What is ethical hacking & how can it secure your business?

A Brief History of Hacking – What is Ethical Hacking and How Can it Help Secure Your Business

The term "hacker" gets thrown around in a variety of contexts and in a multitude of different ways nowadays. While it's great that cybersecurity is gaining more and more awareness across the globe, the technical nature of cybersecurity means that terms are often used interchangeably, in different contexts, and sometimes incorrectly. Popular culture has certainly played its part, with movies and television shows portraying hackers as super-smart criminal masterminds, or underachieving geniuses who get by in life by committing petty theft from their parents' basements. The truth is very different -- more often than not, hackers are actually just like you and me.

Their job also isn't solely restricted to criminal activities. Practices such as penetration testing and other security assessment activities are legitimate, fundamental aspects of cyber security at any company, big or small. There are also various institutions out there whose whole business is testing security professionals and providing them with certifications in ethical hacking to back-up their good intentions.

The origins of hacking as we know it

'Hacking', as we think of it, can be thought of as a synonym for ‘defeating security’, as soon as there were people wanting to keep messages secret, there were people trying to read them.

Cryptography has a history that stretches back thousands of years, but a good place to start understanding it is in the Roman Empire. Julius Caesar invented the Caesar Cipher. This was a simple substitution cipher, where one letter was replaced with another. Unsurprisingly, the concept has been improved over the intervening two thousand years, though in today’s world it cannot be considered anything more than a novelty.

The earliest ‘modern’ implementation of what we typically think of as hacking stretches back to the cryptographers of World War 2. In much the same way that hackers can try to decode encrypted passwords, the cryptographers' job was to decode the secret messages of foreign intelligence services (though in strict terms it's pure mathematics). Most famously, this involved a British team at Bletchley Park cracking the Enigma code. The Enigma machine was used by the Germans for high-security military communications and was thought to be unhackable, thanks to its mathematical permutations on top of linguistic ciphering. A combination of ingenuity, cutting-edge technology and human error enabled the Enigma code to be broken. Those same three principles still hold true today for hackers trying to unscramble passwords or de-obfuscate lines of code.

More connected = more vulnerable?

As technological progress continued to push more and more aspects of human activity into the digital sphere, hackers in turn expanded their reach beyond cryptography. Tapping into phone systems, known as phreaking, is where ‘hacking’ starts to get more recognisable as its modern term and relied on miscreants mis-using existing access/configuration settings for their own ends. In this way, it’s similar to modern penetration testing practices.

Throughout the 1970s and 80s, computer hacking became a legitimate concern. As banks, schools and corporations slowly digitised their records and processes, hackers came up with new ways to gain access. It wasn't until the invention of the Internet though that hacking has made its way into the mainstream and revealed the fragility of our sense of security and anonymity in the digital sphere.

The Inter-what?

In early 2000, Dell, Amazon, CNN, eBay and others were taken offline by a string of denial-of-service attacks. The list of affected companies included Yahoo!, who at the time were the world’s largest search engine. The hacker managed to do all of the above at 15 years of age, in the span of just one week. His name is Michael Calce, and though a DoS attack didn't put any data at risk, his cyber attacks exposed the wider lack of knowledge about the Internet.

Social justice hackers

By 2020, everyone and their mother have become acquainted with Anonymous, the far-reaching, loosely organised group of hackers and sympathisers known for taking a public stance on just about every socio-political issue there is. If not for them, the term 'hacktivist' would have never been born. Anonymous' origins can be traced back to 2003 on 4chan, the infamous message board platform. They rose to fame five years later, in 2008, with a coordinated attack on the Church of Scientology -- they brought down multiple websites belonging to the organisation and destroyed their fax machines with all-black images. On top of that, an in-person protest was organised, with attendees all wearing Guy Fawkes' masks (V for Vendetta), which quickly became the group's most recognisable symbol.

Although Anonymous cannot be considered ethical, there is no denying the fact that they are extremely well-versed in the art of capturing the world's attention. The group has also inspired many young computer wizards to use their skills for something more than just personal gain.

