What is ethical hacking?

Ethical hackers have the same skills and use the same tools and tactics as malicious hackers, but their goal is always to improve network security without harming the network or its users.

In many ways, ethical hacking is like a rehearsal for real-world cyberattacks. Organizations hire ethical hackers to launch simulated attacks on their computer networks. During these attacks, the ethical hackers demonstrate how actual cybercriminals break into a network and the damage they could do once inside.

The organization’s security analysts can use this information to eliminate vulnerabilities, strengthen security systems and protect sensitive data.

The terms "ethical hacking" and "penetration testing" are sometimes used interchangeably. However, penetration tests are only one of the methods that ethical hackers use. Ethical hackers can also conduct vulnerability assessments, malware analysis and other information security services.

Ethical hackers follow a strict code of ethics to make sure their actions help rather than harm companies. Many organizations that train or certify ethical hackers, such as the International Council of E-Commerce Consultants (EC Council), publish their own formal written code of ethics. While stated ethics can vary among hackers or organizations, the general guidelines are:

• Ethical hackers get permission from the companies they hack: Ethical hackers are employed by or partnered with the organizations they hack. They work with companies to define a scope for their activities including hacking timelines, methods used and systems and assets tested. 
• Ethical hackers don't cause any harm: Ethical hackers don't do any actual damage to the systems they hack, nor do they steal any sensitive data they find. When white hats hack a network, they're only doing it to demonstrate what real cybercriminals might do. 
• Ethical hackers keep their findings confidential: Ethical hackers share the information they gather on vulnerabilities and security systems with the company—and only the company. They also assist the company in using these findings to improve network defenses.
• Ethical hackers work within the confines of the law: Ethical hackers use only legal methods to assess information security. They don't associate with black hats or participate in malicious hacks.

Relative to this code of ethics, there two other types of hackers.

Sometimes called ‘black hat hackers,’ malicious hackers commit cybercrimes with for personal gain, cyberterrorism or some other cause. They hack computer systems to steal sensitive information, steal funds, or disrupt operations.

Sometimes called ‘gray hat hackers’ (or misspelled as ‘grey hat hackers’) these hackers use unethical methods or even work outside the law toward ethical ends. Examples include attacking a network or information system without permission to test an exploit, or publicly exploiting a software vulnerability that vendors will work on a fix. While these hackers have good intentions, their actions can also tip off malicious attackers to new attack vectors.

Ethical hacking is a legitimate career path. Most ethical hackers have a bachelor's degree in computer science, information security, or a related field. They tend to know common programming and scripting languages like python and SQL.

They’re skilled—and continue to build their skills—in the same hacking tools and methodologies as malicious hackers, including network scanning tools like Nmap, penetration testing platforms like Metasploit and specialized hacking operating systems like Kali Linux.

Like other cybersecurity professionals, ethical hackers typically earn credentials to demonstrate their skills and their commitment to ethics. Many take ethical hacking courses or enroll in certification programs specific to the field. Some of the most common ethical hacking certifications include:

• Certified Ethical Hacker (CEH): Offered by EC-Council, an international cybersecurity certification body, CEH is one of the most widely recognized ethical hacking certifications.

• CompTIA PenTest+: This certification focuses on penetration testing and vulnerability assessment.

• SANS GIAC Penetration Tester (GPEN): Like PenTest+, the SANS Institute's GPEN certification validates an ethical hacker's pen testing skills.

Ethical hackers offer a range of services.

Penetration tests, or "pen tests," are simulated security breaches. Pen testers imitate malicious hackers that gain unauthorized access to company systems. Of course, pen testers don't cause any actual harm. They use the results of their tests to help defend the company against real cybercriminals.

Pen tests occur in three stages:

During the recon stage, pen testers gather information on the computers, mobile devices, web applications, web servers and other assets on the company's network. This stage is sometimes called "footprinting" because pen testers map the network's entire footprint. 

Pen testers use manual and automated methods to do recon. They may scour employees' social media profiles and GitHub pages for hints. They may use tools like Nmap to scan for open ports and tools like Wireshark to inspect network traffic. If permitted by the company, they may use social engineering tactics to trick employees into sharing sensitive information.

Once the pen testers understand the contours of the network—and the vulnerabilities they can exploit—they hack the system. Pen testers may try a variety of attacks depending on the scope of the test. Some of the most commonly tested attacks include:

– SQL injections: Pen testers try to get a webpage or app to disclose sensitive data by entering malicious code into input fields.

– Cross-site scripting: Pen testers try planting malicious code in a company's website.

– Denial-of-service attacks: Pen testers try to take servers, apps and other network resources offline by flooding them with traffic.

– Social engineering: Pen testers use phishing, baiting, pretexting, or other tactics to trick employees into compromising network security. 

During the attack, pen testers explore how malicious hackers can exploit existing vulnerabilities and how they can move through the network once inside. They find out what kinds of data and assets hackers can access. They also test whether existing security measures can detect or prevent their activities.

At the end of the attack, pen testers cover their tracks. This serves two purposes. First, it demonstrates how cybercriminals can hide in a network. Second, it keeps malicious hackers from secretly following the ethical hackers into the system.

Pen testers document all their activities during the hack. Then, they present a report to the information security team that outlines the vulnerabilities they exploited, the assets and data they accessed and how they evaded security systems. Ethical hackers make recommendations for prioritizing and fixing these issues as well.

Vulnerability assessment is like pen testing, but it doesn't go as far as exploiting the vulnerabilities. Instead, ethical hackers use manual and automated methods to find, categorize and prioritize vulnerabilities in a system. Then they share their findings with the company.

Some ethical hackers specialize in analyzing ransomware and malware strains. They study new malware releases to understand how they work and share their conclusions with companies and the broader information security community.

Ethical hackers may also assist with high-level strategic risk management. They can identify new and emerging threats, analyze how these threats impact the company’s security posture and help the company develop countermeasures.

While there are many ways to assess cybersecurity, ethical hacking can help companies understand network vulnerabilities from an attacker's perspective. By hacking networks with permission, ethical hackers can show how malicious hackers exploit various vulnerabilities and help the company discover and close the most critical ones.

An ethical hacker's perspective may also turn up things that internal security analysts might miss. For example, ethical hackers go toe-to-toe with firewalls, cryptography algorithms, intrusion detection systems (IDSs), extended detection systems (XDRs) and other countermeasures. As a result, they know exactly how these defenses work in practice—and where they fall short—without the company suffering an actual data breach.