By DeVry University
Ethical hacking involves the authorized attempt to gain access to computer systems, applications or data by duplicating the strategies and methods that would be used by a malicious hacker. Also known as penetration testing, the practice has been established to test an organization’s cyber security methods and safeguards, as well as identify security vulnerabilities that can be addressed and resolved before a malicious hacker can exploit them.
An ethical hacker is a cyber security professional with in-depth knowledge of computer systems, networks and security. They should be well-versed in the threats and vulnerabilities that can be used to compromise – or bring down – organizational systems.
Why is Ethical Hacking Important?
To understand the importance of ethical hacking in the cyber security world, let’s look at some of its many applications. Ethical hacking can be used to:
- Test password strength
- Perform penetration tests after software updates or a new security patch
- Test the validity of authentication protocols
- Ensure data communication channels cannot be intercepted
Deterring threats from malicious hackers is often a top priority of corporate, e-commerce, banking and financial systems operators who need to ensure customer data – like birthdays, payment information and passwords – are protected. Without this protection, successful cyberattacks can have catastrophic consequences – including loss of data, fines and other penalties, lost revenue and diminished consumer confidence.
As more aspects of our lives involve online transactions, the internal systems, software and servers required to make it all run smoothly remain vulnerable to cyberattacks. For this reason, institutions, such as those who handle sensitive electronic medical records, have made cyber security measures a vital component of their risk management strategies.
According to a report from the cybersecurity firm Sophos, 66% of healthcare organizations were hit by ransomware attacks last year. The report notes that adversaries are becoming “considerably more capable at executing the most significant attacks at scale,” and that the complexity of the attacks is growing.
Types of Hackers
Using a familiar “old west” style naming system, the cyber security industry identifies three different types of hackers – white hat, black hat and gray hat.
White hat hackers: These are the “good guys.” Also known as ethical hackers, white hat hackers assist government and business organizations by performing penetration testing and identifying cyber security flaws. Breaking into systems with good intentions, they use a variety of techniques to uncover vulnerabilities attackers would exploit with malicious intent and help the host organization’s IT department remove viruses and malware.
Black hat hackers: Typically motivated by a payday through ransomware or other dishonest means, black hat hackers are the cybercriminals against which every network-dependent organization must defend itself. These malicious hackers look for flaws in individual computers and/or the systems of public institutions. They hack into networks to gain access to valuable or highly sensitive personal, business and financial information, exploiting any loopholes they find. Some black hat hackers deface websites or crash backend servers for fun, to damage a business’s reputation or to cause it financial loss.
Gray hat hackers: These individuals, as the name implies, fall somewhere in the middle. While many don’t use their skills for personal gain, they can have either good or bad intentions. A gray hat might, for example, hack into an organization’s system, find a vulnerability and leak it online to inform the organization about it. This well-intentioned effort, however, can then be seen and exploited by a malicious hacker.
Types of Ethical Hacking
Malicious hackers gain access to computers that are connected to a broader network through various types of system hacking. To understand ethical hacking, it’s important to be aware of the different ways cybercriminals target and attack computer networks.
Web applications: Application and database servers generate web content in real time, so attackers use techniques such as gluing, ping floods, port scans, sniffing attacks and social engineering to grab credentials, passcodes and company information from web applications. In many cases this is accomplished by preying on human nature to trick people into divulging sensitive information.
Email “phishing” schemes: One example of this type of attack is email “phishing” to trick individuals who are connected to corporate networks into changing their passwords or downloading files containing malicious code.
Wireless network vulnerabilities: Wireless networks are also vulnerable. By setting up a fake network with a name resembling that of a familiar and trusted one, let’s say at the local coffee shop, a hacker can easily gain passwords, credit card numbers and other sensitive personal information from unsuspecting internet users.
To thwart cyberattacks like these, ethical hackers first perform reconnaissance to gather as much information as possible about an organization’s IT assets. Their next step is to use techniques such as password cracking, privilege escalation, malicious software construction or “packet sniffing” to uncover vulnerabilities, weak links in the information system chain or loopholes in network security systems, applying the same tactics a malicious hacker would deploy to exploit those vulnerabilities.
Some of the vulnerabilities ethical hackers uncover include:
- Injection attacks
- Broken authentication
- Security misconfigurations
- Use of components with known vulnerabilities
- Sensitive data exposure
After testing, ethical hackers will prepare detailed reports that include steps to patch or mitigate the discovered vulnerabilities.
How to Become an Ethical Hacker
According to the IT security website CSO, some of the skills needed to become an ethical hacker include:
- Knowledge of scripting languages
- Proficiency in operating systems
- Deep understanding of networking
- A solid foundation in the principles of information security
After acquiring the basic skills, ethical hackers may choose to specialize in specific areas.
