An Ethical Hacker is an expert hired by a company to attempt to attack their network and computer system the same way a hacker would. Ethical Hackers use the same techniques and tactics as those used by illegal hackers to breach corporate security systems. The end result is the company's ability to prevent an intrusion before it ever occurs.

A company can't know if their security system is solid unless they test it. It's hard, though, for a company's IT team to thoroughly wring out the system. Try as they might, the techs can't go at the system with all the malicious or mischievous motives of a true illegal hacker. To thoroughly uncover vulnerabilities, the theory goes, you must examine your security system through the eyes of an illegal hacker.

The word hacking has strongly negative connotations, and, for the most part, rightly so. But ethical hacking is much different. It takes place with the explicit permission of the company whose system is being attacked. In fact, their "good guy" role is underscored by the nickname "white hat" that Ethical Hackers have been given. The nickname is a throwback to old Westerns, where the good cowboys could be identified by their white hats.

The company and the Ethical Hacker enter into a legally binding contract. The contract, sometimes called a "get out of jail free card," sets forth the parameters of the testing. It's called the "get out of jail free card" because it's what shields the Ethical Hacker from prosecution. Hacking is a felony, and a serious one at that. The terms of the agreement are what transform illegal behavior into a legal and legitimate occupation.

Once the hacker has exhausted his attempts, he reports back to the company with a list of the vulnerabilities he uncovered. The list in and of itself, however, is not particularly useful. What's most valuable is the instructions the Ethical Hacker provides for eliminating those vulnerabilities.

An Ethical Hacker works to uncover three key pieces of information. First, he determines what information an illegal hacker can gain access to. Next, he explores what an illegal hacker could do with that information once gained. Last, the Ethical Hacker ascertains whether an employee or staff member would be alerted to the break-in, successful or not.

At first it might sound strange that a company would pay someone to try to break into their system. Ethical hacking, though, makes a lot of sense, and it is a concept companies have been employing for years. To test the effectiveness and quality of a product, we subject it to the worst-case scenario. The safety testing performed by car manufacturers is a good example. Current regulatory requirements, including HIPAA, Sarbanes Oxley, SB-1386 and BS 799, require a trusted third party to check that systems are secure.

In order to get the most out of the assessment, a company should decide in advance the nature of the vulnerabilities they're most concerned with. Specifically, the company should determine which information they want to keep protected and what they're concerned would happen if that information were retrieved by an illegal hacker.

Companies should thoroughly assess the qualifications and background of any Ethical Hacker they are considering hiring. This individual will be privy to highly sensitive information. Total honesty and integrity are of the utmost importance.