While hacking is ordinarily considered an illegal activity, ethical hacking involves companies hiring highly trained cybersecurity experts for the express purpose of infiltrating their computer networks, systems and web applications. The logic behind these simulated cyberattacks is that they enable organizations to preemptively uncover vulnerabilities, anticipate the antics of cybercriminals and create disaster recovery plans based on “real-world” conditions.
Upon discovering a vulnerability, such as missing data encryption or cross-site scripting, these “white hat” hackers must document them and provide the organization with advice on remediation. A “black hat” hacker, on the other hand, is an unauthorized intruder who seeks to extract information or compromise a system.
“Ethical hacking starts with curiosity first,” said Anand Mohabir, founder and CEO of Elteni, a cybersecurity consulting firm. “If you’re a curious person by nature and if you like breaking things and fixing them from a technical perspective, then it’s probably for you.”
Even though these benign hackers are contracted by companies to perform penetration tests, becoming a Certified Ethical Hacker (CEH) doesn’t give one license to run amok. An ethical hack is carefully planned out, where the hacker enters into a legal agreement with the company stipulating what systems and applications they’re allowed to compromise, start and end times for the simulated cyberattack, the scope of work and protections for potential liability issues.
“We need to make sure that we have a legal basis to do these things and protect ourselves from legal recourse,” Mohabir explained. “So it is a very formal process when it comes to contracting these ethical hacking exercises.”
What are the benefits of ethical hacking?
There are three main benefits to ethical hacking.
- Finding vulnerabilities—Determining which security measures are effective, which ones need to be updated, and which ones contain vulnerabilities that can be exploited.
- Demonstrating methods used by cybercriminals—Showing executives the hacking techniques that malicious actors might use to attack their systems.
- Preparing for a cyberattack—Anticipating cyberattacks and buttressing weak spots in the organization’s cybersecurity infrastructure.
How does ethical hacking work?
Penetration testing is a form of ethical hacking that involves attempting to breach application systems, APIs, front-end/back-end servers, operating systems and more. Ethical hackers perform a range of penetration tests to determine an organization’s cybersecurity readiness, including internal testing, external testing and web application testing.
External tests are the most common type and involve someone outside of the organization attempting to infiltrate security systems. Misconfigured firewalls or vulnerabilities in third-party applications are commonplace vulnerabilities, and can cost an organization millions of dollars in financial and reputational damage. For example, an email server must be configured to stop employees from sending confidential documents to domains outside of the organization and require employees to protect their corporate email accounts with a strong password policy.
On the other hand, internal tests are designed to find weaknesses within the organization. In fact, employees represent the weakest link in cybersecurity as they are prone to social engineering—any type of psychological manipulation that induces people to divulge sensitive information. In 2020, almost a third of security breaches incorporated social engineering techniques, 90% of which were phishing attacks. Worse still, a report by Cisco found that spear phishing attacks account for 95% of breaches in enterprise networks. While phishing generally involves indiscriminately sending mass emails or text messages containing malicious URLs that download malware onto the victim’s device, spear phishing constitutes a targeted approach aimed at a specific individual, such as a C-level executive.
“People are creatures of habit, they reuse passwords, and they’re not very good at detecting social engineering attempts,” said Mohabir. “What we know is people generally trust other people, so we look to exploit that when we’re doing these types of tests.”
Ethical hackers need to get creative when it comes to ferreting out people-related vulnerabilities. For example, they can leave a mysteriously labeled USB drive on an employee’s desk to see if they’ll plug it into their computer, bait an employee over the phone into revealing customer information, or “even impersonate a pizza delivery guy and walk into somebody’s office.” In fact, dumpster diving is an important part of safeguarding an organization from a potential data breach. When improperly disposed of, trash from a business can contain hard drives, USB drives or hand-shredded checks that reveal confidential information.
Often, ethical hackers will help organizations put technical safeguards in place to mitigate the potential damages of social engineering, such as a data loss prevention (DLP) solution or strict policies around firewalls and web filtering. Employees also need to be trained to understand what cyber threats they might encounter and how to recognize social engineering.
The third type of penetration testing, known as web application testing, entails checking a website for potential bugs. This is a commonplace procedure in the software development life cycle before the site goes live. Specifically, web testing checks for non-functional requirements such as availability, reliability, security, performance and more, all of which can be compromised in the event of a cyberattack.
Some techniques that ethical hackers use to probe a system include the following:
- Scanning ports to find vulnerabilities using port scanning tools such as Nmap, Nessus or Wireshark to scan a company’s systems, identify open ports, study the vulnerabilities of each port and take remedial action. (A port is a communication endpoint that is associated with a specific process or service. Ports allow computers to differentiate between different kinds of traffic.)
- Examining patch installation processes to be sure they don’t introduce new vulnerabilities through software updates
- Attempting to evade intrusion detection systems, honeypots and firewalls
- Performing network traffic analysis and sniffing using appropriate tools
- Social engineering to manipulate end users and obtain information about an organization’s computing environment
How to get started in ethical hacking: bug bounty programs
Cyberattacks are so costly—IBM estimates that a single data breach costs a business $3.86 million on average—that some companies offer a financial reward to independent security researchers to find and report bugs back to the organization. These bugs are security exploits and vulnerabilities, but can also include process issues and hardware flaws. Bug bounty programs can be private (invite-only) or public (anyone can sign up). Major companies including Amazon, Apple, Facebook, Snapchat, Dropbox and more offer bug bounty programs. Most companies offer a minimum and maximum payout—Microsoft, for instance, pays a minimum of $15,000 for finding critical bugs, with rewards topping out at $250,000. However, bug bounty hacking is far from a get-rich-quick scheme. Breaking into a computer system is time-consuming and requires a great deal of advanced research into how operating systems and applications work, learning more about an organization’s technology stack, and developing and testing exploits.
“Ethical hackers spend a lot more time doing research than hacking,” said Mohabir. “The reason for that is we’re trying to develop a way into the client’s environment and that involves understanding how they operate, what systems they have, whether those systems are vulnerable to attacks and what kinds of exploits we can develop.”
While there is no formal education pathway towards becoming an ethical hacker, many start by obtaining a computer science degree or taking a course in cybersecurity, such as Springboard’s Cyber Security Career Track. Experience in network support, network engineering and information security are helpful to have before you obtain your Certified Ethical Hacker (CEH) certification from the International Council of Electronic Commerce Consultants.
“There’s a lot that comes into play when you’re trying to become an ethical hacker. You have to know how a network is designed and operated, how servers interact, how virtual machines, storage and firewalls work,” said Mohabir. “The reality is you at least have to know how systems interoperate so that you can reverse engineer them to find vulnerabilities and exploit them.”
Is cybersecurity the right career for you?
According to Cybersecurity Ventures, the cybersecurity industry is expected to have 3.5 million high-paying, unfilled jobs this year. With Springboard’s comprehensive Cyber Security Career Track, you’ll work 1:1 with an industry-mentor to learn key aspects of information technology, security software, security auditing, and finding and fixing malicious code. Learning units include subject-expert approved resources, application-based mini-projects, hands-on labs, and career-search related coursework.
The course will culminate in a multi-part capstone project that you can highlight on your resume for prospective employers or use to demonstrate your technical knowledge in your job interview. The learning materials will also help prepare you to pass the globally-recognized CompTIA Security+ certification so you stand out when applying for cybersecurity roles.
Learn more about Springboard’s Cyber Security Career Track here.