By the Book: An Ethical Hacker’s Guide to Corporate Compromise
Ethical hackers are in big demand. Recent data from the the EC Council1 indicates this role is the number one role in demand and growing, with enterprises paying on average $90,000 salary, up to $140,000 annually to secure the services of a skilled ethical hacker.
Despite the positive impact of white hat hackers in identifying and remediating cybersecurity issues, however, the nature of corporate network compromise — even with permission — often puts these technology pros in a legal grey area. Here’s what you need to know about the nature of ethical enterprise attacks, the certifications needed to secure a career in IT compromise and the rules and regulations that govern digital break-and-enter best practices.
A Hack of Many Hats
Not all hacks are created equal. While all attack methods and threat vectors share the common goal of uncovering and exploiting network, system and application vulnerabilities, the purpose of these attacks defines their impact as positive, problematic or potentially dangerous. Hackers are typically divided into three broad groups:
- Black Hat — The common “bad actor”. Black hat hackers may work alone or as part of a larger group. They compromise enterprise networks to steal corporate data, extract money via account takeover or ransomware, or cause damage to IT systems. Black hat hackers are criminals and can be prosecuted under The Computer Fraud and Abuse Act.
- Grey Hat — Grey hat hackers are more interested in the challenge of hacking than extracting and monetary gain or causing serious harm. Some attack systems to identify potential vulnerabilities and then notify companies of their activities, while others focus on testing proof-of-concept threats to see how they perform at scale. Grey hat hackers are not employed by organizations and typically act on their own; without permission from target enterprises, they also operate outside the law.
- White Hat — Also called ethical hackers, white hat hackers are employed by organizations to find and exploit system vulnerabilities in a controlled environment. Some are hired as full-time IT staff and others work as independent contractors — most possess at least one ethical hacking or similar security certification, and help organizations develop and deploy effective cybersecurity solutions. Although white hat hackers operate with the permission of the companies they’re trying to breach, they’re still required to handle confidential data with care to comply with legal and corporate regulations.
The Path to Ethical Hacking
While many IT professionals now perform regular vulnerability assessments on corporate systems, there’s a growing demand for formally-certified staff with the skills to effectively design penetration testing frameworks, scan for weaknesses, discover access pathways, identify persistent problems and reconfigure systems for better defense. Some of the most popular certifications include:
- Certified Ethical Hacker (CEH) — This certification introduces the critical skills of footprinting, scanning, enumeration and system hacking. Certified ethical hackers must pass a 125-question exam with a score of 70 percent or better to earn their qualification. CEH remains one of the most in-demand hacking certifications available.
- Certified Information Systems Auditor (CISA) — CISA is a mid-level certification designed for security professionals with at least five years of experience in security management, governance and risk assessment.
- Certified Information Security Manager (CISM) — This advanced qualification is often a prerequisite for high-level security management or consultancy positions and certifies the ability of IT pros to design and develop organization-wide ethical hacking and defense programs.
- GIAC Security Essentials (GSEC) — This certification focuses on the hands-on work of security management and testing, and requires IT staff to demonstrate their skills in-situ.
Leading the Charge — and Following the Rules
The nature of ethical hacking means that IT pros aren’t following all the rules; instead, they’re leading the charge on vulnerability detection and remediation by finding ways to bend or break existing processes and gain unapproved access. While their intentions are good — they’re searching for overlooked or under-served systems that need care and attention to limit corporate risk — their actions place them firmly in an operational grey area.
As a result, it’s critical that ethical hackers understand their potential risk and follow all necessary regulations to ensure white hat attack vectors don’t become black hat problems.
First and foremost? Ethical hackers employed by organizations should always obtain full and informed consent from managers and C-suite executives before starting any staged attack. This transparency helps reduce the risk of potential misunderstanding during penetration tests. Infosec professionals also need to recognize the regulatory impact in three key areas:
- Compliance — Federal regulations such as HIPAA and industry standards such as PCI DSS define data protection and use standards for health and financial information, respectively. No matter their intention, ethical hackers who violate these regulations during penetration testing could put companies at risk of a compliance violation.
- Codes of Ethics — The EC-Council — which is responsible for granting the CEH designation — has a code of ethics which mandates that IT pros disclose potential hacking risks to stakeholders, avoid the use of illegal software tools and make every effort to protect enterprise intellectual property.
- Criminal Statutes — If ethical hackers intentionally defraud or damage computer systems to obtain value — even as part of a white hat hacking effort — they may be at risk of prosecution under the Computer Fraud and Abuse Act (CFAA).
Ethical hacking is now a key component of effective enterprise network defense. Equipped with the right certifications — and in compliance with critical rules and regulations — white hat hackers can help organizations discover system vulnerabilities, design new security solutions and develop superior defenses.
Create a FREE Account To Build Your Cybersecurity Career:
- "TOP 8 IN-DEMAND CYBERSECURITY JOBS IN 2020" https
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybray's blog to be seen by thousands of infosec readers daily!