Ethical Hacking vs. Penetration Testing

Malcolm Bloom
Published in Bank4YOUGroup, Jan 31, 2018

These two terms are often considered to be similar; however, there is a thin but distinct line between them.

Penetration testing is an official procedure aimed at finding security vulnerabilities, flaws, risks, and unreliable environments. In other words, penetration testing can be considered a successful but not harmful attempt to penetrate a specific information system. Compared to ethical hacking, penetration testing is a more narrowly focused phase. Hence, penetration testing is a subset of ethical hacking.

Generally speaking, organizations conduct pen tests to strengthen their corporate defense systems comprising all computer systems and their adjoining infrastructure. It is to be noted that while penetration testing can help organizations fortify their cyber security defenses, this measure should be performed on a regular basis since malicious entities discover weak points in emerging systems, programs, and applications. Even though a pen test may not provide answers to all of your security concerns, such a test will significantly minimize the possibility of a successful attack.

A penetration test target may be a white box (where background and system information is provided) or a black box (where only basic or no information except the company name is provided). A penetration test can help determine whether a system is vulnerable to attack, whether the defenses were sufficient, and which defenses (if any) the test defeated.

Penetration testing is never a casual undertaking. It involves lots of planning, which includes getting explicit permission from management to perform tests, and then running tests as safely as possible.

Any organization that has a network connected to the Internet or provides an online service should consider subjecting it to a penetration test.

Various standards such as the Payment Card Industry Data Security Standard require companies to conduct penetration testing from both an internal and external perspective on an annual basis and after any significant change in the infrastructure or applications.

Ethical hacking, on the other hand, is an all-embracing term that includes all hacking methods and other related cyber attack methods. An ethical hacker’s role is similar to that of a penetration tester, but it involves broader duties. According to the EC-Council, an ethical hacker is “an individual who is usually employed with an organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a malicious hacker.”

An ethical hacker might employ all or some of these strategies to penetrate a system:

· Scanning ports and seeking vulnerabilities. An ethical hacker uses scanning tools like Nmap or Nessus to scan one’s own systems and find open ports. The vulnerabilities associated with each open port can be studied and remedial measures can be taken.

· An ethical hacker will examine patch installations and make sure that they cannot be exploited.

· The ethical hacker may engage in social engineering techniques like dumpster diving – rummaging through trash bins for passwords, charts, sticky notes, or anything with crucial information that can be used to generate an attack.

· An ethical hacker may also employ other social engineering techniques like shoulder surfing to gain access to crucial information, or play the kindness card to trick employees into parting with their passwords.

· An ethical hacker will attempt to evade IDS (intrusion detection systems), IPS (intrusion prevention systems), honeypots, and firewalls.

· Sniffing networks, bypassing and cracking wireless encryption, and hijacking web servers and web applications.

· Ethical hackers may also handle issues related to laptop theft and employee fraud.

Detecting how well the organization reacts to these and other tactics helps test the strength of the security policy and security infrastructure. An ethical hacker attempts the same types of attacks as a malicious hacker would try – and then helps organizations strengthen their defenses.

Many large companies, such as IBM, maintain employee teams of ethical hackers, while there are plenty of firms that offer ethical hacking as a service. Before launching the ICO campaign, we performed the same test of our system and were very satisfied with the results, though some upgrading was done quickly.
