Definition

ethical hacker

Contributor(s): Linda Rosencrance and Michael Cobb

An ethical hacker, also referred to as a white hat hacker, is an information security expert who systematically attempts to penetrate a computer system, network, application or other computing resource on behalf of its owners -- and with their permission -- to find security vulnerabilities that a malicious hacker could potentially exploit.

The purpose of ethical hacking is to evaluate the security of and identify vulnerabilities in systems, networks or system infrastructure. It includes finding and attempting to exploit any vulnerabilities to determine whether unauthorized access or other malicious activities are possible.

Ethical hackers use their skills and many of the same methods and techniques to test and bypass organizations' IT security as their unethical counterparts, who are referred to as black hat hackers. However, rather than taking advantage of any vulnerabilities they find for personal gain, ethical hackers document them and provide advice about how to remediate them so organizations can strengthen their overall security.

Ethical hackers generally find security exposures in insecure system configurations, known and unknown hardware or software vulnerabilities as well as operational weaknesses in process or technical countermeasures.

Any organization that has a network connected to the Internet or provides an online service should consider subjecting it to penetration testing conducted by ethical hackers.

White hat, gray hat and black hat

Uses of ethical hacking

There are a number of ways ethical hackers can help organizations, including:

  • Finding vulnerabilities. Ethical hackers help companies determine which of their IT security measures are effective, which need to be updated and which contain vulnerabilities that can be exploited. When ethical hackers finish evaluating organizations' systems, they report back to company leaders about those vulnerable areas, for instance, a lack of sufficient password encryption, insecure applications or exposed systems running unpatched software. Organizations can use the data from these tests to make informed decisions about where and how to improve their security posture to prevent cyberattacks.
  • Demonstrating methods used by cybercriminals. These demonstrations show executives the hacking techniques that malicious actors use to attack their systems and wreak havoc with their businesses. Companies that have in-depth knowledge of the methods the attackers use to break into their systems are better able to prevent them from doing so.
  • Helping prepare for a cyberattack. Cyberattacks can cripple or destroy a business, especially a small business. However, most companies are completely unprepared for cyberattacks. Ethical hackers understand how threat actors operate and they know how these bad actors will use new information and techniques to attack systems. Security professionals who work with ethical hackers are better able to prepare for future attacks because they can better react to the constantly changing nature of online threats.

Ethical hacking techniques

Ethical hackers generally use the same hacking skills that malicious actors use to attack enterprises. Some of these hacking techniques include:

  • Scanning ports to find vulnerabilities. Ethical hackers use port scanning tools, such as Nmap, Nessus or Wireshark, to scan a company's systems, identify open ports, study the vulnerabilities of each port and take remedial action.
  • Scrutinizing patch installation processes to be sure that they don't introduce new vulnerabilities in the updated software that can be exploited.
  • Performing network traffic analysis and sniffing by using appropriate tools.
  • Attempting to evade intrusion detection systems, intrusion prevention systems, honeypots and firewalls.

Ethical hackers also rely on social engineering techniques to manipulate end users and obtain information about an organization's computing environment. Like black hat hackers, ethical hackers rummage through postings on social media or GitHub, engage employees in phishing attacks through email or roam through premises with a clipboard to exploit vulnerabilities in physical security. However, there are social engineering techniques that ethical hackers should not use, such as making physical threats to employees or other types of attempt to extort access or information.

How to become an ethical hacker

There are no standard education criteria for an ethical hacker, so an organization can set its own requirements for that position. Those interested in pursuing a career as an ethical hacker should consider a bachelor’s or master’s degree in information security, computer science or even mathematics as a strong foundation.

Individuals not planning to attend college can consider pursing an information security career in the military. Many organizations consider a military background a plus for information security hiring, and some organizations are required to hire individuals with security clearances.

Other technical subjects including programming, scripting, networking and hardware engineering, can help those pursuing a career as ethical hackers by offering a fundamental understanding of the underlying technologies that form the systems that they will be working on. Other pertinent technical skills include system administration and software development.

