SecurityTrails Blog · Nov 06 · SecurityTrails team

An Ode to White Hats: What Is Ethical Hacking?

The first thing that comes to mind when people hear the word “hacker” is some sort of criminal, someone we should be scared of when browsing the Internet. This shouldn’t worry true professionals, the “white hats”, as the number of people who understand the importance of their role in Internet safety just keeps growing. But the question remains: What is an ethical hacker?

This post is a thoughtful ode to white hats, the ethical hackers, the modern heroes who work hard to keep everyone safe and protected against cyber criminals.

What is ethical hacking?

There’s a lot of fear attached to the word “hacker,” but hacking is not only about cracking into computers and stealing passwords and other sensitive information.

Besides the controversy surrounding it, the use of technical knowledge to test and penetrate vulnerabilities found in different computer and network systems is highly praised in the “computer” or “hacker” community, where it’s regarded as a compliment to call someone a hacker.

The simplest definition of a hacker is an information and cyber-security specialist who focuses on penetration testing, system examination, finding vulnerabilities and other network analysis methods that test and provide safety and integrity for many information systems.

It’s now become normal for every company to rely heavily on their computers and their computer networking systems to run their business smoothly. To avoid exploits and malicious attacks on their systems, security reviews and penetration tests are now enforced regularly.

With almost daily news about cyber security breaches, companies go in search of a white hat – an ethical hacker to test their systems and provide assistance in making them impenetrable.

Using methods that are fairly similar to malicious hackers (“black hats”), ethical hackers use their knowledge and skill set to test and try to bypass company-enforced security to find vulnerabilities that could be exploited by black hats.

One of the main differences between white hats and black hats is that white hats are authorized to access systems and try to compromise them, in contrast to the black hats who exploit systems with unauthorized access.

Also, white hats, having compromised systems to find their weak points, report back to the company with that information instead of using the information to attack and steal data from the company.

This type of white hat activity is known as “penetration testing”.

There are three kinds of hackers – white hats, gray hats and black hats.

As we mentioned, white hats are ethical hackers who find vulnerabilities with authorized access and use them to help people; black hats are malicious hackers who, with unauthorized access, steal and compromise data; and gray hats don’t have authorized access but use the information they obtain for a good cause.

History of ethical hacking

We first saw the term “ethical hacking” when it was introduced in 1995 by former IBM Vice President John Patrick. He used this term to describe an action where someone deliberately tries to penetrate and test a system for any vulnerabilities.

This was certainly not the first time the world was introduced to hacking itself.

The term “hacker” was coined in the 1960s at MIT’s artificial intelligence labs, referring to a specialized group of individuals working and programming in FORTRAN.

It was during the 1970s when we saw a rise in the popularity of the term “hacker” and what hackers do. Also on the rise was the popularity of computers and computer systems.

For a more detailed history of hacking and how it all started, check out our blog post How web software gets hacked.

We also saw one of the first uses of ethical hacking when the United States Air Force performed a security evaluation of its Multics operating systems, testing the systems for use at a top-secret confidentiality level. The tests mimicked the techniques an attacker would use to penetrate the systems.

In 1998, Dan Farmer developed one of the first, if not the first, vulnerability scanners. Named COPS (Computer Oracle and Password System), it was designed to scan for security vulnerabilities in one part of a Unix operating system.

After that, with ideas to enforce ethical hacking and its tactics in assessing system security, Farmer and Wietse Venema developed another security scanner, SATAN (Security Administrator Tool for Analyzing Networks).

They gathered up all the tools they had used to collect information during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. This application has caused many, especially law enforcement specialists, to believe that hackers will use it maliciously to break into computers.

Despite the bad word of mouth that has followed hackers since their early days, many companies, and even governments, have placed increasing importance on the many advantages and benefits of investing in someone highly skilled in penetrating systems and finding weaknesses, providing them with valuable insights.

Today, companies are actively engaged in finding individuals who can perform ethical hacking of their systems in order to upgrade overall security.

