Ethical hacking (also referred to as white hat hacking) has become an essential way for businesses to identify and address cybersecurity exposures.
In this ethical hacking glossary, UK-based cybersecurity specialist Redscan describes the practice as “the identification and exploitation of cyber security vulnerabilities across IT environments for legitimate and non-malicious purposes”.
Ethical hacking is the opposite of “black hat” hacking – the kind of hacking that makes news headlines for the wrong reasons. Black hat hacking is a crime, and while ethical hacking may involve similar techniques, it is typically carried out by a professional company hired to perform testing and adheres to the highest standards.
What makes ethical hacking “ethical”? Let’s look at how ethical hacking can help to protect businesses from attacks, as well as examining the ways that you can ensure that you are working with genuine ethical hackers.
Performed with Consent
Ethical hacking is always performed with consent. While the object of engagements is to accurately reproduce the tactics, techniques and procedures used by cybercriminals, it is never designed to be malicious and aims to avoid damage and disruption to businesses. Before carrying out an assessment, a professional cybersecurity firm will ensure that there is a formal agreement in place that clearly defines the scope of assessments and upholds client confidentiality.
Performed by Experts
Ethical hacking should always be undertaken by trained professionals who understand the latest hacking tools and techniques and will perform assessments to the highest technical, legal and ethical standards.
Look out for organizations that hold appropriate ethical hacking certifications – one of the most widely known and recognised accreditation bodies is CREST. It is also advisable to seek out firms that have staff certified with a wide range of ethical hacking disciplines; this demonstrates the organization’s ability to perform a wide range of assessments.
Performed by Security-cleared Consultants
Upon commissioning an ethical hacking assessment, it’s important to have complete confidence in the people involved. Where a pen test involves access to highly confidential and/or classified information, businesses may wish to consider additional safeguards such as using testers with high-level security clearance.
Performed in Line with Current Laws
There are many legal aspects that need to be considered when undergoing ethical hacking. Testers may, through the normal process of an engagement, access highly sensitive data. To achieve an agreed goal, they may need to exfiltrate this information.
A professional ethical hacking business will consider the legal issues set out in applicable legislation, including the laws of specific countries or states and regulations such as GDPR.
When scheduling any form of ethical hacking it is wise to consult your organization’s legal team to ensure that tests stay within what is permissible by law. While no ethical hacker intends to cause damage or disruption, there are inherent risks in carrying out tests on live systems – all parties should be aware of the risks and put appropriate safeguards in place.
It is essential that ethical hacking assessments are as transparent as possible. An ethical hacker will always share findings and offer remediation advice to ensure that vulnerabilities are reported and addressed. They should be contactable throughout engagements and provide clear written reports to summarize findings and recommendations.
There are many things to consider when commissioning ethical hacking for your business. In any case, it is a good idea to work with a highly experienced provider that is happy to talk you through any risks and ensure that the whole process is conducted as safely as possible and delivers tangible outputs.
Mike James is a Brighton-based writer and cybersecurity professional who specializes in penetration testing, ethical hacking and other cybersecurity issues facing businesses of all sizes.