Head of Penetration Testing
20th September 2021
Most businesses would like to avoid being hacked. However, hacking of an ethical nature can actually help improve your security posture. When we talk about a ‘hacker’, you’re likely picturing a criminal mastermind hidden away behind their computer screens in a dark room, wreaking havoc on businesses across the globe. In actual fact, a majority of hackers are no different from the likes of you or me. When it comes to penetration testing, this type of ethical hacking is a legitimate activity to assess your business security, with most businesses finding it and even fundamental for sound business security.
The origins of hackers can be traced back to long before the invention of the first integrated circuit.
1. The introduction of hacking
These days, hacking is described as ‘the activity of using a computer to access information stored on another computer system, without permission’. But hacking goes back even before the use of computers. From some of the earliest types of communication, as soon as people were trying to keep messages secret, there were other people trying to read them.
Cryptography has been a way of privately communicating for centuries, even as far back as 2000 BC where Ancient Egyptians would use hieroglyphics. A good place to talk about the introduction of hacking though is within the Roman Empire, where cryptography was commonly used to encrypt communications. The Caesar Cipher, used by Julius Caesar himself, is a classic example of ancient cryptography. The substitution based cipher involved replacing one letter with another, by a set number of shifts away. Therefore to decipher (or hack) the message, you’d simply apply the same number of shifts in the opposite direction to see the correct letters. Unsurprisingly, over time this substitution concept has been improved and has since become more complex.
A more recent implementation of hacking and cryptography that you’ll be familiar with is during World War 2. A team of cryptographers based at Bletchley Park had the job of cracking the Enigma code to be able to read secret, high-security, communications from foreign intelligence. The Enigma machine used by the Germans was considered unhackable, due to its mathematical permutations. But thanks to the Bletchley Park team’s resourcefulness, cutting-edge technology, and outright human error from the Germans, the code was broken. But those same three principles still stand true for hackers in this day and age when they are trying to crack passwords and gain access.
Hacking has made its way into the mainstream and has revealed the fragility of our sense of security.
Modern day hacking became more recognisable as technological advancement increasingly pushed human activities into the digital field. Hackers subsequently expanded beyond cryptography and started to try and gain unauthorised access to an organisation’s systems. In the 70’s and 80’s computer hacking was a grave concern for businesses, as hackers began exploiting corporations that were digitising their records and activities. The invention of the internet only further highlighted the instability of an organisation’s security as hackers developed new tactics.
For instance in the early 2000s, Yahoo!, Amazon, Dell, eBay and others were taken offline due to a denial-of-service attack. And the hacker? He was 15 years old. Michael Calce managed the attacks in the span of just one week, and although he didn’t put any data at risk, the attacks showed the lack of awareness and fragility of the internet.
2. Know your hacker
We shouldn’t jump to conclusions when it comes to both malicious and ethical hackers. Hackers aren’t always who you think they are, as the Michael Calce example showed you. Every hacker is different – from their skillsets through to their motivations. Some are driven by self-interest, others by an agenda, or even because they’re ethical hackers and it’s their career. There have also been cases where malicious cyber criminals have even gone on to work in ethical hacking to help businesses instead of hinder them.
One group that are well-versed in capturing the world’s attention through hacking are Anonymous. Although they can’t be considered as ethical hackers, the group often take a very public stance on socio-political issues, leading to the coining of the term ‘hacktivist’ and inspiring many computer savvy youngsters to use their skills for something greater than self interest.
3. Types of hackers
These are your ethical hackers, employed by businesses to discover security flaws. They then offer remediation advice for how a business can improve its security standpoint. They usually hold ethical hacking and penetration testing accreditations, and never do things without an owner’s authorisation first – consider them the ‘good guys’.
The ‘bad guys’. They break into systems for self interest or to add to the goals of the hacking group they belong to. These types of hackers don’t seek permission first, and often steal and sell sensitive data on the black market. The experience of these hackers can vary, from one end of the scale with opportunistic hackers that use low-effort tools to exploit a simple security flaw they’ve found in a business, through to elite hacking teams that actively seek out lucrative targets.
Usually operating on their own terms, a grey hat hackers are a bit in the middle of a black and a white hat hacker. They may break into a system without authorisation, see what damage they could do, but then produce a report for the business in the hope of reimbursement. It’s a bit like being an opportunistic freelancer.
4. What is ethical hacking?
A key way that businesses can prevent being breached is by discovering their security flaws themselves before a malicious hacker does. This is where ethical hacking comes into play. Ethical hackers, also commonly known as penetration testers, are employed by businesses to find vulnerabilities and produce a report on what they’ve found, consequently preventing the disruption and damage that a real attack would have caused.
5. Is ethical hacking safe?
Although hackers are normally surrounded with negative connotations, there are ‘good guys’ out there. Ethical hacking is not only safe for your business, but can be highly beneficial in fixing security flaws before they’re exploited.
You could privately hire a penetration tester for your business, in which case ask for an ethical hacking certification or a previous employer’s recommendation. But for an even safer approach, use a penetration testing company. They will have trustworthy and reliable white hat hackers as salaried employees and their broad experience will mean you get a thorough test of your infrastructure or application.
If you’re still unsure, look for penetration testing companies that have ISO 27001 as this highlights that they take their security seriously. You can also look out for highly respected qualifications such as CREST and Tigerscheme, then you can be sure you’re in safe hands.
6. Does ethical hacking prevent me from being attacked?
By using ethical hacking, you can find your security weaknesses before a black hat hacker does. This enables you to fix the vulnerabilities and keep the data of your customers, partners and employees safe.
Penetration testing is the cornerstone of a strong security posture. It’s a fundamental aspect in ensuring your infrastructure is secure. You will need to test at least once annually though to stay on top of your vulnerabilities, and if you really want to ensure there are no loopholes for malicious actors to exploit, you can use automated tools such as VA scanning in between your penetration tests.
In a world where all security controls can be undone by a single click, the right staff training is vital.
7. The bonus security measure
Although we’ve covered how a penetration test can help prevent you from being hacked, there is one matter you mustn’t forget when forging a strong security posture – humans are hackable too! Your staff aren’t always going to be computer wizards, which means you need to train them to spot potential attacks. Without a basic knowledge of cyber risks, they are left open to hackers attempts of social engineering. A favourite, low-effort attack type for hackers is phishing, where all the time and money you’ve put into ensuring rigid technical controls can be undone by a single click on a malicious email. So even with the right penetration testing in place, to further ensure you avoid the financial and reputational damages of a breach, get your staff onto some cyber awareness training. Think of it as human penetration testing, a simple but crucial activity to help protect your business from hackers.
With the right mix of penetration testing, VA scanning and staff training – you’re well on your way to a secure cyber posture. But the best lesson we can teach you is to be proactive with your security. Hackers will forever prey on laziness as it makes for a great opportunistic hack. Defense.com™ has all the tools you need to keep on top of your security, including our best-in-class penetration tests.
Easily manage cyber risks with Defense.com™
Get access to comprehensive security tools and expertise, without the enterprise price tag.
No advanced knowledge required – we’ll take care of the heavy lifting for you.
Find out more about the 7 steps to securing your business and sign up for a free trial today.