White hat (computer security)

Last updated

A white hat (or a white-hat hacker, a whitehat) is an ethical security hacker. [1] [2] Ethical hacking is a term meant to imply a broader category than just penetration testing. [3] [4] Under the owner's consent, white-hat hackers aim to identify any vulnerabilities or security issues the current system has. [5] The white hat is contrasted with the black hat, a malicious hacker; this definitional dichotomy comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat, respectively. [6] There is a third kind of hacker known as a grey hat who hacks with good intentions but at times without permission. [7]

Contents

White-hat hackers may also work in teams called "sneakers and/or hacker clubs", [8] red teams, or tiger teams. [9]

History

One of the first instances of an ethical hack being used was a "security evaluation" conducted by the United States Air Force, in which the Multics operating systems were tested for "potential use as a two-level (secret/top secret) system." The evaluation determined that while Multics was "significantly better than other conventional systems," it also had "... vulnerabilities in hardware security, software security and procedural security" that could be uncovered with "a relatively low level of effort." [10] The authors performed their tests under a guideline of realism, so their results would accurately represent the kinds of access an intruder could potentially achieve. They performed tests involving simple information-gathering exercises, as well as outright attacks upon the system that might damage its integrity; both results were of interest to the target audience. There are several other now unclassified reports describing ethical hacking activities within the US military.

By 1981 The New York Times described white-hat activities as part of a "mischievous but perversely positive 'hacker' tradition". When a National CSS employee revealed the existence of his password cracker, which he had used on customer accounts, the company chastised him not for writing the software but for not disclosing it sooner. The letter of reprimand stated "The Company realizes the benefit to NCSS and encourages the efforts of employees to identify security weaknesses to the VP, the directory, and other sensitive software in files". [11]

On October 20, 2016, the Department of Defense (DOD) announced "Hack The Pentagon." [12] [13]

The idea to bring this tactic of ethical hacking to assess the security of systems and point out vulnerabilities was formulated by Dan Farmer and Wietse Venema. To raise the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. Their program called Security Administrator Tool for Analyzing Networks, or SATAN, was met with a great amount of media attention around the world in 1992. [9]

Tactics

While penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects in protocols and applications running on the system, and patch installations, for example – ethical hacking may include other things. A full-scale ethical hack might include emailing staff to ask for password details, rummaging through executive dustbins, usually without the knowledge and consent of the targets. Only the owners, CEOs, and Board Members (stakeholders) who asked for such a security review of this magnitude are aware. To try and replicate some of the destructive techniques a real attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late at night while systems are less critical. [14] In most recent cases these hacks perpetuate for the long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software in a public area as if someone lost the small drive and an unsuspecting employee found it and took it.

Some other methods of carrying out these include:

These methods identify exploit known security vulnerabilities and attempt to evade security to gain entry into secured areas. They can do this by hiding software and system 'back-doors' that can be used as a link to information or access that a non-ethical hacker, also known as 'black hat' or 'grey hat', may want to reach.

Legality

Belgium

Belgium legalized white hat hacking in February 2023. [15]

China

In July 2021, the Chinese government moved from a system of voluntary reporting to one of legally mandating that all white hat hackers first report any vulnerabilities to the government before taking any further steps to address the vulnerability or make it known to the public. [16] Commentators described the change as creating a "dual purpose" in which white hat activity also serves the country's intelligence agencies. [16]

United Kingdom

Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com says "Broadly speaking, if the access to a system is authorized, the hacking is ethical and legal. If it isn't, there's an offense under the Computer Misuse Act. The unauthorized access offense covers everything from guessing the password to accessing someone's webmail account, to cracking the security of a bank. The maximum penalty for unauthorized access to a computer is two years in prison and a fine. There are higher penalties – up to 10 years in prison – when the hacker also modifies data". Unauthorized access even to expose vulnerabilities for the benefit of many is not legal, says Robertson. "There's no defense in our hacking laws that your behavior is for the greater good. Even if it's what you believe." [4]

Employment

The United States National Security Agency offers certifications such as the CNSS 4011. Such a certification covers orderly, ethical hacking techniques and team management. Aggressor teams are called "red" teams. Defender teams are called "blue" teams. [8] When the agency recruited at DEF CON in 2020, it promised applicants that "If you have a few, shall we say, indiscretions in your past, don't be alarmed. You shouldn't automatically assume you won't be hired". [17]