Know your hacker

Not every hacker is the same. They differ in their methods, skill sets, and preferred hardware. The most fundamental categorisation of hackers, however, stems from their motivations. Some are motivated purely by self-interest, and others have a more sophisticated agenda. Beware of jumping to conclusions when it comes to malicious and ethical hackers. There have been cases of cyber-criminals who have gone on to work in penetration testing for some of the world's biggest companies.

Those are the "good guys", more commonly called penetration testers. They use their skills and intellect to uncover security flaws in a professional, ethical way. You'll usually find them in corporate offices in the security or IT departments. White hat hackers are employed by firms to constantly try to break down its cybersecurity measures, test its resilience, and suggest improvements. A white hat's motivations are clear-cut, and their work is backed up by the right certifications in ethical hacking and penetration testing.

The essence of their work isn't much different from how black hats would go about their tasks, with one basic difference – they never break into computer systems without the owner's permission.

Just like in classic literature, villains of the hacking world are also clad in black. They break into networks, computers and infrastructure for personal gain, or to advance the goals of the hacking collective they belong to. Black hat hackers wrote most of the malware commonly found on personal computers. They never ask owners for permission to explore their systems, and often get entangled in the business of stealing sensitive data and selling it on the black market. Make no mistake, they are the bad guys. At one end of the scale are ‘script kiddies’ – opportunistic hackers who will fire out attacks en masse designed to exploit simple security flaws. It’s low effort but, because of the mind-boggling numbers of systems, servers, apps, mobile devices, PCs (etc) that are connected to the internet, don’t think that it’s low reward. Often a script kiddie’s knowledge is so basic that they won’t even understand the tools that they’re using. At the other end of the scale are highly organised hacking teams. These are well-resourced, focussed teams of elite hackers that treat hacking as a serious professional business, often going after specific, lucrative targets.

Like some twisted hacking freelancers, the grey hats operate on their own terms, sometimes disregarding ethics to get to where they want to be. For example, as a grey hat hacker, you might break into the network of a big corporation without permission, mess around in there for a while, and bring a report of your activity to their IT desk, expecting reimbursement. An example of a grey hat hacker might be a legitimate penetration tester who, when not at work, is involved with Anonymous.

What is Ethical Hacking?

Ethical hacking is the domain of white hat hackers, who work tirelessly in a loop of breaking into systems, pointing out vulnerabilities and making sure that malicious actors don't find them first. There is no agreed-upon, textbook definition of ethical hacking, but it can be explained as the practice of getting around security systems with their owner’s authorisation, in hopes of finding weaknesses before wrongdoers get to them. On top of that, ethical hacking also entails finding disclosed security vulnerabilities and identifying looming threats. If you’re thinking this sounds like penetration testing, it’s because it is.

Is hiring hackers safe for my business?

A lot of business owners are reluctant to employ an ethical hacker because of the negative connotations of the term "hacker" itself. That's a big mistake on their side. As soon as you learn more and more about the subject, you'll come to the realisation that hiring a hacker isn't only safe for your company, but also essential for maintaining information security in the office, as well as on the computers of your remote workers.

You could go down the private hire route, weeding out any potentially malicious elements by asking for an up-to-date ethical hacking certificate or at least the recommendation of previous employers during the hiring process.

However, a much more efficient, and not to mention safer approach, is to go to a penetration testing company. They have teams of white-hats ready and waiting to test an organisation’s infrastructure. They’ll have teams of trustworthy ethical hackers, most of whom will be salaried employees. By choosing a penetration testing company you’ll benefit from peace of mind that you’re getting a comprehensive security assessment from truly ethical hackers. Their broad experience will mean they’re also able to work with you to assess things like your scope – basically what you want tested. Getting this stage right is often the difference between a meaningful test and a waste of money.

Look for companies with ISO 27001 and ISO 9001 qualifications, which shows they’re taking their business seriously. There are also security-specific qualifications to look for. One of the most well-known and well-respected is CREST.

