An Introduction to Ethical Hacking

Written by Farah Hamoudah

Farah Hamoudah is a System Analyst under the Pre Sales team and project development division at KUWAITNET. Her interests are rooted in cyber security awareness, citizen development, and youth social advocacy.

In line with the world’s increasing dependence on digitisation amidst a global pandemic, the cybersecurity landscape continues to evolve new threat actors, vulnerabilities, and exploits every day. Gaps in enterprise security infrastructure have particularly exposed organizations across industries to advanced persistent threats (APTs) with ransomware attacks (malware that encrypts the victim’s data and holds it at ransom) exponentially making a recurring appearance throughout 2021. So, how can the enterprises of today build resiliency against ever-changing attack vectors? To accomplish this, ethical hacking must be at the core of each organizational function and performed periodically to proactively anticipate intrusion, explore and close gaps.

Ethical hacking or white-hat hacking, is the legal act of bypassing application, system, or infrastructure security controls to identify breaches and put the defenses to the ultimate test. The techniques an ethical hacker uses in the process varies in categorization to encompass social engineering, network, operating system, and application level attacks. The goal is to showcase that exploits exist and account for them without destroying system functionality, tampering with data, or raising privacy concerns.

While ethical hacking is an umbrella term for finding ways to gain unauthorized access to a particular system, in contrast to that, penetration testing refers to the formal procedure of conducting a security audit. The outcome may be specific or comprehensive in scope, such as detecting lack of security awareness culture, weak compliance controls (e.g. HIPAA, PCI DSS, GDPR, etc), data protection mechanisms, and other security measures. The four main types of penetration testing extend to categories of network, physical (on-site), application, and social engineering tests. 

The network simulation attack involves examining internal and/or external facing network assets and publicly available organizational information. On-site pen testing may demonstrate corporate espionage at the enterprise’s physical location. Application penetration simulations address design flaws, weak security protocols, or missing patches. Social engineering tests the human-factor susceptibility level to sharing sensitive organizational information or unknowingly giving a threat actor system-level access. Test reports are often detailed in outcomes and include comprehensive security recommendations for fortifying resilience. 

The post-exploitation phase occurs when the victim’s system is compromised and the threat actor is free to maneuver across resources, directories, accounts, etc. No matter the pen-testing approach, the simulation must attempt to align with real world attacks as much as possible to garner justifiable results and actionable solutions.The ethical hacker must diversify attack scenarios with known adversary tactics such as  privilege escalation, defense evasion, credential access, lateral movement, exfiltration, and command and control.

Defining a robust security strategy and penetration testing framework should be sought as more than a mere compliance requirement, and instead seen as a continuous, iterative exercise in skilling up in-house security, building a transparent culture, and striving for an offensive approach against adversaries of all types to defend the perimeter and protect the enterprise.

Backup, Data, Details, Enterprise, Hosting, Secure, Solution, Teamwork, Technology, Websecurity, cyberbackup,