While malicious hackers exploit vulnerabilities to take advantage of a network, ethical hackers infiltrate organizations' networks -- with the owners' explicit consent -- to discover weaknesses before threat actors do.
"It's important to think like an adversary," said Bryson Payne, a professor and founding director of the Center for Cyber Operations Education (now the Institute for Cyber Operations) at the University of North Georgia.
To help get in an adversary mindset, Payne wrote Go H*ck Yourself, a guide on how to conduct hacks on your own devices. One lesson, for example, teaches readers how to access their computer if they've forgotten their password. Payne emphasized that he teaches these hacks so readers have a better understanding of cybersecurity, which, in turn, enables the readers to be safer online.
Before attempting any of the hacks, it's important to understand the ethical and legal basics of ethical hacking. Here, Payne explains why ethical hacking is legal, what the benefits of ethical hacking are and what organizations should look for when hiring an ethical hacker or penetration tester.
Editor's note: This transcript has been edited for length and clarity.
Is ethical hacking legal?
Bryson Payne: Yes, as long as you're accessing a system that you own and control, or you have the explicit written permission from the system owner to test for security. It's how we help protect systems from attack. An ethical hacker uses the same tools and techniques as an unethical hacker, but they use them to help system owners protect their information, customers, employees and families.
Why is ethical hacking important?
Payne: The first thing you learn as an ethical hacker is how to think like an adversary. That's an important skill to have in everything from chess to business negotiations to cybersecurity.
As ethical hackers, we try to break in the same way an unethical hacker would try to conduct an attack. We think about the ways an attacker could get access to files and data, and we attempt to add layers of security to the system to protect it from the outside in.
Is ethical hacking ever illegal?
Payne: Ethical hackers must always be aware of ethics. If the rules are not clearly laid out from the beginning, it's easy for an ethical hacker to go outside the scope of engagement on a pen test. We still document the scope in written form because it's important for the ethical hacker and the organization to know what is being tested and what is out of scope.
An ethical hacking assignment can go wrong if it's not handled well throughout the process. That's why we train ethical hackers to make ethical considerations. In the book, I mention how each hack can be used ethically and unethically so people understand the line and always stay on the right side of it. For example, physical access hacks help regain access to files on a laptop that you can't remember the password for. Think the pictures from your vacations are gone? A simple physical access hack can regain access to them. These same hacks, however, can also be used unethically by someone who steals your laptop. Within minutes, they have access to everything on the laptop and can steal data or wipe the hard drive and sell the laptop.
Ethical hackers need permission to hack an organization's network. What does this look like?
Payne: An ethical hacker could set up a range of network addresses the company wants tested. And then, for example, the company's production or development servers might be within scope -- but usually not both. That way, the company doesn't worry about its main site going down while a pen test is happening. Going into the test, companies need to define the network range an ethical hacker has the right to test and which ones the organization wants to keep protected and outside the testing scope.
Ethical hackers use the same tools as hackers, which means they have the potential to cause the same negative impacts as an attacker can. That is why we set rules upfront. We don't want to worry about addressing an impact on the business that we didn't intend.
An ethical hacking engagement might also specify which types of physical attacks are allowed. Some pen testing companies send someone into your lobby -- if you agreed to that as part of your scope -- to see if there's a network port. As people sit in the lobby waiting for an interview, there might be an open network jack that someone could plug their device into and see the entire company network.
In addition to physical access attacks, ethical hackers can test social engineering tactics. For example, an ethical hacker could try to get an administrative assistant or help desk employee to reset a password. This must all be agreed upon as part of an ethical hacking test. It just depends on how much the company wants to test and how much they're willing to pay. Each new layer of testing usually brings up the cost, but it also brings a great deal of information about an organization's security defenses.
What are the benefits of hiring an ethical hacker?
Payne: Having an ethical hacker -- either a full-time employee or someone hired from a pen testing company -- look at security from the inside of your organization gives you a better sense of your overall risk.
Most businesses do the bare minimum by just setting up a firewall, installing antivirus and conducting annual cybersecurity awareness training to teach employees not to click on phishing emails. These practices, however, don't give you a sense of what your organization looks like to a motivated attacker trying to get into your organization.
Pen tests are real-world examples of what unethical hackers do to get into your organization. An ethical hacker offers a clearer picture of ways you can protect yourself from threats that a firewall, antivirus and security training can't resolve.
What should organizations look for when hiring an ethical hacker?
Payne: A good track record is important. Pick an ethical hacker or penetration testing company that has done ethical hacking engagements for other organizations -- either in your own industry or at the same scale as the size of your organization. A pen test for a small company is different from an engagement for a large organization.
Also, make sure they show you written rules of engagement before agreeing to a pen test. Know that they understand the scope -- the most important part of pen testing -- so your organization stays fully operational during the pen test attack.
About the author
Bryson Payne is an award-winning cyber coach, author, TEDx speaker and founding director of the Center for Cyber Operations Education (now the Institute for Cyber Operations) at the University of North Georgia (UNG). He is a tenured professor of computer science at UNG, where he has taught aspiring coders and cyber professionals. In 2017, he received the University System of Georgia Chancellor's Service Excellence Leader of the Year Award. He has also been awarded the Department of the Army Commander's Award for Public Service medal from U.S. Army Cadet Command and the Order of Thor medal from the Military Cyber Professionals Association. Payne holds a Ph.D. in computer science from Georgia State University. He is also the author of Teach Your Kids to Code and Learn Java the Easy Way, published by No Starch Press.