Last year, thieves stole about $744 million without breaking a window or kicking in a door.1 In 2023, hackers swiped people’s personal data at an alarming rate, making data breaches the second most commonly reported type of cybercrime.1 In the digital Wild West, one of the ways that these black-hatted villains can be dealt with is through white-hat hacking.
White-hat hackers are certified ethical hackers who use their cyber expertise for good. Companies often hire them to test the security posture of the organization's computer systems, identify points of weakness and recommend ways to improve.
White-hat hacking is a responsible and lucrative way to fight cybercrime. Keep reading to learn how ethical hackers use their skills to fight fire with fire.
Common Cybersecurity Threats
Before we can understand the role of an ethical hacker, we have to understand the need for this specific role.
In 2023, phishing scams, personal data breaches and non-payment/non-delivery scams were the three most common cyber crimes.1 The most common threats are malicious, infectious software like malware or ransomware. Likewise, distributed denial of service (or DDoS) attacks bombard digital systems with excessive traffic, often disguising an incursion. Phishing scams take a sneakier approach, using social engineering to solicit info from unaware users.2
The Role of Ethical Hackers
After getting briefed on a company's business model and existing security measures, ethical hackers carry out a penetration test, also known as a pen test. Their main goal is to probe cybersecurity defenses to find weaknesses before malicious hackers get the chance.
The best ethical hackers use the same tricks and methods as their cyber-thieving counterparts, but they hack for different reasons. Ethical hackers test the system in coordination with the cybersecurity team, looking for ways to improve and protect. Meanwhile, criminal hackers exploit security systems for a nefarious purpose, such as stealing money, compromising data or locking the system in a ransomware attack.
Scope and Legal Framework
Before they begin their pen testing, ethical hackers coordinate with the company to define the scope of the test. In other words, they set boundaries that the white hat won’t cross. Alongside the company's guidelines, white-hat hackers adhere to legal standards and ethical guidelines. For instance, an ethical hacker consulted by a company will not transgress further into the system than agreed upon with the company or break any laws in the process.
Penetration Testing Methodology
Penetration testing is much more than trying to steal some passwords. Usually, pen testing happens in five steps:3
- Planning: The ethical hacker and security team agree on the scope and parameters that will guide the test. Is the goal to test the whole system, or one particular app or aspect?
- System Assessment: This is part one of the reconnaissance phase, during which the cyber sleuth collects data about the cybersecurity system, software or email platforms. Depending on the parameters, hackers may use software to scan the system to gain information about its setup and procedures.
- Vulnerability Assessment: This is part two of the recon phase. This time, the goal is to discover the system’s weakest points of defense. Again, the hacker may use software to scan for vulnerabilities.
- Exploitation Attempt: When the ethical hacker finds a weakness, this is where he or she will attempt to exploit it. The cyber spy tries to intrude into the system but stops short of actually stealing data.
- Report and Remediate: Once the test has concluded, it’s time to assess the target system’s efficacy and address any vulnerabilities.
Types of Penetration Tests
Penetration tests vary depending on how much info is shared with the hacker beforehand. For instance, the penetration testing can take one of these forms:4
- White Box Test: The hacker is given a tour of the entire network and system information. This saves time and money and allows the test to focus more closely on one particular element of the security apparatus.
- Black Box Test: The hacker is given no information beforehand. This puts the ethical hacker in the position of an external hacker, so the system is put through a real-world scenario.
- Gray Box Test: The hacker is given a certain amount of information or access without being given full access. For instance, the hacker may receive a username and password and system access.
Vulnerability Assessment Tools
Like any other profession, ethical hackers have their tools of the trade. In this case, they often use software designed to highlight the vulnerabilities that exist in a cybersecurity system. Vulnerability assessment tools include web application, protocol and network scanners.5 The cybersecurity expert can select which tool is right, given the nature of the penetration test, the part of the system being tested and the security protocols.
Real-world Hacking Techniques
Phishing and malware are two real-world hacking techniques used by ethical hackers to improve systems. Phishing occurs when a hacker tricks someone into sharing private info like credit card numbers or passwords. Malware refers to nefarious software like viruses, ransomware or spyware.
White hats use similar techniques to find the system’s weaknesses before malicious actors do. Phishing simulation is a feature of cybersecurity training for organizations, in which they send (ultimately benign) suspicious emails to employees to see how they react. Likewise, ethical hackers help seal up the cracks, preventing a malware infestation.
Web Application Security Testing
As more businesses enter the digital economy, the need for solid web application security checks has grown, too. Recently, hackers have even exposed vulnerabilities in mobile applications during beta testing.1 Web apps are susceptible to SQL injection, which occurs when a hacker inserts code into the application, often through a form whose contents end up in a database query. Validating submitted input before the application acts on it can help stop injections.
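The following is an added example, not part of the original article: a small Python and SQLite sketch of the form-input weakness described above, with the concatenated query beside a parameterized one and an allow-list validation step. The table, function names and sample inputs are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return db

def lookup_concatenated(db, name):
    """Weak pattern: the form value becomes part of the SQL text itself."""
    query = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, name):
    """Hardened pattern: the form value is bound as data, never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT email FROM customers WHERE name = ?", (name,))]

def validate_name(name, max_len=32):
    """Allow-list validation applied before the value reaches any query."""
    return 0 < len(name) <= max_len and name.isalnum()

def safe_lookup(db, name):
    """Validate first, then query with a bound parameter (defence in depth)."""
    if not validate_name(name):
        raise ValueError("rejected form input")
    return lookup_parameterized(db, name)

# Constructed form inputs: one ordinary value, one that carries SQL syntax.
ORDINARY = "alice"
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for value in (ORDINARY, CRAFTED):
        print(repr(value), "concatenated  ->", lookup_concatenated(db, value))
        print(repr(value), "parameterized ->", lookup_parameterized(db, value))
```

With the concatenated query, the crafted value changes the meaning of the WHERE clause and every row comes back; with the bound parameter the same value is compared as a literal name and matches nothing.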
Network and Infrastructure Testing
The interwoven matrix of servers and software enables computers to communicate with one another throughout an organization. Much like physical infrastructure such as roads, bridges and tunnels, digital infrastructure facilitates the fast movement of information. To test its strength, ethical hackers probe infrastructure security, helping companies prevent someone from sneaking in via a forced intrusion through a network vulnerability.
Wireless Network Security
Wireless network passwords should be changed early and often to thwart hackers. Secure companies also use encryption like WPA3 to protect data transmitted over Wi-Fi.
Wireless penetration tests will mimic common hacker tactics like a "man-in-the-middle" attack, where a third party intercepts data in transit. Or, they may attempt an access point attack, where an unauthorized access point slips past the network’s security.
Social Engineering and Human Factors
Human error is unfortunately one of the biggest causes of cybersecurity failures. So, hackers may also find vulnerabilities in the user instead of the system itself. For instance, employees who post too loosely on social media may become targets for phishing scams. To warn against those habits, ethical hackers sometimes send emails to employees with details gathered from social media accounts. This lends the attacker some credibility, making the employee an easier mark.
Reporting and Remediation
With all of this valuable data and security information on the line, documenting every stage of a cybersecurity pen test is essential. Responsible reporting keeps track of the goals, scope, security vulnerabilities and steps for improvement. Once the testing is completed, vulnerability remediation requires buy-in from all stakeholders, especially since every user is a potential security weak point.
Legal and Ethical Considerations
Protecting private data is of course an important aspect of doing business, but it's up to an organization to create, manage and uphold those standards. Companies have responsibilities to the law and to their stakeholders in terms of cybersecurity. Outside of internal IT teams, penetration testing by ethical hackers helps fulfill these responsibilities by ensuring user data is safe. And if a data breach occurs, the company has a legal obligation to disclose that information to customers since businesses are required to protect users’ data.6
Continuous Learning and Certification
Programs exist to educate cybersecurity professionals about the art and science of ethical hacking, either through initial training or continuing education. Ethical hacking certifications and continuing education, like a master's degree in cybersecurity, help cybersecurity experts stay a step ahead. Finding vulnerabilities before bad actors do requires ongoing learning, ensuring experts evolve as the threats do.
The Future of Ethical Hacking
Today, the cyber threat landscape is ever-shifting. We need ethical hackers to help anticipate problems before cyber criminals create them, and to know how to counteract whatever tools or tactics they use. Through penetration testing, these white-hat hackers use their skills to probe defenses and find vulnerabilities to protect cyber users.
If you’re curious about the world of ethical hacking or want to put your hacking skills to better use, check out the online Master of Science in Cybersecurity from Yeshiva University. This program equips you with the knowledge and skills necessary to become a white-hat hacker in those dusty digital streets.
1. Retrieved on March 16, 2024, from ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
2. Retrieved on March 16, 2024, from mass.gov/info-details/know-the-types-of-cyber-threats
3. Retrieved on March 16, 2024, from fedramp.gov/assets/resources/documents/CSP_Penetration_Test_Guidance.pdf
4. Retrieved on March 16, 2024, from gsa.gov/system/files/Conducting-Penetration-Test-Exercises-%5BCIO-IT-Security-11-51-Rev-6%5D-11-25-2022.pdf
5. Retrieved on March 16, 2024, from https://www.imperva.com/learn/application-security/vulnerability-assessment/
6. Retrieved on March 16, 2024, from federalregister.gov/documents/2023/01/23/2023-00824/data-breach-reporting-requirements