Ethical hacking in cybersecurity

The term “hacking” typically carries negative connotations; however, in recent years it has become increasingly associated with positive security practices. Ethical hacking, as the practice has become known, involves actively helping people learn how their data and websites could be at risk from malicious attacks.

Of course, many still view hacking as a crime, so it is worth asking how much legal leeway exists should hackers use these techniques for the greater good. Let’s start by defining what ethical hacking refers to, and why it’s growing so important in the modern age.

What is ethical hacking?

At its core, the term ethical hacking refers to breaking into or bypassing security services to expose flaws and potentially uncover data theft threats. In this definition, it is hacking from the inside, sponsored by the would-be victim.

Ethical hacking aims to help potential data theft victims identify areas where their security might be weak against rising threats. It’s essentially fighting fire with fire. Ethical hackers, and those who employ them, understand that by learning how hackers can attack resources, they can use similar techniques to fortify systems.

What do ethical hackers do?

The work of an ethical hacker depends largely on the specific tasks set by each client. For example, one client might request that they break into systems to test their performance under threat, as it’s not always easy to judge system performance from the outside.

Let’s quickly break down some of the key areas an ethical hacker might focus on while working on behalf of corporate clients or someone who wants to improve their security in the face of rising threats.

Strength testing

One of the best ways for business and website owners to fortify their systems against hacking threats is to try and push their security to the maximum limits. This way, they know what they need to do to protect against evolving threats without resorting to potentially costly guesswork.

For example, an ethical hacker might receive a request to strength test a website against a distributed denial of service (DDoS) attack. This type of attack can bring down even the largest of corporate and governmental websites, so it’s prudent to protect against them wherever possible.

An ethical hacker might deploy their own DDoS attacks to see how well a client’s website holds up against brute-force hacking. If they’re able to break into websites and their data easily, they will advise clients on what to do to reinforce their security.

Strength testing through ethical DDoS attacks puts websites through the same threats clients might expect out in the wild, but there’s no data loss. The attack takes place in-house, receives full authorization and ends when a hacker breaks through.

Many businesses see this as a safe way to prepare for potential threats as they can then work with cybersecurity experts to develop customized solutions to protect against external attacks in the future.

Password cracking

Password entropy or strength is a hot topic in cybersecurity. In some cases, even seemingly secure passwords that use a mix of alphanumeric characters can be easy for hackers to crack within minutes, possibly even seconds.

Hackers frequently use software such as keyloggers to detect passwords through spying, while crackers can process millions of password guesses in a matter of minutes. Clients employing ethical hackers can ask them to test the strength of passwords to help prevent external hackers from harvesting data.

In much the same way, ethical hackers will use software to process millions of password-breaking attempts to test whether users have set security phrases within recommended parameters.

If weak passwords are identified, hackers can advise clients on how to create higher quality passwords and pinpoint which passwords are the most at risk.
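As an added illustration of the strength test described above (example code written for this page, not from the article or from any course material it mentions), the audit below estimates each password's worst-case brute-force search space, converts it to time at a stated guess rate, and flags passwords that fail a policy. The wordlist, thresholds and guess rate are constructed assumptions.

```python
import math

# Constructed stand-in for a real common-password wordlist (a cracker's first guesses)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Character classes; an attacker exhausting the space must cover every class present
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?/",
}

# Policy thresholds and guess rate are assumptions for this example, not values from the article
MIN_LENGTH = 12
MIN_BITS = 60.0
GUESSES_PER_SECOND = 1_000_000.0  # "millions a minute" online; offline GPU cracking is far faster


def search_space_bits(password: str) -> float:
    """Worst-case brute-force cost in bits: log2(alphabet ** length) for the classes used."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def days_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every candidate in the search space at the given guess rate."""
    return (2.0 ** bits) / guesses_per_second / 86400.0


def audit_password(password: str) -> dict:
    """Check one password against the policy and return the findings for the client report."""
    bits = search_space_bits(password)
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common")  # falls to a wordlist in seconds regardless of its entropy
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if bits < MIN_BITS:
        reasons.append("low entropy")
    return {
        "bits": round(bits, 1),
        "days_to_exhaust": days_to_exhaust(bits),
        "reasons": reasons,
        "verdict": "weak" if reasons else "acceptable",
    }


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct-horse-battery-staple"):  # constructed samples
        print(pw, audit_password(pw))
```

The entropy figure is an upper bound on attacker effort; a password on the common list is weak even when its bits look respectable, which is why the audit checks the wordlist first.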

Advising safeguards

An ethical hacker doesn’t purely work to break into systems and to expose vulnerabilities. They’re on hand to make sure clients understand the weight of potential threats facing them, and what they need to do to protect themselves against evolving threats.

For example, a business might employ an ethical hacker alongside cybersecurity experts to design stronger defenses. This might include a broader focus on multi-factor authentication, upgrades to network security, stronger password definitions, tighter firewall controls and perhaps even automating threat detection.

Ethical hackers are highly beneficial to business owners in this sense as they know what cyber criminals are likely to look for and use when attempting to pull data from websites and large corporate sources. Ultimately, it’s putting the skill set of criminals to work without any repercussions.

As ethical hackers work in both investigatory and advisory capacities, they need to abide by strong ethical codes — and work within the law — if they are to benefit the greater good.

What ethics should ethical hackers hold themselves to?

While it’s always advisable for clients employing ethical hackers to keep a close eye on their activities and clearly outline what they can and can’t do, it’s down to the individual hacker to hold themselves accountable and act conscientiously when working in such a capacity.

Some ethical hackers may be reformed criminals, for example, who now use their skills to help those who might be at severe risk of getting attacked. In this case, it makes sense for a hacker to think carefully about how they’re breaking into systems, and what they report.

An ethical hacking expert must always hold themselves accountable within the law, regardless of where they carry out their attacks and make suggestions. This means they must always have explicit permission from the client they’re working with. It’s vital for hackers to clearly lay out their plans and for the client to agree to them before work begins. Otherwise, they could be at risk of prosecution.

Ethical hackers should seek out a contractual agreement to ensure the activities they’re about to carry out are fully understood. It’s the responsibility of the client to provide guidelines so that there are no misunderstandings during the hacking process and to ensure that their interests are equally protected.

Without a contract and clear definitions as to what the hacking will entail, the client could be left vulnerable, while the hacker could be left wide open to court cases if they go beyond the brief.

Beyond this, ethical hackers should respect a code of conduct when working behind the scenes. They should uphold the privacy of any data they work with and the people potentially at risk of exposure from their attacks. Confidentiality should be clearly established as part of any contract agreed to between clients and hackers before work begins.

It’s also ethically important for hackers to clearly lay out the scope of their work, and to ensure clients understand the potential outcomes of such a project. This includes making sure clients know the risks involved as part of signed contracts.

Ethical hackers should also report any vulnerabilities and other issues to clients as soon as they arise. Withholding information for personal gain or with malicious intent is willfully breaking the law or, at the very least, breaking the contract agreed between the parties.

This means that while clients should hold ethical hackers responsible to a degree, the hackers themselves have a duty of care and should self-manage their activities.

How does US law view ethical hacking?

In 2022, the US Department of Justice reviewed national cybercrime strategies and made sweeping changes that would protect ethical hackers in the future.

Specifically, the Computer Fraud and Abuse Act (CFAA) declared that hackers working under ethical means — such as on behalf of a company that has agreed to such attacks — would no longer face Department of Justice (DoJ) prosecution.

This landmark ruling essentially clarifies that hackers working to help avoid harm are not under threat of state prosecution.

The move was hailed as almost revolutionary by security experts of the time, with many having previously felt threatened when reporting exploits and glitches for fear of facing DoJ prosecution.

While this protection is in place, the law is always open to interpretation — and the court will review each case on its own merits.

There is also still the matter of contracts between clients and hackers. If a hacker breaks an agreed-upon contract or goes beyond the scope set out, there is a chance they face lawsuits from those they worked with.

Ultimately, a successful prosecution will likely rely on whether the client can prove that an ethical hacker was working to nefarious ends rather than to support their client.

Breaches of contract of any kind are open to prosecution, so while ethical hackers can rest easy regarding DoJ intervention, they must still hold themselves accountable and work to the letter of any contracts they sign to maintain legal standing.

Some argue that the CFAA was long due to be updated in line with modern hacking practices. It was, after all, first drafted and made law back in 1986, which even predates public use of the internet.

We will need to wait to see if the law will face further scrutiny and adjustments in the years to come, as ethical hacking continues to produce positive insights for clients who choose to fortify their security practices this way.

It’s worth remembering that there are additional laws beyond the CFAA that define what’s legal when it comes to hacking within the US. Other federal laws such as the Defend Trade Secrets Act (DTSA), the Stored Communications Act (SCA) and the Electronic Communications Privacy Act (ECPA) all affect the data at risk through hacking.

The penalties for hacking within the US remain heavy for those who don’t hold themselves accountable to strong ethical codes. For example, computer-based extortion can carry prison sentences of up to 10 years, and the same applies to password trafficking alone.

There are also potential civil suit costs should an ethical hacker turn rogue — intentionally or not — while working on a contract with a company. It’s in the ethical hacker’s best interests to avoid rocking the boat at all costs or pay the consequences.

Some might argue that ethical hackers would be well advised to enlist the services of a defense lawyer just in case, though careful contract practice will help avoid this.

How do people become ethical hackers?

It is possible to learn about ethical hacking through college and university degrees, so graduates fresh out of school can start working with companies to find exploits and make suggestions on how to fortify defenses.

Reputable institutions such as St. Bonaventure University offer an online Master of Cyber Security degree, which enables budding hackers to learn more about how ethical practices can protect a variety of systems, networks and data sources.

This course delves deep into different techniques ethical hackers can use to expose security faults for the greater good. Students can study topics such as data mining, using artificial intelligence in hacking and security analysis and the finer points of penetration testing.

Courses such as St. Bonaventure’s exist to help normalize the practices involved in ethical hacking and to encourage people with an interest in cybersecurity to learn specialized techniques.

Of course, any hacker learning the trade must also develop their own internal code of ethics while studying. This can be supported through courses and online modules, alongside working with seasoned industry experts.

A degree in cybersecurity backed by ethical hacking skills is highly valuable, especially as hacking threats evolve in scope and grow ever more prevalent globally.

Those wishing to get into ethical hacking must prove they’ve graduated from a security-focused discipline. Companies that employ reformed hackers, for all the best intentions in the world, do so at their own risk.

Earning a degree that covers ethical hacking skills, principles and an ethical code of conduct is likely to open many doors for those looking to break into the industry. A degree or associated qualification shows companies that you’re serious about cybersecurity, and that you’ve obtained ethical hacking skills through non-nefarious means.

Why do people become ethical hackers?

Ethical hacking is a fascinating line of work for people already interested in cybersecurity and data protection. It uses tools and techniques that can also be used to commit crimes, so it’s morbidly fascinating for many people.

One of the biggest appeals of working in ethical hacking is that people can use these techniques to benefit others. Millions of innocent people are at risk of data harvesting through poor security management, so many ethical hackers get into their line of work to help protect the interests of the many, rather than the few.

Some ethical hackers also believe it’s right to show companies how they can better protect themselves against malicious attacks and avoid losing customer data. Some might even think that businesses that aren’t already protecting themselves efficiently are failing out of ignorance, and that they need to help fill in the knowledge gaps.

Ethical hacking is fascinating, particularly because one job is always going to be much different from the next. While the techniques might remain the same, it’s always interesting to see how far some systems will resist attacks, and to find new ways to protect big data.

Cybersecurity is an industry that’s future-proof too. There will always be a need for data protection and anti-hacking measures, so any ethical hackers breaking into the industry will likely have plenty of opportunities available to them for years to come. As far as career progression goes, working as a cybersecurity expert will be lucrative for as long as hackers continue to develop new strategies.

Is ethical hacking ethically right?

Given recent changes to US law, and the fact businesses benefit from security insights delivered through ethical hacking, it’s safe to say the practice is proving useful. Provided there’s a clear contract and action plan agreed upon between hackers and the companies they work for, and hackers maintain an ethical code of conduct, the practice is unlikely to face many challenges.

Getting into ethical hacking can be lucrative. Changes to legislation and relaxing attitudes to internal hacking mean there’s never been a better time to learn and develop these techniques while getting into the cybersecurity industry.

Ethical hacking can help provide companies with insight into their security strategies and protect the data of innocent people they store. Many ethical hackers see themselves as forces for the greater good — and it’s getting easier and easier to agree with them.