The Challenges of ethical hacking
Learn more about the different challenges presented within ethical hacking.
Ethical hacking – also known as penetration testing or pen testing – is an activity that an individual or team performs in order to attempt to breach and compromise an organisation’s assets. Through the application of deep technical experience and skills, the ethical hacking exercise works to identify cyber (or other) vulnerabilities which may lead to a breach of the asset. These assets can take the form of technology systems; physical locations; processes; and even staff members (whose behaviours are influenced via social engineering tactics).
To start an ethical hacking engagement, an organisation agrees a legal contract and rules of engagement with the ethical hacker, or with the penetration testing company for which the ethical hacker works. This contract authorises the tests to take place and waives, for the testers, any legal repercussions and liability for business-impacting outcomes associated with the activity.
Ethical hacking is a form of testing the effectiveness of a target’s defences: a target may have invested resources into developing and deploying defences to protect themselves from cyber-attacks and the loss or damage of their reputation, but regular testing is required to prove their effectiveness. Ethical hacking helps to validate these defences and identify weaknesses or gaps that can be remediated ahead of any genuine attacks occurring.
Ethical hacking is a critical security control and a necessary component of any organisation’s cyber defence strategy. Organisations invest heavily to protect their intellectual property and data, and employ the skills of ethical hackers to provide clear evidence as to whether this investment provides the level of protection required to at least meet the risk appetite of the business.
A simple way to think about the need to perform ethical hacking is through a behaviour many of us already adopt in our private lives – when we leave our homes each day, we lock our front doors and likely ‘test’ to ensure the door is actually shut and locked. In exactly the same way, ethical hacking can help to validate that an organisation’s proverbial ‘front door’ is secure and is protecting the assets that reside behind it to an acceptable level of security.
Key concepts of ethical hacking include:
The whole point of ethical hacking is that those delivering the tests work with, not against the target organisation. Ethical hacking aims to raise their security bar and discover vulnerabilities before someone malicious is able to. It is critical that testers remain ethical in their approach and only hack the organisation(s) that they are legally contracted to work with – ensuring they remain true to the contract’s Statement of Work; Rules of Engagement; and never wander into legal ‘grey areas’ or beyond.
It is important to keep within the defined Scope of any ethical cyber attacks, and not to edge beyond it without further approval (i.e. written consent) from the client. Scope ‘creep’ – as it’s often called – is where ethical hackers go outside of the confirmed scope. This can lead to unintended consequences and impacts for them and their clients – which at best would damage the relationship with the client, and potentially have legal and commercial ramifications.
As a testing regime, ethical hacking involves going much further than exploring only the surface of a technology stack, or simply running an automated Nessus-like vulnerability scan. Effective ethical hackers ensure that they dive deep to find vulnerabilities that scanners cannot. Through our Swarm’s own engagements, CovertSwarm regularly finds that the most interesting and impactful cyber vulnerabilities are only found through manual – person-led – ethical hacking.
Ethical hacking involves significant levels of communication with your target’s team members; sometimes as much time is spent in discussion as is deployed on actual ‘hands on’ vulnerability hunting. Keeping the client appraised of your activities whilst asking pertinent questions to enrich your understanding of their organisation and its underlying technologies leads to the most effective and efficient ethical hacking engagements.
The output from any ethical hacking activity is as important as the ethical hacking itself. The vulnerability reporting should clearly detail the scope, activities undertaken, test plan, findings and most importantly include clear steps to evidence, replicate and remediate the found issues. The report must be written with the intended audience in mind, and be actionable for the client whilst avoiding the need for significant levels of debriefing or explanation from the ethical hackers involved.
The main issues and disadvantages with ethical hacking are:
Across the cyber industry, there are numerous ethical hackers and companies offering ethical hacking and penetration testing services. It can be challenging for businesses to cut through this noise and to identify quality providers. The best place to start is to look at established businesses whose main focus is providing offensive security services. Ensure that you speak directly to their ethical hackers; review their accreditations; ask for client references; and review sanitised examples of previous work.
Less experienced ethical hackers are more likely to cause issues and business interruption when delivering their ethical hacking services. To mitigate this risk, ensure that you always use experienced ethical hackers who understand how to limit the risk of any potential system impact during their pen test delivery. Furthermore, ask the pen test company to evidence and explain their policies, procedures and commercial insurance should an incident occur.
Ethical hacking should be manually led, with the specialist relying on experience and knowledge and only lightly assisted by automated software tools. If your ethical hacker relies heavily upon software tools such as vulnerability scanning engines, then you are unlikely to gain significant value from the ethical hacking engagement.
Some of the limitations of ethical hacking include:
By this, we mean that the coverage the ethical hackers can achieve (and so the assets they can effectively pen test) is limited by the time allocated to their snapshot engagement. The more time allocated, typically the more coverage will be obtained.
Organisations normally limit the scope of their ethical hacking engagements. This can be because they have limited budgets, or because they are concerned that the ethical hacker will find issues in certain areas beyond the provided scope. Unfortunately, this is a counterproductive posture to take: the purpose of any cyber testing is to identify risk and to then take action to either mitigate, reduce or accept it. As such, it is in the client’s best interests that the ethical hacker has the ability to cover as much ground as possible to identify, evidence and prove where vulnerabilities exist and how they can be exploited.