A good "white hat" is a competitive skillful employee for an enterprise since they can be a countermeasure to find the bugs to protect the enterprise network environment. Therefore, a good "white hat" could bring unexpected benefits in reducing the risk across systems, applications, and endpoints for an enterprise. [18]

Recent research has indicated that white-hat hackers are increasingly becoming an important aspect of a company's network security protection. Moving beyond just penetration testing, white hat hackers are building and changing their skill sets, since the threats are also changing. Their skills now involve social engineering, mobile tech, and social networking. [19]

Notable people

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. Such behavior frequently includes gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack. In lay terms, some exploit is akin to a 'hack'.

<span class="mw-page-title-main">Hacker</span> Person skilled in information technology

In a positive connotation, a hacker is a person skilled in information technology who achieves goals by non-standard means. Though the term hacker has become associated in popular culture with a security hacker – someone with knowledge of bugs or exploits to break into computer systems and access data which would otherwise be inaccessible to them – hacking can also be utilized by legitimate figures in legal situations. For example, law enforcement agencies sometimes use hacking techniques to collect evidence on criminals and other malicious actors. This could include using anonymity tools to mask their identities online and pose as criminals. Likewise, covert world agencies can employ hacking techniques in the legal conduct of their work. Hacking and cyber-attacks are used extra-legally and illegally by law enforcement and security agencies, and employed by state actors as a weapon of legal and illegal warfare.

A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

A black hat is a computer hacker who violates laws or ethical standards for nefarious purposes, such as cybercrime, cyberwarfare, or malice. These acts can range from piracy to identify theft. A Black hat is often referred to as a "cracker".

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system weaknesses to assist in formulating defenses against potential hackers.

EC-Council is a cybersecurity certification, education, training, and services company based in Albuquerque, New Mexico.

Network enumeration is a computing activity in which usernames and info on groups, shares, and services of networked computers are retrieved. It should not be confused with network mapping, which only retrieves information about which servers are connected to a specific network and what operating system runs on them. Network enumeration is the discovery of hosts or devices on a network. Network enumeration tends to use overt discovery protocols such as ICMP and SNMP to gather information. It may also scan various ports on remote hosts for looking for well known services in an attempt to further identify the function of a remote host. The next stage of enumeration is to fingerprint the operating system of the remote host.

<span class="mw-page-title-main">H. D. Moore</span> American businessman

H. D. Moore is a network security expert, open source programmer, and hacker. He is the founder of the Metasploit Project and was the main developer of the Metasploit Framework, a penetration testing software suite.

<span class="mw-page-title-main">Kali Linux</span> Debian-based Linux distribution for penetration testing

Kali Linux is a Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security.The software is based on the Debian Testing branch: most packages Kali uses are imported from the Debian repositories.

Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. Social hacking is most commonly associated as a component of “social engineering”.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

HackerOne is a company specializing in cybersecurity, specifically attack resistance management, which blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the digital attack surface. It was one of the first companies to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; pioneering bug bounty and coordinated vulnerability disclosure. As of December 2022, HackerOne's network had paid over $230 million in bounties. HackerOne's customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo.

The following outline is provided as an overview of and topical guide to computer security:

Offensive Security is an American international company working in information security, penetration testing and digital forensics. Operating from around 2007, the company created open source projects, advanced security courses, the ExploitDB vulnerability database, and the Kali Linux distribution. The company was started by Mati Aharoni, and employs security professionals with experience in security penetration testing and system security evaluation. The company has provided security counseling and training to many technology companies.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

<span class="mw-page-title-main">Synack</span>

Synack is an American technology company based in Redwood City, California. The company uses a crowdsourced network of white-hat hackers to find exploitable vulnerabilities and a SaaS platform enabled by AI and machine learning to identify exploitable vulnerabilities. Customers include government agencies and businesses in retail, healthcare and the manufacturing industry.

