A take on defining hackers, ethical hackers and penetration testers by Matthew Strahan (SA Consultant):

A short time ago there was a discussion here about the term “ethical hacker” versus the term “penetration tester”.

The term “ethical hacker” is thrown around quite a lot nowadays without any real concern of whether it’s accurate or not. When people ask what I do, I find that “ethical hacker” or “professional hacker” gets the point across much quicker than a full discussion of what a penetration tester or a security consultant actually does.

The interesting thing is that I don’t really like to think of myself as a “hacker” or “cracker” since those terms are fundamentally different to what a “penetration tester” does.

Though we may use tools similar to the hackers', we are by nature defenders, and hackers are by nature attackers.

Let's look at the difference between attacking and defending.

Attackers have a simple plan. They look for a vulnerability and try to take advantage of it. Be it a crack in the castle walls (so to speak) or an SQL injection, it's all the same thing. If there's no vulnerability, then there's no way in. A single vulnerability and the attackers have won!

Now flip to the other side, the men on the castle walls (the good guys). These guys have one goal: to keep the attackers out. The only problem is, as mentioned, the attackers need only a single vulnerability to gain a foothold. To properly defend, the defenders need to ensure that every single vulnerability is found and fixed!

It turns out that it’s almost always easy to find a bad vulnerability, but finding all of them is pretty hard. Needless to say, the defenders have a harder job. This is hardly surprising – it’s always much easier to destroy something than it is to create it.

A hacker is an attacker. They have the easier job. A single critical vulnerability and the hackers have won. We've reported before that most web applications we see for the first time do have critical vulnerabilities!

A penetration tester has to find the whole set. If we find a critical vulnerability in the first ten minutes of testing, that doesn't mean we can say "oh, I've compromised the application, I might go get some ice cream". Our job requires that we test every single attack vector to see if it's vulnerable!

Defending is where the real challenge is at. Good penetration testers must be much more skilled than the black hats.

I don’t really like being called a hacker!
  1. Big Galoot says:

    I take your point Matthew. The term ethical hacker is akin to calling an undercover drug squad cop an ethical drug dealer. Neither has a particularly good ring about it.

    The test in both scenarios is intent.

    So how did the term 'ethical hacker' originate? I'm buggered if I know. But if I were a betting man, I reckon it might've originally been a quick & easy way to describe what you do to non-technical people.

    For a laugh, try telling a non-techo bloke down at the pub that you’re a ‘penetration tester’ and see what reaction you get. If you just happen to be in a pub on Oxford St, Sydney, the reaction you receive might be more than you’d anticipated.

    The problem is, ‘Ethical hacker’ might not be a palatable job title, but until someone comes up with a better term, I reckon it might be around for some time to come.

    Here’s an idea. SA dot com should run a competition to re-name the job title ‘Ethical hacker’.

    Big Galoot

  2. Probably the term “Security Tester” or maybe “IT Security Tester” is best to avoid the puns. Of course I’m also a “Security Consultant” and “Security Researcher”, so there are plenty of other titles I can use.

    I guess what bugs me about the term “ethical hacker” is that it leads to a misapprehension of the purpose of penetration testing and security reviews. It makes it appear as if our goal is to break the system or embarrass people, neither of which are even close to being truthful. Our goal is to improve security, not break it.

    Calling us hackers also makes us appear unprofessional and lacking in business skills when that’s definitely not the case. We follow set methodologies when conducting our tests to ensure that they are comprehensive and complete. We study and read the latest updates in the field to keep our skills up to date. We also connect with the business, give context to our findings and give the business help in fixing the findings.

    Maybe I’m just arrogant :-)

  3. Big Galoot says:

    My question is, how can the positive adjective 'ethical' be associated with the negative verb 'hacking'? Where's an English teacher when you need one?

  4. jody says:

    “We follow set methodologies when conducting our tests to ensure that they are comprehensive and complete. We study and read the latest updates in the field to keep our skills up to date.”

    Where do you get those methodologies? Who designs them? Are they hackers, perchance? If not, what assurance can you give your customers that you actually know what the hell you are doing? Are you just following some other lame "ethical hacker" instructions, running some pre-written tools and standard scans and exploits, or do you actually have the skills, dedication and tenacity of a real attacker? If you aren't actually as capable as a real attacker, then what exactly do you get paid to do? Run Nessus?

    Why not design your own methodologies? Why not approach the penetration test completely freeform? Why not attack a target with no prior knowledge, no set plan or procedure, no limitations, no considerations, no biases or presuppositions... do you actually EVER "hack"? If not, your word (in the form of a pentest report) is worth absolutely fuck-all.

    I discover bugs and attack vectors and new vulnerabilities and new techniques. I document them. You wait until they are codified and standardised in some lame SANS checklist, then you follow my preset instructions.

    No wonder you don't like to be called a hacker. You aren't even close. I feel sorry for people who have paid you for security advice – they've been duped, big time.

  5. jody says:

    ^^^ wow what a jerk! :)