We regularly see reports of organisations procuring ethical hacking and penetration testing engagements which turn out to be quite different from what they purported to be: all too frequently we see basic vulnerability assessments or vulnerability scans delivered instead, where the ‘ethical hacker’ simply runs one of the many popular vulnerability scanning tools and rehashes the tool’s report – rather than applying their skillset or experience to unpicking and identifying vulnerabilities.
Your organisation is constantly changing and one of the key limitations of ethical hacking is that it delivers only a snapshot of your cyber security health at that point in time. Due to the constant change incurred by successful organisations upon themselves, the ethical hacking reports they receive are out of date the moment they are published. Modern, constant cyber-attack offerings such as that delivered by CovertSwarm solve this problem by keeping pace with the target organisation’s rate of change, and effectively close their cyber risk gap.
If you or your employed researchers are hacking legally there are no ethical implications. Only ever hack devices that you own and have full control of, and, if your estate is in a hosted environment, only where doing so does not breach any Terms of Service (or Use). Always ensure that you hack only organisations with which you have a contract in place that provides legal permission and associated liability waivers, and adhere to any relevant country “communication” laws.
Under no circumstances ever attempt to ‘hack’ any organisation where you do not have full and complete legally binding permission to do so. This includes exploring services outside of something you ‘own’ and have complete right of control over. For example, if a device you have communicates back to an organisation via an API, you should not target said organisation unless explicit permission exists as part of their own bug bounty program, or other similar permission has been granted.
An ethical hacker is an individual who acts legally and ethically in all aspects of their hacking. They will only hack organisations where they are authorised to do so and have all of the necessary legal contracts and permissions in place.
A malicious hacker is someone who operates to breach and gain access to an organisation’s data, systems or services via illegal means and for illicit gain – often breaking multiple laws as part of their activity.
Yes, there have been a number of examples where previously malicious hackers and cybercriminals have changed their ways to become ethical hackers.
Absolutely. In fact, we think it’s one of the most fun, creative and rewarding careers that exist.
When you become an ethical hacker you face a different and unique challenge every day – getting paid to learn, explore and exploit an array of technologies. What could be better than that?
Furthermore, the career offers outstanding progression opportunities and infinite areas for learning and development for its practitioners.
In CovertSwarm’s view, the basic requirements to learn ethical hacking are:
To have a willingness to learn and be curious;
To have at least a foundation-level technology knowledge (in any area) to build your hacking knowledge upon;
To want to help organisations protect their assets and intellectual property from genuine attack.
You need very little initial experience to start your career as an ethical hacker. Begin by getting involved in the cyber community and speaking to other, more experienced ethical hackers. There is a wealth of excellent, free information available online to support you, backed by an open and engaging cybersecurity community. Hey, you are reading this blog, right? So you’ve already made your first step!
In terms of skills – none are specifically required, but a foundation technical skillset will definitely help. Some of the very best ethical hackers have previously been developers or infrastructure engineers.
You can use a number of methods of study to learn ethical hacking. For example:
Numerous great books are available on Amazon;
There are numerous audiobooks;
There are various online courses available, some of which are even free;
There are companies offering classroom-led training;
You can learn from peers in the community, just get involved!
For specific recommendations drop an email to us and we’d be happy to speak with you.
A prescriptive course can help you to focus on a set syllabus of materials with key outcomes and takeaways forming a rewarding part of your knowledge capture.
Here are some great free Ethical Hacking courses that we recommend:
Virtual machines are important for ethical hacking for the following three reasons:
Virtualisation allows you to run multiple operating systems from within a single ‘host’ system. This enables tools that are designed for different operating systems to be used alongside one another as part of your ethical hacking activity and toolkit.
Virtualisation enables you to ‘sandbox’ your ethical hacking activities so that you can test parts of your ethical hacking approach – such as exploit and payload development – in isolated VM environments before performing them against your intended, real target.
Should an unexpected issue occur – for example a tool or system fault – you can quickly and easily roll back to a previous machine ‘state’ or snapshot.
To find a trusted professional ethical hacker, start with a company that specialises in offensive security services: penetration testing and ethical hacking. These companies will have professional ethical hackers working for them directly as employees, and will typically have procedures in place to validate their ethical hackers’ skills and capabilities whilst also performing the necessary background checks to ensure they are indeed ethical.
Organisations where ethical hacking and penetration testing are the main business lines are usually the best places to start.
Using organisations that themselves accredit and audit penetration testing companies is usually a great place to start, such as The Council of Registered Security Testers (CREST). CREST accredits penetration testing companies, and for excellent service delivery and quality assurance we recommend working with companies like CovertSwarm, who are additionally Simulated Targeted Attack and Response (STAR) CREST accredited – having been through additional audits and quality/capability checks. As one of the very limited number of STAR accredited companies, CovertSwarm also offers Intelligence-Led penetration testing services.
A final note – when appraising the ability of your ethical hacking vendor, be sure to ask for sanitised examples of their recent work and for specific experience in your sector.