Ethical hacking: attacking to improve

Ethical hacking not only doesn't seek to destroy, but aims to build the best of cyber defenses

Cybersecurity must be at the core of any business or institutional strategy. Without good risk protection, everything built on the internet can collapse like a house of cards. To optimise cyber defences, services that meet the ideals and objectives of ethical hacking must be used.

Security auditing, as a whole, allows us to detect vulnerabilities in the system. Through hacking, we can then test those weak points by exploiting the identified vulnerabilities, in order to understand exactly in which areas potential attacks can be successful.

Thus, we can find out how a system would react to an external attack through ethical hacking actions. And from all the information gathered, system operators can strengthen cyber defence measures and countermeasures. In short, ethical hacking enables organisations to learn how to defend themselves through well-intentioned attacks.

So are hackers any good?

Hackers vs Crackers

Living in a society subjected to the audiovisual imaginary sometimes plays tricks on us. When a person far removed from the world of cybersecurity thinks of hackers, they imagine young people in sweatshirts pursuing the collapse of companies and institutions on the internet from the sofa at home.

The reality is a far cry from the stereotypes that have emerged in IT films and series.

For a start, this popular conceptualisation of the hacker actually describes his nemesis: the cracker. As their name suggests, these computer experts seek to crack the security of the organisations they attack. An example of this is the groups that operate from the internet, infecting corporate networks with ransomware.

Returning to the realm of audiovisual mythification, the last decade saw the success of Mr. Robot, a television series centred on a New Yorker who was a talented programmer by day and a cracker vigilante by night. The interest of the series lay in the fact that its protagonist did not seek financial gain through cracking but rather revenge on his supposed enemies: ethically reprehensible corporations.

In reality, less spectacular and more prosaic, cracking is a methodology of attacking systems and programmes with the aim of stealing data, hijacking documents, or committing fraud and eliminating security protections. In other words, to get rich by undermining companies and institutions and endangering the work of thousands of people.

This is why we say that hackers are, in reality, the natural enemies of crackers. Their job is to detect vulnerabilities in advance by testing systems through ethically planned attacks and with the authorisation of their owners.

If a good hacking job has been done, crackers will have nothing to do. Hackers not only test the strengths and weaknesses of systems to learn how to defend them, but they also anticipate the crackers’ destructive actions.

Like in science fiction master Philip K. Dick’s short story, The Minority Report, they abort crimes that have not yet happened.

What is ethical hacking?

Hacking not only does not seek to destroy but aims to build the best of cyber defenses. This is why we accompany the concept with the adjective ethical, since attacks are always carried out to help organisations improve and optimise their security systems.

UNIR – The University on the Internet sequences ethical hacking in five phases:

  1. Reconnaissance. In this phase, planning of attacks is carried out, clearly stipulating the targets and the attack vector.
  2. Network scanning. Specific information about the systems to be attacked is obtained. This is done using tools such as Nmap or hping for reconnaissance, or specific auditing tools for operating systems (like Nessus) or applications (such as Burp Suite, Wireshark or BadMod).
  3. Gaining access to systems. The necessary actions are carried out to break through security barriers and gain access to systems. Techniques such as exploiting vulnerabilities, password cracking or session hijacking are used.
  4. Privilege escalation/maintaining access. At this point in the hacking process, administrative privileges can be obtained on the system, and backdoors can be deployed as an APT, which could have catastrophic effects.
  5. Erasing evidence. When they finish their attacks, crackers seek to erase evidence to make detection more difficult. Hence, ethical hacking actions sometimes perform the same operation to check whether the deletion of traces is detected.

In any case, the objective of the different phases is the same: to check the security systems and gather as much information as possible to narrow down the cyber risks.

Ethical hacking: A way of proceeding

Ethical hacking is not a solution or service in itself but a way of proceeding based on values and objectives of integrity. For example, it is ethical hacking when a cybersecurity company performs pentesting or advanced penetration testing.

In the course of a security audit, ethical hacking is also carried out in all its complexity. Bug bounty programs reward hackers who detect vulnerabilities and report them to organisations to fix.

Ethical hacking is not a service but a way of acting: attacking to build.

It is a methodology that has been at the basis of the learning process in numerous areas throughout history. Let’s think of something extremely popular since Ancient Greek times: one-on-one sports such as fencing, boxing, judo or, precisely, Greco-Roman wrestling.

In the lessons, the teachers not only teach their students the best defence and attack moves but also put them into practice. Thus, learners are subjected to attacks by their teachers that make their vulnerabilities visible. In order to perfect their methods, they need to know what their faults are.

This is true for sport, for cybersecurity and for life itself.

Post-attack: towards a stronger system

It is not enough to know how to attack the system. Rather, it is necessary to have the knowledge and experience to be able to process and analyse all the information provided by the attack and transform it into cyber-defence measures.

In other words, the key lies not only in the how but above all in the why and what for. Both the ways of proceeding and the purpose of hacking are ethical.

Data processing will allow us to make the leap from recognising and understanding vulnerabilities to addressing them. The attack is the starting point of the security strategy. It is a source of first-hand information that makes it possible to optimise security systems.

For crackers, the attack is the mission itself. Their targets are born and die with it. Once the attack is over, if they have succeeded, they will have obtained what they were looking for. For ethical hackers, on the other hand, the attack is the beginning of a huge task of fortifying and continually improving security systems.

In a world as volatile as ours, if organisations want to be secure on the internet, they must regularly hire hackers to test their computer systems. If they fail to do so, they face the risk of malicious attacks with very dangerous consequences for the viability of the business.

Trust is the key

So far, we have discussed the importance of ethical hacking, its objectives and ways of proceeding. But some companies or institutions may still be wary. After all, hacking means letting cybersecurity experts study the guts of the system, access confidential information and know it to its innermost limits.

For all these reasons, trust is the cornerstone of this type of action. Without it, they cannot be carried out successfully.

Tarlogic Security seeks to achieve this trust on the part of its clients by bringing four assets to the table:

  1. Professional track record and talent. The cybersecurity company is a pioneer in ethical hacking. Throughout its more than ten years of existence, it has established itself in the field of security analysis and in the protection of critical infrastructures of large global companies. In addition, its team has been forged in large auditing firms, and the company has been one of the fastest growing companies in Europe for several years, according to the Financial Times.
  2. Confidentiality agreements. Information is gold. This is why the confidentiality agreements signed by all Tarlogic employees are a real insurance policy for clients. These agreements are signed before work begins and are stored in encrypted form in the company’s systems. Certifications for information security (ISO 27001), quality (ISO 9001) and the technical team (CEH, OSCP, CREST, …) are also a must.
  3. Professional ethics. If we talk about ethical hacking, it is for a reason. Ethics is the basis of all Tarlogic’s actions and services. In the selection process, an exhaustive verification of the background and professional history of the candidates to join the staff is carried out. Ethical hacking is a way of proceeding that can only be carried out if the person doing it also has high ethical standards.
  4. Liability insurance. The ultimate safeguard. In the event of an incident, Tarlogic Security has liability insurance that provides protection of up to five million euros.

To conclude, ethical hacking is a way of proceeding that puts the experience and work of cybersecurity professionals at the service of organisations. Its aim is to build systems that are strongly protected against malicious attacks. To achieve this, systems and servers are attacked in order to improve them.