
What You Need to Know About Ethical Hacking

Ethical hacking, in which an organization turns the tools and practices of cyberattackers against its own systems, can be a valuable part of your cybersecurity strategy.

Cybersecurity has mattered, in some form or another, since the birth of the internet. In the early days, data breaches and hacks were relatively rare. Now they are risks that affect every business, government agency and nonprofit foundation. As a result, every organization needs a variety of tactics to protect the integrity of its data and digital assets.

Some of these strategies are standard operating procedure at this point: antivirus software, firewalls, encryption, vulnerability assessments, patch management and so on. Others sit at the more unconventional end of the spectrum, yet they can be just as effective as their standard counterparts in bolstering an organization's cybersecurity. Ethical hacking firmly belongs in the latter category, and it can have great value as part of your network security strategy.

Ethical hacking 411: From the Wild West to consulting gigs

According to the Infosec Institute, ethical hacking is any effort by an organization's IT and security team (or third-party consultants) to replicate the actions attackers take to gain unauthorized access to the organization's network. In doing so, the organization can discover and catalogue the vulnerabilities in its security architecture and begin determining the best strategies for addressing those weak points. The practice is sometimes called white-hat hacking, as opposed to the malicious black-hat activities of those who break into networks to get their hands on data, steal money or simply cause chaos.

If an ethical hacker suspected weak spots in a company's network and wanted to point them out altruistically, they would be expected to notify the organization well in advance and obtain its approval before testing anything. Simply put: for hacking to be ethical, it has to be authorized and legal. Many practitioners hold the Certified Ethical Hacker (CEH) designation, awarded by the International Council of Electronic Commerce Consultants (EC-Council), and work within the corporate and government compliance requirements that apply to their clients.

The majority of modern white-hat hacking takes place in highly controlled settings. In addition to receiving expressly communicated permission from the organization to be ethically hacked, those engaging in such infiltration activities are expected to:

  • Immediately report on all flaws they uncover. 
  • Respect the privacy of the organization, its staff and customers or clients (or, in the case of a government or nonprofit, individuals benefiting from the organizations' services). 
  • Close any holes they open or exploit, and remove any access, tooling or configuration changes they introduced along the way.

The difference between penetration testing and ethical hacking

Ethical hacking is sometimes confused with penetration testing. Both are white-hat techniques that can add major value to vulnerability assessments and cybersecurity upgrades, but it's important to point out their primary distinction. Penetration testing is largely focused on discovering and isolating vulnerabilities, whereas ethical hacking, despite what its name implies, is a broader process that also covers what happens well after vulnerabilities are found:

  • In penetration testing, an engineer, coder or other expert tries every in-scope method of breaking into the network of the organization they're working for, directly attacking the cyberdefenses currently in place. The point is to determine exactly where the vulnerabilities are and what damage can be done once they're exploited. It's often conducted on a quarterly or annual basis.
  • Meanwhile, an ethical hacker (more likely titled a cybersecurity or infosec consultant, or something along those lines) works not only to find weaknesses in the network architecture but also to build new strengths into it for the future. Ethical hackers help determine the best practices for remediating whatever vulnerabilities are discovered and help implement them as regular behaviors going forward.

Key advantages of ethical hacking operations

As noted in Tenable Research's report Cyber Defender Strategies: What Your Vulnerability Assessment Practices Reveal, there is a disproportionate amount of research on cyberattackers' behavior compared with insight into how security practitioners respond. The biggest advantage of ethical hacking is that it lets you understand both the attacker's and the defender's perspective: you can examine the anatomy of a cyberattack from both sides, which can help an infosec team develop tools and strategies its members might not have thought of otherwise.

Include ethical hacking as part of a bigger toolbox

Ethical hacking is likely to become more prevalent in the future. The Black Hat Security Conference, a key gathering of white-hat hackers and cybersecurity experts despite its name, celebrated its 20th anniversary two years ago. The prevalence of bug bounties further shows how entrenched and valued white-hat tactics have become: companies offer tens of thousands of dollars to ethical hackers who find vulnerabilities before cyberattackers can wreak havoc. Even more notably, they are increasingly hiring white hats for lucrative security roles.

Bringing on a white hat as a full-time consultant or offering bounties to independent bug hunters shouldn’t be the only component of your cybersecurity strategy. Instead, make ethical hacking part of your larger toolbox, used in conjunction with periodic penetration tests and ongoing vulnerability assessment and management practices. 

Vulnerability scanning tools such as Nessus Professional are a critical element of an effective cybersecurity strategy, helping identify and carefully diagnose flaws in network security architecture.
