Written By: Kym Pasqualini, Feature Crime Writer for Lauth Investigations
The word “hacking” almost always has negative connotations. It seems the mention of Chinese hacking, Russian hacking, or DNC hacking receives constant mention in our 24-hour news cycle.
Ethical hacking is also referred to as penetration testing, intrusion testing and red teaming, coined by the government during the 1970’s when they first hired ethical hackers to break into the United States government’s computer systems to test for vulnerabilities.
It is estimated “hackers” cost the United States more than $445 billion annually.
In a Fortune article “Data Breaches Now Cost $4 Million on Average,” according to IBM’s security division, the cost of a breach per incident has risen to $4 million, up 29% since 2013. “We’re now in a mode where these attacks are going to happen even to people that are well prepared,” said Caleb Barlow, a vice president at IBM Security.
According to Fortune, hackers and cybercriminals cause most breaches, and more than half of data exposures are caused by malicious attacks; the rest are caused by mistakes or glitches.
Ethical hacking is a growing profession utilized by the United States government, technology companies and other institutions.
In the field, experts refer to three major types of hackers:
- White Hats: Security professionals or “ethical hackers” who use their expertise to strengthen a network and secure it from criminals.
- Black Hats: Malicious hackers or “crackers” who use their skills for malevolent purposes. White hats work to protect computer structures from the Black Hats.
- Gray Hats:Iindividuals who become white or black hats depending upon the circumstances and generally proclaim being an ethical hacker.
Many large corporations, such as IBM, employ teams of ethical hackers to keep their IT systems secure.
Why Ethical Hacking is Important
With every breach reported in the media, the need for more effective information security is becoming increasingly evident.
New technologies such as cloud computing, IT outsourcing, and enterprises must adjust their security practices and policies to combat the threat of malicious hacking. To combat threats, ethical hacking is rapidly gaining attention as an essential security practice to be performed on a regular basis.
In a public white paper entitled, “The Importance of Ethical Hacking: Emerging Threats Emphasize the Need for Holistic Treatment,” by Frost & Sullivan, it discusses top technical concerns and the role of ethical hacking in an enterprise architecture.
“The increased sophistication and success rate for recent cyber-attacks is directly related to the shift in the attacker profile, indicating that nation-states and large criminal organizations are funding well organized, highly motivated, and well-trained teams of programmers,” said Chris Rodriguez, Analyst for Frost and Sullivan. “The elevated threat landscape therefor, urgently dictates the need for a comprehensive, real-world assessment of an organization’s security posture,” said Rodriguez.
Ethical hacking provides objective analysis of an organization’s security stance for organizations of any size. Ethical hacking has become a mainstream service, as companies of all sizes pursue expert, objective, third -party analysis.
What is an Ethical Hacker?
Ethical hacking is an ambiguous term used to describe hacking performed by an individual or organization to help penetrate or gain access to identifying potential threats on a computer or a network infrastructure. In short, ethical hackers are simply computer programmers who use their skills in a constructive manner.
Ethical hackers can attempt to bypass security systems to isolate weak points malicious hackers could exploit. In the effort to eliminate or reduce potential criminal hacks, the information gained by the ethical hacker is then used by the company to make improvements to security.
Some may say there is no such thing as an “ethical” hacker. Simply “hacking is hacking” but the most notable hackers are known publicly as cybercriminals or computer criminals because of the damage they inflict on companies and individuals nationwide.
A highly publicized hacking incident where personal information is compromised can damage a company or organization for years.
A cybersecurity professional can have a range of expertise, anywhere from maintenance, administration, architecture, forensic investigation of secure networked systems that are increasingly necessary for the sake of operation of businesses, nonprofits, governments and medical, and educational institutions.
Even training is offered by the International Council for E-Commerce Consultants (EC-Council). The Certified Ethical Hacker (CEH) exam is made up of approximately 125 multiple choice questions and costs about $500 with additional IT certifications available. Training is entirely voluntary.
