Why are ethical hackers taught how to hack?

If you are a vegetarian I will apologise in advance for this analogy, but every tool can be used as a weapon. The bread knife that you use to spread butter on your toast, can also be used to kill, maim, or even remove screws in the absence of a screwdriver. Much the same, tools intended for intrusion prevention can also be used to compromise, infiltrate and deface the same systems they were intended to protect.

“To defend, you need to understand the attack.”

There is also great value in learning what it takes to compromise a system, and the level of complexities involved with that compromise. Understanding the effort required can also be an indication to the level of commitment, and the compounding level of dedication an attacker would require compromising your systems.

These indicators, and the understanding of the attack vectors can enable your organisation to determine where their threat actors and enemies will be coming from, and likely an idea of what organisation, or foreign intelligence service they may represent.

But not all threat vectors are from external sources, the most damaging threat vectors may also come from within your security perimeter, so it is also important to adopt and internal overwatch methodology to security, and man the perimeter walls facing outwards at the same time.

What is meant by ‘ethical’ hacking?

An ethical hacker generally works for, or under contract with, an organisation which wishes to understand the threat landscape associated with their information systems. The ethical hacker may employ the very same tools which an offensive hacker may adopt, but with the limitation of either working within a sandbox environment closely resembling the real system, or the real system itself. In both instances, the ethical hacker needs to document their progress, where they have modified or altered the system, and to what extent their efforts gained them access to the systems.

There are two major components to ethical hacking, one being the penetration test and the other being the vulnerability assessment. Both may seem like each other, but with the major exception of the objective.

A penetration test aims to gain control over a system through the exploitation of detected vulnerabilities. Conversely, a vulnerability assessment aims to find the exploitation vectors, determine if they are a threat then report those threats to the customer in the form of a vulnerability assessment report.

Ethical hackers may also be imposed with ground rules prior to conducting an assessment. These may contain limiters such as not attacking live payment systems or seek entry into the target system through an external entity (such as a banking payment gateway). There may also be start and stop dates between which the assessment may be conducted. Whilst the truest vulnerability test is best done unannounced, there is some level of negotiation required on a live organisation, even for an ethical hacker.

What cyberlaws are protecting the users, and the ethical hackers?

There are more laws prohibiting the act of hacking (even the ethical variety) than there are laws or accommodations to allow it. For this reason, it is imperative that an ethical hacker researches their target prior to conduct and establishes a written agreement between the two parties prior to even beginning to interact with a target system.

There are also other considerations and other possible victims who may be affected by a penetration test, or vulnerability assessment. These may include Internet Service Providers, mail providers, legitimate customers, and even employees of the target and associate companies.

If I find a vulnerability, what are my responsibilities?

Ethical hackers are generally required to disclose the vulnerabilities they have detected to their employer, or the contract provider for which they are working. Ethical hackers should not be hording vulnerabilities or hiding them from their reporting either.

There are some services available online against which you may legally hack systems, and there are also bug bounties against which a client will legally authorise specific hacks against their system in exchange for vulnerability disclosures. These disclosures may result in a payment to the attacker in the event of find a legitimate vulnerability.

Tools are available for documentation of system vulnerabilities, and these can be as simple as a word document, or even a screen recording from within Kali Linux. These documents are extremely valuable to an ethical hacker in demonstrating how a vulnerability was detected and exploited.

Want to know more?

If you would like to know more about Ethical Hacking, or even how to get onto the path of becoming a certified ethical hacker, please let us know. We would love to hear your questions and thoughts on the process.