Ethical hacking is the process of using the same methods and techniques used to bypass a system’s defences as used by malicious hackers. However, instead of taking advantage of vulnerabilities found, ethical hackers enable organisations to bolster their security. Some analysts suggest that there are significant flaws with penetration testing –the process of trying to ethically hack a system. As such, more advanced forms of ethical hacking, such as Structured Attack Simulation (SAS) are now used in the fight against cybercrime.

A short history of ethical hacking

ethical-hacking-techblogcorner

ethical-hacking

The logic behind ethical hacking predates the digital age, as this infographic helpfully points out. Assessing one’s own resilience to attack is rooted in the wars of ancient history and the strategic games which first developed in 6th century India which evolved in the 15th century into what we now call chess. In the 20th century, hacking was not limited to computers. It referred to any activity which expanded the capabilities of an electronic device beyond the intentions of the manufacturer. Modern hackers emerged in the 1960s at the Massachusetts Institute of Technology (MIT), where experiments were performed on electronic trains. In the 1970s more malicious forms of hacking emerged with the rise of phreaks and phone hackers. These groups of people learned how to hack telephone systems in order to make phone calls for free. In the 1980s phreaks started to move their attention to computer systems when Bulletin Board Systems (BBS) were used to share tips on how to break into computer systems, steal stolen credit card numbers and share stolen passwords.

In the mid-1980s the US government began to realise the threat posed by malicious forms of hacking and introduced the Computer Fraud and Abuse Act in 1986. With the onset of the internet age in the 1990s, the number of hackers multiplied considerably and computer systems security became big business. Around this time there was a considerable increase, in the business world, for penetration testing – where companies employed “ethical hackers” to try and break into their systems, thus helping those companies to identify unforeseen vulnerabilities in their security.

Unlimited Photo Storage

The problems with traditional penetration testing

 

traditional-penetration-testing-techblogcorner

traditional-penetration-testing

Critics of traditional penetration testing say that it is impossible to prove that there are no holes in a security system. Logic dictates that you can’t prove a negative, you can only prove a positive. So, when a company pays an ethical hacker/pen tester to try and compromise their network, if that person or organisation is unsuccessful at breaking in, they have not proved that the system is flawless they have merely shown that they could not find a way to break in. Some might argue that the only real value in penetration testing is in determining if a security system is particularly weak. If a pen tester finds it easy to compromise a system, this provides the organisation being tested with the knowledge that they need to invest more in their systems security set-up and strategy. Budget constraints also often dictate that penetration testing is carried out in the shortest possible time. This means that the results of a penetration test are flawed because they do not realistically replicate the advanced methodology and techniques used by today’s hackers.

The benefits of Structured Attack Simulation (SAS)

SAS-techblogcorner

SAS

As a counterpoint to traditional pen testing, organisations can consider more evolved forms of ethical hacking such as Structured Attack Simulation (SAS). SAS is designed to provide organisations with a more thorough assessment of their IT security systems. It differs from traditional pen testing in numerous ways. Firstly, SAS focuses on surveillance, where a target organisation and its employees are constantly monitored. This replicates the reconnaissance work undertaken by modern day attackers in the real world. Secondly, SAS employs techniques such as spear phishing, social engineering and deployment of custom malware. This replicates the far-reaching range of techniques as used in the real world. Thirdly, SAS operates over months rather than the traditional few days that are assigned to regular penetration tests. Operating over longer periods enables a much better picture of response capabilities to emerge. Finally, SAS reflects the pace of attacks conducted in the real world. This has the effect of ensuring the integrity of an organisation’s security systems, controls and processes are more accurately tested.

Summary

Ethical hacking has a long history rooted in ancient wars and strategic board games. With the onset of the digital age, cybercrime has prospered, forcing businesses to invest heavily in both their IT security systems and the testing of those systems. However, traditional penetration testing is flawed and businesses today need to look to more advanced solutions to ensure their data and systems remain safe.

 

About the author

Simon Heron

Simon Heron is the CTO at Redscan Ltd, a managed security company, where he is responsible for developing the overall business and technology strategy and growth. Heron has more than 16 years’ experience in the IT industry, including eight years’ experience in internet security. During this time he has developed and designed technologies ranging from firewalls, anti-virus, LANs and WANs. Prior to Redscan, Heron co-founded and was Technical Director of Cresco Technologies Ltd, a network design and simulation solution company with customers in the USA, Europe and China. Heron began his career as a digital hardware and software engineer, developing pioneering speech recognition technology before moving on to work for the British Antarctic Survey (B.A.S.) as science project leader. While at the B.A.S. he spent two Antarctic winters at the research station Halley in the Antarctic, developing and enhancing graphical technologies in the harshest of conditions.

Leave a Comment