CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [9]
In addition to these groups, there are self-proclaimed ethical hackers, who are interested in hacker tools mostly from a curiosity standpoint. They may want to highlight security problems in a system or educate victims so they secure their systems properly. These hackers are doing their "victims" a favor. For instance, if a weakness is discovered in a service offered by an investment bank, the hacker is doing the bank a favor by giving the bank a chance to rectify the vulnerability.
From a more controversial point of view, some people consider the act of hacking itself to be unethical, like breaking and entering. But the belief that "ethical" hacking excludes destruction at least moderates the behavior of people who see themselves as "benign" hackers. According to this view, it may be one of the highest forms of hackerly courtesy to break into a system and then explain to the system operator exactly how it was done and how the hole can be plugged; the hacker is acting as an unpaid-and unsolicited-tiger team (a group that conducts security audits for hire). This approach has gotten many ethical hackers in legal trouble. Make sure you know the law and your legal liabilities when engaging in ethical hacking activity.
Many self-proclaimed ethical hackers are trying to break into the security field as consultants. Most companies don't look favorably on someone who appears on their doorstep with confidential data and offers to "fix" the security holes "for a price." Responses range from "thank you for this information, we'll fix the problem" to calling the police to arrest the selfproclaimed ethical hacker.
Being able to identify the types of hackers is important, but determining the differences is equally-if not more-important. We'll look at this in the following sections.
Ethical Hackers and Crackers-Who Are They?
Many people ask, "Can hacking be ethical?" Yes! Ethical hackers are usually security professionals or network penetration testers who use their hacking skills and toolsets for defensive and protective purposes. Ethical hackers who are security professionals test their network and systems security for vulnerabilities using the same tools that a hacker might use to compromise the network. Any computer professional can learn the skills of ethical hacking.
As we mentioned earlier, the term cracker describes a hacker who uses their hacking skills and toolset for destructive or offensive purposes such as disseminating viruses or performing DoS attacks to compromise or bring down systems and networks. No longer just looking for fun, these hackers are sometimes paid to damage corporate reputations or steal or reveal credit-card information, while slowing business processes and compromising the integrity of the organization.
What Do Ethical Hackers Do?
Ethical hackers are motivated by different reasons, but their purpose is usually the same as that of crackers: They're trying to determine what an intruder can see on a targeted network or system, and what the hacker can do with that information. This process of testing the security of a system or network is known as a penetration test.
Hackers break into computer systems. Contrary to widespread myth, doing this doesn't usually involve a mysterious leap of hackerly brilliance, but rather persistence and the dogged repetition of a handful of fairly well-known tricks that exploit common weaknesses in the security of target systems. Accordingly, most crackers are only mediocre hackers.
Many ethical hackers detect malicious hacker activity as part of the security team of an organization tasked with defending against malicious hacking activity. When hired, an ethical hacker asks the organization what is to be protected, from whom, and what resources the company is willing