When a company is ready to put their infrastructure and applications to the test, they use ethical hackers. These experts look for security gaps in a system. They use frameworks to guide their actions, like OWASP and NIST 800-115. The ethical hacker will find vulnerabilities and flaws. After these are patched and fixed, the result will be a more secure system.
Can an ethical hacker simulate what a skilled criminal hacker can accomplish? Does passing a penetration test ensure you will not get hacked? Consider the following comparison of their situations and decide.
|Time||For a worthy prize, criminals can spend weeks and months attempting to break in. Time is no constraint.||Companies use ethical hackers for the length of a contract or on an hourly paid basis. Unless money is unlimited, time is not.|
|Tools||There are many tools available that help people get into systems. Most are open source and widely available. In addition, criminals can get tools fast, without the need for internal approvals, as with a corporation.||Ethical hackers use similar tools as criminals to test. There could be restrictions to certain type of software that are not legal however.|
|Ethics||Criminals out for money have no qualms about resorting to unethical methods to achieve goals. “Hacktivists” break into websites and systems with the goals of righting a wrong or bringing awareness to injustice. But in either case, there is likely little concern for ethics to break in.||The name is a hint! “Ethical” in the hacker term means these people do not engage in anything against accepted morals or values to test. Unless there is a clear mandate to go into “grey areas”, keeping on the straight and narrow might prevent ethical hackers from pushing a system.|
|Motivation||Setting aside ethical or legal concerns, money is a good indicator of where talent goes. The business model of hacking is complex. One study said a hacker can earn $80,000 per month! If there is a power forcing the criminals to do the hacking, that could also be an extreme motivator.||The average salary of an Certified Ethical Hacker is $118,000 so there is some pressure to earn that wage and succeed. The intrinsic motivation to help companies is impossible to calculate. The drive to test and excel can be strong.|
|Scope||A criminal hacker can go to any lengths to commit the act.||Much like time, the scope of an engagement is defined from the outset. Unless the scope is very broad, the test is going to include what is agreed upon.|
We established that a penetration test is beneficial, but the test might not meet the level of effort and time that a dedicated criminal can bring to bear in an actual. Lessen the chance of getting hacked by following best practices for security. Here are just a few tips:
- Update and patch your software
- Never share passwords
- Backup your data regularly
- Beware of emails coming from unrecognized addresses
Read more tips on how to stay secure. For more on ethical hacking, download our PDF: