If you’re fascinated by technology in general and cybersecurity in particular, you might consider pursuing a career as an ethical hacker, also known as a white hat hacker or a legal hacker. In this blog you will get answers to the questions, What is ethical hacking? and Is ethical hacking legal? You’ll get an ethical hacking definition below and a look at a potential career path, which may involve becoming a penetration tester.

GCU’s own Hackers with Halos works diligently with the Cyber Center of Excellence to teach the knowledge and tools needed to prepare would-be security professionals with an arena to practice in. This environment was created in conjunction with GCU’s cybersecurity degree programs to potentially prepare students for the world of offensive and defensive cyber warfare. 

Ethical hacking is the act of penetrating networks to find threats and vulnerabilities in those systems. Ethical hackers conduct these penetration tests with the permission, and usually at the request, of businesses who want to ensure that malicious attackers cannot exploit their computer systems.

An ethical hacker has the technical skills and knowledge to identify issues within a target system. That hacker works within the rules of the business and law and does not exploit their findings. Their goals are to assess the security of a system and report on their findings.

Black hat hacking, ransomware and similar cybersecurity threats are significant threats to all sorts of organizations. In fact, in 2022 alone, organizations around the world reported over 493 million ransomware attacks.¹ Cybersecurity professionals, such as ethical hackers, fight against cybercrime in an attempt to protect organizations and individuals.

Ethical hackers aren’t the same as malicious hackers, and the main difference lies in the intent. A malicious hacker targets an organization’s or an individual’s technology with the intent to exploit financial resources, cause financial loss or trigger reputational damage. In some cases, a malicious hacker may simply be wreaking havoc just for fun.²

In contrast, a white hat hacker, or ethical hacker, targets an organization’s technology with the intent of finding vulnerabilities so that they can be fixed before malicious hackers can exploit them. Once the vulnerabilities are fixed, the ethical hacker may again target the computer system to determine whether the problem was fully resolved.²

Four Primary Protocols of Ethical Hacking

Unlike malicious hackers, white hat hackers follow ethical guidelines. The four main protocols of ethical hacking are:²

• Authorization: Ethical hackers must obtain permission before accessing a computer system.
• Boundaries: Before accessing a computer system, an ethical hacker will define the scope of the security test. An ethical hacker will only perform work within that scope.
• Confidentiality: Sometimes, an ethical hacker must sign and abide by a non-disclosure agreement (NDA) if they may come across sensitive data.
• Proper reporting: Ethical hackers are duty-bound to report all vulnerabilities they find. They may also provide guidance on fixing the problems.

There are many types of security vulnerabilities that an ethical hacker might identify during the course of their work. Here’s a look at some of the most common ones:³

• Security misconfigurations
• Injection attacks
• Vulnerable system components
• Authentication vulnerabilities
• Social engineering

Ethical Hacking vs. Penetration Testing

Now that you have a general idea of what ethical hacking involves, let’s take a look at the differences between ethical hacking vs. penetration testing. A penetration test, or pen test, is a pre-determined, coordinated and authorized simulated attack on a computer system. It’s designed to identify security vulnerabilities and determine the potential risk they may pose.⁴

Ethical hacking encompasses penetration testing, but it’s a broader category. Ethical hacking can also involve social engineering tests, web application hacking and wireless network hacking to identify security concerns.⁴

There are no universal requirements to become an ethical hacker. However, these professionals typically need a relevant bachelor’s degree and, for some employers, relevant work experience in an entry-level technology-oriented position. In addition, some employers prefer to hire cybersecurity professionals with industry certifications.⁵

Some industry certifications you might pursue include the following:

• Certified Ethical Hacker (CEH) offered by the EC-Council
• Global Information Assurance Certification (GIAC) offered by the SANS Institute
• GIAC Penetration Tester (GPEN) offered by the SANS Institute
• Offensive Security Certified Professional (OSCP) offered by Offensive Security

Additionally, it would not hurt to have more basic certifications to demonstrate your broad range of skills and knowledge. Consider earning these certifications:

• Network+
• Cisco Certified Network Associate (CCNA)
• Security+
• TruSecure ICSA Computer Security Associate (TICSA)

Yes, ethical hacking is legal. However, some ethical hackers may be required to submit to a thorough background check. Some of them may need to obtain security clearance, particularly when applying to positions that would involve conducting vulnerability assessments of government agency or military computer systems.⁶

When a penetration tester conducts a vulnerability assessment, they tend to follow these steps:⁷

1. Planning and Reconnaissance

An ethical hacker will begin by making a plan for how to hack their target system. They will study the technology used by the business or owner and consider ways into the system. They may specifically look through search engines, web services, email systems, social networking sites and local network tech.

2. Scanning

Once the target point is identified, more active measures are used to gain insights on potential weak points in the target system. Scanning the target system provides the attacker with technical knowledge that would otherwise not be available by passive means.

3. Gaining Access

When the hacker gets an idea of how the application or program or system runs both while it is down and while it is functioning, they will begin to attack it using various methods such as SQL injections, scripting and finding back doors. They will use the vulnerabilities they detected during scanning and exploit them.

Sometimes, this means they will steal or intercept traffic to the site or application. Other times, they can interfere with privileges in order to assess how much damage could be caused by a malicious hacker.

4. Maintaining Access

Once the hacker is inside the system or application, they will test to see how persistent they can be and for how long. This allows them to assess what it would take to steal sensitive information. They may also time how long they can stay within a system in order to spread a virus inside the network or to gain access to a larger level of information, such as a server.

5. Analysis

Finally, the ethical hacker will analyze the results. They will put together a report about the vulnerabilities they discovered and what they were able to access. This report will let the owner of the targeted application or system know how long it took to gain access, as well as how long they were able to remain unnoticed in the system. All of this information can be used to create a plan to fix the problems.

Now that you’re familiar with the ethical hacking definition and concepts like ethical hacking vs. penetration testing, you may decide you’d like to pursue a career in cybersecurity. The Bachelor of Science in Software Development degree program at Grand Canyon University’s College of Science, Engineering and Technology can provide you with the opportunity to explore competencies in computer programming and web technologies. Fill out the form on this page to learn more about becoming a student at GCU.