Ethical hacking and penetration testing: what’s the difference?

Ethical hacking has become a popular buzzword that you’ll hear used in virtually any company that has a large online presence and wants to protect it. But the phrase ‘ethical hacking’ is often confused with the concept of penetration testing. It is important to distinguish between the two as it can make a big difference to the cyber defence strategy that you take in the future. First, let’s look at the history of ethical hacking to help understand what it is and how it can be useful.

What is ethical hacking?

At first glance, the phrase ‘ethical hacking’ sounds like an oxymoron. To understand it, we first need to understand ‘hacking’. It should be noted that hacking was not originally intended for computers; in fact, it pre-dates the traditional personal computer as we know it today. The first modern mention of hacking was in the 1960s and it was in reference to activities at the famous Massachusetts Institute of Technology (MIT). It was a way of bypassing certain aspects of a system and in the very first example it was used in the Tech Model Railroad Club.

By the 1970s, ‘hacking’ had taken on a more familiar meaning as it was being used to describe nefarious activities such as phreaking, which allowed people to make long range phone calls for free by mimicking the dial tone. Then the rise of computer systems, and eventually the internet in the early 90s, saw the development of hacking as we know it today.

And almost as soon as malicious hacking existed, there were people taking the same techniques that cyber criminals would use to bypass defences and using them for good. This is what is known as ‘ethical hacking’: ethical hackers uncover the faults in a cyber security system so that organisations can fix them before cyber criminals find them.

How does traditional penetration testing differ from ethical hacking?

Penetration testing is simply one form of ethical hacking that attempts to find holes in a cyber security system. It can be useful for testing whether specific forms of cyber defences are strong enough to defend against hacking. However, penetration testing is a very narrow type of cyber-attack. It could actually be considered ultimately impossible, as the final goal is to show that there are no possible ways to enter a system, but proving a negative is impossible.

Even if the penetration test is carried out thoroughly, it doesn’t necessarily show anything other than the fact that the tester was unable to find any faults, not that the faults don’t exist.

What are the alternatives?

More advanced forms of ethical hacking, such as structured attack simulation (SAS), provide a far more eye-opening look into a company’s cyber defences. The problem with penetration testing is that it doesn’t go any further than the base levels of hacking attacks, but modern cyber criminals are often far more sophisticated.

SAS often includes surveillance of the organisation and its employees to look for easy ways into a system. Skilled hackers understand that the easiest way into the system is likely to be the best, especially if they can compromise a business by using internal credentials and employee passwords.

SAS also uses techniques that traditional penetration testing would not deploy, such as creating custom malware and spear phishing campaigns to get access to a system.

The truth is that in the modern world of hacking, simple penetration testing is not effective enough to provide any great level of security. It takes more sophisticated techniques of ethical hacking like structured attack simulation to ensure that a business can feel entirely safe from the reaches of cyber criminals.

Guest article written by: Mike James, an independent content writer with a keen interest in cyber threat and its prevention. For the information in this post, Mike consulted Redscan, penetration testing and cyber threat security specialists.

1 thought on “Ethical hacking and penetration testing: what’s the difference?”

  1. You made some decent factors there. I looked on the internet for the difficulty and found most individuals will associate with along with your website.
