Threats and ethical hackers
The are many different types of threats that can compromise information security.
Focusing on cyber attacks, we can separate them into three main categories:
- Technical attacks – usually take advantage of vulnerabilities, such as bugs in software or misconfiguration of the services
- Social engineering – these target what we might call ‘the weakest link’ in an organisation’s security – its employees
- Insider threats – these will usually involve the misuse of trust relations within the organisation
We’ll be covering each of these attacks in more detail throughout this Ethical Hacking program.
As the title implies, the main expectations for an ethical hacker are that they will behave ethically and comply with the relevant laws and regulations. That’s the main difference between the ‘good’ and the ‘bad’ guys. As for just about everything else, they’re using the same tools, techniques and processes.
It’s vitally important that the ethical hacker is authorised to attack their targets before they take any action and that they stay within the scope of the assignment at all times. An ethical hacker would act in the best interest of the client organisation and treat all information uncovered during the test as confidential.
How it works
Before the penetration testing begins, the ethical hackers will agree a formal contract with the client organisation. As part of that, they will specify the rules of engagement covering the scope (targets such as servers, networks, employees, etc), dates, times and so on. We’ll discuss these in more detail when covering the penetration testing methodologies in Week 2.
There are also two types of penetration tests often referred to as ‘white-box’ and ‘black-box’. The difference is in how much information and access is provided to the ethical hackers before the test.
In the case of a ‘white-box’ penetration test, hackers may have access to things like network diagrams, Wi-Fi passwords, source code and even some internal accounts. The advantage of this is that the ethical hackers will have a much better view on the system and will potentially find more vulnerabilities. It will also take less time and be cheaper.
On the other hand, a ‘black-box’ pentest will not provide much information to the testers, apart from defining the targets in scope. The testers will have to find all the information and gain access themselves. The advantage of this approach is that the hackers are simulating a real attack much more closely – a malicious hacker would typically work based on the information they gathered during the first part of their attack (known as reconnaissance).
Do you have what it takes?
The skill set required for ethical hacking is significant. Thinking about the technical skills alone, you will need to cover virtually the full span of digital technologies, as you never know what technology your clients will use.
This is one of the main reasons that ethical hacking is a team job, with different members of the team specialising in different technologies and tools.
So, in a team you might have people specialising in hardware and networking, others specialising in Windows and active domains, others in web applications, social engineering, and so on.
In any case, all of the team members need to possess good ‘soft’ skills, such as teamworking, coordination, cooperation, problem management and report writing.
© Coventry University. CC BY-NC 4.0