Ethical hacking – ad­dress­ing security breaches and pre­vent­ing cy­ber­crime

Ethical hacking has become in­creas­ing­ly important in recent years in the face of rapidly in­creas­ing cases of cy­ber­crime. Ever more companies, or­ga­ni­za­tions, and in­sti­tu­tions look for skilled cy­ber­se­cu­ri­ty experts who can put their own security concept to the test by acting like “real” hackers.

In this de­f­i­n­i­tion of ethical hacking, we explain what dis­tin­guish­es this type of hacking and how it differs from illegal hacking. In addition, our overview takes a look at the areas of ap­pli­ca­tion of ethical hacking and the special qual­i­fi­ca­tions that define “good” hackers.

Ethical hackers are in­for­ma­tion security experts who break into IT systems by explicit as­sign­ment. Due to the consent of the “victim”, this variant of hacking is regarded as ethically jus­ti­fi­able. The aim of ethical hacking is to uncover weak­ness­es in their digital systems and in­fra­struc­tures (e.g. software bugs), to assess security risks, and to con­struc­tive­ly par­tic­i­pate in the cor­rec­tion of dis­cov­ered security flaws. A stress test for system security can take place at any time (i.e. even after an illegal hack). Ideally, however, ethical hackers should an­tic­i­pate cyber criminals and in doing so prevent greater damage.

Ethical hacking, in contrast to “normal” hacking with criminal motives also known as “white hat hacking”, focuses on pro­gram­ming weak­ness­es and on con­cep­tu­al software design (bugs). For security tests, the focus is on, among other things, web ap­pli­ca­tions and website security. Besides software, any hardware that is used can also be in­te­grat­ed into the system security testing process.

For their security checks, white hats partially use freely-available tools from the internet (e.g. the free version of Burp Suite), and partially self-written software. The latter guar­an­tees that security gaps and ma­nip­u­la­tion of the code of used programs can be excluded. Ethical hacking often results in concrete malicious code (in­di­vid­ual command sequences or a smaller program), which is called an exploit. The special code takes advantage of errors or weak­ness­es found in the system and then causes a certain behavior in the software, hardware, or other elec­tron­ic devices.

Char­ac­ter­is­tic for an ethical hack is a special approach: On the part of the con­trac­tor, the re­quire­ment of absolute trans­paren­cy and integrity applies, es­pe­cial­ly when sensitive areas (company and trade secrets, con­fi­den­tial customer data) are to be protected by ethical hacking. All relevant in­for­ma­tion from hacks must be com­mu­ni­cat­ed to the client, misuse or the passing on of company secrets must not take place.

Trans­paren­cy usually includes detailed and complete doc­u­men­ta­tion, which documents the exact procedure, the results, and other relevant in­for­ma­tion about the ethical hack. The detailed reports can also contain concrete rec­om­men­da­tions to take action, e.g. removal of malware or setting up a honeypot strategy. Ethical hackers also take care not to leave any weak points in the system that cyber criminals could exploit later.

In an ethical hacking situation, the clients can legally protect them­selves. Before beginning pen­e­tra­tion testing, companies should have a written agreement detailing the scope, legal re­quire­ments, ex­pec­ta­tions, and the parties involved in place. The EC-Council, a global leader in cyber security cer­ti­fi­ca­tion programs for ethical hackers, has laid out a practical code of eth­i­cal­ness Council code of ethics for this purpose.

With ethical hacking, the main dif­fer­ences to tra­di­tion­al (“normal”) hacking is its ethical foun­da­tion and the basic and general conditions of a hack. Ethically-motivated hacking aims to protect digital in­fra­struc­tures and con­fi­den­tial data from external attacks and con­struc­tive­ly con­tributes towards improved in­for­ma­tion security.

In contrast, “normal” hacking focuses on de­struc­tive ob­jec­tives, i.e. in­fil­tra­tion and possibly even de­struc­tion of security systems. Lower motives such as personal en­rich­ment or the ac­qui­si­tion and spying on of con­fi­den­tial data are at the heart of most hacking attacks. Most hack attacks are ac­com­pa­nied by criminal action such as extortion, in­dus­tri­al espionage, or the sys­tem­at­ic paralysis of system-critical in­fra­struc­ture (even on a large scale). Nowadays, “evil” hacks are in­creas­ing­ly being carried out by globally operating criminal or­ga­ni­za­tions, which, for example, use globally networked botnets for DDoS attacks . Moreover, a basic concern for many “bad hacks” is to remain undis­cov­ered and hidden.

At first glance, this dis­tinc­tion appears obvious and selective. On closer in­spec­tion, however, there are bor­der­line cases. For example, po­lit­i­cal­ly motivated hacks can pursue ethical-con­struc­tive, but also de­struc­tive goals. Depending on the interests and personal or political views, a different as­sess­ment can be made and a hack can be con­sid­ered “ethical” or “unethical”. For example, the covert intrusion of state in­ves­ti­ga­tion au­thor­i­ties and secret services into computer systems of private in­di­vid­u­als, public au­thor­i­ties, or other states has been crit­i­cal­ly discussed for several years.

