Page 6 - EngineerIt July 2021

ICT


Ethical Hacking - what you need to know

By Dominic White

Ethical hacking has been my profession and life for the last seventeen years, and it is hard to step out of the bubble and remember that to most people, the term sounds like an oxymoron - how can a criminal act be ethical?

Ethical hacking, also called “penetration testing” by those in the industry who no longer giggle at the term, is the act of proactively trying to find vulnerabilities in computer and information systems, applications, networks or ways of using them. This is done to fix them before real criminals find and exploit them. What makes it “ethical” is the intention to aid the defence and security of such systems. Importantly, the work is strictly done with the explicit permission of the system owners.

Real world analogies sometimes help, especially before we get into the harder to imagine and more complex world of cybersecurity. Imagine if your armed response company also offered a service where they try to break into your house while you watch and tell you all the things you could do to improve your security. Of course, they will already tell you what you can do to improve your security at a high level, but the details matter. How they matter is best demonstrated with an example.

A physical analogy

Best practice for physical home security is to have a wall, electric fence, exterior and interior alarm sensors, locked doors and windows and burglar bars/gates on your windows and doors. You can have all these things, check the items off on a list, and be done with it. However, it is entirely possible for one home to have all these things, and another not to, but the latter to still be safer. This could be for a variety of reasons: the way the items are installed, their coverage or even the neighbourhood you live in. For example, a ladder and plank are enough to create an easy-to-step-over platform for the wall and fence. Exterior beams usually only cover approaches to windows and doors, leaving climb holds to the roof unmonitored and making entry through the roof possible. Alarm panels can often be disabled with common passwords like 1234 or by observing the smudge marks on the panel. By simulating a variety of possible break-in avenues, gaps in security can be covered, and defences can be oriented towards how criminals actually break into a home. Anyone who has made improvements after a break-in can attest to how valuable such a service would have been.

Ethical hacking is much like this example, except applied to our computer-based systems. It could be a company wanting to know if their move to remote working has made them more vulnerable on the Internet, or a bank wanting to know if their latest mobile banking application introduces any new avenues for attack.

Types of ethical hacking

There are a range of different approaches that ethical hacking exercises can take. These range from the Hollywood - a team of hackers attempting to move large amounts of money starting with little more than the name of the company - to the scientific - having full access to the source code for an application and its development team, to systematically identify any and all possible improvement areas, or more commonly a blend.

Of course, the scope can vary dramatically too. Drawing an exact line around where computer systems stop and the real world starts is hard with hacking, as real criminals will move between both worlds. Hacking exercises are sometimes paired with physical intrusion exercises as well as confidence tricks against employees of the company, although the central focus will always be on the manipulation of computer systems.

At a high level, there are a few different types of ethical hacking:

1.  Penetration testing is the most common form, where networks or applications are assessed for security vulnerabilities by an expert penetration tester. These are usually shorter exercises focused on a well-defined scope such as the external network perimeter (i.e. what’s on the Internet), a single system, application or network. Stealthy operation is rarely a requirement; rather, the focus is on finding as many vulnerabilities in as short a time as possible, while also demonstrating their risks.
2.  Red teaming is a type of adversary emulation exercise. The hacking team takes on the role of a variety of likely criminal groups, emulating their modus operandi (or TTPs for tools, tactics and procedures). This is akin to the Hollywood example given above, although, unlike Hollywood’s depiction, it requires careful preparation and extended periods of staring at text on a screen.
3.  Vulnerability scanning is an automated scan of an application, network or infrastructure. Being automated, it benefits from an ability to scale far more than penetration testing. While penetration testing will include vulnerability scanning, usually at the start, it is merely one tool a human expert will use. Vulnerability scanners are also unlikely to demonstrate the risk of a vulnerability by exploiting it.

These terms are often argued about within and outside the ethical hacking industry, but these are close to what the consensus is.

There are some obvious benefits to ethical hacking, most notably and obviously, finding and fixing the problems before they are used in a real attack. Beyond that, there are some other, more subtle benefits. As ethical hacking is my job, I must acknowledge my potential bias.

Four important benefits of ethical hacking are listed below

The first is that the risk of the vulnerabilities found can be demonstrated. Many security teams will talk of the difficulty in getting an organisation to fix the vulnerabilities found. However, if an ethical hacking team can demonstrate how the vulnerability could be used to cause real business harm, it tends to drive a faster response. Of course, the hackers


