Ethical hacking – ad­dress­ing security breaches and pre­vent­ing cy­ber­crime

Ethical hacking has become in­creas­ingly important in recent years in the face of rapidly in­creas­ing cases of cy­ber­crime. Ever more companies, or­gan­isa­tions, and in­sti­tu­tions look for skilled cy­ber­se­cur­ity experts who can put their own security concept to the test by acting like “real” hackers.

In this defin­i­tion of ethical hacking, we explain what dis­tin­guishes this type of hacking and how it differs from illegal hacking. In addition, our overview takes a look at the areas of ap­plic­a­tion of ethical hacking and the special qual­i­fic­a­tions that define 'good' hackers.

Ethical hackers are in­form­a­tion security experts who break into IT systems by explicit as­sign­ment. Due to the consent of the ‘victim’, this variant of hacking is regarded as ethically jus­ti­fi­able. The aim of ethical hacking is to uncover weak­nesses in their digital systems and in­fra­struc­tures (e.g. software bugs), to assess security risks, and to con­struct­ively par­ti­cip­ate in the cor­rec­tion of dis­covered security flaws. A stress test for system security can take place at any time (i.e. even after an illegal hack). Ideally, however, ethical hackers should an­ti­cip­ate cyber criminals and in doing so prevent greater damage.

Ethical hacking, in contrast to ‘normal’ hacking with criminal motives also known as ‘white hat hacking’, focuses on pro­gram­ming weak­nesses and on con­cep­tu­al software design (bugs). For security tests, the focus is on, among other things, web ap­plic­a­tions and website security. Besides software, any hardware that is used can also be in­teg­rated into the system security testing process.

For their security checks, white hats partially use freely-available tools from the internet (e.g. the free version of Burp Suite), and partially self-written software. The latter guar­an­tees that security gaps and ma­nip­u­la­tion of the code of used programs can be excluded. Ethical hacking often results in concrete malicious code (in­di­vidu­al command sequences or a smaller program), which is called an exploit. The special code takes advantage of errors or weak­nesses found in the system and then causes a certain behaviour in the software, hardware, or other elec­tron­ic devices.

Char­ac­ter­ist­ic for an ethical hack is a special approach: On the part of the con­tract­or, the re­quire­ment of absolute trans­par­ency and integrity applies, es­pe­cially when sensitive areas (company and trade secrets, con­fid­en­tial customer data) are to be protected by ethical hacking. All relevant in­form­a­tion from hacks must be com­mu­nic­ated to the client, misuse or the passing on of company secrets must not take place.

Trans­par­ency usually includes detailed and complete doc­u­ment­a­tion, which documents the exact procedure, the results, and other relevant in­form­a­tion about the ethical hack. The detailed reports can also contain concrete re­com­mend­a­tions to take action, e.g. removal of malware or setting up a honeypot strategy. Ethical hackers also take care not to leave any weak points in the system that cyber criminals could exploit later.

In an ethical hacking situation, the clients can legally protect them­selves. Before beginning pen­et­ra­tion testing, companies should have a written agreement detailing the scope, legal re­quire­ments, ex­pect­a­tions, and the parties involved in place. The EC-Council, a global leader in cyber security cer­ti­fic­a­tion programs for ethical hackers, has laid out a practical code of eth­ic­al­ness Council code of ethics for this purpose.

With ethical hacking, the main dif­fer­ences to tra­di­tion­al (‘normal’) hacking is its ethical found­a­tion and the basic and general conditions of a hack. Ethically-motivated hacking aims to protect digital in­fra­struc­tures and con­fid­en­tial data from external attacks and con­struct­ively con­trib­utes towards improved in­form­a­tion security.

In contrast, ‘normal’ hacking focuses on de­struct­ive ob­ject­ives, i.e. in­filt­ra­tion and possibly even de­struc­tion of security systems. Lower motives such as personal en­rich­ment or the ac­quis­i­tion and spying on of con­fid­en­tial data are at the heart of most hacking attacks. Most hack attacks are ac­com­pan­ied by criminal action such as extortion, in­dus­tri­al espionage, or the sys­tem­at­ic paralysis of system-critical in­fra­struc­ture (even on a large scale). Nowadays, ‘evil’ hacks are in­creas­ingly being carried out by globally operating criminal or­gan­isa­tions, which, for example, use globally networked botnets for DDoS attacks . Moreover, a basic concern for many ‘bad hacks’ is to remain un­dis­covered and hidden.

At first glance, this dis­tinc­tion appears obvious and selective. On closer in­spec­tion, however, there are bor­der­line cases. For example, polit­ic­ally motivated hacks can pursue ethical-con­struct­ive, but also de­struct­ive goals. Depending on the interests and personal or political views, a different as­sess­ment can be made and a hack can be con­sidered ‘ethical’ or ‘unethical.’ For example, the covert intrusion of state in­vest­ig­a­tion au­thor­it­ies and secret services into computer systems of private in­di­vidu­als, public au­thor­it­ies, or other states has been crit­ic­ally discussed for several years.

