Ethical Hackers – What They Do And Why

The high profile cyber attack at Talk Talk towards the end of 2015 highlighted how breaches are becoming a fact of life for any organisation using the web for business.

It’s the reason why many companies employ ethical hackers to test their cyber security and identify potential vulnerabilities that put confidential financial, security or customer data at risk.

Nefarious activities

So, what does an ethical hacker do? And how does this differ from the nefarious activities of those individuals that break into computer systems and networks for gain – or to cause harm?

In short, ethical hackers use the same methods as cyber-criminals but for entirely different motivations. Their role is to simulate attacks a malicious or criminal hacker could carry out, revealing potential security weaknesses and how these could be exploited so that steps can be taken to address these issues.

The crucial difference here, however, is that ethical hackers have express permission to proceed with their activities and can only undertake their work once legal contracts are in place and a full written scope of work has been created.

Since ethical hacking involves practices that are technically illegal, these permissions are paramount to protecting all concerned. And, since ethical hackers will attempt to access the innermost secrets of the enterprise, it’s essential to ensure that practitioners employed in this role are trusted, hold appropriate certifications, and are approved by the EC-Council.

Is ethical hacking the same as penetration testing?

The ethical hacking process involves several methods, including vulnerability assessments to reveal security flaws – like outdated software, operational weaknesses or security bugs. And that’s when penetration testing can begin to exploit these flaws and reveal the extent of the vulnerability.

But the scope of an ethical hackers approach extends far beyond the technology alone. Ideally they’ll unearth information about your employees, suppliers, along with useful information like project names and site maps to pinpoint weak links in the security chain – which more often than not, is not the IT system itself but its users.

Armed with these insights they’ll use this data to gain access either remotely via the network or in person by physically accessing an organisation’s facilities – or those of one of its business partners. Techniques employed will include password guessing and cracking, session hijacking and spoofing, denial-of-service attacks, exploiting buffer overflow vulnerabilities or SQL injection.

What happens once a breach is identified?

Having gained access, the ethical hacker will detail every step they’ve taken so that remedial work can be undertaken later to fix all identified access holes. What’s more, they’ll plant a back door or create new user accounts – just as an attacker would – to demonstrate they can return and access systems time and again.

Finally, the ethical hacker will look to remove all evidence of their presence – deleting logs, user accounts and wiping audit trails.

With cyber security issues changing on an almost daily basis, the need for IT specialists with accredited information security and ethical hacker skills is growing. According to some reports the average length of time from hacker intrusion to detection is typically around six months – but in some cases cyber criminals have gone undetected for years. For that reason ethical hacker teams are also being utilised to shut down what a hacker has done and investigate what information has been exposed.

Companies hire ethical hackers because they want to proactively test their security and improve the resilience of their networks. But keeping the enterprise safe depends on hiring specialists with approved certifications and ensuring all appropriate legal and scope of work frameworks are in place.

How much do you know about 2015’s biggest data breaches? Take our quiz to find out!

Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.

View Comments

  • It's actually not essential that the hacker you are using is EC-Council registered or certified. Some of the most prolific and experienced Ethical Hackers are not certified by any governing body. The essential factor here is to investigate the individual, ensure scope is clearly defined and insist upon a NDA.

    Take the time to select your provider (as with any contract) and you will be both save and well served by an ethical professional.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago