Hackers are commonly divided into three groups: white hats, black hats, and gray hats. White hats are ethical hackers who use their skills to help defend systems against malicious users. Black hats are malicious hackers who use their skills for illegal or harmful purposes. Gray hats fall between the two: they work both offensively and defensively and do not stay strictly on one side of the spectrum.
When a company wants to evaluate the security of its systems and products, it needs someone who knows how to attack computer systems. For this purpose, companies often hire penetration testers, or ethical hackers, to apply hacking skills in an attempt to compromise their systems. An ethical hacker attempts to compromise a system, with the owner's authorization, for the purpose of reporting the vulnerabilities found to that owner. It is important to note that an ethical hacker never seeks to cause damage to a system; the aim is to demonstrate that a vulnerability exists, typically with a minimal proof of concept, without causing impact to the system or its users.
The goal of an ethical hacker is to expose vulnerabilities that can affect the confidentiality, integrity, or availability of a system. To understand this better, we can look at each of these attributes, often referred to as the CIA triad, to see what an attacker may attempt to do on a vulnerable system. Attacks on confidentiality expose sensitive user information to an attacker. Such information may include passwords, bank details, or biometric data. These are the attacks typically seen in the news when a company suffers a data breach. Attacks on integrity modify data that the attacker is not authorized to change. Examples include changing a victim's password or altering invoice data. These attacks can result in significant losses to the victim. Finally, attacks on availability prevent users from accessing a service for some period of time. An example is crashing a bank's website so that customers cannot access it to pay their bills.
Attacks against any leg of the CIA triad can be devastating for the victims they affect, which is why companies actively look for and patch these issues. Ethical hackers think from the mindset of an attacker, actively seeking possible weak points and building proof-of-concept exploits to show that the weaknesses are real. From a security perspective, ethical hackers are among the most important team members, since they can spot the issues an attacker would find and exploit.
The way a company enlists and uses ethical hackers varies greatly depending on its application, resources, and budget. Many companies have internal teams dedicated to testing and patching their products. Others contract outside penetration testers for periodic assessments. Some set up bug bounty programs that pay ethical hackers for finding and reporting bugs in their software. Each of these setups has its pros and cons, but ultimately they achieve similar results: if a company can financially incentivize skilled hackers to report issues to it, it can avoid costly breaches of its software.
An ethical hacker's skillset is valuable to aspiring computer security experts and to software developers in general. If you learn to think like an attacker, you can better secure your applications against one.
Interested in learning more about ethical hacking? Until May 24, get 70% off the course "An Introduction to Ethical Hacking with Kali Linux". Available at: https://www.udemy.com/course/an-introduction-to-ethical-hacking-with-kali-linux/?couponCode=B8440C21E49CE5BBC36D