Definition

ethical hacker

Contributor(s): Michael Cobb

An ethical hacker is a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit.

Ethical hackers use the same methods and techniques to test and bypass a system's defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security.

The purpose of ethical hacking is to evaluate the security of a network or system's infrastructure. It entails finding and attempting to exploit any vulnerabilities to determine whether unauthorized access or other malicious activities are possible. Vulnerabilities tend to be found in poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

One of the first examples of ethical hacking occurred in the 1970s, when the United States government used groups of experts called "red teams" to hack its own computer systems. Ethical hacking has since become a sizable sub-industry within the information security market and has expanded to also cover the physical and human elements of an organization's defenses.

A successful test doesn't necessarily mean a network or system is 100% secure, but it should be able to withstand automated attacks and unskilled hackers.
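The configuration class of weakness mentioned above is the easiest to illustrate. The following is an added example, not code from the original page: a small audit that parses OpenSSH server configuration text and flags settings a tester would report, with a constructed weak configuration beside a hardened one. The rule set is an illustrative subset chosen for the example, not an authoritative benchmark, and the parser deliberately ignores `Match` blocks.

```python
"""Added example (not part of the original page): a minimal sshd_config
audit of the kind an ethical hacker runs when looking for "poor or
improper system configuration". The rules are an illustrative subset,
not a benchmark, and both config samples are constructed for the example."""
import re
from typing import Dict, List, Tuple

# (directive, insecure value, why a tester would report it) -- illustrative subset
WEAK_SETTINGS: List[Tuple[str, str, str]] = [
    ("PermitRootLogin", "yes",
     "direct root login means one guessed password gives full control"),
    ("PasswordAuthentication", "yes",
     "password logins are exposed to brute-force and credential stuffing"),
    ("PermitEmptyPasswords", "yes",
     "accounts with empty passwords become remotely accessible"),
    ("X11Forwarding", "yes",
     "unneeded feature that widens the attack surface of the host"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective directive -> value map.

    Mirrors sshd's rule that the FIRST occurrence of a keyword wins;
    comments and blank lines are ignored and names are case-insensitive.
    Conditional `Match` blocks are ignored (a simplification of this example).
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # everything after the first Match block is conditional; stop here
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip().lower())
    return conf


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding string per weak setting present in the config."""
    conf = parse_sshd_config(text)
    findings: List[str] = []
    for directive, bad_value, reason in WEAK_SETTINGS:
        if conf.get(directive.lower()) == bad_value:
            findings.append(f"{directive} {bad_value}: {reason}")
    return findings


# Constructed sample: a weak configuration and its hardened counterpart.
WEAK_CONFIG = """\
# sshd_config (constructed sample, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding no
"""

HARDENED_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak sample yields three findings and the hardened one none. The first-occurrence rule matters in practice: a hardened directive appended to the end of a file that already sets it earlier has no effect, which is exactly the kind of "improper configuration" a tester checks for rather than trusting what an administrator believes is in place.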

Any organization that has a network connected to the Internet or provides an online service should consider subjecting it to a penetration test. Various standards such as the Payment Card Industry Data Security Standard require companies to conduct penetration testing from both an internal and external perspective on an annual basis and after any significant change in the infrastructure or applications. Many large companies, such as IBM, maintain employee teams of ethical hackers, while there are plenty of firms that offer ethical hacking as a service. Trustwave Holdings, Inc., has an Ethical Hacking Lab for attempting to exploit vulnerabilities that may be present in ATMs, point-of-sale devices and surveillance systems. There are various organizations that provide standards and certifications for consultants that conduct penetration testing including:

  • CREST
  • Mile2
  • SANS Institute
  • EC-Council

Ethical hacking is a proactive form of information security and is also known as penetration testing, intrusion testing and red teaming. An ethical hacker is sometimes called a legal or white hat hacker, and the malicious counterpart a black hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat. The term "ethical hacker" is frowned upon by some security professionals who see it as a contradiction in terms and prefer the name "penetration tester."

Before commissioning an organization or individual, it is considered a best practice to read their service-level and code of conduct agreements covering how testing will be carried out and how the results will be handled, as the results are likely to contain sensitive information about how the system was tested and what was found. There have been instances of "ethical hackers" reporting vulnerabilities they have found while testing systems without the owner's express permission. Even the LulzSec black hat hacker group has claimed its motivations include drawing attention to computer security flaws and holes. This type of hacking is a criminal offence in most countries, even if the purported intention was to improve system security. For hacking to be deemed ethical, the hacker must have the express permission of the owner to probe their network and attempt to identify potential security risks.


This was last updated in November 2014


Join the conversation

17 comments


Helps a company or individual identify potential threats on the computer or network by attempting to hack their way past the system security, finding any weak points in the security that could be exploited by other hackers.
What’s your view on 'ethical hackers' who try to penetrate systems without the explicit permission of the system's owner?
Overall I think they're doing these companies a favor, but ultimately I think it depends what they do after they find the vulnerability. If they try to make money off the situation, it starts feeling a little less 'ethical'.
I feel if you are doing it without a company's permission it is not ethical. If they have a bounty for finding bugs, and provide the details of how to report the issue to claim the reward, it's OK. Ethical hacking to me means testing your system for flaws and possible security breaches, not someone else's who is unaware of your presence.
I don't think there's any question as to whether or not this practice is "ethical". If you're fooling around with someone else's systems without permission, I'm confident that would be viewed by law enforcement, prosecutors, judges, and juries as an illegal act. If you have enough time to be doing this then perhaps you should get a job doing the work legitimately - your income earning potential is unlimited, so why not!?
Kevin, I know this is a late reply, although I would like to explain why your thought of just "get a job" is quite creative. There are many jobs which require a degree and years of professional experience. These people doing this have time to investigate security issues, just like some people go home and actually put puzzle pieces together. Just because someone has a hobby and puts time towards it does not mean they need a job in it. Even if these people did want to do this professionally, such as myself, workplaces tend to make it dry. There is something exciting about finding a "hole" in the wild, then tasting the forbidden fruit without setting ablaze the whole tree. I myself have reported security issues to companies, some being Fortune 500 companies. I have done this voluntarily; sure, I have probably seen information I should not. At the end of the day, these companies just do not take security seriously enough though. After all, why would an "unethical hacker" be a threat if security was taken seriously? This world is not all innocence; just the same way you don't let 4-year-old children run around outside unattended, you should not let your guard down on your systems. There is an adrenaline rush that you get; it cannot be attained from doing something perfectly lawful and systematic. It is fun to just go freelance on the net. You sound like the type that thinks people running a port scanner should be in prison for life. Driving by someone's house and looking in their windows from a public street should not be criminal. This is the Internet, be secure or do not be. These are just my thoughts.
I think that hackers are something like a "necessary evil". And I say "necessary" because, as Sherry Turkle writes in "The Second Self: Computers and the Human Spirit", hackers are users who don't treat computers as tools, but are guided by an enthusiasm for the process and not just for the result. So, I believe that the largest percentage of hackers are more interested in improving a technology than in money speculation.
Ethical hackers really are helpful people. Just imagine how many companies would be ruined because of hackers.
My view is that those people have too much time on their hands.

Beyond that... well, I'm not really sure if I think it's ethical. Kind of a gray area. I guess that if they provide the company with useful info about the vulnerability with nothing but the intention to help, and not exploit the issue, then good for them.
The article gives the following definition at the very beginning.

"An ethical hacker is a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit."

Hence the question of the discussion is a bit irrelevant. Without permission hacking production systems is not really ethical.

On the other hand, exploring software systems via conventional methods available to all users is not "hacking", is it? The problem is, with today's quality an innocent attempt has chances of bringing down the system :)
Hire them. Force them to work for their living....
How would you feel if someone "ethically hacked" your personal computer? Would you be mad, or thank them for finding a problem? Also, would you trust them not to have gone poking around too far and stolen personal info, installed a virus or some other malicious software?
That's a very good question!
If you were the owner of a software company and you had been hacked, then what is the percentage of your gain and your loss?

Firstly you will check what the hacker exactly did to your own system/software. How did he upgrade it? Which technical method did he choose to make your software even better? And if he really did a good job, then the media will start to focus on your company about security and policy issues.

So there are 2 cases: If you are a small company, you will learn from the hacker's interference and you will try to make a better product, with no damage to your business image since the media will not be interested. On the other hand, if you are a big company, a hacker will grow the market competition and push you to make something more alternative. Moreover, even if the media will talk about the "knock" from the hacker, it's still advertising for you.

So it will always be a 50-50!
Ethics! That's the big word here
Anyhow, intrusion or attempted intrusion in someone's network or system is illegal under the IT Act 2000.

ATTEMPT OR INTRUSION IN A SYSTEM IS AN OFFENCE UNDER THE IT ACT 2000. The word "ethical" is confusing and gives no protection under law. It basically denotes instructions obeyed by an employee of his employer for the benefit and protection of their system. In fact, as long as another system has not been disturbed, it can be said to be ethical, but if disturbed then it is unethical and is intrusion, and both employee and employer may emerge as conspirators, unless the hacker has done it for himself only.
@Asphyxia, my apologies - I don't receive notifications of responses to these comments, but I just came across yours from a while back and wanted to reply. I strongly believe in the concept of live and let live. Are these organizations with ridiculous - and basic - security flaws asking to have their systems tested? Probably not - I think that's way beyond the thought process of those who are in security denial. Whether these hackers are considered ethical, criminal, or somewhere in between, there's a universal law that applies here: choices have consequences. You're free to do what you choose (to an extent, although that's changing with government growth)...still, you have to live with what comes along with those behaviors - for better or for worse. If you're going to "help" people by hacking their systems, why not do it as part of a long-term, successful career in this field? Any other way is probably going to be frowned upon...again, especially by those who don't get the essence of security.
These hackers try to learn about the system and also find the weakness in the system; they should be "jailed": felony done without permission.