Ethical hacking – addressing security breaches and preventing cybercrime

Ethical hacking has become increasingly important in recent years in the face of rapidly increasing cases of cybercrime. Ever more companies, organizations, and institutions look for skilled cybersecurity experts who can put their own security concept to the test by acting like “real” hackers.

In this definition of ethical hacking, we explain what distinguishes this type of hacking and how it differs from illegal hacking. In addition, our overview takes a look at the areas of application of ethical hacking and the special qualifications that define “good” hackers.

Ethical hackers are information securityexperts who break into IT systems by explicit assignment. Due to the consent of the “victim”, this variant of hacking is regarded as ethically justifiable. The aim of ethical hacking is to uncover weaknesses in their digital systems and infrastructures (e.g. software bugs), to assess security risks, and to constructively participate in the correction of discovered security flaws. A stress test for system security can take place at any time (i.e. even after an illegal hack). Ideally, however, ethical hackers should anticipate cyber criminals and in doing so prevent greater damage.

Ethical hacking, in contrast to “normal” hacking with criminal motives also known as “white hat hacking”, focuses on programming weaknesses and on conceptual software design (bugs). For security tests, the focus is on, among other things, web applications and website security. Besides software, any hardware that is used can also be integrated into the system security testing process.

For their security checks, white hats partially use freely-available tools from the internet (e.g. the free version of Burp Suite), and partially self-written software. The latter guarantees that security gaps and manipulation of the code of used programs can be excluded. Ethical hacking often results in concrete malicious code (individual command sequences or a smaller program), which is called an exploit. The special code takes advantage of errors or weaknesses found in the system and then causes a certain behavior in the software, hardware, or other electronic devices.

Characteristic for an ethical hack is a special approach: On the part of the contractor, the requirement of absolute transparency and integrity applies, especially when sensitive areas (company and trade secrets, confidential customer data) are to be protected by ethical hacking. All relevant information from hacks must be communicated to the client, misuse or the passing on of company secrets must not take place.

Transparency usually includes detailed and complete documentation, which documents the exact procedure, the results, and other relevant information about the ethical hack. The detailed reports can also contain concrete recommendations to take action, e.g. removal of malware or setting up a honeypot strategy. Ethical hackers also take care not to leave any weak points in the system that cyber criminals could exploit later.

In an ethical hacking situation, the clients can legally protect themselves. Before beginning penetration testing, companies should have a written agreement detailing the scope, legal requirements, expectations, and the parties involved in place. The EC-Council, a global leader in cyber security certification programs for ethical hackers, has laid out a practical code of ethicalness Council code of ethics for this purpose.

With ethical hacking, the main differences to traditional (“normal”) hacking is its ethical foundation and the basic and general conditions of a hack. Ethically-motivated hacking aims to protect digital infrastructures and confidential data from external attacks and constructively contributes towards improved information security.

In contrast, “normal” hacking focuses on destructive objectives, i.e. infiltration and possibly even destruction of security systems. Lower motives such as personal enrichment or the acquisition and spying on of confidential data are at the heart of most hacking attacks. Most hack attacks are accompanied by criminal action such as extortion, industrial espionage, or the systematic paralysis of system-critical infrastructure (even on a large scale). Nowadays, “evil” hacks are increasingly being carried out by globally operating criminal organizations, which, for example, use globally networked botnets for DDoS attacks . Moreover, a basic concern for many “bad hacks” is to remain undiscovered and hidden.

At first glance, this distinction appears obvious and selective. On closer inspection, however, there are borderlinecases. For example, politically motivated hacks can pursue ethical-constructive, but also destructive goals. Depending on the interests and personal or political views, a different assessment can be made and a hack can be considered “ethical” or “unethical”. For example, the covert intrusion of state investigation authorities and secret services into computer systems of private individuals, public authorities, or other states has been critically discussed for several years.

Border crossing is also a form of ethical hacking, which is oriented toward the common good and the improvement of cybersecurity, but at the same time takes place unsolicited and without the “target’s” knowledge. This kind of hacking is practiced by groups like the Cult of the Dead Cow (cDc), which is America’s oldest hacking group. The activities of the association focus less on economic aspects than on feared negative effects on society and the data security of citizens.

As such, the cDc has played an instrumental role in pushing internet security to the forefront and democratizing technology. They have played an active role in many central issues by releasing code, testifying to Congress, and launching companies that could help uncover security threats. But even if organizations like the cDc do not want to harm their “victims”, disclose the results of a hack, and explicitly aim to educate the public, they remain in a legal grey zone.

If you look at “normal” and ethical hacking from a purely technical perspective, it’s even more difficult to distinguish between the two. Technically, white hat hacking uses the same know-how and the same techniques and tools as “unethical” hacking to detect weaknesses in hardware and software as close as possible to the real world.

The line between “normal” and ethical hacking is, therefore, rather blurry, and it’s certainly no coincidence that in many young IT offenders can become respected security consultants and thought leaders in the industry when they’re older. There are also critics who fundamentally reject ethical motivations as a distinguishing criterion and take the view that hacking per se should be condemned. Consequently, there is no justifiable distinction between a “good” (= ethical) and an “evil” (= unethical) hack.

However, this position ignores the positive effects and the often useful and necessary practice of ethical hacking. The community of the internationally recognized cybersecurity platform HackerOne, for example, eliminated more than 72,000 security vulnerabilities in over 1,000 companies by May 2018. According to the Hacker-Powered Security Report 2018, the total number of reported critical security vulnerabilities increased by 26 percent in 2017. These figures show that white hat hacking is an important and proven tool in today’s fight against cybercrime.

Ethical hackers are usually commissioned by organizations, governments, and companies (e.g. technology and industrial companies, banks, insurance companies) to search for security gaps and programming errors (bugs). They use the expertise of white hats frequently for so-called penetration tests.

In pentests, ethical hacking penetrates an IT system in a targeted manner and shows possible solutions for improving IT security. A distinction is often made between IT infrastructure and web application penetration tests. The former test and analyze server systems, Wi-Fi networks, VPN access, and firewalls, for example. In the field of web applications, network services, websites (e.g. web shops), customer administration portals, or systems for monitoring servers and services are examined more closely. A penetration test can refer to the network and application level. Read Dive has put together a list of the 10 best companies in the US that offer penetration testing, simulating an attack on your system to determine any vulnerabilities.

The concrete routine tests of ethical hacks include the detection of open ports by means of port scans, the verification of the security of payment data (credit card data), logins and passwords, and the simulation of hacker attacks via the network. Since the TCP/IP protocol is usually used for this purpose, it’s also called IP-based penetration testing. In penetration tests, systems are often checked to see whether infiltrated viruses or Trojans can capture sensitive company data (company secrets, technical patents, etc.). Such strategies can be supplemented by social engineering techniques, which take the human risk factor into account and explicitly examine the behavior of employees in a security concept.

Standards have been established for conducting such penetration tests. On an international level, the Open Source Security Testing Methodology Manual (OSSTMM) is among the most established benchmarks for security testing. In the United States, the National Institute of Standards and Technology (NIST) is another force to be reckoned with, contributing to security innovation of US organizations. The framework guarantees IT security in industries from banking to energy.

There is no recognized, professional training to become an ethical hacker. However, the EC Council, which specializes in security training and cyber security services, has developed a program to become a certified ethical hacker. The corresponding IT training courses are offered worldwide by various official partners and organizations, and certified EC Council trainers are responsible for the implementation.

The National Initiative for Cybersecurity Careers and Studies also offers a training program to become a certified ethical hacker (CEH). Completing the course “proves that you have the skills to help the organization take preemptive measures against malicious attacks by attacking the system himself, all the while staying within legal limits”. Other recognized qualifications and certificates have been developed by Offensive Security (Offensive Security Certified Professional, OSCP) and the SANS Institute (Global Information Assurance Certifications, GIAC).

However, many professional hackers reject training-based certificates and classify them as not particularly practical. Yet, theses certificates offer an important point of reference for businesses, as they enable them to better assess the seriousness of an ethical hacker. The certificates are also a signifier for the increasing professionalism in the field. With rapidly increasing demand, ethical hackers can market themselves more effectively through certification, receive offers for more lucrative jobs, and position themselves as serious service providers, for example, by presenting their skills on their own websites.

Certificates can be helpful for ethical hackers during the acquisition process, but they are not (yet) an absolute necessity. White hat hackers are currently mainly IT specialists who usually have extensive knowledge in the following areas:

• Computer security
• Networks
• Different operating systems
• Programming and hardware know-how
• Basics of computer and digital technology

In addition to these qualifications, a more extensive knowledge of the hacker scene, its mentality, and how its members act is helpful.

Of course, many who switch careers to hacking acquire the necessary knowledge for ethical hacking through self-study (e.g. through online research). IT professionals who have acquired the basic knowledge through training as IT systems electronics engineers or through a classic computer science degree are particularly suitable for demands of the job. As part of the Hacker-Powered Security Report 2018, 1,698 ethical hackers were asked about their training. At the time of the survey, almost 50 percent were working full-time in information technology. The focus was on hardware and, in particular, software development. More than 40 percent of the IT professionals had specialized in security research. A high percentage of those surveyed (25 percent) were still studying. In 2019, hacking was still mainly a side hustle. According to the 2020 Hacker Report by HackerOne, only 18 percent of those surveyed were working in ethical hacking full-time that year.

Ethical hackers don’t just work as external IT experts. Some companies train permanent IT specialists in-house to become white hat hackers and ensure that their staff continually attend training and educational courses on (ethical) hacking and cyber security.

White hat hackers can find work contracts through a special tender process. Large companies such as Facebook, Google, and Microsoft use bug bounty programs, in which they precisely define the conditions and requirements for cyberattacks and bug-finding and sometimes offer successful hackers the prospect of considerable financial rewards to detect security issues. Bug bounty programs often supplement penetration testing.

Internationally recognized mediation platforms such as HackerOne are often involved in the award of contracts. Their https://www.hackerone.com/resources/reporting/the-2020-hacker-report - external-link-window "Results and download of the 2020 Hacker Report">2020 Hacker Report states that in 2019 alone, hackers earned approximately $40 million. That means that a total of $82 million has been paid out since the HackerOne platform was established. Ethical hackers also acquire contracts using their own initiative by advertising their services online.

In times when cybercrime is on the rise, ethical hacking is a recommended business strategy for the prevention and protection from such cyberattacks. Targeted test attacks and practical penetration tests can demonstrably optimize the security of an IT infrastructure and, in doing so, prevent illegal hacking at an early stage. Clients who engage in ethical hacking can avoid the danger of operational blindness because outside experts approach hacks differently and may have different specialist perspective or a different set of prior knowledge and understanding of the matter.

Small and medium-sized companies, in particular, can gain access to security technology know-how that may otherwise not be available to them. However, clients should always be aware that ethical hacking carries risks. Even if all the requirements of a “clean” hack are adhered to, negative effects cannot always be excluded. For example, systems could be unintentionally affected or even crash.

White hat hackers may also be able to access confidential and private data of third parties. The risk increases if no clear basic and general conditions are defined, or hacks are not carried out competently and carefully. Before an assignment is made, ethical hackers should be thoroughly scrutinized and carefully selected on the basis of proven expertise (e.g. a certificate).