Hacking is a familiar concept – we often hear about security breaches happening through the internet in order to “steal” valuable data from individuals or companies. Many of these cyberattacks become known after the damage has already been done.
Wouldn’t it be good if cyberattacks could be prevented in advance?
As a result of this growing negative trend, there is also a growing need for professionals who can effectively neutralize such “virtual” threats.
This is why I contacted Ivica Gjorgjevski and asked him to explain this fast-growing but relatively unknown profession. He is Head of the IT Department at the Directorate for Security of Classified Information of the Republic of North Macedonia and a certified EC Council Instructor in ethical hacking.
Stambolieva: Mr. Gjorgjevski, please explain to our readers, what is ethical hacking?
Gjorgjevski: Ethical hacking is the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities. White hats hackers (also known as security analysts or ethical hackers) are the individuals or experts who perform ethical hacking. Nowadays, most organizations (private companies, universities, government organizations, etc.) are hiring white hats to assist them in enhancing their cybersecurity. They perform hacking in ethical ways, with the permission of the network/system owner and without the intention to cause harm. An ethical hacker reports all vulnerabilities to the system/network owner for remediation, thereby increasing the security of an organization’s information system. Ethical hacking involves the use of hacking tools, tricks, and techniques typically used by an attacker to verify the existence of exploitable vulnerabilities in system security.
Today, the term hacking is closely associated with illegal and unethical activities. There is a continuing debate on whether hacking can be ethical or not, given the fact that an unauthorized access to any system is a crime.
The important distinction between an ethical hacker and black hat hackers (crackers) is consent. Crackers are attempting to gain unauthorized access to systems, while ethical hackers are always completely open and transparent about what they are doing and how they are doing it. Ethical hacking is therefore always legal.
Most companies use IT-professionals to audit their systems for known vulnerabilities. Although this is a beneficial practice, crackers are usually more interested in using newer, lesser-known vulnerabilities, and so these by-the-numbers system audits do not suffice. A company needs someone who can think like a hacker, keep up with the newest vulnerabilities and exploits, and can recognize potential vulnerabilities where others cannot. This is the role of an ethical hacker.
Ethical hackers usually employ the same tools and techniques as hackers, with the important exception that they do not damage the system they evaluate system security, update the administrators regarding any discovered vulnerabilities, and recommend procedures for patching those vulnerabilities.
Stambolieva: Why do companies or governments use ethical hacking?
Gjorgjevski: Ethical hacking is necessary as it allows countering attacks from malicious hackers by anticipating methods used by them to break into a system. It helps to predict the various possible vulnerabilities well in advance and rectify them without incurring any kind of attack from outsiders. As hacking involves creative thinking, vulnerability testing and security audits cannot ensure that the network is secure. To achieve security, organizations need to implement a “defense-in-depth” strategy by penetrating their networks to estimate vulnerabilities and expose them.
Reasons why organizations recruit ethical hackers:
- Prevent hackers from gaining access to an organization’s information system;
- Uncover vulnerabilities in systems and explore their potential as a risk;
- Analyze and strengthen an organization’s security posture including policies, network protection infrastructure, and end-user practices;
- Provide adequate preventive measures in order to avoid security breaches;
- Help safeguard customer’s data available in business transactions;
- Enhance security awareness at all levels in a business.
Stambolieva: How does ethical hacking work in practice?
Gjorgjevski: Ethical hacking is a structured and organized security assessment, usually as part of a penetration test or security audit. It is used to identify risks and highlight remedial actions, and also to reduce Information and Communications Technology (ICT) costs by resolving those vulnerabilities.
The ethical hacker must follow certain rules to fulfill the ethical and moral obligations. An ethical hacker must do the following:
- Gain authorization from the client and have a signed contract giving the tester permission to perform the test;
- Maintain confidentiality when performing the test and follow a Nondisclosure Agreement (NDA) with the client for the confidential information disclose during the test. The information gathered might contain sensitive information and the ethical hacker must not disclose any information about the test or the confidential company data to a third party.
- Perform the test up to but not beyond the agreed-upon limits. Loss of revenue, goodwill, and worse could befall an organization, whose servers or applications are unavailable to customers because of the testing.
The following steps provide a framework for performing a security audit of an organization, which will help in ensuring that the test is organized, efficient, and ethical:
- Talk to the client, and discuss the needs to be addressed during the testing;
- Prepare and sign NDA documents with the client;
- Organize an ethical hacking team, and prepare a schedule for testing;
- Conduct the test;
- Analyze the results of the testing, and prepare a report;
- Present the report findings to the client.
Stambolieva: What can individuals do if they wish to work as ethical hackers?
Gjorgjevski: It is essential for an ethical hacker to acquire knowledge and skills to become an expert hacker and use this knowledge in a lawful manner. The technical and non-technical skills to be a good ethical hacker are:
- Technical Skills:
- In-depth knowledge of major operating systems;
- In-depth knowledge of networking concepts, technologies, and related hardware and software;
- Knowledge of security areas and related issues;
- High technical knowledge to launch a sophisticated attack.
- Non-Technical Skills:
- Ability to quickly learn and adapt new technologies;
- Strong work ethics and good problem solving and communication skills;
- Commitment to an organization’s security policies;
- Awareness of local standards and laws.
Some courses that I can recommend for sure are the courses from EC-Council’s cybersecurity certification programs. The Certified Ethical Hacker (CEH) course is one of the most valuable certifications that an individual can have. EC-Council was the pioneer in this field. Nowadays there are many vendors dealing with cybersecurity targeting different groups. Anyway, this type of training will give you the essential knowledge needed to work in this field, but really, the proficiency of the individual depends on the person itself, because after the training the person should practice a lot in order to gain a high level of proficiency.
Every day there are new vulnerabilities, new exploits, new security solutions. Ethical hackers should research by themselves in order to keep a pace with the latest developments.