- Security TWENTY
- Women in Security Awards
Mark Amory of IT trainers and project managers QA discusses what ethical hackers do, and why.
The recent high profile cyber attack at Talk Talk highlights how breaches are becoming a fact of life for any organisation using the web for business. It’s the reason why many companies employ ethical hackers to test their cyber security and identify potential vulnerabilities that put confidential financial, security or customer data at risk.So, what does an ethical hacker do? And how does this differ from the nefarious activities of those individuals that break into computer systems and networks for gain – or to cause harm? In short, ethical hackers use the same methods as cyber-criminals but for entirely different motivations. Their role is to simulate attacks a malicious or criminal hacker could carry out, revealing potential security weaknesses and how these could be exploited so that steps can be taken to address these issues.
The crucial difference here, however, is that ethical hackers have express permission to proceed with their activities and can only undertake their work once legal contracts are in place and a full written scope of work has been created. Since ethical hacking involves practices that are technically illegal, these permissions are paramount to protecting all concerned. And, since ethical hackers will attempt to access the innermost secrets of the enterprise, it’s essential to ensure that practitioners employed in this role are trusted, hold appropriate certifications, and are approved by the EC-Council.
Is ethical hacking the same as penetration testing?
The ethical hacking process involves several methods, including vulnerability assessments to reveal security flaws – like outdated software, operational weaknesses or security bugs. And that’s when penetration testing can begin to exploit these flaws and reveal the extent of the vulnerability.
But the scope of an ethical hackers approach extends far beyond the technology alone. Ideally they’ll unearth information about your employees, suppliers, along with useful information like project names and site maps to pinpoint weak links in the security chain – which more often than not, is not the IT system itself but its users. Armed with these insights they’ll use this data to gain access either remotely via the network or in person by physically accessing an organisation’s facilities – or those of one of its business partners. Techniques employed will include password guessing and cracking, session hijacking and spoofing, denial-of-service attacks, exploiting buffer overflow vulnerabilities or SQL injection.
What happens once a breach is identified?
Having gained access, the ethical hacker will detail every step they’ve taken so that remedial work can be undertaken later to fix all identified access holes. What’s more, they’ll plant a back door or create new user accounts – just as an attacker would – to demonstrate they can return and access systems time and again. Finally, the ethical hacker will look to remove all evidence of their presence – deleting logs, user accounts and wiping audit trails. With cyber security issues changing on an almost daily basis, the need for IT specialists with accredited information security and ethical hacker skills is growing. According to some reports the average length of time from hacker intrusion to detection is typically around six months – but in some cases cyber criminals have gone undetected for years. For that reason ethical hacker teams are also being utilised to shut down what a hacker has done and investigate what information has been exposed.
Companies hire ethical hackers because they want to proactively test their security and improve the resilience of their networks. But keeping the enterprise safe depends on hiring specialists with approved certifications and ensuring all appropriate legal and scope of work frameworks are in place.