Penetration testing

Ethical hacking vs. penetration testing

Dimitar Kostadinov
June 10, 2016 by
Dimitar Kostadinov

History of ethical hacking

It all began in the 1960s at MIT when the notion "hacker" was coined to mean someone dedicated to solving technical problems in machines in a different, more creative fashion than what is set out in a manual. Back then the people practicing "hacking" just intended to find out a quick way to evaluate and improve problematic systems that need to be optimized.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The term migrated to computers in the 1970s, and according to one famous definition from that period, a hacker was "a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary (the Request for Comments (RFC) 1392, the Internet Users')."

Chronologists can trace the roots of ethical hacking back to 1960s and 1970s when the U.S. government hired groups of security experts known as 'red teams' whose job was to hack into the government own computer systems.

Around the early 1980s, the ethics of hacking were solidified: "It was never about attacks and never about monetary gain. The underlying principle was to understand the system and make some kind of logic out of the chaos," said Mark Abene, one of those 80s hackers.

In the late 80s and early 90s, the term was very popular, but it acquired a negative connotation synonymous with "digital trespasser." In this respect, here you can read an excerpt published in the Times in 1990:

Computer hackers often sell the stolen codes to other students for a few dollars.

Mr. Poulsen, who is charged with the most crimes, has a history as a "hacker," who began trespassing in university and government computers as a teenager using the assumed name Dark Dante, according to a profile in California magazine in 1984.

Furthermore, Kevin Mitnick was a famous hacker arrested and tried during the 1990s.

As it seems, however, the purpose of the ethical hacking from its very beginning is to right the wrong in security systems created to protect the functionality of other systems and the integrity of data within the systems under attack. In 1998, a Boston-based hacker group called L0pht Heavy Industries discovered a way to shut down the Internet, and its leaders got in touch with the Committee on Governmental Affairs to give "advice rather than being accused of causing trouble." From that moment on hackers were no longer regarded as naughty kids, they were considered something like security guardians.

Ever since its inception until today, ethical hacking has become an inseparable part of the cyber security market and is in a process of rapid development all the time. The majority of all large companies nowadays, especially those having valuable information assets such as IBM, employ own corporate teams of ethical hackers or use security firms that offer ethical hacking as a service.

Types of hackers

The concept of persons wearing white and black hats by the nature of their intentions – either good or evil – originates from the Western genre of movies. For example, the white-black dichotomy is clearly visible in Sergio Leone's Once Upon a Time in the West where the good guy, Charles Bronson, is wearing a white hat and the villain, Henry Fonda, has a preference for darker colors.

An individual who is hired by an organization to provide ethical hacking or penetration testing as a service is referred to as a "white hat" hacker. Such hackers gain access to a computer system that does not belong to them, but they do so only after they have obtained the owner's permission. Once a white hat hacker takes advantage of system vulnerabilities that allow him to conduct a cyber attack, he is ethically (and often contractually) obliged to reveal these vulnerabilities directly and solely to the owner. Also, it is against a white hat hacker's professional ethics to misuse information he knows, for instance, to keep the existence of a vulnerability in his employer's system secret so that he can use it for his own personal gain later on. A black hat hacker is likely to do such thing.

To summarize, organizations hire white hat hackers, who are also known as ethical hackers, to hack into their corporate information system, using penetration testing techniques, to remediate security omissions and improve the overall cyber security defenses.

White hat hackers may resort to social engineering to test a company's cybersecurity because this is a common technique used by black hat hackers in the real world. By performing social engineering scams, a white hat hacker may end up gaining access to confidential information after he has used someone else's credentials he had stolen before that. In the end, the hacker may be prosecuted for breaches of different data legislations which prohibit taking advantage of customer or employee information.

Another method to worm your way into corporate matters is through companies' business partners. Big corporations rely on a long supply chain – a well-known fact. Despite their best efforts to secure everything from the bottom to the top, there are always weaker links. Just think of the Target case. Therefore, an ethical hacker may want to penetrate into an associate company first so that he can get inside information, which is then used for gaining a foothold into the main target. However, unless these business partners have been covered by the scope of the penetration test, the ethical hacker may have overstepped the thin line between legal and illegal.

Moreover, the "my-hands-are-clean" principle introduced by Pontius Pilate, among other historical figures, is applicable here as well – every organization that has granted permission to pentesters to do their job is more or less free to claim that it has taken "better than best efforts" to improve its cyber security. Presumably, such a claim is accompanied by a nicely polished report that identifies weaknesses and according to recommendations.

Consequently, although the majority of companies believe that the mere act of authorizing an ethical hacker to test an organization's defenses is per se legal, it is still a gray area not sufficiently regulated. Without pen tests carried out by ethical hackers, however, how would a business entity be able to identify weaknesses and improve defensive capabilities against real cyber criminals (i.e., the black hats)? In that sense, these activities are a necessary business service. To be on the safe side, a pentester needs to ensure that:

  1. he has a valid, written, signed and plain form of authorization to conduct pen tests on an organization;
  2. the scope and other important terms and conditions are clearly set out in a contract – for example, how the pentester will deal with proprietary or confidential information, which networks, systems, and branches are to be part of the pen test, usage of tools, damage control, report requirements, etc.;
  3. he strictly adheres to the terms of the contract at all times and observes the law.

Much like the Yin-Yang dualism, black hat hackers are the evil twins of the white hat hackers. The term was coined by Richard Stallman to illustrate the contrast between the maliciousness demonstrated by criminal hackers and the spirit of playfulness and exploration of hacker culture presented by white hat hackers, who carry out hacker activities to identify places to repair. Black hat hackers' motives also differ, ranging from hacking into systems just for fun (e.g., script kiddies) to committing financially motivated computer-related crimes (e.g., DDoS attacks or ransomware). They practice the same profession, yet they practice it in violation of all kinds of ethics and norms (expert for maybe some personal code of ethics).

Black hats perform cyber attacks and other illegal activities; thus, simply put, they are computer criminals. Unsurprisingly, the black hat hackers are the types of hackers on which the media like to focus. Not a week goes by without we hearing or reading news about some mischiefs committed by malicious hackers, whether that will be a hacking story with a political nuance (e.g., How Anonymous hacked Donald Trump), corporate hacking (e.g., Anthem, Target), celebrity hacking (e.g., Sony Pictures Entertainment or other embarrassing photo leaks), or hacking that concerns consumers (practically every case that has something to do with stealing consumer data, such as Anthem, Target, Ashley Madison, etc.).

Sometimes a black hat hacker is an accessory to a crime, as in cases where he finds a brand new, "zero-day" cybersecurity weakness and then sells it to the actual wrongdoer on the darknet; the buyer might be a criminal cybergang specializing in a particular kind of cyber crime, for instance, intellectual property theft.

The L0pht hacker group first mentioned the term gray hat in 1998. A gray hat hacker undertakes acts considered as borderline illicit – you never know what is the nature of his game. To have a better grasp of the controversy called gray hat hackers, imagine how you would feel if an unknown person(s) compromises your computer system, without obtaining first permission from you, out of a desire to show you what you need to do to fix the backdoors he has taken advantage of. You would wonder whether to turn in this person to the authorities or thank him vehemently, wouldn't you?

Ethical hacking vs. penetration testing

Despite that these two terms are often used interchangeably, there is a thin but distinct enough line between them.

Penetration testing is a formal procedure aiming at discovering security vulnerabilities, flaws risks, and unreliable environment. In other words, penetration testing can be seen as a successful but not damaging attempt to penetrate a specific information system; mimicking activities cyber criminals would engage in with the intention to compromise this system.

Generally speaking, organizations conduct pen tests to strengthen their corporate defense systems comprising all computer systems and their adjoining infrastructure. It is to be noted that while penetration testing can help organizations fortify their cybersecurity defenses, this measure should be performed on a regular basis since malicious entities invent all the time newer and newer weak points in emerging systems, programs, and applications. Even though a pen test may not provide answers to all of your security concerns, such a test will significantly minimize the possibility of a successful attack.

Ethical hacking, on the other hand, is an all-embracing term that includes all hacking methods, and other related cyber attack methods. Some people disagree with hacking being considered "ethical" in any way. They deem that the word "hacker" in the term "ethical hacker" is added to attract more people to training programs and courses. For that reason, among other things, these people would prefer not to associate this term with them.

Compared to ethical hacking, penetration testing is a more narrowly focused phase. Simply put, ethical hacking is something like an umbrella term, and penetration testing is merely one fragment of all techniques, which is designed, as already mentioned, to locate security issues within the targeted information surface. Hence, penetration testing is some subset of ethical hacking.

Penetration Testing Ethical Hacking

A narrow term which focuses on performing cyber security assessment on IT systems A comprehensive term in which penetration testing is only one feature

A tester needs to have a good knowledge and skills only in the specific area for which he conducts pen testing An ethical hacker needs to possess a comprehensive knowledge of various programming and hardware techniques

Anyone who is familiar with penetration testing can perform pen tests Usually is required an obligatory certification of ethical hacking

Access is required only to those systems on which the pen testing will be conducted Access is required to a wide range of computer systems throughout an IT infrastructure

Interested in receiving an online hacker certification? Check out InfoSec Institute's award-winning training boot camps.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Sources

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.