Border crossing is also a form of ethical hacking, which is oriented toward the common good and the im­prove­ment of cy­ber­se­cur­ity, but at the same time takes place un­so­li­cited and without the 'target’s' knowledge. This kind of hacking is practiced by groups like the Cult of the Dead Cow (cDc), which is America’s oldest hacking group. The activ­it­ies of the as­so­ci­ation focus less on economic aspects than on feared negative effects on society and the data security of citizens.

As such, the cDc has played an in­stru­ment­al role in pushing internet security to the forefront and demo­crat­ising tech­no­logy. They have played an active role in many central issues by releasing code, testi­fy­ing to Congress, and launching companies that could help uncover security threats. But even if or­gan­isa­tions like the cDc do not want to harm their ‘victims’, disclose the results of a hack, and ex­pli­citly aim to educate the public, they remain in a legal grey zone.

If you look at ‘normal’ and ethical hacking from a purely technical per­spect­ive, it’s even more difficult to dis­tin­guish between the two. Tech­nic­ally, white hat hacking uses the same know-how and the same tech­niques and tools as ‘unethical’ hacking to detect weak­nesses in hardware and software as close as possible to the real world.

The line between ‘normal’ and ethical hacking is, therefore, rather blurry, and it’s certainly no co­in­cid­ence that in many young IT offenders can become respected security con­sult­ants and thought leaders in the industry when they’re older. There are also critics who fun­da­ment­ally reject ethical mo­tiv­a­tions as a dis­tin­guish­ing criterion and take the view that hacking per se should be condemned. Con­sequently, there is no jus­ti­fi­able dis­tinc­tion between a ‘good’ (= ethical) and an ‘evil’ (= unethical) hack.

However, this position ignores the positive effects and the often useful and necessary practice of ethical hacking. The community of the in­ter­na­tion­ally re­cog­nised cy­ber­se­cur­ity platform HackerOne, for example, elim­in­ated more than 72,000 security vul­ner­ab­il­it­ies in over 1,000 companies by May 2018. According to the Hacker-Powered Security Report 2018, the total number of reported critical security vul­ner­ab­il­it­ies increased by 26 percent in 2017. These figures show that white hat hacking is an important and proven tool in today’s fight against cy­ber­crime.

Ethical hackers are usually commissioned by or­gan­isa­tions, gov­ern­ments, and companies (e.g. tech­no­logy and in­dus­tri­al companies, banks, insurance companies) to search for security gaps and pro­gram­ming errors (bugs). They use the expertise of white hats fre­quently for so-called pen­et­ra­tion tests.

In pen tests, ethical hacking pen­et­rates an IT system in a targeted manner and shows possible solutions for improving IT security. A dis­tinc­tion is often made between IT in­fra­struc­ture and web ap­plic­a­tion pen­et­ra­tion tests. The former test and analyse server systems, Wi-Fi networks, VPN access, and firewalls, for example. In the field of web ap­plic­a­tions, network services, websites (e.g. web shops), customer ad­min­is­tra­tion portals, or systems for mon­it­or­ing servers and services are examined more closely. A pen­et­ra­tion test can refer to the network and ap­plic­a­tion level. Read Dive has put together a list of the 10 best companies in the US that offer pen­et­ra­tion testing, sim­u­lat­ing an attack on your system to determine any vul­ner­ab­il­it­ies.

The concrete routine tests of ethical hacks include the detection of open ports by means of port scans, the veri­fic­a­tion of the security of payment data (credit card data), logins and passwords, and the sim­u­la­tion of hacker attacks via the network. Since the TCP/IP protocol is usually used for this purpose, it’s also called IP-based pen­et­ra­tion testing. In pen­et­ra­tion tests, systems are often checked to see whether in­filt­rated viruses or Trojans can capture sensitive company data (company secrets, technical patents, etc.). Such strategies can be sup­ple­men­ted by social en­gin­eer­ing tech­niques, which take the human risk factor into account and ex­pli­citly examine the behaviour of employees in a security concept.

Standards have been es­tab­lished for con­duct­ing such pen­et­ra­tion tests. On an in­ter­na­tion­al level, the Open Source Security Testing Meth­od­o­logy Manual (OSSTMM) is among the most es­tab­lished bench­marks for security testing. In the United States, the National Institute of Standards and Tech­no­logy (NIST) is another force to be reckoned with, con­trib­ut­ing to security in­nov­a­tion of US or­gan­isa­tions. The framework guar­an­tees IT security in in­dus­tries from banking to energy.

There is no re­cog­nised, pro­fes­sion­al training to become an ethical hacker. However, the EC Council, which spe­cial­ises in security training and cyber security services, has developed a program to become a certified ethical hacker. The cor­res­pond­ing IT training courses are offered worldwide by various official partners and or­gan­isa­tions, and certified EC Council trainers are re­spons­ible for the im­ple­ment­a­tion.