Rules and Regulations

First off, there are sets of laws that every aspiring ethical hacker needs to familiarise themselves with, in order to know what they can and can't do when tapping into a computer or network. For the UK there is the Computer Misuse Act (1990). While a singular code of ethics doesn't really exist when it comes to ethical hacking, there are a few rules that professionals in this area generally abide by:

• Do not act without the owner's permission
• Keep private information private
• Only use legally obtained software
• If you come across potential threats by accident, always inform the potential victims with no expectation of reimbursement

Most ethical hackers use their powers for good and find employment as salaried or freelance penetration testers.

Qualifications

You won't just get hired off the spot without the right experience or education. A bachelor's degree in computer science or a related subject is an advantage, unless you've already got a year or two of real-life experience under your belt. Remember – malicious hacking doesn't count as experience, and you'd be wise not to brag about such exploits on your CV – especially if you're trying to get hired as an ethical hacker.

How to get certification for Ethical Hacking?

Although there are various documents and diplomas you can get to prove your skills and motivations, you should really aim for CREST certification.

Career Pathways

Increasing numbers of companies are recruiting for penetration testers, and Bulletproof has its accelerator/grad scheme to help young talent get a leg up in the industry. However, some will find it more challenging to break into the cyber security industry, and aspiring white-hat ethical hackers might have to start off as a systems administrator or a web developer. Don't treat it as a setback though, as these positions will prepare you well for the future with valuable knowledge of networks, apps and systems.

Why should you become an Ethical Hacker?

The short answer is that being a penetration tester is fun, rewarding, and pays well. The longer answer is that ethical hacking is the answer to many pressing security questions that stem from the accelerated transition of most human activity to the digital realm. The work of every single penetration tester is invaluable when it comes to patching up holes that could be otherwise exploited to ruin businesses and livelihoods. Automated technologies do exist, such as VA scans, and they absolutely serve a vital purpose in maintaining good security. But they’re no replacement for the human insight and ingenuity that goes into a penetration test, so automation is unlikely to make a pen tester redundant anytime soon.

Can Ethical Hackers prevent cyber attacks?

Ethical hackers can find your security flaws before a malicious cyber criminal does. This gives you a chance to fix the weaknesses, meaning your data stays where it should do – inside your business.

Cybersecurity measures for businesses

Penetration testing is perhaps the single most fundamental aspect of good business security. Infrastructure, network and application testing need to be performed regularly to continuously catch and report on loopholes and imperfections that might be vulnerable to hacking. Automated tools such as VA scans can be performed more frequently, but they serve a different purpose to full penetration tests. Yearly pen tests are standard, though increasingly the argument for 6-monthly testing is being made.

Humans are hackable too

Not all of your employees are hackers or trained computer experts, and that's okay. Running a business requires personnel with various areas of expertise. But everyone in your organisation needs to have a basic knowledge of the cyber risks they face and responsibilities they have to their employer. A vast number of hacking attempts include social engineering, typically phishing, which is where a hacker tries to manipulate human psychology. In a world where all technical cyber controls can be undone by a single click from a malicious link in an email, the right cyber awareness training is absolutely vital.

Social engineering attacks such as phishing often result in immense financial losses, to say nothing of the reputational damage. And all because a staff member could not distinguish a scam email from a genuine one. The time and effort it takes to train people to recognise these dangers is typically less than you think. Once again, ethical hackers can come to the rescue by simulating a phishing attack on your business. The results of this can feed into your security awareness training – essentially a human penetration test instead of a technical one. A simple exercise, but one that could save your organisation from ruin.

Proactivity is key to avoiding disaster

If there is one lesson to draw from the history of hacking it is the fact that hackers prey on ignorance and laziness more than any computer exploit. Whether it is to steal credit card information, grab sensitive personal data or just to cause havoc, every time a successful attempt is carried out it’s because of an unremediated technical flaw or a gullible human. And, excluding the work of nation-state hacking teams and rare 0-day flaws, preventing both of these attack vectors is well within a business’ reach. But it relies upon using the skills of ethical hackers to be proactive and secure your business before a malicious hacker strikes.