It’s easy to take the simple view that all hackers are bad guys out to cause data breaches and deploy ransomware. This isn’t true, though. There are plenty of bad-guy hackers out there, but some hackers use their skills ethically and legally. An “ethical hacker” is a hacker who hacks within the remit of a legal agreement with the legitimate system owner.
Tip: As the opposite of a black hat hacker, an ethical hacker is often called a white hat hacker.
The core of this is an understanding of what makes hacking illegal. While there are variations around the globe, most hacking laws boil down to “it is illegal to access a system if you don’t have permission to do so.” The concept is simple. The hacking actions themselves aren’t illegal; performing them without permission is. That means permission can be granted to allow you to do something that would otherwise be illegal.
This permission can’t just come from any random person on the street or online. It can’t even come from the government (though intelligence agencies operate under slightly different rules). Permission needs to be granted by the legitimate system owner.
Tip: To be clear, “legitimate system owner” doesn’t necessarily refer to the person who bought the system. It refers to someone who legitimately has the legal responsibility to say, “this is OK for you to do.” Typically this will be the CISO, CEO, or the board, though the ability to grant permission can also be delegated further down the chain.
While permission could simply be given verbally, this is never done in practice. As the person or company performing the test would be legally liable for any testing they were not authorized to perform, a written contract is required.
Scope of Actions
The importance of the contract cannot be overstated. It is the only thing granting the ethical hacker’s actions legality. The contract grants indemnity for the actions specified and against the targets specified. As such, it is essential to understand the contract and what it covers, as going outside the scope of the contract means going outside the scope of the legal indemnity and breaking the law.
If an ethical hacker strays outside the contract’s scope, they are walking a legal tightrope. Anything they do there is technically illegal. In many cases, such a step would be accidental and quickly self-caught. When handled appropriately, this may not necessarily be an issue, but depending on the situation, it certainly could be.
The contract doesn’t necessarily need to be specifically tailored. Some companies offer a bug bounty scheme. This involves publishing an open contract, allowing anyone to try to ethically hack their system, as long as they play by the specified rules and report any issue they identify. Reported issues, in this case, are typically rewarded financially.
Types of Ethical Hacking
The standard form of ethical hacking is the “penetration test,” or pentest. This is where one or more ethical hackers are engaged to try to penetrate the security defenses of a system. Once the engagement is complete, the ethical hackers, called pentesters in this role, report their findings to the client. The client can use the details in the report to fix the identified vulnerabilities. While individual contractors do this work, many pentesters are internal company staff, or a specialist pentesting firm is hired.
Tip: It’s “pentesting” not “pen testing.” A penetration tester doesn’t test pens.
In some cases, testing whether one or more applications or networks are secure isn’t enough. In this case, more in-depth tests may be performed. A red-team engagement typically involves testing a much broader range of security measures. Actions can include performing phishing exercises against employees, trying to social engineer your way into a building, or even physically breaking in. While each red-team exercise varies, the concept is typically much more of a worst-case “so what if” test, along the lines of “this web application is secure, but what if someone just walks into the server room and takes the hard drive with all the data on it?”
Pretty much any security issue that could be used to harm a company or system is theoretically open to ethical hacking. This assumes that the system owner grants permission, however, and that they are ready to pay for it.
Giving Things to the Bad Guys?
Ethical hackers write, use, and share hacking tools to make their lives easier. It is fair to question the ethics of this, as black hats could co-opt these tools to wreak more havoc. Realistically, though, it is perfectly reasonable to assume that the attackers already have these tools, or at least something like them, as they too try to make their lives easier. Withholding tools in the hope of making things harder for black hats is relying on security through obscurity. This concept is deeply frowned upon in cryptography and in most of the security world in general.
An ethical hacker may sometimes stumble across a vulnerability when browsing a website or using a product. In this case, they typically try to report it responsibly to the legitimate system owner. The key thing after that is how the situation is handled. The ethical thing to do is to disclose it privately to the legitimate system owner, allowing them to fix the problem and distribute a software patch.
Of course, an ethical hacker is also responsible for informing users affected by such a vulnerability so that they can make their own security-conscious decisions. Typically, a time frame of 90 days from private disclosure is seen as an appropriate amount of time to develop and publish a fix. While extensions can be granted if a little more time is needed, this isn’t guaranteed.
Even if a fix isn’t available, it can be ethical to detail the issue publicly. This, however, assumes that the ethical hacker has tried to disclose the issue responsibly and, generally, that they’re trying to inform normal users so that they can protect themselves. While some vulnerabilities may be detailed with working proof of concept exploits, this often isn’t done if a fix isn’t available yet.
Though this may not sound completely ethical, ultimately it benefits the user. In one scenario, the company is under enough pressure to deliver a timely fix, and users can update to a fixed version or at least implement a workaround. The alternative is that the company can’t deploy a fix for a severe security issue promptly. In this case, the user can make an informed decision about continuing to use the product.
An ethical hacker is a hacker who acts within the constraints of the law. Typically they are contracted or otherwise granted permission by the legitimate system owner to hack a system. This is done on the proviso that the ethical hacker will report the issues identified responsibly to the legitimate system owner so that they can be fixed. Ethical hacking is built on “set a thief to catch a thief.” By using the knowledge of ethical hackers, you can resolve the issues that black hat hackers could have exploited. Ethical hackers are also referred to as white hat hackers. Other terms may also be used in certain circumstances, such as “pentesters” for professionals hired to perform penetration tests.