Border crossing is also a form of ethical hacking, which is oriented toward the common good and the im­prove­ment of cy­ber­se­cu­ri­ty, but at the same time takes place un­so­licit­ed and without the “target’s” knowledge. This kind of hacking is practiced by groups like the Cult of the Dead Cow (cDc), which is America’s oldest hacking group. The ac­tiv­i­ties of the as­so­ci­a­tion focus less on economic aspects than on feared negative effects on society and the data security of citizens.

As such, the cDc has played an in­stru­men­tal role in pushing internet security to the forefront and de­moc­ra­tiz­ing tech­nol­o­gy. They have played an active role in many central issues by releasing code, tes­ti­fy­ing to Congress, and launching companies that could help uncover security threats. But even if or­ga­ni­za­tions like the cDc do not want to harm their “victims”, disclose the results of a hack, and ex­plic­it­ly aim to educate the public, they remain in a legal grey zone.

If you look at “normal” and ethical hacking from a purely technical per­spec­tive, it’s even more difficult to dis­tin­guish between the two. Tech­ni­cal­ly, white hat hacking uses the same know-how and the same tech­niques and tools as “unethical” hacking to detect weak­ness­es in hardware and software as close as possible to the real world.

The line between “normal” and ethical hacking is, therefore, rather blurry, and it’s certainly no co­in­ci­dence that in many young IT offenders can become respected security con­sul­tants and thought leaders in the industry when they’re older. There are also critics who fun­da­men­tal­ly reject ethical mo­ti­va­tions as a dis­tin­guish­ing criterion and take the view that hacking per se should be condemned. Con­se­quent­ly, there is no jus­ti­fi­able dis­tinc­tion between a “good” (= ethical) and an “evil” (= unethical) hack.

However, this position ignores the positive effects and the often useful and necessary practice of ethical hacking. The community of the in­ter­na­tion­al­ly rec­og­nized cy­ber­se­cu­ri­ty platform HackerOne, for example, elim­i­nat­ed more than 72,000 security vul­ner­a­bil­i­ties in over 1,000 companies by May 2018. According to the Hacker-Powered Security Report 2018, the total number of reported critical security vul­ner­a­bil­i­ties increased by 26 percent in 2017. These figures show that white hat hacking is an important and proven tool in today’s fight against cy­ber­crime.

Ethical hackers are usually commissioned by or­ga­ni­za­tions, gov­ern­ments, and companies (e.g. tech­nol­o­gy and in­dus­tri­al companies, banks, insurance companies) to search for security gaps and pro­gram­ming errors (bugs). They use the expertise of white hats fre­quent­ly for so-called pen­e­tra­tion tests.

In pentests, ethical hacking pen­e­trates an IT system in a targeted manner and shows possible solutions for improving IT security. A dis­tinc­tion is often made between IT in­fra­struc­ture and web ap­pli­ca­tion pen­e­tra­tion tests. The former test and analyze server systems, Wi-Fi networks, VPN access, and firewalls, for example. In the field of web ap­pli­ca­tions, network services, websites (e.g. web shops), customer ad­min­is­tra­tion portals, or systems for mon­i­tor­ing servers and services are examined more closely. A pen­e­tra­tion test can refer to the network and ap­pli­ca­tion level. Read Dive has put together a list of the 10 best companies in the US that offer pen­e­tra­tion testing, sim­u­lat­ing an attack on your system to determine any vul­ner­a­bil­i­ties.

The concrete routine tests of ethical hacks include the detection of open ports by means of port scans, the ver­i­fi­ca­tion of the security of payment data (credit card data), logins and passwords, and the sim­u­la­tion of hacker attacks via the network. Since the TCP/IP protocol is usually used for this purpose, it’s also called IP-based pen­e­tra­tion testing. In pen­e­tra­tion tests, systems are often checked to see whether in­fil­trat­ed viruses or Trojans can capture sensitive company data (company secrets, technical patents, etc.). Such strate­gies can be sup­ple­ment­ed by social en­gi­neer­ing tech­niques, which take the human risk factor into account and ex­plic­it­ly examine the behavior of employees in a security concept.

Standards have been es­tab­lished for con­duct­ing such pen­e­tra­tion tests. On an in­ter­na­tion­al level, the Open Source Security Testing Method­ol­o­gy Manual (OSSTMM) is among the most es­tab­lished bench­marks for security testing. In the United States, the National Institute of Standards and Tech­nol­o­gy (NIST) is another force to be reckoned with, con­tribut­ing to security in­no­va­tion of US or­ga­ni­za­tions. The framework guar­an­tees IT security in in­dus­tries from banking to energy.

There is no rec­og­nized, pro­fes­sion­al training to become an ethical hacker. However, the EC Council, which spe­cial­izes in security training and cyber security services, has developed a program to become a certified ethical hacker. The cor­re­spond­ing IT training courses are offered worldwide by various official partners and or­ga­ni­za­tions, and certified EC Council trainers are re­spon­si­ble for the im­ple­men­ta­tion.

The National Ini­tia­tive for Cy­ber­se­cu­ri­ty Careers and Studies also offers a training program to become a certified ethical hacker (CEH). Com­plet­ing the course “proves that you have the skills to help the or­ga­ni­za­tion take pre­emp­tive measures against malicious attacks by attacking the system himself, all the while staying within legal limits”. Other rec­og­nized qual­i­fi­ca­tions and cer­tifi­cates have been developed by Offensive Security (Offensive Security Certified Pro­fes­sion­al, OSCP) and the SANS Institute (Global In­for­ma­tion Assurance Cer­ti­fi­ca­tions, GIAC).

However, many pro­fes­sion­al hackers reject training-based cer­tifi­cates and classify them as not par­tic­u­lar­ly practical. Yet, theses cer­tifi­cates offer an important point of reference for busi­ness­es, as they enable them to better assess the se­ri­ous­ness of an ethical hacker. The cer­tifi­cates are also a signifier for the in­creas­ing pro­fes­sion­al­ism in the field. With rapidly in­creas­ing demand, ethical hackers can market them­selves more ef­fec­tive­ly through cer­ti­fi­ca­tion, receive offers for more lucrative jobs, and position them­selves as serious service providers, for example, by pre­sent­ing their skills on their own websites.

Cer­tifi­cates can be helpful for ethical hackers during the ac­qui­si­tion process, but they are not (yet) an absolute necessity. White hat hackers are currently mainly IT spe­cial­ists who usually have extensive knowledge in the following areas:

• Computer security
• Networks
• Different operating systems
• Pro­gram­ming and hardware know-how
• Basics of computer and digital tech­nol­o­gy

In addition to these qual­i­fi­ca­tions, a more extensive knowledge of the hacker scene, its mentality, and how its members act is helpful.

Of course, many who switch careers to hacking acquire the necessary knowledge for ethical hacking through self-study (e.g. through online research). IT pro­fes­sion­als who have acquired the basic knowledge through training as IT systems elec­tron­ics engineers or through a classic computer science degree are par­tic­u­lar­ly suitable for demands of the job. As part of the Hacker-Powered Security Report 2018, 1,698 ethical hackers were asked about their training. At the time of the survey, almost 50 percent were working full-time in in­for­ma­tion tech­nol­o­gy. The focus was on hardware and, in par­tic­u­lar, software de­vel­op­ment. More than 40 percent of the IT pro­fes­sion­als had spe­cial­ized in security research. A high per­cent­age of those surveyed (25 percent) were still studying. In 2019, hacking was still mainly a side hustle. According to the 2020 Hacker Report by HackerOne, only 18 percent of those surveyed were working in ethical hacking full-time that year.

Ethical hackers don’t just work as external IT experts. Some companies train permanent IT spe­cial­ists in-house to become white hat hackers and ensure that their staff con­tin­u­al­ly attend training and ed­u­ca­tion­al courses on (ethical) hacking and cyber security.

White hat hackers can find work contracts through a special tender process. Large companies such as Facebook, Google, and Microsoft use bug bounty programs, in which they precisely define the con­di­tions and re­quire­ments for cy­ber­at­tacks and bug-finding and sometimes offer suc­cess­ful hackers the prospect of con­sid­er­able financial rewards to detect security issues. Bug bounty programs often sup­ple­ment pen­e­tra­tion testing.

In­ter­na­tion­al­ly rec­og­nized mediation platforms such as HackerOne are often involved in the award of contracts. Their https://www.hackerone.com/resources/reporting/the-2020-hacker-report - external-link-window "Results and download of the 2020 Hacker Report">2020 Hacker Report states that in 2019 alone, hackers earned ap­prox­i­mate­ly $40 million. That means that a total of $82 million has been paid out since the HackerOne platform was es­tab­lished. Ethical hackers also acquire contracts using their own ini­tia­tive by ad­ver­tis­ing their services online.

In times when cy­ber­crime is on the rise, ethical hacking is a rec­om­mend­ed business strategy for the pre­ven­tion and pro­tec­tion from such cy­ber­at­tacks. Targeted test attacks and practical pen­e­tra­tion tests can demon­stra­bly optimize the security of an IT in­fra­struc­ture and, in doing so, prevent illegal hacking at an early stage. Clients who engage in ethical hacking can avoid the danger of op­er­a­tional blindness because outside experts approach hacks dif­fer­ent­ly and may have different spe­cial­ist per­spec­tive or a different set of prior knowledge and un­der­stand­ing of the matter.

Small and medium-sized companies, in par­tic­u­lar, can gain access to security tech­nol­o­gy know-how that may otherwise not be available to them. However, clients should always be aware that ethical hacking carries risks. Even if all the re­quire­ments of a “clean” hack are adhered to, negative effects cannot always be excluded. For example, systems could be un­in­ten­tion­al­ly affected or even crash.

White hat hackers may also be able to access con­fi­den­tial and private data of third parties. The risk increases if no clear basic and general con­di­tions are defined, or hacks are not carried out com­pe­tent­ly and carefully. Before an as­sign­ment is made, ethical hackers should be thor­ough­ly scru­ti­nized and carefully selected on the basis of proven expertise (e.g. a cer­tifi­cate).