Elsevier

Network Security

Volume 2011, Issue 7, July 2011, Pages 10-13

Feature
Ethical hackers: putting on the white hat

https://doi.org/10.1016/S1353-4858(11)70075-7

Ethical hackers are fast becoming an essential part of an enterprise's network security armoury. So-called ‘white hats’ – to distinguish them from their malicious black hat counterparts – are increasingly fulfilling a role beyond penetration testing. As the threats change, the skill sets of ethical hackers are changing too, encompassing social engineering, social networking and consumer mobile technologies.

Career development may be along a number of routes but essential attributes for all ethical hackers are patience, lateral thinking and an ability to keep abreast of rapidly changing network threats. Tracey Caldwell looks at the skills required.

Section snippets

Starting out

The barriers to entry to becoming an ethical hacker are pretty low, according to Chris Larsen, senior malware researcher at Blue Coat Systems. “Buying or building a cheap computer and putting Linux, Apache, MySQL and PHP on it will get you started,” he says. “Just set up a simple website on your box, hook it to the Internet, and start watching your server logs. You'll see the hackers coming to you in no time.”

Chris Larsen, Blue Coat Systems.

He adds: “Ethical hackers have a valuable role to play
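Larsen's "start watching your server logs" advice is the one concrete technique in this snippet, so here is an added example of what that watching looks like once it is automated. This is illustrative code written for this page, not code from the article or from Blue Coat: it parses Apache combined-format access log lines, URL-decodes each request path, matches it against a small set of assumed probe signatures (directory traversal, common admin-panel paths, SQL-injection fragments) and flags client addresses that either hit a signature or produce the high error ratio typical of blind scanning. The log lines are constructed for the example and use RFC 5737 documentation addresses; the signature list is deliberately short and is not a substitute for a real ruleset.

```python
"""Triage Apache combined-format access logs for common attacker probes.

Added example; not code from the article. Signatures and sample log
lines are constructed for illustration, not taken from any real server.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed probe signatures (hypothetical, kept deliberately small).
# They run against the URL-decoded path so that encoded payloads such
# as %27 or %2e%2e%2f are not missed.
SIGNATURES = {
    "traversal": re.compile(r"\.\./"),
    "admin_probe": re.compile(
        r"(?i)/(?:phpmyadmin|pma|wp-login\.php|wp-admin|administrator|manager/html)(?:[/?]|$)"
    ),
    "sqli": re.compile(
        r"(?i)(?:'\s*(?:or|and)\b|\bunion\s+select\b|\bsleep\(|\bbenchmark\()"
    ),
}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["decoded_path"] = unquote(entry["path"])
    return entry


def classify(entry):
    """Names of the signatures the request matches (empty list if nothing matched)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(entry["decoded_path"])]


def analyse(lines):
    """Aggregate per client IP: request count, 4xx/5xx count and signature hits."""
    report = defaultdict(lambda: {"requests": 0, "errors": 0, "tags": Counter()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:  # skip lines that are not in combined format
            continue
        rec = report[entry["ip"]]
        rec["requests"] += 1
        if entry["status"] >= 400:
            rec["errors"] += 1
        rec["tags"].update(classify(entry))
    return dict(report)


def flag_suspicious(report, min_requests=3, error_ratio=0.5):
    """IPs that hit a signature, or whose error rate looks like blind path guessing."""
    flagged = []
    for ip, rec in report.items():
        scanning = (rec["requests"] >= min_requests
                    and rec["errors"] / rec["requests"] >= error_ratio)
        if rec["tags"] or scanning:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2011:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jul/2011:10:01:05 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [12/Jul/2011:10:01:06 +0000] "GET /pma/index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [12/Jul/2011:10:01:07 +0000] "GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 612 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [12/Jul/2011:10:01:08 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Jul/2011:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for ip in flag_suspicious(rep):
        r = rep[ip]
        print(ip, r["requests"], "requests,", r["errors"], "errors,", dict(r["tags"]))
```

Run it against a real file with `analyse(open("/var/log/apache2/access.log"))`. The error-ratio check matters as much as the signatures: a scanner guessing paths leaves a trail of 404s even when none of its requests matches a known pattern, while a single `'` in a query string is not by itself proof of anything, which is why the report keeps counts rather than raising an alert per line.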

Training

Enterprises must address network security concerns and – almost as important – must be able to show a world full of regulators and auditors that they are doing so. James Foster, principal consultant at Acumin Consulting, points out that recent regulations such as the Sarbanes-Oxley Act and the UK's Code of Connection have provisions that require networks (wired and wireless), firewalls, databases, servers, applications and mobile devices to be checked thoroughly for vulnerabilities. For this

Bedroom to boardroom

White hats have come out of the back bedroom and are heading for the boardroom. Ian Glover, president of CREST, a not-for-profit organisation that offers certification training, says: “The term ethical hacker still has negative connotations associated with someone working alone in a bedroom on a computer and skirting on the fringes of legality and ethics. The reality is very different. The penetration testing or ethical security testing industry is well organised, with highly professional

White hat skillsets

Jeff Schmidt, executive global head of business continuity, security and governance at BT Global Services, believes effective ethical hackers need a range and depth of skills. “Becoming a white hat is more than just taking a few classes and getting a CEH accreditation. To be an effective white hat, you must learn the fundamental systems and tools that they work and interface with on a daily basis. It is more than using just tools. Tools are good for a baseline analysis, but to be effective one

Employment

The increasing number and complexity of threats facing enterprise networks is creating a rising demand for ethical hackers either on staff or under contract. BT's Schmidt says: “Today's networks are a myriad of systems, applications, hardware and end points. On top of a heterogeneous environment, add in the rate of change in technology, frequent updates and patches that happen inside the production environment, compression of the IT workforce, multi-person developed applications and a continued

Web application vulnerabilities

Researchers at WhiteHat Security found that the average website carries at least one serious vulnerability for more than nine months of the year. The newest threats are aimed at web applications. HP carries out regular research tracking the activities of black hats, and its ‘2010 Top Cyber Security Risks Report’ identified a significant increase in the volume of organised cybercrime targeting datacentres and networks [1].

The report indicates that while the majority of attacks are against known and patched security

Starting points

Today's ethical hacker needs to work within the business case of the enterprise, assessing the value of the assets being protected and the costs of protecting them. John Stock, senior security consultant at Outpost24, says three key questions must be asked to ensure that an effective test is carried out. What is the company trying to protect? What is the company trying to protect against? And how much time, effort and money is the company willing to expend to obtain adequate protection? Once

Career development

Ethical hackers need to invest considerable time in keeping up with the world of network security, including architectures, devices and communication protocols, multi-vendor operating systems, applications and security software. There is also a need to keep up to date with how the technology is applied within different industry sectors and evolving standards and approaches to security.

Mick Scott, security director at Deloitte, specialises in cyber-threats and penetration testing. “It requires a

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on network and security issues. She is editor of Biometric Technology Today, also published by Elsevier.

References (1)

  • [1] HP TippingPoint DVLabs. ‘2010 Top Cyber Security Risks Report’.

Cited by (24)

  • Hacker types, motivations and strategies: A comprehensive framework

    2022, Computers in Human Behavior Reports
    Citation Excerpt :

    These types of hackers are known for garnering public and media attention by targeting high profile victims, posting on their social media accounts (Conger & Popper, 2020) or leaving boastful and demeaning messages on social media accounts/dark web forums/targeted devices' displays (Sussman, 2019). Old guards use customized codes/scripts/penetration testing tools to reveal vulnerabilities in existing systems such as websites, software, and servers/computers/devices, find new malware using professional honeypots, and track malicious hackers using cyber forensic techniques (Caldwell, 2011; Palmer, 2001). They may take over the vulnerable system and inform their owners about the vulnerability directly, or report the vulnerabilities to concerned companies, security researchers or relevant authorities, or decide to make the vulnerability public.

  • The simulated security assessment ecosystem: Does penetration testing need standardisation?

    2016, Computers and Security
    Citation Excerpt :

    A study by Guard et al. (2015) assessed the characteristics of students most suited to conducting penetration tests within testbed environments. Skillset requirements and career development of penetration testers were discussed at a high-level by Caldwell (2011). Qualifications were explicitly referenced, which include three of the UK bodies, namely CHECK, CREST, and the Tigerscheme, along with the more internationally focused EC-Council Certified Ethical Hacker (CEH) and ISC2 Certified Information Systems Security Professional (CISSP).