References

  1. "What is white hat? - a definition from Whatis.com". Searchsecurity.techtarget.com. Archived from the original on 2011-02-01. Retrieved 2012-06-06.
  2. Okpa, John Thompson; Ugwuoke, Christopher Uchechukwu; Ajah, Benjamin Okorie; Eshioste, Emmanuel; Igbe, Joseph Egidi; Ajor, Ogar James; Okoi, Ofem, Nnana; Eteng, Mary Juachi; Nnamani, Rebecca Ginikanwa (2022-09-05). "Cyberspace, Black-Hat Hacking and Economic Sustainability of Corporate Organizations in Cross-River State, Nigeria". SAGE Open. 12 (3): 215824402211227. doi: 10.1177/21582440221122739 . ISSN   2158-2440. S2CID   252096635.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  3. Ward, Mark (14 September 1996). "Sabotage in cyberspace". New Scientist. 151 (2047). Archived from the original on 13 January 2022. Retrieved 28 March 2018.
  4. 1 2 Knight, William (16 October 2009). "License to Hack". InfoSecurity. 6 (6): 38–41. doi:10.1016/s1742-6847(09)70019-9. Archived from the original on 9 January 2014. Retrieved 19 July 2014.
  5. Filiol, Eric; Mercaldo, Francesco; Santone, Antonella (2021). "A Method for Automatic Penetration Testing and Mitigation: A Red Hat Approach". Procedia Computer Science. 192: 2039–2046. doi: 10.1016/j.procs.2021.08.210 . S2CID   244321685.
  6. Wilhelm, Thomas; Andress, Jason (2010). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Elsevier. pp. 26–7. ISBN   978-1-59749-589-9.
  7. "What is the difference between black, white, and grey hackers". Norton.com. Norton Security. Archived from the original on 15 January 2018. Retrieved 2 October 2018.
  8. 1 2 "What is a White Hat?". Secpoint.com. 2012-03-20. Archived from the original on 2019-05-02. Retrieved 2012-06-06.
  9. 1 2 Palmer, C.C. (2001). "Ethical Hacking" (PDF). IBM Systems Journal. 40 (3): 769. doi:10.1147/sj.403.0769. Archived (PDF) from the original on 2019-05-02. Retrieved 2014-07-19.
  10. Paul A. Karger; Roger R. Scherr (June 1974). MULTICS SECURITY EVALUATION: VULNERABILITY ANALYSIS (PDF) (Report). Archived (PDF) from the original on 13 November 2017. Retrieved 12 Nov 2017.
  11. McLellan, Vin (1981-07-26). "Case of the Purloined Password". The New York Times. Archived from the original on 2016-03-07. Retrieved 11 August 2015.
  12. "DoD Announces 'Hack the Pentagon' Follow-Up Initiative". U.S. Department of Defense. Retrieved 2023-12-15.
  13. Perez, Natasha Bertrand,Zachary Cohen,Alex Marquardt,Evan (2023-04-13). "Pentagon leak leads to limits on who gets access to military's top secrets | CNN Politics". CNN. Archived from the original on 2023-12-15. Retrieved 2023-12-15.{{cite web}}: CS1 maint: multiple names: authors list (link)
  14. Justin Seitz, Tim Arnold (April 14, 2021). Black Hat Python, 2nd Edition: Python Programming for Hackers and Pentesters. No Starch Press. ISBN   978-1-7185-0112-6. Archived from the original on August 26, 2021. Retrieved August 30, 2021.
  15. Drechsler, Charlotte Somers, Koen Vranckaert, Laura (3 May 2023). "Belgium legalises ethical hacking: a threat or an opportunity for cybersecurity?". CITIP blog. Archived from the original on 17 May 2023. Retrieved 7 May 2023.{{cite web}}: CS1 maint: multiple names: authors list (link)
  16. 1 2 Brar, Aadil (18 January 2024). "China Raises Private Hacker Army To Probe Foreign Governments". Newsweek . Archived from the original on 20 January 2024. Retrieved 20 January 2024.
  17. "Attention DEF CON® 20 attendees". National Security Agency. 2012. Archived from the original on 2012-07-30.
  18. Caldwell, Tracey (2011). "Ethical hackers: putting on the white hat". Network Security. 2011 (7): 10–13. doi:10.1016/s1353-4858(11)70075-7. ISSN   1353-4858.
  19. Caldwell, Tracey (2011-07-01). "Ethical hackers: putting on the white hat". Network Security. 2011 (7): 10–13. doi:10.1016/S1353-4858(11)70075-7. ISSN   1353-4858.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.