Certified ethical hackers

There are a number of ethical hacking certifications as well as IT certifications related to security that can help individuals become ethical hackers, including:

  • Certified Ethical Hacker (CEH): This is a vendor-neutral certification from the EC-Council, one of the leading certification bodies. This security certification, which validates how much an individual knows about network security, is best suited for a penetration tester role. This certification covers more than 270 attacks technologies. Prerequisites for this certification include attending official training offered by the EC-Council or its affiliates and having at least two years of information security-related experience.
  • Certified Information Systems Auditor (CISA): This certification is offered by ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance. The exam certifies the knowledge and skills of security professionals. To qualify for this certification, candidates must have five years of professional work experience related to information systems auditing, control or security.
  • Certified information security manager (CISM): CISM is an advanced certification offered by ISACA that provides validation for individuals who have demonstrated the in-depth knowledge and experience required to develop and manage an enterprise information security program. The certification is aimed at information security managers, aspiring managers or IT consultants who support information security program management.
  • GIAC Security Essentials (GSEC): This certification created and administered by the Global Information Assurance Certification organization is geared toward security professionals who want to demonstrate they are qualified for IT systems hands-on roles with respect to security tasks. Candidates are required to demonstrate they understand information security beyond simple terminology and concepts.
This was last updated in September 2018

Continue Reading About ethical hacker

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

Join the conversation

22 comments

Send me notifications when other members comment.

Please create a username to comment.

Help a company or individual identify potential threats on the computer or network attempts to hack their way past the system security, finding any weak points in the security that could be exploited by other hackers
Cancel
What’s your view on 'ethical hackers' who try to penetrate systems without the explicit permission of the system's owner?
Cancel
Overall I think they're doing these companies a favor, but ultimately I think it depends what they do after they find the vulnerability. If they try to make money off the situation, it starts feeling a little less 'ethical'. 
Cancel
I feel if you are doing it without a companies permission it is not ethical. If they have a bounty for finding bugs, and provide the details of how to report the issue to claim the reward it's ok. Ethical hacking to me means testing your system for flaws and possible security breaches, not someone else's who is unaware of your presence.
Cancel
I don't think there's any question as to whether or not this practice is "ethical". If you're fooling around with someone else's systems without permission, I'm confident that would be viewed by law enforcement, prosecutors, judges, and juries as an illegal act. If you have enough time to be doing this then perhaps you should get a job doing the work legitimately - your income earning potential is unlimited, so why not!?
Cancel
Kevin, I know this is a late reply although I would like to explain why your thought of just "get a job" is quite creative. There are many jobs which require a degree and years of professional experience. These people doing this have time to investigate security issues just like some people go home and actually put puzzle pieces together. Just because someone has a hobby and puts time towards it does not mean they need a job in it. Even if these people did want to do this professionally such as myself, workplaces tend to make it dry. There is something exciting about finding a "hole" in the wild, then tasting the forbidden fruit without setting ablaze the whole tree. I myself have reported security issues to companies, some being fortune 500 companies. I have done this voluntarily, sure I have probably seen information I should not. At the end of the day, these companies just do not take security seriously enough though. After all, why would an "unethical hacker" be a threat if security was taken seriously? This world is not all innocence, just the same way you don't let 4 year old children run around outside unattended, you should not let your guard down on your systems. There is an adrenaline rush that you get, it can not be attained from doing something perfectly lawful and systematic. It is fun to just go freelance on the net. You sound like the type that thinks people running a port scanner should be in prison for life. Driving by someone's house and looking in their windows from a public street should not be criminal. This is the Internet, be secure or do not be. These are just my thoughts.
Cancel
I think that hackers are a something like a "necessary evil". And i say "necessary" because as Sherry Turkle writes at "The Second Self:Computers and the Human Spirit", hackers are users who don't treat computers as tools, but they are guided by an enthusiasm for the process and not just for the result. So, i believe that the largest percentage of hackers are more intersted in improving a technology than money speculation.
Cancel
Ethical hackers really are helpful people. Just imagine how many companies would be ruined because of hackers.
Cancel
My view is that those people have too much time on their hands. 

