White hat
Encyclopedia
The term "white hat" in Internet slang
Internet slang
Internet slang is a type of slang that Internet users have popularized, and in many cases, have coined. Such terms often originate with the purpose of saving keystrokes. Many people use the same abbreviations in texting and instant messaging, and social networking websites...

 refers to an ethical hacker, or a computer security
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...

 expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems
Information systems
Information Systems is an academic/professional discipline bridging the business field and the well-defined computer science field that is evolving toward a new scientific area of study...

. Ethical hacking is a term coined by IBM
IBM
International Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...

 meant to imply a broader category than just penetration testing.
White-hat hackers are also called "sneakers
Hacker (computer security)
In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...

", red team
Red Team
A red team is a group of penetration testers that assess the security of an organization, which is often unaware of the existence of the team or the exact assignment. Red teams provide a more realistic picture of the security readiness than exercises, role playing, or announced assessments...

s, or tiger team
Tiger team
A tiger team is a group of experts assigned to investigate and/or solve technical or systemic problems. The term may have originated in aerospace design but is also used in other settings, including information technology and emergency management...

s.

History

One of the first instances of an ethical hack being used was a “security evaluation” conducted by the United States Air Force of the Multics operating systems for "potential use as a two-level (secret/top secret) system." Their evaluation found that while Multics was "significantly better than other conventional systems," it also had "... vulnerabilities in hardware security, software security, and procedural security" that could be uncovered with "a relatively low level of effort." The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military. The idea to bring this tactic of ethical hacking to assess security of systems was formulated by Dan Farmer
Dan Farmer
Dan Farmer is an American computer security researcher. In a summer course in 1989, in order to graduate from Purdue University he started the development of the COPS program for identifying security issues on Unix systems under Gene Spafford, first releasing it after leaving Purdue in late 1989...

 and Wietse Venema
Wietse Venema
Dr. Wietse Zweitze Venema is a Dutch programmer and physicist best known for writing the Postfix email system. He also wrote TCP Wrapper and collaborated with Dan Farmer and Samuel Johnson to produce the computer security tools SATAN and The Coroner's Toolkit.-Biography:He studied physics at the...

. With the goal of raising the overall level of security on the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...

 and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. Their program, called Security Analysis Tool for Auditing Networks, or SATAN
Satan
Satan , "the opposer", is the title of various entities, both human and divine, who challenge the faith of humans in the Hebrew Bible...

, was met with a great amount of media attention around the world.

Tactics

While penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects and patch installations, for example – ethical hacking, which will likely include such things, is under no such limitations. A full blown ethical hack might include emailing staff to ask for password details, rummaging through executive’s dustbins or even breaking and entering – all, of course, with the knowledge and consent of the targets. To try and replicate some of the destructive techniques a real attack might employ, ethical hackers arrange for cloned test systems, or organize a hack late at night while systems are less critical.

Some other methods of carrying out these include:
  • DoS attack
    Denial-of-service attack
    A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...

    s
  • Social engineering
    Social engineering (security)
    Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information...

     tactics
  • Security scanners such as:
    • W3af
      W3af
      w3af is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for Web applications...

    • Nessus
      Nessus
      Nessus can have a number of meanings:* Nessus , a famous centaur from Greek mythology* The Tunic or Shirt of Nessus, the poisoned shirt of the centaur Nessus, in the story of Hercules...

  • Frameworks such as:
    • Metasploit


Such methods identify and exploit
Exploit (computer security)
An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...

 known vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...

, and attempt to evade security to gain entry into secured areas.

Legality

Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com
OUT-LAW
OUT-LAW.COM is an award-winning legal news and information site developed by international law firm Pinsent Masons, a highly-regarded law firm specialising in technology, telecoms, intellectual property, outsourcing and information law....

, says “Broadly speaking, if the access to a system is authorized, the hacking is ethical and legal. If it isn’t, there’s an offence under the Computer Misuse Act. The unauthorized access offence covers everything from guessing the password, to accessing someone’s webmail account, to cracking the security of a bank. The maximum penalty for unauthorized access to a computer is two years in prison and a fine. There are higher penalties – up to 10 years in prison – when the hacker also modifies data”, Unauthorized access even to expose vulnerabilities for the benefit of many is not legal, says Robertson. “There’s no defense in our hacking laws that your behavior is for the greater good. Even if it’s what you believe.”

Employment

The United States National Security Agency
National Security Agency
The National Security Agency/Central Security Service is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S...

 offers certifications such as the CNSS 4011. Such a certification covers orderly, ethical hacking techniques and team-management. Aggressor teams are called "pink" teams. Defender teams are called "yellow" teams.

See also

  • Black hat
    Black hat
    A black hat is the villain or bad guy, especially in a western movie in which such a character would stereotypically wear a black hat in contrast to the hero's white hat, especially in black and white movies....


Computer hacking
  • Exploit (computer security)
    Exploit (computer security)
    An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...

     
  • Grey hat
    Grey hat
    A grey hat, in the hacking community, refers to a skilled hacker whose activities fall somewhere between white and black hat hackers on a variety of spectra. It may relate to whether they sometimes arguably act illegally, though in good will, or to show how they disclose vulnerabilities...

  • Hacker (computer security)
    Hacker (computer security)
    In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...


  • Hacker ethic
    Hacker ethic
    Hacker ethic is the generic phrase which describes the moral values and philosophy that are standard in the hacker community. The early hacker culture and resulting philosophy originated at the Massachusetts Institute of Technology in the 1950s and 1960s...

  • IT risk
    IT risk
    Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...

  • Metasploit
  • Penetration test
    Penetration test
    A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...

  • Vulnerability (computing)
    Vulnerability (computing)
    In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...

  • Wireless & RFID Identity Theft
    Wireless Identity Theft
    Wireless identity theft, also known as contactless identity theft or RFID identity theft, is a form of identity theft described as "the act of compromising an individual's personal identifying information using wireless mechanics." Numerous articles have been written about wireless identity theft...



External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK