Understanding Ethical Hacking: An Overview
BY SproutIT

Ethical hacking is the deliberate exploitation of an IT system, with the permission of its owner, with the goal of finding vulnerabilities.

Otherwise known as penetration testing, ethical hacking has become essential to mitigate cyber-attacks from hackers who intend to damage a company for illegal gain.

Every law firm handles critical personal data that must be treated with the utmost care. As such, it is a top priority of any practice to understand the risks of hacking and how those risks can be reduced.

How is ethical hacking different from hacking?

The line between ethical hacking and regular hacking can be difficult to define. After all, each type of hacker uses the same methods to achieve their intended result; what separates them is authorisation, since the ethical hacker works with the owner's permission and within an agreed scope.

Each type of hacker is named after a different type of hat, a trope borrowed from old spaghetti western movies.

Characters who wear white hats are usually the protagonists, whereas characters wearing black hats tend to be the antagonists. You can remember which type of hacker is which by thinking about their morality: the lighter the hat, the more closely the hacker follows the letter of the law.

How do you know you can trust a hacker?

Because ethical hacking is a growing industry, some black hat hackers pose as ethical hackers. If your company doesn't thoroughly background check a hacker before engaging them, you may unwittingly be putting yourself at more risk.

So, how do you know who to work with?

The best option is to locate a Certified Ethical Hacker (CEH). These hackers have been certified by the EC-Council, which is the world's largest cyber security technical certification body. Because of their expert training and certification, you can only hire white hat hackers through the service.

The training course is geared towards protection against large-scale attacks, which means the courses they accredit are trusted by the largest security organisations in the world, including ANSI and GCHQ.

What methods do ethical hackers use?

All hackers use the same methods to gain access to a firm's data. Ethical hackers, however, report all of their findings back to the company that hired them, and their staged cyber-attacks follow 5 steps.

Reconnaissance

Before any hack can be carried out, the ethical hacker must agree with the company the scope of the tests. This is especially useful in deciding the largest problem areas a firm has with its cyber security.

Sometimes vulnerabilities are already known about, and the goal of the hacker is to discern how much damage an exploit could cause. Usually, though, ethical hackers are doing penetration testing to find these vulnerabilities in the first place.

To gain access, they employ a method called footprinting. Footprinting is the process of collecting as much information as possible about the IT system being targeted. This is done to find specific potential targets for getting into the system that are more likely to allow a large attack.

Scanning

Scanning tests a firm's reaction to different intrusion attempts. This includes not only the response of the technologies a company uses, but also the reactions of the company's employees.

Employees are one of the biggest vulnerabilities, as a poorly trained workforce could easily allow the two easiest access methods to take place. Password brute forcing is the first. It is less common now that more firms require employees to use strong passwords, but if a firm doesn't enforce strong passwords, a brute force attack can gain access in seconds.

Phishing is the second: an attempt to entice an employee to hand over information unwittingly. The most common method is to pose as a member of the firm the employee works for and ask for certain documents or a password.

Gaining Access

Once potential methods have been scanned for, the web applications a law firm uses are attacked using common techniques. These include:

  • SQL injection - if a web application is improperly programmed, unwanted code can be executed within it via its text boxes
  • cross-site scripting - websites sometimes give external sources permission to run. If one of these external sources is vulnerable, so is the website
  • backdoors - hackers can find backdoors, which allow a service to be entered without a user authenticating
  • session mismatches - an interruption between a user using an application and the application processing it can allow a hacker to assume the user's identity
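As an added illustration of the first bullet (example code, not from the original post), the Python below compares a login check that pastes text-box input straight into its SQL with the parameterised form that fixes it. The in-memory database, the user and the hash values are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed demo database with one user; the hash value is a placeholder, not a real credential.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # The defect the post describes: text-box values are pasted into the SQL text,
    # so the database parses whatever the user typed as part of the query.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterised(conn, username, password_hash):
    # The fix: placeholders keep the input as data; it is never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def demo():
    # Runs both versions against a correct value, a wrong value, and an input
    # that turns the vulnerable WHERE clause into one that is always true.
    conn = make_db()
    wrong = "not-the-right-hash"
    injected = "' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(conn, "alice", "hash-of-alice-password"),
        "vuln_wrong": login_vulnerable(conn, "alice", wrong),
        "vuln_injected": login_vulnerable(conn, "alice", injected),
        "safe_correct": login_parameterised(conn, "alice", "hash-of-alice-password"),
        "safe_wrong": login_parameterised(conn, "alice", wrong),
        "safe_injected": login_parameterised(conn, "alice", injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login accepted' if result else 'login rejected'}")
```

The vulnerable version accepts the injected input as a successful login; the parameterised version treats it as just another wrong value.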

Maintaining Access

After access is gained once, an ethical hacker needs to find a way to maintain that access. This usually means installing a virus or another bug into the system that can execute the same access method repeatedly.

This step is when the true scale of the vulnerability is uncovered. If a hacker cannot maintain access, the scale of the vulnerability is diminished. If, on the other hand, a large amount of information can be stolen, particularly without being discovered for a long time, the scale of the vulnerability is massive.

Analysis

After all attempts have taken place, the ethical hacker produces a report that outlines each of the exploits they were able to use and what steps need to be taken to secure the system. These are examples of solutions an ethical hacker could suggest:

  • employee training
  • changing software providers
  • improving the security of connections between web applications and third parties
  • removing unnecessary permissions from employees

Who can you trust to improve cyber security?

We are Sprout IT, an award-winning company specialising in solutions for legal firms. Our services are built from the ground up around the needs of your firm, so we can be sure we cover all of your use cases to avoid cyber-attacks.

Because all of our services are built to work together, our infrastructure plans are safe against cross-site scripting and are free from backdoors. We also provide training to all employees to make sure that phishing cannot take place.

To get in contact with our expert team about your cyber security, please call Sprout IT today on 020 7036 8530 or email us.