Beyond that... well, I'm not really sure if I think it's ethical. Kind of a gray area. I guess that if they provide the company with useful info about the vulnerability with nothing but the intention to help, and not exploit the issue, then good for them.
Cancel
The article gives the following definition at the very beginning.

"An ethical hacker is a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit."

Hence the question of the discussion is a bit irrelevant. Without permission hacking production systems is not really ethical.

On the other hand, exploring software systems via conventional methods available to all users is not "hacking", is it? The problem is, with nowaday's quality an innocent attempt has chances of bringing down the system :)
Cancel
Hire them. Force them to work for their living....
Cancel
How would you feel if someone "ethically hacked" your personal computer? Would you be mad or thank them for finding a problem? Also would you trust them to not have gone poking around to far and steal personal info, install a virus or some other malicious software.
Cancel
That's a very good question!
If you were the owner of a software company and you had been hacked, then what is the percentage of your gain and your lose?

Firstly you will check what the hacker exactly did to your own system/software. How did he upgrade it? Which technical method did he choose to make your software even better? And if he really did a good job, then he media will start to focus on your company about security and policy issues.  

So there are 2 cases: If you are a small company, you will learn for the hacker's interference and you will try to make a better product with no damage on your business image since media will not be interested. On the other hand, if you are a big company a hacker will grow the market competition, and push you to make something more alternative. Moreover even if media will talk about the "knock" from the hacker, it's still an advertising for you.

So it will always be a 50-50!
Cancel
Ethics! That's the big word here
Cancel
Any how intrusion or attempt in some one network or system is illegal under IT Act 2000
act 2000.

ATTEMP OR INTRUSION IN A SYSTEM IS AN OFFENCE IN IT ACT 20000.ethical
Ethical word is confusing and giving no protection under law .it is basically
Denotes instructions obeyed by employee of his employer for the benignit
And protection of their system . In fact as long as another system has not disturbed
,it can be said ethical ,but if disturbed then unethical and is intrusion and both
Employee and employer may emerged as conspirators until hacker has done for himself only .


Cancel
@Asphyxia, my apologies - I don't receive notifications of  responses to these comments but I just came across yours from a while back and wanted to reply. I strongly believe in the concept of live and let live. Are these organizations with ridiculous - and basic - security flaws asking to have their systems tested? Probably not - I think that's way beyond the thought process of those who are in security denial. Whether these hackers are considered ethical, criminal, or somewhere in between, there's a universal law that applies here: choices have consequences. You're free to do what you choose (to an extent, although that's changing with government growth)...still, you have to live with what comes along with those behaviors - for better or for worse. If you're going to "help" people by hacking their systems, why not do it as part of a long-term, successful career in this field? Any other way is probably going to be frowned up...again, especially by those who don't get the essence of security.
Cancel
These hackers tries to learn about the system also find the weakness in the system should be  "jailed: felony done without permission
Cancel
I think that they necessarily lack any significant philanthropic or selfless motive. I would guess that their motive is, at best, related to the thrill of the challenge and the risk of doing something illegal.  At worst for gathering data for some other business, and ultimately for monetary gain, for political leverage, or for publicity.  I am new to the subject, but that is my impression from the perspective of a husband, a father, a son, a student, a veteran, a father, a felon, a thief, a liar, a drug-addict, a math-junkie, and an horrible(but dedicated and highly-motivated) basketball player.
Cancel
What do you think of requiring ethical hacker certifications for cybersecurity professionals?
Cancel
Its a "Felony" here in the US Sorry All
Cancel
if you do the so called test and get the loops holes at the end i will find my way through if i wish so

Cancel
That's not an ethical hacker acting within the law. Convo over.
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close