What is ethical hacking?

Ethical hacking is the use of hacking techniques by friendly parties in an attempt to uncover, understand and fix security vulnerabilities in a network or computer system. 

Ethical hackers have the same skills and use the same tools and tactics as malicious hackers, but their goal is always to improve network security without harming the network or its users.

In many ways, ethical hacking is like a rehearsal for real-world cyberattacks. Organizations hire ethical hackers to launch simulated attacks on their computer networks. During these attacks, the ethical hackers demonstrate how actual cybercriminals break into a network and the damage they could do once inside.

The organization’s security analysts can use this information to eliminate vulnerabilities, strengthen security systems and protect sensitive data.

The terms "ethical hacking" and "penetration testing" are sometimes used interchangeably. However, penetration tests are only one of the methods that ethical hackers use. Ethical hackers can also conduct vulnerability assessments, malware analysis and other information security services.

Ethical hackers' code of ethics

Ethical hackers follow a strict code of ethics to make sure their actions help rather than harm companies. Many organizations that train or certify ethical hackers, such as the International Council of E-Commerce Consultants (EC-Council), publish their own formal written codes of ethics. While stated ethics can vary among hackers or organizations, the general guidelines are:

  • Ethical hackers get permission from the companies they hack: Ethical hackers are employed by or partnered with the organizations they hack. They work with companies to define a scope for their activities including hacking timelines, methods used and systems and assets tested. 
  • Ethical hackers don't cause any harm: Ethical hackers don't do any actual damage to the systems they hack, nor do they steal any sensitive data they find. When white hats hack a network, they're only doing it to demonstrate what real cybercriminals might do. 
  • Ethical hackers keep their findings confidential: Ethical hackers share the information they gather on vulnerabilities and security systems with the company—and only the company. They also assist the company in using these findings to improve network defenses.
  • Ethical hackers work within the confines of the law: Ethical hackers use only legal methods to assess information security. They don't associate with black hats or participate in malicious hacks.

Ethical hackers versus other types of hackers

Relative to this code of ethics, there are two other types of hackers.

Outright malicious hackers
Sometimes called ‘black hat hackers,’ malicious hackers commit cybercrimes for personal gain, cyberterrorism or some other cause. They hack computer systems to steal sensitive information, steal funds or disrupt operations.

Unethical ethical hackers
Sometimes called ‘gray hat hackers’ (or misspelled as ‘grey hat hackers’), these hackers use unethical methods or even work outside the law toward ethical ends. Examples include attacking a network or information system without permission to test an exploit, or publicly exploiting a software vulnerability before the vendor has released a fix. While these hackers have good intentions, their actions can also tip off malicious attackers to new attack vectors.

Ethical hacking skills and certificates

Ethical hacking is a legitimate career path. Most ethical hackers have a bachelor's degree in computer science, information security or a related field. They tend to know common programming and scripting languages like Python and SQL.

They’re skilled—and continue to build their skills—in the same hacking tools and methodologies as malicious hackers, including network scanning tools like Nmap, penetration testing platforms like Metasploit and specialized hacking operating systems like Kali Linux.

Like other cybersecurity professionals, ethical hackers typically earn credentials to demonstrate their skills and their commitment to ethics. Many take ethical hacking courses or enroll in certification programs specific to the field. Some of the most common ethical hacking certifications include:

  • Certified Ethical Hacker (CEH): Offered by EC-Council, an international cybersecurity certification body, CEH is one of the most widely recognized ethical hacking certifications.

  • CompTIA PenTest+: This certification focuses on penetration testing and vulnerability assessment.

  • SANS GIAC Penetration Tester (GPEN): Like PenTest+, the SANS Institute's GPEN certification validates an ethical hacker's pen testing skills.

Ethical hacking in practice

Ethical hackers offer a range of services.

Penetration testing

Penetration tests, or "pen tests," are simulated security breaches. Pen testers imitate malicious hackers who gain unauthorized access to company systems. Of course, pen testers don't cause any actual harm. They use the results of their tests to help defend the company against real cybercriminals.

Pen tests occur in three stages:

1. Reconnaissance

During the recon stage, pen testers gather information on the computers, mobile devices, web applications, web servers and other assets on the company's network. This stage is sometimes called "footprinting" because pen testers map the network's entire footprint. 

Pen testers use manual and automated methods to do recon. They may scour employees' social media profiles and GitHub pages for hints. They may use tools like Nmap to scan for open ports and tools like Wireshark to inspect network traffic. If permitted by the company, they may use social engineering tactics to trick employees into sharing sensitive information.

2. Staging the attack

Once the pen testers understand the contours of the network—and the vulnerabilities they can exploit—they hack the system. Pen testers may try a variety of attacks depending on the scope of the test. Some of the most commonly tested attacks include:

– SQL injections: Pen testers try to get a webpage or app to disclose sensitive data by entering malicious code into input fields.

– Cross-site scripting: Pen testers try planting malicious code in a company's website.

– Denial-of-service attacks: Pen testers try to take servers, apps and other network resources offline by flooding them with traffic.

– Social engineering: Pen testers use phishing, baiting, pretexting, or other tactics to trick employees into compromising network security. 

During the attack, pen testers explore how malicious hackers can exploit existing vulnerabilities and how they can move through the network once inside. They find out what kinds of data and assets hackers can access. They also test whether existing security measures can detect or prevent their activities.

At the end of the attack, pen testers cover their tracks. This serves two purposes. First, it demonstrates how cybercriminals can hide in a network. Second, it keeps malicious hackers from secretly following the ethical hackers into the system.

3. Reporting

Pen testers document all their activities during the hack. Then, they present a report to the information security team that outlines the vulnerabilities they exploited, the assets and data they accessed and how they evaded security systems. Ethical hackers make recommendations for prioritizing and fixing these issues as well. 

Vulnerability assessments

Vulnerability assessment is like pen testing, but it doesn't go as far as exploiting the vulnerabilities. Instead, ethical hackers use manual and automated methods to find, categorize and prioritize vulnerabilities in a system. Then they share their findings with the company. 

Malware analysis

Some ethical hackers specialize in analyzing ransomware and malware strains. They study new malware releases to understand how they work and share their conclusions with companies and the broader information security community. 

Risk management

Ethical hackers may also assist with high-level strategic risk management. They can identify new and emerging threats, analyze how these threats impact the company’s security posture and help the company develop countermeasures.  

Benefits of ethical hacking

While there are many ways to assess cybersecurity, ethical hacking can help companies understand network vulnerabilities from an attacker's perspective. By hacking networks with permission, ethical hackers can show how malicious hackers exploit various vulnerabilities and help the company discover and close the most critical ones.

An ethical hacker's perspective may also turn up things that internal security analysts might miss. For example, ethical hackers go toe-to-toe with firewalls, cryptography algorithms, intrusion detection systems (IDSs), extended detection and response (XDR) platforms and other countermeasures. As a result, they know exactly how these defenses work in practice—and where they fall short—without the company suffering an actual data breach.
