Introduction

Hacking, in the sense used here, is gaining unauthorized access to a computer system, typically to steal information or to damage the system. Ethical hacking is authorized access to a computer or system, usually for the purpose of testing that system's security and reporting the findings to a responsible party or security team.

Hackers strive to break or exploit systems and cause problems for users and companies. They are constantly testing the limits of an application or system to find its vulnerabilities. Ethical hackers use largely the same techniques, but for an entirely different purpose: they test systems for defensive reasons rather than offensive ones, so that the weaknesses they find can be fixed before someone else exploits them.

The Three (+ one) Hacker Classes

There are three hacker classes, each with a different purpose and goal. These classes are the Black Hats, the White Hats and the Grey Hats. There is also a sub-category of the Grey Hats known as Hacktivists.

The Black Hats are the hackers who cause trouble. They hack for personal gain, often monetary, or to intentionally compromise a computer system. These are the hackers most often portrayed on TV and in the movies.

The White Hats are the hackers who are authorized to try to break into a system by someone in the company who has the authority to grant such activity; in practice that authorization is written down, with a defined scope and rules of engagement. These hackers use their skills and tools as a defensive measure to find weaknesses in a system and, once they find them, report them to the proper people or team.

The Grey Hats are by far the most interesting group of hackers. They may have been hired for some task but go beyond what they were actually authorized to access, or they may simply be skilled individuals who feel that full disclosure (publishing the details of a weakness, sometimes before the owner has had a chance to fix it) justifies their actions. Full disclosure remains controversial. Should a Grey Hat stumble on a weakness, it is up to them to decide whether to report it to the proper team or not.

Another group of hackers that fall under the Grey Hats are those known as Hacktivists. They have a personal or group agenda and use their skills to make a point or a statement. Some of them actually wish to get caught: being caught is part of the plan, because it draws attention to the cause. These are known as Suicide Hackers.

There is one group that does not belong to any of the above classes, better known as Script Kiddies. These people are not hackers in the true sense; lacking the technical skill to write their own tools, they rely on preexisting scripts and tools written by others to perform their "hacking".

Curiosity Or Invasion

A typical hacker can be defined as a person who is curious about how things work. They gather information about a system and are able to use that information for whatever they desire. Though it should not be used in a harmful way, many times it is. So where is the boundary between curiosity and invasion?

The boundary between the two depends on whether the hacker obtained the information illegally or under false pretenses, or whether they were hired, with written authorization and an agreed scope, to perform a security or penetration test for the organization. Typically, curiosity becomes invasion once the legal boundary is breached, regardless of the hacker's intent.

Threat Modeling and Risk Management

Threat Modeling first identifies the assets and security properties that matter most to a company or organization, and then enumerates the events that could affect them and the weaknesses that would let those events happen.

Risk Management determines the proper course of action to take once a threat is identified: whether to mitigate it, accept it, or simply keep watching it. (For further reading, check out our discussion about Risk Management.)

Management must be committed to security and must be made aware of both the threat model and the risk decisions of their organization. Only with this commitment can a system remain secure and, if a breach has occurred, can it be contained, managed and eliminated effectively.

Some terms that go hand-in-hand with risk management are:

  • Threat: Any event or actor that could harm an asset. A threat is only a possibility; it is neither good nor bad until something acts on it.
  • Weakness: A flaw in an asset that could be attacked.
  • Exposure: A path by which a weakness can be reached by a threat.
  • Vulnerability: A weakness that is exposed, and so can actually be attacked.
  • Exploit: The act (or the code) that takes advantage of a vulnerability.
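The following is an added example, not code from the original article: a small Python risk register that ties the terms above together. Each entry records an asset, the threat event, the weakness, and whether that weakness is actually exposed; an unexposed weakness is not yet a vulnerability and scores zero. Likelihood and impact are rated low/medium/high and multiplied into a score, entries are ranked, and a treatment (mitigate, accept or monitor) is chosen against a risk tolerance. The asset names, ratings, weights and the tolerance of 3 are all assumptions made for the illustration.

```python
"""
Risk-register example: score threats against assets, rank them, and pick a treatment.

All entries, ratings and thresholds below are constructed for illustration (assumptions).
"""
from dataclasses import dataclass

# Ordinal scale for likelihood and impact (assumed weighting).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Entry:
    asset: str        # what the organization cares about
    threat: str       # the event that could harm the asset
    weakness: str     # the flaw that would let the event happen
    exposed: bool     # can the threat actually reach the weakness? (exposure)
    likelihood: str   # "low" / "medium" / "high"
    impact: str       # "low" / "medium" / "high"


def is_vulnerable(entry: Entry) -> bool:
    """A weakness becomes a vulnerability only when it is exposed."""
    return entry.exposed


def risk_score(entry: Entry) -> int:
    """Likelihood x impact on a 1..9 scale; unexposed weaknesses score 0."""
    if not is_vulnerable(entry):
        return 0
    return LEVELS[entry.likelihood] * LEVELS[entry.impact]


def treatment(score: int, tolerance: int = 3) -> str:
    """Decide what to do with a scored risk.

    tolerance is the highest score the organization is willing to accept (assumed 3).
    """
    if score == 0:
        return "monitor"   # weakness exists but is unreachable; track it in case exposure changes
    if score > tolerance:
        return "mitigate"  # fix the weakness or remove the exposure
    return "accept"        # within tolerance; document the decision


def rank(entries, tolerance: int = 3):
    """Return (asset, threat, score, treatment) tuples, highest risk first."""
    scored = sorted(((risk_score(e), e) for e in entries), key=lambda r: r[0], reverse=True)
    return [(e.asset, e.threat, s, treatment(s, tolerance)) for s, e in scored]


# Constructed sample register (not real systems).
REGISTER = [
    Entry("customer database", "data theft", "SQL injection in login form",
          exposed=True, likelihood="high", impact="high"),
    Entry("internal wiki", "account takeover", "default admin password",
          exposed=False, likelihood="high", impact="medium"),   # only reachable from inside the VPN
    Entry("public website", "defacement", "outdated CMS plugin",
          exposed=True, likelihood="medium", impact="low"),
    Entry("laptop fleet", "lost device", "unencrypted disk",
          exposed=True, likelihood="medium", impact="high"),
]


if __name__ == "__main__":
    for asset, threat, score, action in rank(REGISTER):
        print(f"{score:>2}  {action:<8}  {asset}: {threat}")
```

Running the block prints the register highest risk first, with the SQL injection entry (score 9) and the unencrypted laptops (score 6) marked for mitigation, the CMS defacement (score 2) accepted, and the wiki's default password listed as "monitor" because, by the page's definitions, it is a weakness without an exposure and therefore not yet a vulnerability.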