Ethical hacking is the legal hacking of a computer system for the purpose of identifying areas where organizations can improve their cyber security. Companies and other organizations hire ethical hackers—also called white hat hackers or penetration testers—to try to exploit security vulnerabilities in digital assets. Following a hacking attempt, ethical hackers write a report detailing what they did or didn’t find and deliver it to the organization so it can create appropriate software patches or deploy software version updates.
What goes into an ethical hack?
While the underlying function remains the same as illegal hacking, ethical hacking follows a strict process. The important detail here is consent from the party being hacked. Without permission for a hacker to attempt breaking into a computer system, hacking is an illegal offense that can result in prison time and hefty fines.
According to ethical hacker Roger A. Grimes in CSO, ethical hacking consists of three steps:
- Scope and goal setting
Scope and goal setting involves the actual contractual terms of what, when, where, and how an ethical hacker may attempt to breach an organization’s systems. This step usually defines what a penetration tester can target, the specific timeframe when they can attempt a break-in, where they can look or what information they’re allowed to know beforehand, and what methods they’re allowed to explore for hacking.
Exploitation is when the ethical hacker attempts to break into the target computer system. Depending on the penetration testing agreement, organizations may require the hacker to take screenshots of this process or even film themselves attempting the hack. These resources can be useful to organizations and ethical hackers alike for the final step, documentation.
Documentation is the step where the ethical hacker prepares a detailed report for the organization. The contents of this report can vary, but in general, ethical hackers report on the vulnerabilities they discovered, where they were found, and how they were exploited. Using this information, organizations can make fixes to their software to reduce the likelihood of a successful illegal hack.
How do you become an ethical hacker?
With cyber crime on the rise, ethical hacking is in high demand, and many organizations will pay good money for penetration testing. Some people, like Kevin Mitnick, turn to a career in ethical hacking after operating as self-taught illegal hackers for an amount of time. Others learn ethical hacking in a formal education environment where they usually work towards a professional certification.
Ethical hacking courses are becoming a popular way for people to start a career in penetration testing, but many of today’s ethical hackers learned this specialty through a mix of self-taught illegal hacking and formal certification programs.
Here are three popular certification courses for becoming an ethical hacker:
- Certified Ethical Hacker (CEH) from EC-Council
- The Global Information Assurance Certification (GIAC) from the SANS Institute
- The Offensive Security Certified Professional (OSCP) from Offensive Security
In addition to contracting penetration testers, some organizations offer bug bounty programs. A bug bounty program is an agreement between an organization and an ethical hacker where the organization agrees to pay or offer another form of compensation to white hat hackers who successfully identify and disclose software bugs to the organization.
Some organizations that offer bug bounty programs include the United States Department of Defense, Microsoft, Salesforce, and IBM.