Ethical hacking in Cybersecurity
The internet is a revolutionary technology that has transformed the lives of individuals, enterprises, and governments by networking the entire world. The globalization effects of the internet are evident in the pervasive sharing of information, ideas, knowledge, and culture that is not constrained by time or geographical location. However, while cyberspace has presented numerous advantages to modern living, it has also provided an alternative channel for criminals. As such, cybercrime is the most significant disadvantage of internet technology, and its growing trend has made cybersecurity a prime personal and organizational concern. According to the International Council of E-Commerce Consultants (EC-Council), hackers launch attacks every 39 seconds, with one in every three Americans being targeted. Moreover, only 38% of international companies proclaim their preparedness for a cyberattack. Indeed, hackers have gained notoriety through their ability to penetrate networks and launch their criminal activities remotely and anonymously. Although various cybersecurity approaches have been used to secure personal and organizational cyberspaces, hackers have always found a way of breaching them, causing untold anxiety and harm to individuals, organizations, and governments. Moreover, the vulnerability of cyberspace has been exacerbated by the proliferation of mobile technologies and the rapid development of the internet of things (IoT), presenting challenges to conventional cybersecurity interventions (Abraham, Chatterjee and Sims 540).
Regular vulnerability testing of online systems is recommended to reduce the ever-changing vulnerability of cyberspace because it keeps cybersecurity abreast of the evolving hacking methods used by cybercriminals. Ethical hacking is an emerging field in cybersecurity that promises to reduce system vulnerability continuously, as ethical hackers think like cybercriminals and are therefore able to anticipate system breaches before they occur. However, ethical hacking carries a negative connotation that prevents its acceptance in the mainstream cybersecurity community, even as ethical hackers continue to reveal vulnerabilities in information systems and networks (Marks). The ensuing discussion investigates the nature of ethical hacking and its potential to improve cybersecurity as part of a comprehensive cyber-resilience strategy in organizations. The link between hacking and cybersecurity is expounded alongside the characteristics of ethical hacking as an emerging profession in cybersecurity.
Cybersecurity is the securing of information and networks from internet-aided penetration and attacks by cybercriminals. It is a collection of tools, strategies, and human capital focused on deterring malicious and unauthorized access to networks and information (Rathore 7). In turn, ethics is the collection of rules and regulations guiding human behavior according to prescribed moral principles (Bashir and Khalique 14). From this premise, ethics and cybersecurity are closely linked, and this relationship influences hacking. The proper use of these technologies requires adherence to the highest level of ethical conduct to ensure that information remains secure and no harm is perpetrated through the information systems. However, since societies are always infiltrated by unethical people, some of whom have criminal intent, cybersecurity approaches and tools have been developed to protect information systems. Nonetheless, hackers specialize in penetrating such systems by identifying their inherent technical vulnerabilities. Moreover, they have gone further to employ mobile technologies, social media, and social engineering, exploiting the frailties in human behavior when interacting with information systems so that people themselves become the means of penetrating those systems (Caldwell 10). As such, hackers are highly skilled in IT, psychology, sociology, mathematics, and other disciplines. Hackers not only test the security of information systems; their conduct also necessitates the continuous development of cybersecurity strategies and tools.
Ethical hacking is an emerging profession that is different from unethical hacking because of the differences in moral foundations. While both kinds of hacker share expertise in penetrating information systems and networks, their intentions differ, based on their contradictory ethical outlooks. As such, the terms white hat and black hat are used to describe the ethical and unethical hackers, respectively (EC-Council). In this regard, the ethical hacker (white hat) is intent on identifying system vulnerabilities to improve security and reduce harm, while the unethical hacker (black hat) focuses on breaching systems to perpetrate a crime or cause harm. In addition, the legality of the penetration act differentiates the ethical hacker from the unethical one. The ethical hacker is authorized to penetrate the system, while the unethical one is not authorized and therefore does so illegally (Bashir and Khalique 15). Altogether, ethical hackers employ their skills for constructive and defensive reasons, while unethical hackers pursue offensive ends (Rathore 7). Interestingly, the possibility of changing from a black hat to a white hat exists, although the transformation has been questioned. For instance, Kevin Mitnick, who was a notorious unethical hacker, converted to a white hat (Thomas, Burmeister and Low 6).
From these differences, Bashir and Khalique (15) concluded that the ethical hacker is characterized by three obligations. First, the hacker secures permission from the organization to scrutinize its information systems and network and identify the security risks. Second, the hacker must respect the privacy of the organization and the individuals therein, not only by guaranteeing confidentiality but also by ensuring that their work is not susceptible to exploitation at a later date. Third, the hacker must disclose all identified security vulnerabilities, regardless of whether they are already known or unknown. In turn, the benefits of ethical hacking include i) subjecting the system to real-life attacks, ii) discovering the system's susceptibility from a cybercriminal's perspective to enhance its security, iii) thwarting data theft and misuse by cybercriminals, iv) developing and implementing secure systems that are breach-proof, v) earning trust from stakeholders, and vi) reinforcing national security by preventing terrorists' access to data (Ding, De Jesus, and Janssen 3). These characteristics indicate that ethical hacking is a preventive and proactive cybersecurity strategy because it prevents cyberattacks beforehand (Shah and Vaswani 396). To achieve these ends, ethical hackers use the black-box, white-box and grey-box testing approaches (Caldwell 13). In the black-box approach, ethical hackers are provided with the company name only, while in the white-box model, detailed information such as network topology and infrastructure technology is disclosed (Caldwell 13). The grey-box approach makes partial disclosure of the company's system and falls between the two other methods. Of the three methods, the black-box testing model reveals the most security vulnerabilities.
