Penetration Testing
Ethical hacking is a term that describes a range of activities undertaken to evaluate the security of an information system by attempting to gain surreptitious access to that system using the same techniques and resources that a criminal hacker might employ.
Can you hack my spouse’s Gmail account?
Yes, we probably can, but we won’t. Why? Because that would be a crime, and we are not criminals. Ethical hacking differs from criminal hacking in several respects:
| | Ethical Hacking | Criminal Hacking |
|---|---|---|
| Role | The ethical hacker acts in support of the information security efforts of the target system. | The criminal hacker acts to circumvent or subvert the information security efforts of the target system. |
| Beneficiary | The beneficiaries of an ethical hack are first the client and second the community, which can develop more effective security systems from the lessons learned. | The beneficiaries of a criminal hack are first the financial gain (and perhaps fame) of the hacker; all else is second. |
| Motivation | Although an ethical hacker is paid a fee for services rendered, the financial reward is seldom the ethical hacker’s primary motivation. In general they are motivated by the challenge and by a desire to discover new vulnerabilities and exploits that can be fixed to the benefit of everyone. | A criminal hacker is almost always financially motivated. In other words, their hope is that the target system will contain data of value that can be resold or used to generate revenue (for example, personal identification data, credit card and bank details, source code, trade secrets or other valuable data). |
| Intention | The ethical hacker intends to test the security of a system. When a vulnerability is discovered, an ethical hacker will notify the client and await further instructions before attempting to exploit that vulnerability or putting the client’s system at greater risk. | A criminal hacker has no regard for the impact that their activities might have on the target system. Their intention is to gain unauthorized access by any means possible – even if their actions could cause system failure or data destruction. |
| Authority | An ethical hacker gains authorized access to a target system. The owner or their authorized representative gives the ethical hacker permission to conduct a penetration test. Strict guidelines (rules of engagement) are usually stipulated so that the target system and its data are never damaged or placed at risk of compromise. | A criminal hacker gains unauthorized access to the target system and, in so doing, is engaged in criminal activity. They are not confined or limited by the wishes of the target system’s owners and have no regard for the financial and other losses that the target may suffer. |
| Assignment | The ethical hacker’s assignment is to probe a target network in the same manner a criminal hacker would, so that any vulnerabilities in the target systems can be addressed. | The criminal hacker intends to gain unauthorized access to systems and data for any number of malicious, criminal or destructive purposes. |
| Methodology, toolbox and skillset | There is little or no difference in the methodologies, tools and techniques used by ethical hackers and criminal hackers. There are, however, significant differences in how certain tools are used and how techniques and methodologies are applied – with the ethical hacker constantly aware of the risk that their actions might pose to the target system’s integrity or availability, and the criminal hacker constantly aware of the risk of their actions being exposed and their access terminated before they have completed their mission. | Same as for ethical hacking (see left). |
| Secrecy | An ethical hacker signs a non-disclosure agreement which prohibits them from disclosing any information related to the client, the target system, the assignment or the outcome. | A criminal hacker is not bound by any non-disclosure agreement, and will often publish details of the hack online (including dumping stolen data in the public domain). |