
Ethical Hacking

Syed Ali Haidar, IIT(ISM) Dhanbad

Abstract: Hacking refers to unauthorised access to, or control over, computer and network
security systems for some illicit purpose. There are no hard and fast rules by which hackers
can be sorted into neat compartments, but they are generally called white hats, black hats and
grey hats. White hat hackers are ethical hackers or security experts who specialise in
penetration testing: an authorised, simulated attack on a computer system that looks for
security weaknesses, potentially gaining access to the system's features and data, in order to
establish whether the system is truly secure. Black hat hackers, on the other hand, violate
security for malicious purposes and generally for personal gain. Grey hat hackers sit somewhere
in the middle, often breaking into a system or network without permission and then informing the
owner that a vulnerability exists. This paper analyses white hat hacking, also known as ethical
hacking, in detail. Its history, principles, reliability, current scenario and future scope are
described, and some certification bodies in this field are discussed.

Contents:

1. Introduction
2. History
3. Ethical hacking commandments
4. Reliability of ethical hackers
5. Current scenario and future scope
6. Certification
7. Conclusion
8. References

1. Introduction:

The need for more effective information security practices becomes more evident with
each security breach reported in the media. When adopting new technologies such as cloud
computing, virtualisation or IT outsourcing, enterprises face new security threats and
must adjust their security processes, policies and architectures accordingly. The
increased sophistication and success rate of recent cyber attacks signal a shift in
attacker profile: nation-states and large criminal organisations are funding well
organised, highly motivated and well trained teams. The elevated threat landscape
therefore dictates the need for a comprehensive, real-world assessment of an
organisation's security posture. Ethical hacking is one response to this need. It offers
an objective analysis of an organisation's information security posture, whatever the
organisation's own level of security expertise. In a black-box engagement the ethical
hacking team starts with no knowledge of the company's systems other than what it can
gather itself. It scans for weaknesses, tests entry points, prioritises targets and, from
the findings, develops a strategy that best guards the organisation's resources [1].

2. History:
The history of ethical hacking is largely the history of hacking itself. The first hackers
appeared in the 1960s at the Massachusetts Institute of Technology (MIT), and their first
targets were model electric trains, which they modified to run faster and more efficiently [2].
As computers became more widespread, individuals who understood systems and programming
languages began to see the possibilities of testing those systems to understand their
capabilities. This was also the period in which "phreaking" gained widespread notoriety.
Phreaking is the manipulation of telecommunications systems. Phreakers studied the nature
of telephone networks and found that devices which mimicked the network's own in-band
signalling tones let them route their own calls, which allowed them to make calls for
free, in particular highly expensive long-distance calls. Arguably, this was one of the
first times that hacking was used for illegal purposes by a large number of people.
At the same time, however, governments and companies began to see the benefit of having
technical experts actively seek out the weaknesses in a system for them, so that those
problems could be fixed before they were exploited. Such groups were known as "tiger teams",
and the American government was especially keen on using them to reinforce its defences [3].
As hacking incidents increased, organisations felt the need to check the security of their
own systems. In 1974 the U.S. Air Force conducted one of the first ethical hacks, a security
evaluation of the Multics operating system. John Patrick, then a vice president at IBM,
coined the term "ethical hacking" to describe such well-intentioned hacks [4].

3. Ethical hacking commandments:

The Ten Commandments of Computer Ethics were created in 1992 by the Computer Ethics
Institute. They were introduced in the paper "In Pursuit of a 'Ten Commandments' for
Computer Ethics" by Ramon C. Barquin as a means of creating "a set of standards to guide
and instruct people in the ethical use of computers", and they follow the Internet Advisory
Board's memo on ethics from 1987. The commandments are:

1. You shall not use a computer to harm other people.

2. You shall not interfere with other people's computer work.

3. You shall not snoop around in other people's computer files.

4. You shall not use a computer to steal.

5. You shall not use a computer to bear false witness.

6. You shall not copy or use proprietary software for which you have not paid (without
permission).

7. You shall not use other people's computer resources without authorization or proper
compensation.

8. You shall not appropriate other people's intellectual output.


9. You shall think about the social consequences of the program you are writing or the system
you are designing.

10. You shall always use a computer in ways that ensure consideration and respect for your
fellow humans [5].

4. Reliability of ethical hackers:

The reliability of ethical hackers is a major issue. Some argue that there is no such thing
as a good hacker and that all white hat hackers are actually bad hackers who have turned
over a new leaf. Such people frown on the term "ethical hacker", which they see as a
contradiction in terms, and prefer the name "penetration tester". Businesses remain
sceptical about the risk inherent in inviting a third party to attempt to access sensitive
systems and resources. However, any organisation that has a network connected to the
Internet or provides an online service should consider subjecting it to a penetration test,
because a cyber attack can happen at any time and can result in the theft of the
organisation's valuable data. To reduce this scepticism, businesses should hire only
ethical hacking companies that implement practices to ensure privacy and confidentiality,
and whose staff hold certifications from recognised bodies such as EC-Council and (ISC)².

Ethical hacking is all about trust. Ethical hackers have the skills to break into systems
but choose to use those skills for a socially constructive purpose. Nowadays, with the
increase in cyber attacks, more and more companies are seeking the help of ethical
hackers, and some large companies have increased the money they allocate to protecting
themselves against hacks. According to a PwC report, American companies' cybersecurity
budgets have grown twice as fast as their information technology budgets over the past
two years [6].

However, companies still need to be vigilant. Before commissioning an organisation or
individual, it is good practice to read their service-level and code-of-conduct agreements,
which should cover how testing will be carried out and how the results will be handled,
since the results are likely to contain sensitive information about how the system was
tested. These agreements should also fix the scope of the test (which systems may be
touched and which may not), the rules of engagement, and the written authorisation on which
the whole exercise rests. There have been instances of "ethical hackers" reporting
vulnerabilities they found while testing systems without the owner's express permission.
The effectiveness of the enterprise security architecture should be verified on a regular
basis. This is a great challenge for increasingly sophisticated organisations with complex
IT environments that include security products, end-user awareness, policies and new
technologies. These components not only change continually but also interoperate with each
other, and therefore must be tested as part of a holistic assessment that best emulates a
real-world attack scenario.
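The scope and authorisation clauses discussed above are only useful if the tester's tooling actually enforces them. The following is an added example, not code from the paper, of a scope gate that a tester would put in front of a scanner: it refuses any target outside the authorised ranges, inside an explicit exclusion list, or outside the agreed testing window. The rules of engagement, address ranges (drawn from the reserved TEST-NET blocks) and timestamps are all constructed for the example.

```python
"""Scope gate for an authorised penetration test.

Constructed example: the engagement rules, addresses and timestamps below are
placeholders, not data from any real engagement.
"""
import ipaddress
from datetime import datetime, time

# Hypothetical rules of engagement (constructed for this example).
ENGAGEMENT = {
    # Ranges the client has authorised in writing (TEST-NET blocks, placeholders).
    "in_scope": ["203.0.113.0/24", "198.51.100.10/32"],
    # Hosts carved out of scope, e.g. a fragile production database.
    "excluded": ["203.0.113.250/32"],
    # Testing allowed only between 22:00 and 06:00 local time.
    "window": (time(22, 0), time(6, 0)),
}

# Sample timestamps (constructed) used by the demonstration and the checks.
SAMPLE_NIGHT = datetime(2024, 1, 15, 23, 30)   # inside the window
SAMPLE_NOON = datetime(2024, 1, 15, 12, 0)     # outside the window
SAMPLE_EARLY = datetime(2024, 1, 16, 3, 0)     # after midnight, still inside


def _nets(cidrs):
    """Parse CIDR strings once into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_window(now, window):
    """True if the clock time of `now` lies inside [start, end); handles midnight wrap."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_target(target, now, rules=ENGAGEMENT):
    """Return (allowed, reason). Every denial carries an explicit reason for the log."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are deliberately refused: resolve first, then check the address,
        # so a DNS change cannot silently move a target outside the authorised ranges.
        return False, f"{target!r} is not an IP address; resolve it and check the address"
    # Exclusions win over inclusions, so a carve-out inside an authorised /24 holds.
    if any(ip in n for n in _nets(rules["excluded"])):
        return False, f"{ip} is explicitly excluded by the rules of engagement"
    if not any(ip in n for n in _nets(rules["in_scope"])):
        return False, f"{ip} is outside the authorised ranges"
    if not in_window(now, rules["window"]):
        return False, f"{now:%H:%M} is outside the agreed testing window"
    return True, f"{ip} is in scope"


def filter_targets(targets, now, rules=ENGAGEMENT):
    """Split candidates into (allowed, denied) lists of (target, reason) pairs."""
    allowed, denied = [], []
    for t in targets:
        ok, why = check_target(t, now, rules)
        (allowed if ok else denied).append((t, why))
    return allowed, denied


if __name__ == "__main__":
    candidates = ["203.0.113.5", "203.0.113.250", "192.0.2.7",
                  "198.51.100.10", "db.internal.example"]
    ok, no = filter_targets(candidates, SAMPLE_NIGHT)
    for t, why in ok:
        print("SCAN  ", t, "->", why)
    for t, why in no:
        print("REFUSE", t, "->", why)
```

A scanner wrapper would call `filter_targets` on its input list and feed only the allowed entries onward, writing the denied entries and their reasons to the engagement log so that the client can see what was refused and why.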

5. Current scenario and future scope:

In recent years ethical hacking has become increasingly lucrative, as companies have
turned to ethical hackers to protect them from the growing threat of cybercrime.
According to the U.S. Director of National Intelligence, cyber attacks were listed first
among global threats, above both terrorism and weapons of mass destruction. We are
witnessing an ongoing series of low-to-moderate level cyber attacks from a variety of
sources, which imposes cumulative costs on a nation's economic competitiveness and
security. Most of the cybercrime that occurs, much of it economic espionage, is never
made public. It is a very big business. In response, companies have increased the money
allocated to defending against it. Some hire external information security professionals
to undertake penetration testing. Others use "bug bounty" programmes, which pay freelance
hackers for each previously unknown software vulnerability they uncover. These programmes
may be run in-house (Google, for example, has had its own bug bounty system since 2010
and pays up to $20,000 for a single bug) or outsourced to companies such as HackerOne and
Bugcrowd, which connect hackers with clients and take a cut for each bug found [7].

According to the Data Security Council of India, the cyber security market is expected to
grow to USD 35 billion by 2025. A NASSCOM report states that the country needs at least
one million skilled people by 2020. These figures are a clear indication that the country
has a severe shortage of qualified cyber security professionals, and the need will only
grow as cyber criminals increasingly target enterprises and government establishments.

While automation is cutting lower-end and mid-level engineering jobs worldwide, cyber
security has so far remained unaffected. Because of the high demand, the average
starting salary for ethical hackers in India is about INR 4 to 5 lakh, and multinational
companies offer even more generous incentives to professional cyber security agencies.
Ethical hacking is therefore emerging not only as a growing but also as a well-paid
career for young people who wish to enter the field [8].

Fig. 1. Pen testing pay in India [9] (figure not reproduced here)

6. Certification:

In order to be considered for a job as an ethical hacker, most employers require an
ethical hacking certification. Certification exams check that the hacker not only
understands the technology but also the ethical responsibilities of the job. Since many
employers lack the expertise to evaluate applicants technically, a certification gives
them some assurance that the candidate is qualified. The following are some of the
available options:

Certified Ethical Hacker (CEH): The certification is obtained by passing the CEH examination
after either attending training at an Accredited Training Center (ATC) or completing
self-study. A candidate who opts for self-study must submit an application with proof of
two years of relevant information security work experience; those without the required
experience can ask for their educational background to be considered instead. The latest
version of the exam has 125 multiple-choice questions and a 4-hour time limit [10].

Global Information Assurance Certification Penetration Tester (GPEN): The Global Information
Assurance Certification (GIAC) programme is run by the SANS Institute, one of the oldest
providers of cybersecurity education. GIAC offers dozens of vendor-neutral certifications
backed by courses that require hands-on learning, and SANS courses are available online.
SANS also sponsors research white papers that are provided to the cybersecurity industry
free of charge. There are several routes to the GPEN certification, but it is strongly
recommended that learners take the SANS SEC560 course on Network Penetration Testing and
Ethical Hacking. SEC560 is one of the most comprehensive courses on the topic and shows
that the certificate holder has had a balanced mix of theory and hands-on training.

Offensive Security Certified Professional (OSCP): The OSCP is the least known but most
technical of these certifications. Offered by the for-profit company Offensive Security,
it is advertised as the only completely hands-on certification programme. Offensive
Security designed it for technical professionals "to prove they have a clear, practical
understanding of the penetration testing process and lifecycle" [11].

7. Conclusion:
With the increase in cyber attacks, the need for ethical hacking is becoming ever more
visible. Its roots go back to the 1960s, when hackers at MIT first modified model electric
trains. The Ten Commandments of Computer Ethics guide and instruct people in the ethical
use of computers, and ethical hackers are expected to follow them.
Businesses are often suspicious of a third party attempting to access sensitive systems
and resources. They should hire only ethical hacking companies that implement practices
to ensure privacy and confidentiality, and should agree the scope and rules of the test in
writing beforehand.
Ethical hacking has become increasingly lucrative. More and more companies are hiring
ethical hackers to stay safe from the growing threat of cyber attack. According to a
NASSCOM report, India needs at least one million people in this field by 2020, and the
average starting salary is around INR 4 to 5 lakh.
To be considered for a job as an ethical hacker, most employers require an ethical hacking
certification. Certified Ethical Hacker (CEH), GIAC Penetration Tester (GPEN) and Offensive
Security Certified Professional (OSCP) are some of the options available in this field.

8. References:
[1] https://www.helpnetsecurity.com/2012/04/20/the-importance-of-ethical-hacking/
[2] http://saiethicalhacking.blogspot.in/2009/11/history-of-hacking.html
[3] https://www.researchgate.net/profile/Rajendra_Chataut/publication/317165614_Introduction_to_Ethical_Hacking/links/59279d3ea6fdcc4443508b3d/Introduction-to-Ethical-Hacking.pdf
[4] https://pop.orange.com/en/a1294/ethical-hacker-cybersecurity-white-hat-hacking/a-brief-history-of-ethical-hacking/
[5] https://en.wikipedia.org/wiki/Ten_Commandments_of_Computer_Ethics
[6] https://www.theatlantic.com/technology/archive/2015/12/white-hat-ethical-hacking-cybersecurity/419355/
[7] https://www.theatlantic.com/technology/archive/2015/12/white-hat-ethical-hacking-cybersecurity/419355/
[8] http://www.cxotoday.com/story/india-is-in-desperate-need-for-an-army-of-ethical-hackers/
[9] http://learnhacking.in/ethical-hacking-and-cyber-security-market-in-india/
[10] https://en.wikipedia.org/wiki/Certified_Ethical_Hacker
[11] https://www.simplilearn.com/top-ethical-hacking-certifications-to-consider-article