Ethical hackers are increasingly being incorporated into the comprehensive cyber-resilience strategy of organizations because of their ability to identify the cyber risks in information systems and networks and thereby strengthen cybersecurity (Abraham, Chatterjee and Sims 542). Ethical hackers fit into the vulnerability management practices of organizations by conducting regular vulnerability assessments of the information systems and networks. They do this by undertaking penetration tests when commissioned directly by organizations or by participating in crowdsourced cybersecurity initiatives, as illustrated in figure 1.
Figure 1. Ethical hacking methods
Source: Ding, De Jesus, and Janssen (3)
Penetration testing differs from crowdsourced testing in the onboarding approach, time frame, personnel, payment model, testing hours and vulnerability reporting, as detailed in figure 2.
Figure 2. Comparison between penetration and crowdsourcing methods of ethical hacking
Source: Ding, De Jesus, and Janssen (4)
Crowdsourced testing presents notable advantages over penetration testing: it is more efficient and effective because it leverages the diverse capabilities of thousands of participants, enabling continuous testing and real-time reporting of vulnerabilities, and it is cost-effective because organizations pay for valid threats only (Ding, De Jesus, and Janssen 4). However, although crowdsourcing suits organizations using cybersecurity systems and tools available in the market, it is often rejected by companies that have in-house systems, for confidentiality reasons. Notably, crowdsourced testing is executed either as bug bounty programs (BBP) or as responsible disclosure (RD) (Ding, De Jesus, and Janssen 4). Currently, BBPs comprise public and private programs in which ethical hackers identify and report vulnerabilities in exchange for a reward. In private programs, platforms such as Synack, Cobalt Labs, Bugcrowd and HackerOne, which are available in the market, are purchased by organizations, which then invite white hats and engage those who meet the selection criteria (Ding, De Jesus, and Janssen 4). In contrast, public programs allow the free participation of ethical hackers. Alternatively, responsible disclosure, or coordinated vulnerability disclosure, provides guidelines for reporting vulnerabilities that are grounded in organizational policy (Ding, De Jesus, and Janssen 4). In summary, while BBPs invite ethical hackers and reward them, RD coordinates the disclosure of vulnerabilities without a monetary reward.
Ethical hacking is progressing towards a mainstream profession due to emerging certifications and university courses. As such, organizations are engaging ethical hackers as regular employees or contractual consultants to bolster cybersecurity. To facilitate the certification and employment of ethical hackers, various bodies have emerged with certification programs and codes of ethics to regulate the profession. For example, the International Council of E-Commerce Consultants (EC-Council) offers the Certified Ethical Hacker (CEH) certification, while the Certified Information Systems Security Professional (CISSP) credential is awarded to information security experts with over 5 years' experience in the United States (Caldwell 10). The recognition of the CEH certification by the United States Department of Defense (DoD) is evidence of the importance attached to ethical hacking in national security. In the United Kingdom, the Council of Registered Ethical Security Testers (CREST) awards the Team Leader (CTL) and Team Member (CTM) certifications to British ethical hackers (Caldwell 10).
In conclusion, cybersecurity is challenged by fast-developing information and communication technologies alongside the proliferation of the internet across the world. Cybercriminals can now launch their illicit activities anonymously and remotely from any corner of the world. With cybercrime escalating and cybercriminals continuously innovating new techniques to breach networks and information systems, ethical hackers who understand the criminal mindset may be the solution to cybersecurity in the 21st century. Ethical hackers launch attacks similar to those of cybercriminals, except that their attacks are authorized and legal. As such, ethical hackers can be an integral component of a comprehensive cyber-resilience strategy because they approach cybersecurity proactively and preventively, thus forestalling cyberattacks before they are executed. Indeed, the growth of certification bodies and the expansion of training are helping ethical hacking transform into a promising and respectable profession that is guided by a code of ethics. This will help erase the negative connotation associated with hacking and encourage organizations and nations to embrace ethical hackers as an effective and efficient approach to cybersecurity.
Abraham, Chon, Dave Chatterjee, and Ronald R. Sims. “Muddling through cybersecurity: Insights from the US healthcare industry.” Business Horizons, vol. 62, 2019, pp. 539-548.
Bashir, Bisma, and Aqeel Khalique. “A Review on Security versus ethics.” International Journal of Computer Applications, vol. 151, no. 11, 2016, pp. 13-17.
Caldwell, Tracey. “Ethical hackers: putting on the white hat.” Network Security, 2011, pp. 10-13.
Ding, Aaron Yi, Gianluca Limon De Jesus, and Marijn Janssen. “Ethical hacking for boosting IoT vulnerability management: a first look into bug bounty programs and responsible disclosure.” Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing. ACM, 2019.
EC-Council. “What is ethical hacking?” 2019. https://www.eccouncil.org/ethical-hacking/
Marks, Joseph. “The Cybersecurity 202: The government’s relationship with ethical hackers has improved, security experts say.” The Washington Post, 6 August 2019. https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/06/the-cybersecurity-202-the-government-s-relationship-with-ethical-hackers-has-improved-security-experts-say/5d48a4bf88e0fa1454f8019a/. Accessed 6 December 2019.
Rathore, Neeraj. “Ethical hacking and security against cyber crime.” i-manager’s Journal on Information Technology, vol. 5, no. 1, 2015, pp. 7-11.
Shah, Niral, and Naveen Vaswani. “Cyber Crime and Security: Challenges and Security Mechanisms.” International Journal of Engineering Trends and Technology, vol. 36, no. 7, 2016, pp. 367-371.
Thomas, Georg, Oliver Burmeister, and Gregory Low. “Issues of Implied Trust in Ethical Hacking.” ORBIT Journal, vol. 2, no. 1, 2018, pp. 1-16.