Explore the history of hacking, from the early days at MIT to the established subcultures of today. Lisa Bock compares white, grey, and black hat hackers. Ethical hacking within an organization is defined as essential because it enables an organization to identify vulnerabilities and fine-tune its security posture.
- [Voiceover] The word hacker was first used at MIT in 1960. During that time, a group of computer science students were working on artificial intelligence. Most likely, these talented young individuals would "hack" at a problem until they had a solution. The term hacker was not associated with any malice. However, as time has passed, when someone refers to a hacker, it often has negative connotations. Many think of a hacker as someone who is trying to break into a system to steal information or release malware.
There are several subcultures of hacking groups. All have different attitudes and goals. Many times, a layman will group all hackers under the term hacker. But there is a difference. The three main types of hackers are black hat, white hat, and gray hat. Black hat hackers are considered to be the bad guys. A black hat hacker may be referred to as a "cracker," as they might try to crack the code or crack a password.
A black hat has an objective to cause harm by engaging in criminal activity. Many times, they're backed by organized crime or nation states. The black hat operates on the dark side of the Internet, damaging organizations, spreading unsavory content, and threatening governments with cyberterrorism. And they can cripple a victim's finances and well-being. White hat hackers are considered to be the good guys and are "ethical hackers." White hat hackers have the support of government and industry and are computer experts.
Many times, they are contract employees hired by security companies and are trained to test systems and attempt to break into them. But they can also be an internal team conducting regular penetration testing as part of an overall security plan. Ethical hackers diligently look for any vulnerabilities in the computer's defense system, which, once identified, are reported and fixed either by the white hat team or the appropriate IT personnel, with the idea of improving a company's defense posture.
A gray hat hacker sits between the good guys and the bad guys in that they may try to gain access to a system without permission, but in general, without malice. They want to see if they can access a system. A gray hat hacker will, many times, notify an organization in some manner that their system was vulnerable. Black hat hackers have a large arsenal of software tools, malware, and social engineering techniques that are used to breach a system.
Anyone, either internally or externally, with proper motivation and the right situation, has the potential to become a hacker. That is where the idea of white hat, or ethical hacking, comes into play. Ethical hacking enables an organization to fine-tune their security posture, educate their staff, and implement security practices that protect critical systems and sensitive data. Ethical hacking can be done in-house by a trained IT professional or outsourced.
As outsourcing may be expensive, a company may choose to do an ethical hacking assessment in-house. If done in-house, select an appropriate candidate. Although someone might self-identify as a potential white hat hacker, take care in making your selection. Recommendations include selecting someone who understands the skills required. Ethical hackers uncover vulnerable entry points before attackers have a chance to exploit them. They have patience and persistence.
Not only do ethical hackers need to find vulnerabilities; they must suggest and/or implement mechanisms in order to reduce the threat. Ongoing training is essential. They respect the code of good conduct. The term ethical implies the candidate understands what is right and what is wrong. They understand that findings are checked and reported only to team members and management, and not to a group of friends at a bar after hours, which could compromise the security of an organization.
And they're a professional team member in that the ethical hacker is proficient in communicating any discoveries and will work with all team members to ensure a comprehensive approach that supports the overall security plan. Ethical hacking continues to evolve and is gaining attention as an essential security practice that every organization should perform on a regular basis.
Security expert Lisa Bock starts with an overview of ethical hacking and the role of the ethical hacker. She reviews the kinds of threats networks face and introduces the five phases of ethical hacking, from reconnaissance to covering your tracks. She also covers penetration-testing techniques and tools. The materials map directly to the "Introduction to Ethical Hacking" competency from the CEH Body of Knowledge and provide an excellent jumping-off point for the next courses in this series.
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. Find more courses in the series on Lisa's author page.
- Ethical hacking principles
- Managing incidents
- Creating security policies
- Protecting data
- Conducting penetration testing
- Hacking in phases