When you think of hackers and hacking, do you picture groups like Anonymous launching high-profile attacks that target email passwords and personal information?
Or do you see high-school kids in their bedrooms, logging into school networks to change their grades?
We usually think hacking and hackers are bad. Sometimes, that’s true. But hacking can also be done for the greater good, and that’s where "ethical hacking" comes in.
Ethical hacking sounds like an oxymoron, but it's essential to cybersecurity.
Testing the boundaries
"Ethical hacking is the practice and exercise of testing a company's security measures and business practices in an effort to identify vulnerabilities and weaknesses that threaten their assets," said Luke McOmie, director of Lambda Labs at Red Lambda, a data-security-software provider based in Longwood, Fla. "The purpose of this testing is to produce information that judges the company's security posture against industry/international security standards."
Ethical hackers use the same tools and techniques that malicious hackers use to penetrate a network or deceive humans in order to identify weaknesses in technology and employees, said Renee Chronister, an ethical hacker with Parameter Security in St. Peters, Mo.
Ethical hackers, also known as penetration testers or "pen testers," see how far they can get into a company or organization's network and what sensitive data they can access. They use this information not to their advantage, but to the company’s advantage, so that it can better lock down its network.
Perpetual problem solvers
Most ethical hackers are professionals who may have started off hacking computers many years ago and developed skills over time. Some have systems- and network-administrator backgrounds. Others are former software developers. Some have mathematical backgrounds, while others have scientific training.
"Regardless of the background, truly effective ethical hackers love a challenging puzzle," said Ed Skoudis, a SANS Institute Faculty Fellow and founder of Counter Hack Challenges, an educational organization devoted to information security. "They revel in taking things apart to find their flaws."
"Some ethical hackers focus on security research, discovering flaws in products, protocols and new technologies," Skoudis said. "Penetration testers focus on finding flaws in organizations' deployed systems.
"Penetration testing, in essence, is the application of ethical hacking skills and techniques to a specific deployed technical infrastructure," he said. "Some ethical hackers are security researchers and penetration testers."
Perhaps most importantly, ethical hackers provide valuable insight into how an attacker thinks, how he or she will form an attack and what the attacker's next move will be.
"Because of this, we can fix holes before they become targets," said Charles Tendell, a "certified ethical hacker" based in Denver.
That's how ethical hackers promote better cybersecurity.
"If you don't know where your security holes are, then how can you protect against malicious attacks?" Chronister said. "Ethical hacking identifies and exploits your weaknesses so you can see what sensitive data can be assessed and empowers you by being able to remediate these weaknesses hopefully before malicious hackers strike."
To become an ethical hacker, Skoudis said, one should spend time learning how computer systems and networks really work. A deep view and understanding of technology is vital to finding flaws and manipulating systems.
Skoudis believes hacking is a skill that everyone should have.
"One of the things I do with my kids is hold periodic 'Skoudis Family Hacking Nights,'" he said. "When I tell some of the folks in my neighborhood about this, they look at me in horror. I then explain to these folks that hacking can be done for noble purposes, with a focus on helping improve the state of security."
As technology becomes a more important part of most people's lives, Skoudis added, the ability to find flaws in it and to manipulate it is increasingly valuable for people in all walks of life.
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved.