An ethical hacker is a computer security expert who uses penetration testing skills to help secure an organization’s networks and information system assets. An ethical hacker is also known as a white-hat hacker. Ethical hackers work with information technology and network operations teams to fix vulnerabilities before black hat hackers discover them, operating with the organization’s permission and within the boundaries, they have set.
Ethical hacker activities are in sharp contrast to those of black hat hackers. Black hat hackers are threat actors that may operate alone or in groups. Nation-states and organized crime often sponsor black hat hackers. Black hat hackers break into otherwise security networks and information system assets with the primary purpose of stealing, destroying, or modifying data, extorting or stealing funds, or in some cases making the networks and information systems unusable.
There are also gray hat hackers who will engage in hacking activity, usually without malicious intent. Sometimes gray hat hackers might violate laws or ethical standards but without the malicious intent. Often, they may not have the consent of the owner. They might not report a vulnerability directly but may first request a fee to identify the exploit.
Ethical, black, and gray hat hackers all seek to identify vulnerabilities. Ethical hackers seek to improve the defensive capabilities of the networks and information systems, while black hat hackers seek to exploit these same assets. The ethical hacker ultimately has the goals and objectives of a defender. The ethical hacker also knows the black hat hacker’s tactics, techniques, and procedures, giving them insight into the best ways to stop successful cyber attacks.
Ethical Hacker Activities
Ethical hackers generally use real attack techniques to find vulnerabilities proactively. Real attack techniques are often the best way to determine the effectiveness of security defenses. The methods used by ethical hackers can range from using social engineering, exploiting endpoint vulnerabilities, spoofing protocols, and much more.
Ethical hackers spend considerable time learning new skills and techniques, staying current with technological developments and changes within the IT and network infrastructure. They also often follow threat actors’ activities to understand their tactics, techniques, and procedures. Following threat actors also enables ethical hackers to learn about current and emerging threats. Finally, ethical hackers will also recommend specific security best practice improvements due to their activity.
Much of the ethical hacking activity focuses on early cyber kill chain activity. As a result, ethical hackers can often not move laterally into internal networks or perform data exfiltration. In addition, ethical hackers involved in penetration testing generally do not go deep into the organization’s networks in order to limit the potential impact their activities.
Ethical Hackers – Economic Rewards
Ethical hackers are compensated in several ways. In some cases, they may be directly employed by cybersecurity companies or by the security operations teams of large organizations as penetration testers. For example, a full-time penetration tester pays approximately $117,994 in the United States (June 2021).
Ethical hackers can also earn a living directly by collecting bug bounties. Many companies have set up vulnerability disclosure programs that encourage hackers to discover security vulnerabilities within their organizations. Many bug bounty disclosures have paid more than $100,000 to an ethical hacker who discovers vulnerabilities. Ethical hacker activity allows these vulnerabilities to be addressed and fixed before being found and exploited by black hat hackers and other threat actors.
The DOD Embraces Ethical hackers
In May of 2021, the U.S. Department of Defense (DOD) expanded its vulnerability disclosure program to include all publicly accessible DOD information systems. The program’s genesis was the “Hack the Pentagon” initiative that enabled the Defense Digital Service to offer a bug bounty program to engage directly with ethical hackers. Previously, there was no way to quickly notify the DOD if a vulnerability was discovered.
The original policy enabled ethical hackers to report on DOD public-facing websites and applications vulnerabilities. The expansion announced in May 2021 allows for research and reporting vulnerabilities related to all DOD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more. The DOD Cyber Crime Center oversees the program.
The success of ethical hackers in the DOD program has been exceptional. Since the vulnerability disclosure program’s launch, ethical hackers have submitted 29,000 vulnerability reports. Of these, over 70 percent of them were determined to be valid.
Ethical Hackers and Moral Leadership
Ethical hackers understand that moral boundaries are essential and must always be respected. Ethical hackers are intellectually curious and often enjoy the challenge of finding holes in security systems. Their status lets them satisfy this curiosity while helping to defend organizations. Ethical hackers generally have a solid moral compass and seek to stop the malicious activities of black hat hackers. Many are cybersecurity professionals that have been ethical hackers throughout their careers. Ethical hackers would never probe or scan a system without prior request and approval.
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.
Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.