Ethical hacking vs penetration testing Evalian

Ethical hacking and penetration testing: what’s the difference?

July 7th, 2021 Posted in Data Protection, Information Security

In 1998, the US-based hacker collective, L0pht Heavy Industries, found a way to shut down the Internet within 30 minutes. Rather than cause a global disaster, they reported their findings to the Committee of Governmental Affairs, to prevent a malicious actor from discovering and exploiting the same vulnerabilities.  

L0pht Heavy Industries is one of the first, and most prominent examples of ethical hacking: a cyber security discipline in which information security personnel are authorised by a company to find and exploit potential attack vectors in its computing infrastructure. The aim, unlike malicious hacking, is to discover these weaknesses so that they can be remediated. 

From this description, you might think that ethical hacking sounds a bit like penetration testing. In many ways, you’d be correct. Penetration testing is a form of ethical hacking, but ethical hacking is a broader concept, meaning there are differences. In this blog, we aim to help you understand them. For a deeper dive into penetration testing, we suggest you read our guide here.

What is ethical hacking?

Ethical hacking is also commonly known as white hat hacking. It is an all-encompassing term that refers to the use of hacking and cyber attack techniques for an altruistic purpose. Unlike malicious ‘black hat’ hackers, who attempt to exploit security vulnerabilities for their own illicit gain, white hat hackers are the ‘good guys’. They test to identify vulnerabilities so they can be remediated before the ‘bad guys’ seek to exploit them for their own purposes.  

Ethical hackers use an array of different techniques in order to exploit company vulnerabilities and find sensitive data. From manipulating system misconfigurations to phishing emails and business email compromise attacks, these hackers will use whatever tools they have at their disposal to find a route in.   

It might sound strange to ask someone to attack your systems. But one of the best ways to prevent a breach is to effectively simulate one, which is what ethical hackers can do. They use the same multi-layered techniques and thinking that a cyber criminal would. But rather than steal sensitive data at the end of their mission, they help you to find better ways to protect it.  

Similar, but not the same

Clearly, then, penetration testing falls within the category of ethical hacking. Testers are engaged by organisations to test target systems. They use the same types of techniques, tools and tactics that would be used by a real-world attacker, and they do so for positive, white-hat reasons.

A penetration test is a pre-agreed and time-limited engagement delivered at the client’s request. There is a form of ethical hacking, though, which is quite the opposite. Some ethical hackers carry out what is often referred to as security research on publicly available systems and applications.  

This involves using similar tools and techniques as pen testers but without the agreement of the target organisation or the limit of an agreed scope or time. If the researcher / ethical hacker finds an exploitable vulnerability, they disclose this to the target company for remediation.  

Bug bounties

Historically, this type of ethical hacking has been done for the ‘challenge’. It also helps improve security at organisations that might collect and process sensitive data. Security research has become more commercial in recent years. Tech companies have recognised the value of incentivising people to disclose vulnerabilities rather than try to exploit them.  

As such, tech companies are increasingly offering ‘bug bounties’ or payments to ethical hackers who disclose vulnerabilities to them. Facebook, for example, has a written bug bounty program that sets out its approach to working with ethical hackers and rewarding them. In a November 2020 post to its site, Facebook disclosed that it had paid out $11.7m in bug bounties since 2011. 

Not all researchers carry out ethical hacking to earn bug bounties though. Many are still doing it in their spare time for truly altruistic reasons. Likewise, not all organisations respond positively to disclosure – especially here in the UK, where the current Computer Misuse Act 1990 effectively makes security research illegal. It is not uncommon for security researchers on Twitter to ask for advice when responding to legal action. This is because they have disclosed vulnerabilities to a company that wants to control the narrative around the issue. 

What is penetration testing?

As we’ve seen, then, penetration testing is a form of ethical hacking but with a narrower focus and limited scope. It is typically part of a commercial arrangement, in which testing of the target is pre-approved by a client organisation.  

Penetration testing, in itself, is a type of security assessment. A company hires a suitably skilled penetration tester to identify real-world security vulnerabilities within its IT infrastructure, systems or applications, using a combination of tools and manual exploit techniques.  

At the end of the test, the tester shares a comprehensive report. This will include the vulnerabilities found and guidance on how to make the business more secure. This advice is based on the severity of the issues identified, typically by referring to CVSS 3.1 and the tester’s own real-world experience. 

Within penetration testing, there are different types of tests, focused on different aspects of an organisation’s IT estate, such as:  

  • External network tests;
  • Internal network tests;
  • Web application tests;
  • Mobile application tests; and
  • Wireless network tests.

Penetration tests are usually carried out on an annual basis, or after an organisation deploys new infrastructure or applications (especially internet-facing systems). For organisations of all sizes, they are an invaluable tool for improving cyber security. By finding unpatched vulnerabilities in systems, applications and networks, they provide independent validation that a company’s security defences are resilient.

Which one is right for you?

The short answer is, both – because penetration testing is a form of ethical hacking. A penetration test is an assurance exercise for your organisation. These tests should form part of your vulnerability management programme. They should include regular vulnerability scanning and patching in line with vendor guidance.  

Carrying out penetration testing provides peace of mind. It also helps demonstrate compliance with regulatory and legal obligations. Importantly, it provides your customers with confidence that their data is secure in your systems.

If your organisation has public infrastructure and collects and works with personal or sensitive data, then you may also be subject to ethical hacking by security researchers. You won’t know about their research unless they find a vulnerability and, even then, you should validate the nature of the vulnerability yourself. There is a growing trend of scammers contacting organisations to highlight an insignificant matter and request payment.

With this in mind, it is worth adding a security.txt file to your website. It gives researchers contact details for notifying your organisation about vulnerabilities, so that a disclosure reaches the right people in your business. You can also include your public key so that the researcher can send the details in encrypted form, which helps prevent them falling into the hands of a malicious party. Google’s security.txt file is here, as an example, and you can learn more about the standard approach through this link.

Need help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test and provide additional security assessment and assurance services. Contact us for a friendly chat. 


Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).