given. Users ferret through critical database systems to glean sensitive information, e-mail confidential client information to the competition or other third parties, or delete sensitive files from servers that they probably didn’t need to have access to in the first place. There’s also the occasional ignorant insider whose intent is not malicious but who still causes security problems by moving, deleting, or corrupting sensitive information.
Malicious users are often ethical hackers’ worst enemies because they know exactly where to go to get the goods and don’t need to be computer savvy to compromise sensitive information. These users already have the access they need, and management trusts them without question.
Recognizing How Malicious Attackers Beget Ethical Hackers
You need protection from hacker shenanigans; you need (or need to become) an ethical hacker. An ethical hacker possesses the skills, mindset, and tools of a hacker but is also trustworthy. Ethical hackers perform the hacks as security tests for their systems based on how hackers might work.
Ethical hacking versus auditing
Many people confuse ethical hacking with security auditing, but there are big differences. Security auditing involves comparing a company’s security policies to what’s actually taking place. The intent of security auditing is to validate that security controls exist, typically using a risk-based approach. Auditing often involves reviewing business processes and might not be very technical. I often refer to security audits as “security checklists” because they’re usually based on (you guessed it) checklists.
Conversely, ethical hacking focuses on vulnerabilities that can be exploited. It validates that security controls do not exist. Ethical hacking can be both highly technical and nontechnical, and although you do use a formal methodology, it tends to be a bit less structured than formal auditing. If auditing continues to take place in your organization, you might consider integrating the ethical hacking techniques I outline into your auditing process.
If you choose to make ethical hacking an important part of your business’s risk management program, you really need to have a documented security testing policy. Such a policy outlines the type of ethical hacking that is done, which systems (such as servers, Web applications, laptops, and so on) are tested, and how often the testing is performed. Specific procedures for carrying out your security tests could outline the ethical hacking methodology I cover in this book. You might also consider creating a security standards document that outlines the specific security testing tools that are used and the specific dates your systems are tested each year. You might list standard testing dates, such as once per quarter for external systems and biannual tests for internal systems.
Compliance and regulatory concerns
Your own internal policies might dictate how company management views security testing, but you also need to consider the state, federal, and global laws and regulations that affect your business. Many of the federal laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) CIP requirements, and Payment Card Industry Data Security Standard (PCI DSS), require periodic and consistent security evaluations. Incorporating your ethical hacking into these required tests is a great way to meet the state and federal regulations and beef up your overall privacy and security compliance program.
This post contains content from the book Hacking For Dummies, 3rd Edition.