Ethical hacking is the process of using the same methods and techniques used to bypass a system’s defences as used by malicious hackers. However, instead of taking advantage of vulnerabilities found, ethical hackers enable organisations to bolster their security. Some analysts suggest that there are significant flaws with penetration testing –the process of trying to ethically hack a system. As such, more advanced forms of ethical hacking, such as Structured Attack Simulation (SAS) are now used in the fight against cybercrime.
A short history of ethical hacking
The logic behind ethical hacking predates the digital age, as this infographic helpfully points out. Assessing one’s own resilience to attack is rooted in the wars of ancient history and the strategic games which first developed in 6th century India which evolved in the 15th century into what we now call chess. In the 20th century, hacking was not limited to computers. It referred to any activity which expanded the capabilities of an electronic device beyond the intentions of the manufacturer. Modern hackers emerged in the 1960s at the Massachusetts Institute of Technology (MIT), where experiments were performed on electronic trains. In the 1970s more malicious forms of hacking emerged with the rise of phreaks and phone hackers. These groups of people learned how to hack telephone systems in order to make phone calls for free. In the 1980s phreaks started to move their attention to computer systems when Bulletin Board Systems (BBS) were used to share tips on how to break into computer systems, steal stolen credit card numbers and share stolen passwords.
In the mid-1980s the US government began to realise the threat posed by malicious forms of hacking and introduced the Computer Fraud and Abuse Act in 1986. With the onset of the internet age in the 1990s, the number of hackers multiplied considerably and computer systems security became big business. Around this time there was a considerable increase, in the business world, for penetration testing – where companies employed “ethical hackers” to try and break into their systems, thus helping those companies to identify unforeseen vulnerabilities in their security.
The problems with traditional penetration testing
Critics of traditional penetration testing say that it is impossible to prove that there are no holes in a security system. Logic dictates that you can’t prove a negative, you can only prove a positive. So, when a company pays an ethical hacker/pen tester to try and compromise their network, if that person or organisation is unsuccessful at breaking in, they have not proved that the system is flawless they have merely shown that they could not find a way to break in. Some might argue that the only real value in penetration testing is in determining if a security system is particularly weak. If a pen tester finds it easy to compromise a system, this provides the organisation being tested with the knowledge that they need to invest more in their systems security set-up and strategy. Budget constraints also often dictate that penetration testing is carried out in the shortest possible time. This means that the results of a penetration test are flawed because they do not realistically replicate the advanced methodology and techniques used by today’s hackers.
The benefits of Structured Attack Simulation (SAS)
As a counterpoint to traditional pen testing, organisations can consider more evolved forms of ethical hacking such as Structured Attack Simulation (SAS). SAS is designed to provide organisations with a more thorough assessment of their IT security systems. It differs from traditional pen testing in numerous ways. Firstly, SAS focuses on surveillance, where a target organisation and its employees are constantly monitored. This replicates the reconnaissance work undertaken by modern day attackers in the real world. Secondly, SAS employs techniques such as spear phishing, social engineering and deployment of custom malware. This replicates the far-reaching range of techniques as used in the real world. Thirdly, SAS operates over months rather than the traditional few days that are assigned to regular penetration tests. Operating over longer periods enables a much better picture of response capabilities to emerge. Finally, SAS reflects the pace of attacks conducted in the real world. This has the effect of ensuring the integrity of an organisation’s security systems, controls and processes are more accurately tested.
Ethical hacking has a long history rooted in ancient wars and strategic board games. With the onset of the digital age, cybercrime has prospered, forcing businesses to invest heavily in both their IT security systems and the testing of those systems. However, traditional penetration testing is flawed and businesses today need to look to more advanced solutions to ensure their data and systems remain safe.