
Penetration testing and black and white hat hackers

Introduction
A hacker is someone who tries, and sometimes succeeds, in getting access to computer systems to which they have no right of access. They are attempting to get unauthorised access to data. They do this for a variety of reasons, including just to prove they can or for fun, but also to view the data for 'secret' information or to steal it for personal gain.

Black hat hacking
People who try to gain unauthorised access to computer systems are known as black hat hackers. They are essentially criminals, trying to bypass security measures so that they can access files of data for malicious or criminal reasons. They might want to view data, change it, delete it, steal it to resell it, steal it to make it public or steal it to use themselves to make money. When a black hat hacker finds a vulnerability in a network, they keep this information to themselves as it is very valuable; it will let them into the system any time they want until the flaw is found, reported and blocked by others.

White hat hacking
White hat hackers are often called ethical hackers. They are not trying to break into a system for malicious or criminal reasons. They are attempting to break into a system perhaps because they own it and want to test how secure it is, or perhaps because they are employed by a security company to test a system's levels of security by running penetration tests. They are open about their activities with others in their team, document their findings and help the process of making data and the systems they live in more secure.

Penetration hacking
A penetration test is a deliberate attack by a white hat hacker on a computer system, with the aim of finding security weaknesses in it. This might include actually gaining unauthorised access to data at different security levels, gaining access to a system's software so that the white hat hacker can run functions such as searching through data, or finding weak pathways into other systems from the system they are probing.

Tests may be designed using a white box or black box approach (you may recall that these terms were discussed when we looked at the topic of testing in Systems Analysis). White box penetration tests are where the hacker has lots of information about the target system, such as the type of computers that are being used, the software that runs on them, and perhaps some information about how security is organised and who is responsible for it. Black box penetration tests are where the company is considered to be inside a black box and all the hacker knows is what the company's name is. They don't know any other details except those that they can find out for themselves.

Penetration tests should help identify the strengths and weaknesses of a target computer system and the potential threats that could result from an attack. This information can be used to inform a company about further measures they need to take to improve their data and system security and can be used to justify allocating a budget for this purpose.
