An Ethical Hacker is an expert hired by a company to attempt to attack their network and computer system the same way a hacker would. Ethical Hackers use the same techniques and tactics as those used by illegal hackers to breach corporate security systems. The end result is the company's ability to prevent an intrusion before it ever occurs.

A company can't know if their security system is solid unless they test it. It's hard, though, for a company's IT team to thoroughly wring out the system. Try as they might, the techs can't go at the system with all the malicious or mischievous motives of a true illegal hacker. To thoroughly uncover vulnerabilities, the theory goes, you must examine your security system through the eyes of an illegal hacker.

The word hacking has strongly negative connotations, and, for the most part, rightly so. But ethical hacking is much different. It takes place with the explicit permission of the company whose system is being attacked. In fact, their "good guy" role is underscored by the nickname "white hat" that Ethical Hackers have been given. The nickname is a throwback to old Westerns, where the good cowboys could be identified by their white hats.

The company and the Ethical Hacker enter into a legally binding contract. The contract, sometimes called a "get out of jail free card," sets forth the parameters of the testing. It's called the "get out of jail free card" because it is what shields the Ethical Hacker from prosecution. Hacking is a felony, and a serious one at that. The terms of the agreement are what transform illegal behavior into a legal and legitimate occupation.

Once the hacker has exhausted his attempts, he reports back to the company with a list of the vulnerabilities he uncovered. The list in and of itself, however, is not particularly useful. What's most valuable is the instructions for eliminating the vulnerabilities that the Ethical Hacker provides.

An Ethical Hacker works to uncover three key pieces of information. First, he determines what information an illegal hacker can gain access to. Next, he explores what an illegal hacker could do with that information once gained. Last, the Ethical Hacker ascertains whether an employee or staff member would be alerted to the break-in, successful or not.

At first it might sound strange that a company would pay someone to try to break into their system. Ethical hacking, though, makes a lot of sense, and it is a concept companies have been employing for years. To test the effectiveness and quality of a product, we subject it to the worst-case scenario. The safety testing performed by car manufacturers is a good example. Current regulatory requirements, including HIPAA, Sarbanes-Oxley, SB-1386 and BS 799, require a trusted third party to check that systems are secure.

In order to get the most out of the assessment, a company should decide in advance the nature of the vulnerabilities they're most concerned with. Specifically, the company should determine which information they want to keep protected and what they're concerned would happen if that information was retrieved by an illegal hacker.

Companies should thoroughly assess the qualifications and background of any Ethical Hacker they are considering hiring. This individual will be privy to highly sensitive information. Total honesty and integrity are of the utmost importance.