Ethical hacking is the deliberate exploitation of an IT system with the permission of its owner with the goal to find vulnerabilities.
Otherwise known as penetration testing, ethical hacking has become essential to mitigate cyber-attacks from hackers who are intending to damage a company for illegal gain.
Every law firm handles critical personal data that must be handled with the utmost care. As such, it is a top priority of any practice to understand the risks of hacking and how the risk can be reduced.
How is ethical hacking different from hacking?
The line between ethical hacking and regular hacking can be difficult to define. After all, each type of hacker uses the same methods to achieve their intended result.
Each type of hacker is named after a different type of hat due to a trope from old spaghetti western movies.
Characters who wear white hats are usually the main protagonist whereas black hat wearing characters tend to be the antagonists. You can remember which type of hacker is which by thinking about their morality; lighter coloured hats are following the law closer to the letter.
How do you know you can trust a hacker?
Because ethical hacking is a growing industry, some black hat hackers are pretending to be ethical. If your company doesn't thoroughly background check the hacker, you may be unwittingly putting yourself at more risk.
So, how do you know who to work with?
The best option is to locate a Certified Ethical Hacker (CEH). These hackers have been certified by the EC-Council which is the world’s largest cyber security technical certification body. With their expert training and certification, you can only hire white hat hackers through the service.
Their training course is geared towards protection against large scale attacks, which means the courses they accredit for are trusted by the largest security organisations in the world, including ANSI and GCHQ.
What methods do ethical hackers use?
All hackers use the same methods to gain access into a firm’s data. However, ethical hackers report all of their findings back to the company that hired them, so all of their cyber-attacks are staged in 5 steps.
Before any hack can be taken out, the ethical hacker must define to the company the scope of the tests. This is especially useful in deciding the largest problem areas that a firm has with their cyber security.
Sometimes vulnerabilities are already known about and the goal of the hacker is to discern how much damage an exploit could cause. Usually, ethical hackers are doing penetration testing to find these vulnerabilities in the first place.
To gain access, they employ a method called footprinting. Footprinting is the process of collecting as much information as possible about the IT system that is being targeted. This is done to find specific potential targets to get into a system that is more likely to allow a large attack.
Scanning tests a firm’s reaction to different intrusion attempts. This not only includes the response of the technologies a company uses, but also the reactions of the employees of the company.
Employees are one of the biggest vulnerabilities as a poorly trained workforce could easily allow for the two easiest access methods to take place. Password brute forcing is the first which is less common with more firms forcing employees to use strong passwords. But, if a firm doesn't enforce strong passwords, a brute force attack can gain access in seconds.
Phishing is the second – phishing is an attempt to entice an employee to hand over information unwittingly. The most common method is to fake being a member of the firm they work for and to ask for certain documents or a password.
Once potential methods have been scanned for, web applications a law firm uses are attacked using common techniques. These include:
- SQL injections - unwanted code can be executed within a web application via its text boxes if improperly programmed
- cross-site scripting - websites sometimes give permission to external sources to work. If one of these external sources are vulnerable, so is the website
- backdoors - hackers can find backdoors, which allow a service to be entered without using authentication from a user
- session mismatches - an interruption between a user using an application and an application processing it can allow a hacker to assume the users identity
After access is gained once, an ethical hacker needs to find a way to maintain that access. This usually means installing a virus or another bug into the system that can execute the same access method repeatedly.
This step is when the true scale of the vulnerability is uncovered. If a hacker cannot maintain access, the scale of the vulnerability is diminished. Otherwise, if a large amount of information can be stolen, particularly without being uncovered for a long time, the scale of the vulnerability is massive.
After all attempts have taken place, the ethical hacker produces a report that outlines each of the exploits they were able to use and what steps need to be taken to secure the system. These are examples of solutions that an ethical hacker could suggest:
- employee training
- changing software providers
- improving security connection between web applications and third parties
- removing unnecessary permissions from employees
Who can you trust to improve cyber security?
We are Sprout IT, an award-winning company specialising in solutions for legal firms. Our services are built from the ground up around the needs of your firm, so we can be sure we cover all of your use cases to avoid cyber attacks.
Because all of our services are built to work together, our infrastructure plans are safe against cross-site scripting and are free from backdoors. We also provide training to all employees to make sure that phishing cannot take place.
To get in contact with our expert team about your cybersecurity, please call Sprout IT today on 020 7036 8530 or email us.