Loopholes are great. They allow people to squirm out of certain situations on technicalities, but sadly the converse is also true - they allow people to get into things that they shouldn’t. Loopholes in IT networks are weaknesses that can be exploited by hackers. Just because you don’t know the weak point exists, doesn’t mean an attacker can’t find it. It sent shivers down our spines to just write that, so let’s hear about the heroes in shining white hats that protect our systems through ethical hacking!
White Hat vs. Black hat
The difference between White Hat hackers and Black Hat hackers is derived almost entirely from intention. The motives behind Black hats are fairly easy to guess – they’re maliciously driven. Black Hats exploit weaknesses to gain personal details or damage privacy, with monetary gain as a primary motivator. Even Hannibal Lecter shies away from these people.
But the people who perform White Hat hacking work to prevent these breaches, while thinking in much the same way as their loathsome counterparts. By stepping into hacker’s shoes, you can perform penetration tests (pen tests) that test the security of the network, and (requiring the consent of the network owner has been obtained) it’s completely legal! Living out your Mission Impossible hacking fantasies has never been so easy, or so heavily encouraged. This vulnerability assessment highlights the resiliency of the network highlights any gaps in security. It’s also used to better understand any proactive steps that can be taken to improve the effectiveness of your current security strategy in a safe way. With a better White Hat presence, perhaps the NHS wouldn’t have been hit so hard by the WannaCry ransomware attack in 2017. With the forthcoming advancements in our technology-oriented society, improvements to cyber security couldn’t be more vital for organisations.
What specifically makes it ethical?
Identifying potential threats through pen testing is great, but you must follow the rules to the letter. For example, you need express permission to perform a pen test. This often isn’t a problem for assessments carried out in-house, just as concerns regarding company-wide privacy are lessened when tests are performed internally. Not to mention that you have to make sure that any ethical hackers must close out their work, making certain that no exploits are left open. You wouldn’t leave your friend’s house with the door wide open, would you? Aristotle would be pleased.
The best way to look hacking from an ethical standpoint is the protection of customer data. When that data is stored with a company, such as a medical provider or a bank, there is a great deal of sensitive information that is kept in confidence. This means that should the organisation have a data leak, not only will they surrender a tremendous amount of customer loyalty and damage their corporate reputation; but will also lose data that can land them with a potentially huge amount of compensation claims. Performing pen tests with this specifically in mind, an ethical hacker can add to their report any weak points regarding data protection.
Complying with security regulations such as ISO 27001, PCI or HIPAA is a way for any organisation to display an ethically charged dedication to the protection of customer data. You can be seen to be diligently performing pen tests to stay on top of protecting this data. A fortunate, completely unexpected (wink wink) result of this is an improved business perception, which may or may not give potential customers another reason to engage with a specific organisation.
A simulated cyber attack
The general, basic overview of a pen test is comprised of five phases. In order to gather an accurate report from the viewpoint of a black hat hacker, all of these phases must be completed and recorded accurately. The generalised steps for an ethical hacker are as follows (and are slightly dramatised):
- Research and planning – it can be fairly determined that a successful targeted cyber attack would need an amount of research and intelligence before beginning. The ethical hacker in question would establish their goals for the hack from this intelligence.
- Scanning – It’s possible to determine how the subject system is likely to respond to the test, further removing some guesswork.
- Accessing the network – The first act of actual system penetration. The best hackers will have a plethora of tools at their disposal and can deploy them to gain access through any manner of weak points.
- Maintaining Access – Like a bucking bronco, the ethical hacker must stay on the system for as long as possible. In taking every valuable second as an opportunity to dig into the system, they can gain more sensitive information as they dig deeper.
- Analysis and configuration review – The most important part, without which the entire process is null and void. The hacker compiles a report based on the results of the previous phases – and then the pen test analysis can begin.
Beyond this, a pen testing can highlight strengths and flaws in incident responses. In the midst of a cyber emergency, there needs to be a procedure in place that can be relied upon. Pen tests are the safe play area to practice responses before any catastrophic breaches occur.
But this is a general, basic explanation for a pen test. A research paper written by Finifter and Wagner detailed the specific benefits of doing manual code review in the context of web application tools, as it found over 50% more vulnerabilities than black-box testing. This means that a standardised test is functionally fine for finding large amounts of weaknesses; however becoming knowledgeable on other types of testing is where the real value of pen testing is revealed.
For those who still need more information on wearing their White Hat proudly, have a look at the CompTIA PenTest+ course that Quanta offers! Learn to test your security controls and gain more trust in your security. For more information, Get In Touch with us today! It’s the ethical thing to do.
Like what you've read? Download the pdf here!