The National Ini­ti­at­ive for Cy­ber­se­cur­ity Careers and Studies also offers a training program to become a certified ethical hacker (CEH). Com­plet­ing the course ‘proves that you have the skills to help the or­gan­isa­tion take pre-emptive measures against malicious attacks by attacking the system himself, all the while staying within legal limits’. Other re­cog­nised qual­i­fic­a­tions and cer­ti­fic­ates have been developed by Offensive Security (Offensive Security Certified Pro­fes­sion­al, OSCP) and the SANS Institute (Global In­form­a­tion Assurance Cer­ti­fic­a­tions, GIAC).

However, many pro­fes­sion­al hackers reject training-based cer­ti­fic­ates and classify them as not par­tic­u­larly practical. Yet, theses cer­ti­fic­ates offer an important point of reference for busi­nesses, as they enable them to better assess the ser­i­ous­ness of an ethical hacker. The cer­ti­fic­ates are also a signifier for the in­creas­ing pro­fes­sion­al­ism in the field. With rapidly in­creas­ing demand, ethical hackers can market them­selves more ef­fect­ively through cer­ti­fic­a­tion, receive offers for more lucrative jobs, and position them­selves as serious service providers, for example, by present­ing their skills on their own websites.

Cer­ti­fic­ates can be helpful for ethical hackers during the ac­quis­i­tion process, but they are not (yet) an absolute necessity. White hat hackers are currently mainly IT spe­cial­ists who usually have extensive knowledge in the following areas:

• Computer security
• Networks
• Different operating systems
• Pro­gram­ming and hardware know-how
• Basics of computer and digital tech­no­logy

In addition to these qual­i­fic­a­tions, a more extensive knowledge of the hacker scene, its mentality, and how its members act is helpful.

Of course, many who switch careers to hacking acquire the necessary knowledge for ethical hacking through self-study (e.g. through online research). IT pro­fes­sion­als who have acquired the basic knowledge through training as IT systems elec­tron­ics engineers or through a classic computer science degree are par­tic­u­larly suitable for demands of the job. As part of the Hacker-Powered Security Report 2018, 1,698 ethical hackers were asked about their training. At the time of the survey, almost 50 percent were working full-time in in­form­a­tion tech­no­logy. The focus was on hardware and, in par­tic­u­lar, software de­vel­op­ment. More than 40 percent of the IT pro­fes­sion­als had spe­cial­ised in security research. A high per­cent­age of those surveyed (25 percent) were still studying. In 2019, hacking was still mainly a side hustle. According to the 2020 Hacker Report by HackerOne, only 18 percent of those surveyed were working in ethical hacking full-time that year.

Ethical hackers don’t just work as external IT experts. Some companies train permanent IT spe­cial­ists in-house to become white hat hackers and ensure that their staff con­tinu­ally attend training and edu­ca­tion­al courses on (ethical) hacking and cyber security.

White hat hackers can find work contracts through a special tender process. Large companies such as Facebook, Google, and Microsoft use bug bounty programs, in which they precisely define the con­di­tions and re­quire­ments for cy­ber­at­tacks and bug-finding and sometimes offer suc­cess­ful hackers the prospect of con­sid­er­able financial rewards to detect security issues. Bug bounty programs often sup­ple­ment pen­et­ra­tion testing.

In­ter­na­tion­ally re­cog­nised mediation platforms such as HackerOne are often involved in the award of contracts. Their 2020 Hacker Report states that in 2019 alone, hackers earned ap­prox­im­ately $40 million. That means that a total of $82 million has been paid out since the HackerOne platform was es­tab­lished. Ethical hackers also acquire contracts using their own ini­ti­at­ive by ad­vert­ising their services online.

In times when cy­ber­crime is on the rise, ethical hacking is a re­com­men­ded business strategy for the pre­ven­tion and pro­tec­tion from such cy­ber­at­tacks. Targeted test attacks and practical pen­et­ra­tion tests can demon­strably optimise the security of an IT in­fra­struc­ture and, in doing so, prevent illegal hacking at an early stage. Clients who engage in ethical hacking can avoid the danger of op­er­a­tion­al blindness because outside experts approach hacks dif­fer­ently and may have different spe­cial­ist per­spect­ive or a different set of prior knowledge and un­der­stand­ing of the matter.

Small and medium-sized companies, in par­tic­u­lar, can gain access to security tech­no­logy know-how that may otherwise not be available to them. However, clients should always be aware that ethical hacking carries risks. Even if all the re­quire­ments of a ‘clean’ hack are adhered to, negative effects cannot always be excluded. For example, systems could be un­in­ten­tion­ally affected or even crash.

White hat hackers may also be able to access con­fid­en­tial and private data of third parties. The risk increases if no clear basic and general con­di­tions are defined, or hacks are not carried out com­pet­ently and carefully. Before an as­sign­ment is made, ethical hackers should be thor­oughly scru­tin­ised and carefully selected on the basis of proven expertise (e.g. a cer­ti­fic­ate).