It’s also worth noting that being an ethical hacker is now a highly sought-after career. People of all ages are using their knowledge and expertise to help companies and people all over the world make the Internet and intranets safer. To be considered for a real job as an ethical hacker, you are frequently required to be a Certified Ethical Hacker (CEH). Testing and examination to become a CEH is done through the EC-Council and various other accredited training centers.

Techniques of ethical hacking

We’ve mentioned one common technique ethical hackers use in penetration testing – scanning ports. This involves inspecting known weaknesses and other methods of evaluating security of the system. That is, of course, not all – replicating techniques used by malicious hackers is another standard procedure for white hats.

Often-used techniques for ethical hacking are collecting information about target websites (like used technologies, session ID, email, phone number, etc.), using different extractors as part of reconnaissance, scanning networks, sniffing, vulnerability research, and cracking wireless networks and servers.

Other methods used to carry out penetration testing and IT security checks are those that replicate common network security threats such as social engineering and DoS/DDoS attacks.

There are a lot of techniques and tools out there, so we’ve compiled a list of the top 15 best ethical hacking tools that infosec professionals use – you’re free to dive in and discover what’s out there!

It was mentioned that becoming a CEH requires a test to examine your skills and get a certificate at the end, but really, no one can become a true ethical hacker by merely taking a course. To become a successful ethical hacker it’s important to be a passionate security researcher with many years of studying as a professional in the infosec field.

Knowledge of scripting languages such as Perl, Python, CSH, SH and others is required, allowing you to write your own code and research different network systems.

Also, a deep knowledge of subjects related to programming, networking, scripting and even hardware is fundamental to stay on top of any system you might work on.

But we don’t want to paint a picture of impossibility when it comes to getting into the infosec world. Dedication and education are definitely needed, but thanks to great pre-built toolkits and their documentation it’s easier than ever to get started on your ethical hacking career. You can check out some of those toolkits in our Top 25 list of Kali Linux penetration testing tools.

The importance of white hats

The number of cyber criminals is always on the rise, with WebARX reports from February 2018 showing that the number of domains hacked daily surpasses 2000.

Unique domains hacked per day (February 2018)

For this reason, more and more companies are taking steps to invest in training ethical hacking professionals to detect any possible ways in which destructive, malicious actors can penetrate their systems and cause data, financial and other major losses. Without ethical hackers, security holes left uninspected can be easily exploited by black hats.

One outgrowth of this interest and investment in penetration testing and white-hat employment is the introduction of bug bounty programs.

Bug bounty programs

We’ve all heard of bounty programs: they have existed since the beginning of money as we know it. The Internet’s modern take on bounty programs offers rewards for hackers that detect exploits.

Bug bounty programs are a great way to reward security researchers and infosec professionals for their extensive knowledge and skills, and to show hackers that using their skills for ethical reasons is highly valued – that there is no need for them to go to the black hat world.

The first bug bounty program was launched by Netscape in 1995 and called “The Netscape Bugs Bounty.” Since then, bug bounty programs have been introduced by many companies, some offering more than $100,000, the way Microsoft did. Google paid hackers around $3 million in 2016 alone.

We here at SecurityTrails also have a data bounty program, open to anyone and everyone who can find interesting information in our data.

Since there are companies that don’t have open bounties for everyone, it’s important to differentiate those that are invite-only and those that are open for anyone to try and partake.

For an exact list of open bounties and the companies that offer them, take a look at the SecurityZap list of Bug Bounty Programs in 2018.

Summary

The main agenda of any organization or company should be investing in and ensuring their cyber security. With this, ethical hacking itself will only be on the rise. Testing security measures enforced by organizations and measuring the risks of data and security exploits will be conducted more and more often worldwide. By learning how malicious actors and cyber criminals continue to develop new and creative ways to attack, businesses can equip themselves with new solutions to keep themselves, and their customers, safe.

This is why everyone who takes part in the digitized world we have today should give their own ode to white hats, for making our everyday lives just a little bit safer.


We have built SecurityTrails for our infosec professionals, those who need to obtain relevant information on IP, domains and DNS information in order to protect themselves and their companies.

Start researching what our powerful security intelligence toolkit can do by grabbing your own API today.