
The ethical hacker and his role in security

13.11.2023

Ruslan Rakhmetov, Security Vision


People who understand how a programme, website or database is built are sometimes called hackers. In this article we explain who is actually meant by the term, dispel the main myths about what they do, and show how an ethical hacker differs from the rest.


Sophisticated technologies have firmly entered our lives: education, work, everyday routine and entertainment all depend on them. Technology usually has developers, owners and customers, and the systems it runs on store data of all kinds, from trivial to sensitive. This means there are people who seek to obtain that data by hacking into the system, and people who protect it from intruders.


Ethical hacking is the use of technology knowledge to investigate systems, discover vulnerabilities and apply hacking skills to enhance security. The process is described by different methodologies (much as NIST describes cyber incident response processes), but in general it consists of a set of understandable steps:


1) Information Gathering

This step involves gathering as much public information as possible about the target system, network, employees and structure of the organisation. Available legitimate information retrieval tools and sometimes social engineering techniques are used.


2) Scanning the target

The hacker uses various tools to find vulnerabilities in the target system (searching for open ports, services and applications). Similar tools are used inside companies to describe the IT landscape and manage company assets.


3) Gaining access

Access is gained using the technical vulnerabilities discovered in the previous step, weak passwords, unprotected computers and so on.


4) Lock-in (maintaining access)

It is advantageous for a hacker to have permanent access to the system, so everything is done to ensure that after the device is first restarted, or the user returns to the desktop, the hacker can remain inside the infrastructure of the ‘hacked’ object.


5) Privilege analysis

The hacker analyses the access gained and determines what capabilities they have from that point of entry. It is common to seek administrator privileges, domain controller access or other privileges, sometimes bypassing the existing IdM system.


At the end of the process, the ethical hacker writes and delivers a report to the customer, on the basis of which security policies can be adapted so that in future another hacker (this time presumably a real attacker) cannot exploit the known weaknesses in the company's layers of defence.


An ethical hacker is not always a full-time employee or someone working within the perimeter. Sometimes knowledge and creativity in solving tasks similar to penetration testing are used in a kind of competition, where the company is prepared to pay anyone who finds bugs and vulnerabilities (as, for example, Yandex and Google do).


Becoming a ‘white’ hacker is easiest for those who study or apply information security knowledge in practice (i.e. students, IT employees, SOC analysts, etc.), and skills can be confirmed at special competitions (e.g. educational, vendor or partner competitions), as well as with certificates (CEH - Certified Ethical Hacker, OSCP - Offensive Security Certified Professional, etc.).


Most often, hackers are understood to be people who break into a system to profit by deception, but this is not always true: ethical hackers and malicious hackers may indeed share a motivation (making money), but their approaches and ways of working differ. Where black hackers plan destruction, data theft or other malicious activity, white hackers seek to improve security and are willing to earn an honest living (e.g. as a full-time employee). White hackers carry out penetration testing with the permission of system owners to improve data security, including the protection of customers.


Thanks to cinema (e.g. the American "Mr. Robot" or the Russian-made "Offline") and the general halo of secrecy surrounding the profession (Cicada 3301, Anonymous), some people believe that hackers are members of hidden organisations that use technology unavailable to ordinary people and can hack anything. In reality, however, it is almost impossible to hack every system, and the techniques and tools used can be learnt and understood quite easily. Most attacks are based on rudimentary techniques such as weak passwords, phishing (where the victim hands the data to the hacker) and social engineering (where psychological tricks are used). A hacker is not necessarily a secretive young man sitting in a basement packed with advanced technology.


A third myth about hacking is that a computer can be hacked in seconds and no defence will help. In reality, since hackers use ordinary, well-known technologies and psychological tricks, many of their tools are already well studied and described: they are taught in universities and covered in analytical reports and threat intelligence feeds.


It is also important to highlight that it is not only computers that can be hacked, but also networks (which we covered in another article), smart devices (IoT, Internet of Things), smartphones, tablets, banking systems and many other devices and objects.


Both types of hackers, meanwhile, can operate alone or in groups and communities. White hackers often operate under contracts or agreements that define the scope and goals of their penetration testing. The actions of black hackers are illegal, and the attacker may be penalised for them. To separate the two concepts definitively, we propose the following basic principles of ethical hacking:


- Compliance with laws and regulations

There are laws and regulations governing information security and computer systems that keep people and companies safe. In an ethical process, laws are followed 100%.


- Goals and Methods

Despite similar processes, the methods of ethical hackers are aimed at improving system security rather than stealing data or blackmailing. The search for vulnerabilities and potential threats in the ethical hacking process culminates in remediation rather than exploitation.


- Permission to operate

For ethical hackers, contracts are drawn up, explicit authorisation is given by system owners, or public rewards are announced for activities that improve security.


Thus, hackers may indeed use their skills and abilities to break into technical systems, but they may do so not only to steal or destroy data but also to improve security. Anything can be broken, but basic techniques for protecting yourself and your data work well against malicious hackers.