For hacking to be ethical, a hacker must abide by the following informal rules:
- Permission to access the network to identify potential security threats.
- Respect individual’s right to privacy.
- Treat all data, material, and findings as confidential.
Ethics play a vital role in hacking and differentiating innocent activities from computer crimes. Hacking is ethical if the skills are used to enhance a network system. But the issue of ethics can be very risky when one does not know a person’s motivations. With no formal code of ethics or code of honor, this void creates external forces to determine how to respond when ethical predicaments arise.
An ethical hacker will ensure the client’s IT system is properly evaluated for security issues and vulnerabilities, while protecting sensitive, personal and confidential or proprietary information. While accessing an organization’s system, the respected ethical hacker’s integrity will guide the actions of the ethical hacker.
While ethical hacking presents advantages to increase security to protect IT systems and assets, any organization implementing ethical hacking must consider any negative impacts that may arise from the practice.
An ethical hacker is typically contracted to hack the organization’s system. Hiring outside is usually preferred to start from scratch and simulate potential external hacks.
While there is an advantage of ethical hacking because it supports the organization’s efforts to gain more knowledge about the IT Security by identifying vulnerabilities, the main disadvantage is it presents risks of information disclosure. An outsider could intentionally or unintentionally disclose a company’s proprietary information to outside parties.
A dark side always is present where dishonest people will attempt to exploit others. Some risks of working with ethical hackers include:
- The ethical hacker using their skills to conduct malicious hacking activities.
- Massive security breaches.
- Potential the ethical hacker will place malicious code, malware, viruses or other potentially damaging things on a computer system.
- Allowing company’s financial, banking, or other proprietary information will be accessed.
Working with an Ethical Hacker
The benefits of working with an ethical hacker are obvious; however, many are overlooked, ranging from simply preventing malicious hacking to preventing national security breaches.
Before implementing any ethical hacking, an organization must ensure the ethical hacker understands the nature of the client’s business, computer or network system. This will help guide the ethical hacker in handling any sensitive confidential or proprietary information they may encounter.
The leadership in a company or organization must determine the sensitivity or confidentiality of the information involved. This will help ensure the ethical hacker does not violate laws, rules or regulations in handling sensitive personal, financial or proprietary information.
There are several guidelines to use when working with an ethical hacker:
- An ethical hacker should create a plan including: identifying all networks and components they will test; detail testing intervals; detail testing process.
- Require transparency while working with an ethical hacker, requiring all relevant information be reported while the system or network is being accessed. Transparency ensures the client to make immediate decisions and take necessary actions to maintain the security of the system or network.
- Establish target areas with written work agreements requiring the ethical hacker not to work beyond those parameters to minimize exposure of sensitive information. The ethical hacker should not access other areas on the computer or networks not specified in the agreement.
- Developing a non-disclosure agreement may be in order prior to contracting with an ethical hacker.
There are legal risks to include lawsuits involving disclosure of personal and confidential information possibly leading to a legal battle involving the organization and the hacker if the work is not done properly. Also, if the hacker makes errors compromising the IT network or company security, it is possible to negatively impact the organization’s general operations and profitability.
With cyberspace growing exponentially over the last decade, complex legal issues have led to the birth of a highly specialized branch of law. Cyber Law or Internet Law pertains to Internet and computer technology related offenses, especially copyright infringement and fraud that involve computers, software, hardware, and information systems (IS).
The Information and Technology Act, 2000 (IT Act) covers all types of cyber-crime, including hacking as provided under sections 43 and 66 which covers negligence and computer-related offenses.
Cyber Law prevents or reduces large-scale damage from cybercriminal activities by protecting information access, communications, privacy and intellectual property.
Ethical hacking is rapidly gaining attention as an essential business practice. Regardless of risks, companies large and small benefit from the work of ethical hackers by protecting a company’s most valuable data and protecting their bottom line.