ethical hacker

Contributor(s): Linda Rosencrance and Michael Cobb

An ethical hacker, also referred to as a white hat hacker, is an information security expert who systematically attempts to penetrate a computer system, network, application or other computing resource on behalf of its owners -- and with their permission -- to find security vulnerabilities that a malicious hacker could potentially exploit.

The purpose of ethical hacking is to evaluate the security of and identify vulnerabilities in systems, networks or system infrastructure. It includes finding and attempting to exploit any vulnerabilities to determine whether unauthorized access or other malicious activities are possible.


Ethical hackers use their skills and many of the same methods and techniques to test and bypass organizations' IT security as their unethical counterparts, who are referred to as black hat hackers. However, rather than taking advantage of any vulnerabilities they find for personal gain, ethical hackers document them and provide advice about how to remediate them so organizations can strengthen their overall security.

Ethical hackers generally find security exposures in insecure system configurations, known and unknown hardware or software vulnerabilities as well as operational weaknesses in process or technical countermeasures.

Any organization that has a network connected to the Internet or provides an online service should consider subjecting it to penetration testing conducted by ethical hackers.


Uses of ethical hacking

There are a number of ways ethical hackers can help organizations, including:

  • Finding vulnerabilities. Ethical hackers help companies determine which of their IT security measures are effective, which need to be updated and which contain vulnerabilities that can be exploited. When ethical hackers finish evaluating organizations' systems, they report back to company leaders about those vulnerable areas, for instance, a lack of sufficient password encryption, insecure applications or exposed systems running unpatched software. Organizations can use the data from these tests to make informed decisions about where and how to improve their security posture to prevent cyberattacks.
  • Demonstrating methods used by cybercriminals. These demonstrations show executives the hacking techniques that malicious actors use to attack their systems and wreak havoc with their businesses. Companies that have in-depth knowledge of the methods the attackers use to break into their systems are better able to prevent them from doing so.
  • Helping prepare for a cyberattack. Cyberattacks can cripple or destroy a business, especially a small business. However, most companies are completely unprepared for cyberattacks. Ethical hackers understand how threat actors operate and they know how these bad actors will use new information and techniques to attack systems. Security professionals who work with ethical hackers are better able to prepare for future attacks because they can better react to the constantly changing nature of online threats.

Ethical hacking techniques

Ethical hackers generally use the same hacking skills that malicious actors use to attack enterprises. Some of these hacking techniques include:

  • Scanning ports to find vulnerabilities. Ethical hackers use port scanning tools, such as Nmap, Nessus or Wireshark, to scan a company's systems, identify open ports, study the vulnerabilities of each port and take remedial action.
  • Scrutinizing patch installation processes to be sure that they don't introduce new vulnerabilities in the updated software that can be exploited.
  • Performing network traffic analysis and sniffing by using appropriate tools.
  • Attempting to evade intrusion detection systems, intrusion prevention systems, honeypots and firewalls.

Ethical hackers also rely on social engineering techniques to manipulate end users and obtain information about an organization's computing environment. Like black hat hackers, ethical hackers rummage through postings on social media or GitHub, engage employees in phishing attacks through email or roam through premises with a clipboard to exploit vulnerabilities in physical security. However, there are social engineering techniques that ethical hackers should not use, such as making physical threats to employees or other types of attempt to extort access or information.

How to become an ethical hacker

There are no standard education criteria for an ethical hacker, so an organization can set its own requirements for that position. Those interested in pursuing a career as an ethical hacker should consider a bachelor’s or master’s degree in information security, computer science or even mathematics as a strong foundation.

Individuals not planning to attend college can consider pursuing an information security career in the military. Many organizations consider a military background a plus for information security hiring, and some organizations are required to hire individuals with security clearances.

Other technical subjects, including programming, scripting, networking and hardware engineering, can help those pursuing a career as ethical hackers by offering a fundamental understanding of the underlying technologies that form the systems they will be working on. Other pertinent technical skills include system administration and software development.

Certified ethical hackers

There are a number of ethical hacking certifications as well as IT certifications related to security that can help individuals become ethical hackers, including:

  • Certified Ethical Hacker (CEH): This is a vendor-neutral certification from the EC-Council, one of the leading certification bodies. This security certification, which validates how much an individual knows about network security, is best suited for a penetration tester role. This certification covers more than 270 attack technologies. Prerequisites for this certification include attending official training offered by the EC-Council or its affiliates and having at least two years of information security-related experience.
  • Certified Information Systems Auditor (CISA): This certification is offered by ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance. The exam certifies the knowledge and skills of security professionals. To qualify for this certification, candidates must have five years of professional work experience related to information systems auditing, control or security.
  • Certified Information Security Manager (CISM): CISM is an advanced certification offered by ISACA that provides validation for individuals who have demonstrated the in-depth knowledge and experience required to develop and manage an enterprise information security program. The certification is aimed at information security managers, aspiring managers or IT consultants who support information security program management.
  • GIAC Security Essentials (GSEC): This certification created and administered by the Global Information Assurance Certification organization is geared toward security professionals who want to demonstrate they are qualified for IT systems hands-on roles with respect to security tasks. Candidates are required to demonstrate they understand information security beyond simple terminology and concepts.
This was last updated in September 2018


Join the conversation



Help a company or individual identify potential threats on the computer or network attempts to hack their way past the system security, finding any weak points in the security that could be exploited by other hackers