According to CSO, many ethical hackers become professionals in this field by obtaining formal training or by earning certifications. The EC-Council’s Certified Ethical Hacker (CEH) course can be taken online or in person with an instructor and covers 20 different subject domains, including common hacking subjects and modules on malware, wireless, cloud and mobile platforms.
The Offensive Security Certified Professional (OSCP) course and certification is another option you might consider pursuing.
At DeVry, our Undergraduate Certificate in Cyber Security can help you prepare to pursue a career as a cyber defender, securing sensitive data and protecting organizations against data breaches. The courses in our 100% online certificate program will teach you how to design strategies to protect information, infrastructure and brands against the threat of cyberattacks.
Some courses within our curriculum may also help you prepare to pursue industry-relevant cyber security certifications like:
CompTIA A+ - Earned after passing two exams designed by IT professionals. This certification focuses on troubleshooting, hardware, operating systems and networks.
CompTIA Cloud+ - A globally recognized certification that confirms an individual's ability to troubleshoot, set up and manage cloud computing systems securely.
CompTIA Linux+ - Designed for professionals who use the Linux operating system to manage networks and devices, this certification is particularly useful for carefully managing each aspect of a system or network.
Responsibilities of an Ethical Hacker
Ethical hackers must follow basic rules of conduct. Emphasizing the “ethical” part of their job title, they must adhere to an established code of ethics, such as the one developed by the EC-Council.
- Their first responsibility is to keep their activities legal by obtaining proper approvals before accessing systems or performing a security assessment.
- Ethical hackers must also determine the scope of the assessment to ensure their work remains within well-defined boundaries approved by the client organization.
- They must notify the client organization of all vulnerabilities discovered during their assessment and provide advice for resolving these vulnerabilities.
- Finally, the ethical hacker must respect data sensitivity and may have to sign a non-disclosure agreement or comply with other terms and conditions the client organization stipulates.
Penetration testers are typically part of an organization’s risk management team. They look for loopholes and vulnerabilities, and help reduce risk by showing management and IT department leaders areas that are likely to be attacked and the different ways in which a security breach might take place. To do this effectively, they must also take the necessary steps to obtain in-depth knowledge of the organization they wish to “hack” and think like a malicious hacker who would steal confidential data or lock authorized users out of the system until a ransom is paid.
A partial list of an ethical hacker’s job responsibilities may include:
- Meeting with organization management to review security systems currently in place
- Verifying the organization’s system, network topology and vulnerable entry points
- Performing penetration testing on the system
- Identifying and documenting security flaws and vulnerabilities
- Testing the level of information security in the network
- Determining the best security solutions
- Documenting findings and submitting penetration test reports
- Repeating penetration testing after implementation of new security features
- Researching alternatives to security features that aren’t working
Limitations of Ethical Hacking
Ethical hackers are typically required to operate within certain limitations in the scope and methods of their work, and constraints on the resources available to them. For example, ethical hackers are often limited by time constraints that don’t concern malicious hackers, and often work within finite power and budget allocations. The ethical hacker’s methods may be restricted by an organization’s request that they avoid test cases that would likely cause their servers to crash (as in Denial of Service or DoS attacks). Ethical hackers cannot progress beyond a defined scope to make an attack successful but can discuss “out of scope” attack potential with the client organization.
The Future of Ethical Hacking
Indications are that ethical hackers will continue to play a significant role in cyber security to reinforce information security and protect data systems in government, healthcare, banking and other industries. According to the U.S. Bureau of Labor Statistics, employment for information security analysts is projected to grow 35% on a national level from 2021 to 2031, much faster than the average for all occupations.1
What Is Ethical Hacking: Conclusion
As more aspects of our lives become digitized and cloud-based and cybercriminals become more sophisticated and motivated, the stakes become higher in the effort to defend sensitive consumer and financial data systems against data breaches and ransomware attacks. Working in partnership with IT professionals in government, corporate, financial, healthcare and ecommerce organizations, ethical hackers should continue to be an essential component of this effort.
Earn Your Undergraduate Certificate in Cyber Security
As the digital world expands, maintaining cyber security becomes ever more critical to businesses and their customers. At DeVry, our Undergraduate Certificate in Cyber Security program can help prepare you to pursue a career as a cyber defender, learning how to secure sensitive data and protect organizations against data breaches.
The courses in this program will help you develop fundamental cyber security skills and teach you how to design strategies to protect information, infrastructure and brands against the threat of cyberattacks. Classes start every 8 weeks.
1 Growth projected on national level. Local growth will vary by location. https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm