We hear the word hacking all the time but ethical hacking, penetration testing or pen testing not so much. I have had business owners looking at me with bemused expressions across their faces when I mention we do penetration testing at Meta Defence Labs. Non-technical people often look confused with the term penetration testing or ethical hacking and I always enjoy taking the time to explain what it is and the importance of IT security in today's highly connected world. Alarmingly this happens so often that I thought it would be a good non-technical topic for this weeks post.
In popular media today, hacking means gaining unauthorised access and control of a system by exploiting system vulnerabilities or a human via social engineering methods. Different hackers have different motives and for the attack to be successful they must have a vulnerability that can be exploited, a motive and method. Next the hack is executed to steal data, cause disruption or perform malicious acts that can lead to business reputational and financial losses.
Hacking has many stages;
Information gathering is where the hacker indirectly gains as much information as possible about the target they are planning to attack.
Scanning is where the attacker gets directly involved with the target system but still at the pre attack phase to gather in depth information on systems by extracting network data , live machine details, port details and any other information about the network that would be useful for gaining access.
Gaining Access to the target system and taking control by exploiting the earlier discovered vulnerabilities from the information gathering and scanning stages.
Maintaining access to the compromised systems to retain ownership of the systems they have gained control over. They have to protect this from other hackers and create backdoors to keep using that access to achieve their goals with the compromised system.
Clearing tracks while having continuous access to the owned systems is what most good hackers do, so they don’t get caught. They cover their tracks by overwriting system logs and deleting any evidence of their activities so that they can remain undetected. This is why it takes a long time for some businesses to identify they have been hacked. Good hackers don’t get caught easily and often the first time a company finds out they have been hacked is when company confidential data is leaked on the internet. A good example of this was the TalkTalk hack.
Hackers come in many forms and mostly with malicious and destructive intentions. They will use their computer skills to exploit vulnerabilities in systems and compromise security to gain unauthorised access to resources or cause harm. A hacker is usually an individual with excellent computer skills with abilities to probe the hardware and software of a computer system.
There are many classes of hackers;
Black hats are unethical hackers who cause damage with their malicious acts and are highly skilled individuals or groups.
White Hats are the good guys. They are usually security professionals who use their hacking skills for defensive purposes. They are also known as Ethical hackers or Information security professionals.
Grey hats are in between white hats and black hats, where they practice hacking both offensively and defensively.
There are also Script Kiddies who are unskilled and use freely available automated hacking tools developed by professionals. You may also have heard of suicide hackers, state sponsored hackers, cyber terrorists and hacktivists whose names are pretty self-explanatory. They all have one thing in common they are there to further their own agenda without concern of what damage they cause in the process.
Ethical Hackers use the same hacking tools and similar steps that hackers would use but the intentions are quite the opposite of a hacker. They will only perform the hacking techniques to identify the risks & vulnerabilities of a system once they have written permission from the authorities that own the system. They can help organisations to discover and fix their vulnerabilities to make sure that their systems are secure and constantly monitored for potential attacks.
Why do we need Ethical hackers?
Ethical hackers, also known as penetration/pen testers are the information security professionals trained to understand how cyber criminals operate and can help organisations to uncover vulnerabilities and risks to their systems by simulating attacks. The information gained from these penetration tests is then used to harden systems before the bad guys get to them and cause damage. This is a good security practice that will help organisations when strengthening their security posture by putting in placing the right security controls.