Ethical hacking, in which an organization uses the tools and practices of cyberattackers against their own systems, can be a valuable part of your cybersecurity strategy.
Cybersecurity has been important, in some form or another, since the birth of the internet. In the early days, data breaches and hacks were relatively rare occurrences. But, now they are risks that impact all businesses, government agencies and nonprofit foundations. As a result, it's essential for all organizations to employ a variety of tactics to protect the integrity of their data and digital assets.
Some of these strategies are standard operating procedure at this point – antivirus software, firewalls, encryption, vulnerability assessments, patch management and so on. Others are on the more unconventional end of the spectrum, yet they can be just as effective as their more standard counterparts in helping organizations bolster the efficacy of their cybersecurity. Ethical hacking, firmly belongs in the latter category, and can have great value as part of your network security strategy.
Ethical hacking 411: From the Wild West to consulting gigs
According to the Infosec Institute, ethical hacking represents any effort by an organization's IT and team (or third-party consultants) to replicate the actions attackers undertake to gain unauthorized access to the primary network. In so doing, the organization can discover and catalogue any vulnerabilities found in their security architecture and begin determining the best strategies for addressing those weak points. The practice is sometimes called white-hat hacking, as opposed to the malicious black-hat activities of those breaking into networks to get their hands on data, steal money or simply cause chaos.
If an ethical hacker suspected weak spots in a company's network and wanted to point them out altruistically, they would be expected to let the organization know well in advance and seek their approval. Simply put: For hacking to be ethical, it should be done legally. Many of those holding this vocation have earned the Certified Ethical Hacker designation, awarded by the International Council of Electronic Commerce Consultants, and maintain compliance with numerous corporate and government compliance requirements.
The majority of modern white-hat hacking takes place in highly controlled settings. In addition to receiving expressly communicated permission from the organization to be ethically hacked, those engaging in such infiltration activities are expected to:
- Immediately report on all flaws they uncover.
- Respect the privacy of the organization, its staff and customers or clients (or, in the case of a government or nonprofit, individuals benefiting from the organizations' services).
- Close any loopholes they open or exploit.
The difference between penetration testing and ethical hacking
Ethical hacking is sometimes confused with penetration testing. Both are white-hat techniques that can provide major value in vulnerability assessments and cybersecurity upgrades. But, it's important to point out their primary distinction. The key difference is that penetration testing is largely focused on discovery and isolation of vulnerabilities, whereas ethical hacking, in stark contrast to what its name implies, is a process that makes room for what happens well after vulnerabilities are found:
- In penetration testing, an engineer, coder or other expert attempts every possible method of breaking into the network of the organization they're working on behalf of, directly attacking all cyberdefenses currently in place (that are within scope). The point is to determine exactly where vulnerabilities are and what damage can be done once they're exploited. It's often conducted on a quarterly or annual basis.
- Meanwhile, an ethical hacker - most likely called a cybersecurity/infosec consultant, or something along those lines - works not only to find weaknesses in the network architecture but also to develop new strengths within it to aid its future. Ethical hackers help determine the best practices for safeguarding whatever vulnerabilities are discovered and implement them as regular behaviors going forward.
Key advantages of ethical hacking operations
As noted in Tenable Research's report Cyber Defender Strategies: What Your Vulnerability Assessment Practices Reveal, there's a disproportionate amount of research regarding cyberattackers' behavior, as opposed to insight into how security practitioners are responding. Thus, the biggest advantage of ethical hacking is it allows you to understand both the attacker and defender perspective. You can examine the anatomy of a cyberattack from both sides and gain a better sense of perspective. It can help an infosec team develop tools and strategies its members might not have thought of otherwise.
Include ethical hacking as part of a bigger toolbox
Ethical hacking is likely to become more prevalent in the future. The Black Hat Security Conference – a key gathering of white-hat hackers and cybersecurity experts, its name notwithstanding – celebrated its 20th anniversary two years ago. The prevalence of bug bounties further exemplifies the entrenchedness and value of white-hat tactics. For example, companies are offering tens of thousands of dollars to ethical hackers who can find vulnerabilities before cyberattackers wreak havoc. Even more notably, they are increasingly hiring white hats for lucrative security gigs.
Bringing on a white hat as a full-time consultant or offering bounties to independent bug hunters shouldn’t be the only component of your cybersecurity strategy. Instead, make ethical hacking part of your larger toolbox, used in conjunction with periodic penetration tests and ongoing vulnerability assessment and management practices.
Vulnerability scanning tools, such as Nessus Professional, are a critical element to an effective cybersecurity strategy, helping identify and carefully diagnose flaws in network security architecture.