Most people today have heard about hacking and malicious attacks. You might have even seen the effects of this activity on the news, in your personal life, or while at work. What you might not understand is what a hacker really is and how they are different from other types of network users.
- Malicious User – Usually an internal attacker who has limited access to company resources and decides to access sensitive data from within the company or even launch attacks on corporate systems from inside the network. This is usually an intentional attack, but can also be unintentional because their system has been compromised by another user through malware or a virus.
- Hacker – For many years this was defined as someone who liked to tinker with technology and experiment with ways to make technology useful in their environment. This has more recently meant someone who is remotely attacking systems for personal gain. Hackers usually have increased status with their friends if they can prove they accessed high profile environments or networks, but often attacks are completed without any acceptance of responsibility.
- Ethical Hacker – This is someone who attempts to hack network systems to test the security of the systems involved, and uses their knowledge to protect the target systems from unauthorized access or misuse. There are people who do this as part of their jobs, and they are generally referred to as “system auditors” or “security specialists”, but that isn’t really ethical hacking.
Ethical Hacking is attempting to find new ways to use technology to improve a process, or a different way to use something that wasn’t intended to be used that way, where the result is helpful or doesn’t do any harm. It can also be the practice of attempting to find new security vulnerabilities in a piece of network hardware or in the software used in those devices. Security specialists or system auditors are generally testing systems against a list of known vulnerabilities, and ethical hackers are usually finding those new vulnerabilities. These different technology groups are doing different jobs, but are generally working together to make corporate network environments safer and more secure.
You should also be aware that there are several laws and guidelines that dictate the difference between unlawful and lawful activity when it comes to network security. You need to be aware that HIPAA, HITECH, GLBA, NERC, etc. all govern activities under U.S. federal law. There are also private guidelines like the PCI DSS requirements written by the credit card companies. If you stray outside of their requirements you could be identified as a hacker and find yourself on the wrong side of the law. You should also be aware of any policies your company might have about network activity before you attempt any probing of your network security settings.
Understanding the Need to Hack
You have to think about Ethical Hacking like a treasure hunt. The first person who finds the treasure determines how it is used. If an ethical hacker finds the vulnerability, it can be reported and quickly fixed by the vendor before it can be used for illegal purposes. If a hacker finds the vulnerability, they will not report the issue and will use the new weakness to attack systems for personal gain.
To discover a new vulnerability, you have to think like a hacker. You have to understand what systems they would normally attack, what techniques they would use to compromise those systems, how to test against known vulnerabilities, etc. Since hackers prey on weak system security, you have to make sure you have the strongest possible security and force the average hacker to move along to another system that has weaker security. A determined and skilled hacker will often find a way into your network, but that doesn’t mean you have to make it easy for them to attack your systems.
A good ethical hacker will periodically attack their own network, simulating an attack by a determined hacker. Testing against more vulnerabilities, adding more variety to your attack techniques, and focusing on common attack methods while constantly adjusting and improving your network settings will help you achieve your goal of total network security.
Ethical Hacking Techniques
As an ethical hacker, your goal is to secure your network systems:
- Prioritize systems so your efforts are focused on the systems that matter the most.
- Use nondestructive attacks to test systems for vulnerabilities.
- List all known vulnerabilities and which ones you have tested so you can double-check your results and report to your corporate management the scope of your efforts.
- Immediately address any vulnerabilities discovered on your network.
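One way to keep the record these four steps call for, shown as an added example that is not part of the original article: a small Python report that orders systems by criticality, shows which known vulnerabilities are still untested, and lists confirmed findings to fix first. The system names, criticality scores and vulnerability IDs are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data: system names, criticality scores and vulnerability
# IDs are placeholders, not real hosts or real vulnerability database entries.
SYSTEMS = {"payroll-db": 5, "mail-gw": 4, "print-srv": 1}  # 5 = most critical
APPLICABLE = {  # known vulnerabilities that apply to each system
    "payroll-db": ["VULN-A", "VULN-B", "VULN-C"],
    "mail-gw": ["VULN-B", "VULN-D"],
    "print-srv": ["VULN-E"],
}
RESULTS = [  # (system, vulnerability, outcome of a nondestructive test)
    ("payroll-db", "VULN-A", "not_vulnerable"),
    ("payroll-db", "VULN-B", "vulnerable"),
    ("mail-gw", "VULN-B", "not_vulnerable"),
    ("mail-gw", "VULN-D", "not_vulnerable"),
]

def build_report(systems, applicable, results):
    """Return one row per system, most critical first."""
    outcome = defaultdict(dict)
    for system, vuln, status in results:
        # Reject results that fall outside the documented test scope.
        if vuln not in applicable.get(system, []):
            raise ValueError(f"{vuln} is not listed for {system}")
        outcome[system][vuln] = status
    rows = []
    for system, criticality in systems.items():
        known = applicable.get(system, [])
        tested = outcome[system]
        rows.append({
            "system": system,
            "criticality": criticality,
            "coverage": len(tested) / len(known) if known else 1.0,
            "untested": [v for v in known if v not in tested],
            "open": [v for v in known if tested.get(v) == "vulnerable"],
        })
    # Highest criticality first; ties broken by number of open findings.
    rows.sort(key=lambda r: (-r["criticality"], -len(r["open"])))
    return rows

def fix_now(rows):
    """Confirmed findings to address immediately, in priority order."""
    return [(r["system"], v) for r in rows for v in r["open"]]

if __name__ == "__main__":
    report = build_report(SYSTEMS, APPLICABLE, RESULTS)
    for r in report:
        print(f'{r["system"]:<11} crit={r["criticality"]} '
              f'coverage={r["coverage"]:.0%} untested={r["untested"]} open={r["open"]}')
    print("fix now:", fix_now(report))
```

The untested column is what goes into the management report as the gap in scope; the fix-now list is the work queue for the last step.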
Another area of attack on your network systems is non-technical attacks. This can be as simple as calling a few employees until you find one who will provide you with their network password. It could also involve sorting through discarded trash in the dumpster outside of your corporate office. You might also have success just walking around the office and looking for passwords taped to monitors or laptops. The key to improving non-technical security is education of non-technical users.
One great resource for a list of known vulnerabilities is the NIST Vulnerability Database (NVD).
Remember, if you are going to be an Ethical Hacker, you have to have the highest moral standards and be trustworthy. Any misuse of the systems you are attacking is strictly forbidden and you must respect the privacy of the information discovered.