Ethical hacking is about discovering vulnerabilities in our information systems.
Movies have popularized the character of the “hacker”, so everybody is already familiar with the term. According to Wikipedia, a hacker is “a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means”. It is quite a good definition, but rather incomplete. First, we need to understand “computer expert” in a broad sense: hardware, software, communications technologies, network protocols, cloud, mobile… everything related to IT is within a hacker's scope. And not only IT: very frequently the easiest way to “overcome an obstacle” is by dealing with people, which also requires social skills.
Therefore, we may say that a hacker is somebody able to use a wide set of resources, not always legal or ethically acceptable, to gain access to IT systems.
There are many reasons why somebody may want to hack a system: economic benefit, intellectual challenge, revenge… In general, in terms of motivation, hackers are classified into three types:
• Black-hat hacker: a malicious hacker who tries to gain unauthorized access to a system to obtain an illicit benefit or to inflict damage.
• Grey-hat hacker: a hacker who acts without malice, but still illegally.
• White-hat hacker: a hacker who challenges the security measures of a system in order to detect vulnerabilities so they can be fixed.
One person may play different roles, and it is not infrequent that black-hats become white-hats over time.
Ethical hacking is what white-hats do. According to the EC Council definition, “Ethical hackers learn and perform hacking in a professional manner, based on the direction of the client, and later, present a maturity scorecard highlighting their overall risk and vulnerabilities and suggestions to improve”. In short, an ethical hacker is a white-hat who checks how difficult it would be for a black-hat to hack a system.
Even though ethical hackers share methods and tools with black-hats and grey-hats, there are relevant differences, not only in the objectives but also in the means. Normally, the ethical hacker has more information about the target system, but also more constraints on the techniques to use, which are limited by the contract signed with the client. That contract is a very important piece of ethical hacking, and it must state very clearly the scope of the project and the kind of activities the hacker is entitled to perform. In fact, the contract protects both sides: for the client, it guarantees the confidentiality and integrity of its systems and data; for the hacker, it provides legal coverage for a task that could be illegal otherwise.
Nowadays, ethical hackers are highly professionalized, and there are global organizations providing training and certifications. I’ve already mentioned the EC Council (International Council of E-Commerce Consultants, https://www.eccouncil.org/), an organization created after the 9/11 attack on the World Trade Center, which is today the world’s largest cyber security technical certification body. The EC-Council grants its prestigious Certified Ethical Hacker (CEH) certification through a very demanding exam.
That’s all for now. In the next post, we will talk about penetration tests: tools, techniques, and what should be taken into account when testing SAP systems.
NovisEuforia cooperates with Santa Marta AB to offer an ambitious initiative to improve cybersecurity over SAP systems.