Often in social situations, when people ask what I do for living, I have to pause for a moment. If I want to deflect the conversation, I just say “computer security” and their eyes usually glaze over and we move on to other topics. However, if I’m honest and say “ethical hacking,” this invariably arouses more interest. People are alternately confused by the implied oxymoron and intrigued by the implications of the phrase, which requires me to explain a bit more.
In a nutshell, ethical hacking is “hacking with permission.” An ethical hacker tries to find security problems and vulnerabilities for a client before the bad guys do. Although the word “hacker” bears negative connotations in many people’s minds, a hacker is really just someone who tries to find unexpected ways to use something. In our business, we’re trying to use – and abuse – the web applications and interfaces of our clients in ways they never expected, looking for opportunities to gain information or control that we should not, as outsiders, have.
It may sound exciting, but ethical hacking is really just a process of taking a painstaking look at the software we’re testing and searching for problems. It often involves repetitive and monotonous tasks, trying several different ways to find a way in. The job also usually involves running automated scanners that test for problems, carefully reviewing the output of the scans, and identifying genuine problems, possible problems, and false positives (non-problems that fooled the scanner). Doing all of the above carefully and thoroughly is key to performing the job well.
An effective ethical hacker also has to be imaginative, perpetually looking for alternative ways to break the system being tested. As security testing becomes more commonplace, the “low-hanging fruit” found by the scanners becomes less and less common, and finding new issues sometimes requires new approaches. It is certain that the clever miscreants looking to exploit the apps we test will not give up after trying the obvious ways in. This is why manual and scripted testing remains important.
In summary, ethical hacking is an interesting and challenging job. It can be tedious at times, but this is offset by the occasional new discovery. Explaining how the vulnerabilities work is also rewarding, as you see the light go on in the client’s eyes, and as developers learn why basic things like filtering input and encoding output are so important. The testers at SystemExperts take their jobs and the security of our clients very seriously, and treat each engagement as if it were our own security at stake. Our reputation depends on it.
Keith Salustro, based near Boston, MA, has been working in Information Security since 1997 where he began integrating firewall solutions. Today Keith provides IT security support, implements the latest defenses including firewalls and Intrusion Protection solutions, and conducts network assessments and penetration testing.