What do you think of requiring ethical hacker certifications for cybersecurity professionals?
That's a great idea, but couldn't they just create a fake certificate if they're good enough? What do you think about that?
What’s your view on 'ethical hackers' who try to penetrate systems without the explicit permission of the system's owner?
Overall I think they're doing these companies a favor, but ultimately I think it depends what they do after they find the vulnerability. If they try to make money off the situation, it starts feeling a little less 'ethical'. 
I feel if you are doing it without a company's permission it is not ethical. If they have a bounty for finding bugs, and provide the details of how to report the issue to claim the reward, it's OK. Ethical hacking to me means testing your system for flaws and possible security breaches, not someone else's who is unaware of your presence.
I don't think there's any question as to whether or not this practice is "ethical". If you're fooling around with someone else's systems without permission, I'm confident that would be viewed by law enforcement, prosecutors, judges, and juries as an illegal act. If you have enough time to be doing this then perhaps you should get a job doing the work legitimately - your income earning potential is unlimited, so why not!?
Kevin, I know this is a late reply although I would like to explain why your thought of just "get a job" is quite creative. There are many jobs which require a degree and years of professional experience. These people doing this have time to investigate security issues just like some people go home and actually put puzzle pieces together. Just because someone has a hobby and puts time towards it does not mean they need a job in it. Even if these people did want to do this professionally such as myself, workplaces tend to make it dry. There is something exciting about finding a "hole" in the wild, then tasting the forbidden fruit without setting ablaze the whole tree. I myself have reported security issues to companies, some being Fortune 500 companies. I have done this voluntarily, sure I have probably seen information I should not. At the end of the day, these companies just do not take security seriously enough though. After all, why would an "unethical hacker" be a threat if security was taken seriously? This world is not all innocence, just the same way you don't let 4 year old children run around outside unattended, you should not let your guard down on your systems. There is an adrenaline rush that you get, it can not be attained from doing something perfectly lawful and systematic. It is fun to just go freelance on the net. You sound like the type that thinks people running a port scanner should be in prison for life. Driving by someone's house and looking in their windows from a public street should not be criminal. This is the Internet, be secure or do not be. These are just my thoughts.
I think that hackers are something like a "necessary evil". And I say "necessary" because, as Sherry Turkle writes in "The Second Self: Computers and the Human Spirit", hackers are users who don't treat computers as tools, but they are guided by an enthusiasm for the process and not just for the result. So, I believe that the largest percentage of hackers are more interested in improving a technology than money speculation.
Ethical hackers really are helpful people. Just imagine how many companies would be ruined because of hackers.
My view is that those people have too much time on their hands. 

Beyond that... well, I'm not really sure if I think it's ethical. Kind of a gray area. I guess that if they provide the company with useful info about the vulnerability with nothing but the intention to help, and not exploit the issue, then good for them.
The article gives the following definition at the very beginning.

"An ethical hacker is a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit."

Hence the question of the discussion is a bit irrelevant. Without permission hacking production systems is not really ethical.

On the other hand, exploring software systems via conventional methods available to all users is not "hacking", is it? The problem is, with nowadays' quality an innocent attempt has chances of bringing down the system :)
Hire them. Force them to work for their living....
How would you feel if someone "ethically hacked" your personal computer? Would you be mad or thank them for finding a problem? Also, would you trust them to not have gone poking around too far and steal personal info, install a virus or some other malicious software?
That's a very good question!
If you were the owner of a software company and you had been hacked, then what is the percentage of your gain and your loss?

Firstly you will check what the hacker exactly did to your own system/software. How did he upgrade it? Which technical method did he choose to make your software even better? And if he really did a good job, then the media will start to focus on your company about security and policy issues.

So there are 2 cases: If you are a small company, you will learn from the hacker's interference and you will try to make a better product with no damage to your business image since media will not be interested. On the other hand, if you are a big company a hacker will grow the market competition, and push you to make something more alternative. Moreover, even if media will talk about the "knock" from the hacker, it's still an advertising for you.

So it will always be a 50-50!
Ethics! That's the big word here
Anyhow, intrusion or attempt in someone's network or system is illegal under IT Act 2000.

Ethical word is confusing and giving no protection under law. It basically denotes instructions obeyed by employee of his employer for the benefit and protection of their system. In fact, as long as another system has not disturbed, it can be said ethical, but if disturbed then unethical and is intrusion, and both employee and employer may emerged as conspirators until hacker has done for himself only.

@Asphyxia, my apologies - I don't receive notifications of responses to these comments but I just came across yours from a while back and wanted to reply. I strongly believe in the concept of live and let live. Are these organizations with ridiculous - and basic - security flaws asking to have their systems tested? Probably not - I think that's way beyond the thought process of those who are in security denial. Whether these hackers are considered ethical, criminal, or somewhere in between, there's a universal law that applies here: choices have consequences. You're free to do what you choose (to an extent, although that's changing with government growth)...still, you have to live with what comes along with those behaviors - for better or for worse. If you're going to "help" people by hacking their systems, why not do it as part of a long-term, successful career in this field? Any other way is probably going to be frowned upon...again, especially by those who don't get the essence of security.
These hackers try to learn about the system and also find the weakness in the system; they should be "jailed": felony done without permission.
I think that they necessarily lack any significant philanthropic or selfless motive. I would guess that their motive is, at best, related to the thrill of the challenge and the risk of doing something illegal. At worst for gathering data for some other business, and ultimately for monetary gain, for political leverage, or for publicity. I am new to the subject, but that is my impression from the perspective of a husband, a father, a son, a student, a veteran, a father, a felon, a thief, a liar, a drug-addict, a math-junkie, and a horrible (but dedicated and highly-motivated) basketball player.
It's a "Felony" here in the US. Sorry all.
If you do the so-called test and get the loopholes, at the end I will find my way through if I wish so.

That's not an ethical hacker acting within the law. Convo over.
Plz Jon to hacking support

Hello there, my name is muhumind aluaywa and I was allowed to see this great info on this internet, wow, but I don't understand your wording.
It's a very good cause. I for one could like to take it app.