Introduction
Hacking is the act of gaining unauthorized access to a computer system, usually for the purpose of either
stealing information or damaging the system. Ethical hacking, by contrast, is authorized access to a computer or
system, usually for testing the system's security and reporting the findings to a responsible party or security team.
Hackers strive to break or exploit systems and cause problems for users and companies. They are constantly testing
the limits of an application or system to find its vulnerabilities. Ethical hacking pursues much the same goals,
but for an entirely different purpose: ethical hackers test systems for defensive reasons rather than
offensive ones.
The Three (+ one) Hacker Classes
There are three hacker classes, each with a different purpose and goal. These classes are the
Black Hats, the White Hats and the Grey Hats. There is a sub-category of the Grey Hats known as Hacktivists.
The Black Hats are the hackers who cause trouble. They hack for personal gain, sometimes monetary,
or to intentionally compromise a computer system. These are the hackers most portrayed on TV and in the movies.
The White Hats are the hackers who are authorized to try to break into a system by someone in the
company who has the authority to grant such activity. These hackers use their skills and tools
as a defensive measure to find weaknesses in a system and, once they find those weaknesses, report them to the proper
people or team.
The Grey Hats are by far the most interesting group of hackers. They can be hackers who have been
hired but are not authorized to access the system. They could also be skilled individuals who feel that, through
full disclosure, they can justify their actions. Full disclosure is still controversial, however. Should
a Grey Hat innocently find a weakness, it is up to them to decide whether or not to report it to the proper team.
Another group of hackers that falls under the Grey Hats is known as Hacktivists. They are the ones
with a personal or group agenda: they are either trying to make a point or using their skills to make
a statement. Of course, there are also those who actually wish to get caught, and who consider the act of
getting caught part of their plan. These are known as Suicide Hackers.
There is one group that does not belong to any of the above classes, and this group is better known as
Script Kiddies. These people are not hackers in the true sense, but rather a group that, lacking
the technical skills to write their own scripts, relies on preexisting scripts to perform their "hacking".
A typical hacker can be defined as a person who is curious about how things work. They obtain information and are
able to use this information for whatever they desire. Though it should not be used in a negative way, many
times it is. So where is the boundary between curiosity and invasion?
The boundary between the two depends on whether the hacker obtained the information illegally or under
false pretenses, or whether they were hired to perform a security or penetration test for the organization. Typically,
curiosity becomes invasion once the legal boundary is breached.
Threat modeling is the process of determining which security issues matter most to a company or organization,
and then identifying the possible events that could affect those issues.
Risk management determines the proper course of action to take when a threat is identified.
(For further reading, check out our discussion about Risk Management.)
Management must be committed to security and must be made aware of both the threat modeling and the risk management of
their organization. Only with this commitment can a system remain secure, and only then, if a breach has occurred, can it be
contained, managed and eliminated effectively.
Some terms that go hand-in-hand with risk management are:
- Threat: A potential event that is neither good nor bad in itself, just potential.
- Weakness: A flaw that leaves an asset vulnerable to attack.
- Exposure: A point of access to a weakness.
- Vulnerability: An instance of an exposure to a weakness.
- Exploit: The act of taking advantage of a vulnerability.