Ethical Hacking: What It Is & Examples
An ethical hacker is a security expert who works to gain unauthorized access to a network, system, application, data, or device in an attempt to identify potential security vulnerabilities.
Ethical hacking is a means of finding and exploiting potential weak points in a computer network or system in order to fix these issues before a cyberattack occurs.
Ethical hackers follow the same routes that malicious hackers do in their attempts to breach a system. The difference is that they are doing so for legitimate purposes, while “black hat” hackers are doing so to commit cybercrime.
Ethical hacking can prevent breaches and cyberattacks by securing potential vulnerabilities within an organization’s infrastructure, system, or application.
What is ethical hacking?
Ethical hacking is a proactive measure for finding and determining if a system or computer network has security vulnerabilities. An ethical hacker, also called a white hat hacker, is a security professional who employs traditional hacking methods to attempt to compromise a system in an effort to identify and fix potential security risks.
Ethical hacking will often employ many of the same techniques as a malicious or bad actor to gain and maintain access to privileged information and systems. An ethical hacker is often tasked with thinking like a cybercriminal to determine where and how a system or application can be breached or attacked.
Ethical hacking can involve the following:
- Identifying vulnerabilities and security weaknesses within an organization’s systems and networks
- Preventing cyberattacks and keeping malicious cybercriminals from accessing and stealing sensitive and privileged data and information
- Designing and implementing security strategies to fix potential security weaknesses and shore up vulnerabilities
- Securing networks to help deter possible security breaches
- Safeguarding assets and information to instill trust in an organization
Essentially, ethical hacking is legally breaking into a system or computer to test and strengthen an organization’s cybersecurity.
Key concepts of ethical hacking
Ethical hackers need to follow specific protocols to remain above board and within the approved range of the assignment the organization is tasking them with. Concepts include the following:
- Remain legal and obtain approval. Ethical hacking requires that the security assessment be approved by the appropriate parties within an organization before the hack is performed.
- The scope must be clearly defined. The organization should set boundaries so the ethical hacker knows exactly what the scope of the assignment is and how to remain legal and within the bounds of the intended assessment.
- Data sensitivity must be respected. An ethical hack may often come in contact with sensitive information, and the ethical hacker will need to treat this data with care. Often, an organization will request that an ethical hacker sign a nondisclosure agreement and agree to set terms and conditions before performing the assessment.
- Vulnerabilities are reported. Whatever the ethical hack uncovers in terms of security vulnerabilities and risk factors should be reported to the organization.
- Give advice on securing systems. Once vulnerabilities are exposed, an ethical hacker should present options on how to fix these issues and make the system more secure from potential breaches or future attacks.
Types of hackers
There are three main types of hackers: a white hat hacker, black hat hacker, and gray hat hacker. There are also the lesser-known red hat hacker, green hat hacker, and blue hat hacker.
- White hat hacker: This ethical hacker is a hired cybersecurity professional whose intention is to legally attack a network, system, application, device, or program to find and expose potential vulnerabilities. The white hat hacker works with an organization to improve cybersecurity measures.
- Black hat hacker: These hackers have malicious intent and breach security systems, often to commit a form of cybercrime. A black hat hacker illegally breaks into a system to wreak havoc: to steal data, disrupt systems, conduct espionage, or destroy things.
- Gray hat hacker: This type of hacker is in between a black and a white hat hacker. They usually don’t have initial malicious intent; however, they are also illegally, or without the knowledge of the organization, attempting to breach a system or organization to find potential weaknesses.
If they find vulnerabilities, the gray hat hacker will often report this to the organization requesting payment to fix the issue. If payment is not produced, the gray hat hacker may become malicious.
- Red hat hacker: Often classified as vigilantes, a red hat hacker is the enemy of the black hat hacker, as they go straight after them in an attempt to shut them down and often disrupt or destroy their computers or systems.
- Green hat hacker: This is a newcomer to the scene. It is a novice who is learning the tools and techniques of hacking but lacks education and advanced technical skills.
- Blue hat hacker: There are two types of blue hat hackers: one is a novice whose motivation is revenge, and the other is a security professional contracted to find potential vulnerabilities in software.
Examples of ethical hacking
Ethical hacking often involves a form of penetration testing, or pen testing. This is an attempt to breach a system, operating system, application, server, network, program, or device. Penetration testing can involve internal or external testing as well as web application testing.
External testing involves testing for vulnerabilities as an outsider trying to get into an organization or system. This type of testing looks for issues with firewalls potentially being misconfigured, problems with third-party applications, or weaknesses in email servers.
Internal testing looks for possible issues within an organization, often related to human error and employee use. Human error is the most common cybersecurity threat to organizations and businesses. This can be due to weak passwords, vulnerability to phishing and social engineering scams, and failure to update systems and devices. Ethical hackers will look for ways to bait employees and search for potential security vulnerabilities.
Web application testing is a type of ethical hacking that looks for problems with websites and applications. This can ferret out potential bugs or security breaches with applications and websites before they are deployed or go live.
Phases of ethical hacking
Ethical hacking uses a variety of tools and techniques. It typically follows five main phases to attempt to breach a system or network.
