Mark Amory | 20 January 2016
Ask yourself the following questions:
If the answer to all of the above is yes, then you might just have what it takes to be an ethical hacker.
So what is an Ethical Hacker?
We all know what a hacker is, right? A hacker is generally identified as someone who breaks into computer systems and networks for some gain. Whether that gain is financial, malicious, or simply to cause disruption, a hacker generally acts outside the law in an unauthorised capacity.
An ethical hacker differs from this only slightly: an ethical hacker acts within the law, in an authorised capacity.
An ethical hacker, like their devious counterpart, seeks out weaknesses in systems, reverse-engineers code to make it do things it was not originally designed to do, and presses the 'X' button when prompted to press the 'Y' button, just to see what happens.
What does an ethical hacker do – What does a day in the life look like?
Most days of an ethical hacker will typically be spent carrying out coffee-fuelled research into everything and anything related to IT and tech in general. It’s a vocation that is ever-changing, so you need to stay ahead of the game at all times.
On the days where the hacking skills get brought into play, a series of common tasks will be carried out which I shall outline below, but before I do, I'm going to assume that all the necessary legal work has already been completed and a full, written scope of works has been created and duly signed by the legal team of your client giving authority for the work to be conducted.
Oh dear, stop everything and go back to square one.
Before ANY work is undertaken, you must get fully detailed legal approval to proceed. Failure to do so will put you and your client at risk of breaking the law – This is not ethical.
OK, so you've got the legalities sorted? Let's go.
Stage 1 - Reconnaissance (A.K.A. Footprinting)
You need to know everything about your target, and I mean everything. Even down to where staff go to get their lunch (who knows what juicy titbit of info you might pick up in the queue for a nice chicken & pesto salad sandwich). The weakest link is rarely the IT system; it's usually the user. Find out emails, phone numbers, software versions, project names, supplier details, site maps: anything and everything can be useful in later stages.
Stage 2 - Gaining access
Data from stage one will be used in stage 2 to gain access either remotely via the networks (using vulnerabilities in software), or physically by entering the building (Clip-board & Hi-Viz vest work a treat for this!). You heard that a new generator was being delivered next month for the server farm? Turn up the week before to do a site survey. Who knows what could happen once you are onsite?
This stage is typically where the art of hacking comes to the forefront – In the films, this is the point where the protagonist sits in a darkened, smoke-filled room with multiple monitor screens and a nice blue-LED glow from various hi-tech looking devices. Reality is, it's probably done from an overly-cramped desk via a Linux laptop perched on top of numerous O'Reilly books about Python, or Networking.
Stage 3 - Enumeration
Making sense of the data you find once access has been gained – detailing each and every step you take, so that remedial works can be carried out to ensure the access holes are fixed. A painstaking, yet necessary task - ultimately it’s what is going to get you paid.
Stage 4 - Maintaining access
Planting backdoors, or creating new user accounts to allow you to keep returning to the scene of the crime. The hacker will want to do this, and so should you. Demonstrate to your client that an attack is rarely a one-off hit; the attackers keep coming back for more, and more.
Stage 5 - Covering tracks
Deleting logs, wiping audit trails, deleting user accounts. Remove all evidence of your visit so as not to raise any suspicions of a breach at all.
If the above antics get you excited, then you probably have the makings of an ethical hacker. But a word of caution: the clue is in the name, Ethical. Whatever you do, do it legally.
Get a recognised accreditation, keep learning about IT, buy shiny things and take them apart, and make the world a better, safer place to live, work and play.