These are the phases of ethical hacking:
- Reconnaissance: This is the information gathering phase, during which the hacker does not directly attack or attempt to breach the system of the target. Instead, the hacker is looking to glean as many details as possible on the target through both active and passive footprinting.
With active footprinting, the hacker uses tools to scan the network of the target. Passive footprinting searches the internet and the social media accounts of the target and its employees, using methods to collect information without directly accessing the target.
- Scanning: The information obtained in the first step is used to scan the network for vulnerabilities using port scanners, sweepers, network mappers, dialers, and vulnerability scanners. This phase of ethical hacking looks for the simplest way to access the network or system and find information.
- Gaining access: During this phase, the hacker will use all of the data gained during the first two steps to get unauthorized access to the target’s networks, systems, or applications through any means necessary. Social engineering and tools such as Metasploit are used for this. This is the actual hacking phase, also known as the “owning the system” phase.
- Zombie system: Once the ethical hacker has access to the system, the goal is to maintain this access and proceed with malicious activities, such as stealing records or databases, launching a DDoS attack, using the system as a launching pad to further exploit the infrastructure, installing a backdoor or Trojan to steal credentials and privileged information, and working to keep their access as long as possible without the target’s knowledge. The now “owned” system can be changed further so that legitimate personnel can no longer access it, making it a zombie.
- Evidence removal: This is the phase where the hacker clears their tracks, removing all evidence of having been in the system to avoid detection. The hacker will edit, delete, or corrupt registry values and logs. The hacker wishes to maintain a connection to the server without it being traced back to them.
Differences between ethical & malicious hacking
An ethical hacker is working with an organization in a legal manner to try and find security risks and vulnerabilities. Ethical hacking involves reporting these potential issues back to the organization, offering solutions for fixing the problems, and plugging possible leaks and weak spots.
Overall, ethical hacking can help to prevent cyberattacks and security breaches by finding problems before bad actors exploit them.
Malicious hacking, on the other hand, is used for illegitimate and illegal purposes, often to commit a crime. Cybercrime cost Americans over $4.2 billion in losses in 2020, the FBI reports.
A malicious hacker will gain unauthorized access to a system, computer, network, or application, and use this access to steal credentials, sensitive information, crash systems, insert malware, or otherwise wreak havoc. A malicious hacker is working for financial or personal gain.
Requirements to be an ethical hacker
There are several career paths for an ethical hacker, including penetration tester, security analyst, vulnerability assessor, security consultant, information security manager, and certified ethical hacker (CEH).
To earn the CEH designation, you will need to obtain a CEH v.11 from the EC-Council. You will need to possess the following skills:
- Strong working knowledge of computer systems and networks
- Solid foundation in information security and respective principles
- Understanding of cryptography and encryption techniques
- Adherence to professional conduct and a code of ethics
- Knowledge of common forms of cyberattacks as well as countermeasures and evasion tactics
- Proficiency in multiple coding languages, including Java, C and C++, Python, SQL, and PHP
- Understanding of security protocols for commonly used operating systems, including Windows, Mac, and Linux
- Knowledge of concepts, methodologies, and phases of ethical hacking
- Ability to perform preventative, corrective, and protective countermeasures for malicious attacks
- Ability to identify and decipher multiple types of passwords
- Ability to hack into systems and networks to assess vulnerabilities, with permission
Ethical hacking is a growing field with several different job title options. Typically, an ethical hacker can make around six figures. They will usually have at least a bachelor’s degree and several years of experience in the computer and cybersecurity field.
Additional resources
Aside from the EC-Council CEH certification for ethical hackers, there are several other options as well, including these:
- CompTIA Security+
- CCNA (Cisco Certified Network Associate) Security certification
- PEN-200, a penetration testing certification through OFFSEC (Offensive Security)
- GIAC certification
In the long run, ethical hacking can save companies and industries time, money, and the embarrassment of having to undo potential damage from a cyberattack.
An ethical hack can prevent potential breaches, shore up cyber defenses, and help organizations gain respect and trust within their respective industry. Customers and investors are more likely to partner with an organization that proves to take cybersecurity seriously and strives to maintain confidentiality and data integrity.
Ethical hacking can provide a solid way to achieve heightened security measures to keep networks, systems, servers, devices, applications, and programs secure and free from malicious intent or attack.
References
Why Human Error Is the #1 Cyber Security Threat to Businesses in 2021. (February 2021). The Hacker News.
Concepts of Ethical Hacking: A Survey. (April 2020). International Journal of Creative Research Thoughts (IJCRT).
FBI Releases the Internet Crime Complaint Center 2020 Internet Crime Report, Including COVID-19 Scam Statistics. (March 2021). Federal Bureau of Investigation (FBI).
Interview With a Cybersecurity Consultant. (January 2018). U.S. Bureau of Labor Statistics (BLS).
CompTIA Security+. CompTIA.
CCNA Security. (2022). Cisco Systems, Inc.
PEN-200. (2022). OffSec Services Limited.
GIAC Certifications: The Highest Standard in Cyber Security Certifications. (2022). GIAC.