Setting the stage

Understanding all the various players and positions in the world of hacking and penetration testing is central to comprehending the big picture. Let us start by painting the picture with broad brush strokes. Please understand that the following is a gross oversimplification; however, it should help you see the difference between the various groups of people involved.

It may help to consider the Star Wars universe where there are two sides of the “force”: Jedis and Siths. Good vs Evil. Both sides have access to an incredible power. One side uses its power to protect and serve, whereas the other side uses it for personal gain and exploitation.

Learning to hack is much like learning to use the force. The more you learn, the more power you have. Eventually, you’ll have to decide whether you’ll use your power for good or bad. There’s a classic poster from the Star Wars Episode I movie that depicts Anakin as a young boy. If you look closely at Anakin’s shadow in the poster, you’ll see it’s the outline of Darth Vader. Try searching the Internet for “Anakin Darth Vader Shadow” to see it. Understanding why this poster has appeal is critical. As a boy, Anakin had no aspirations of becoming Darth Vader, but it happened nonetheless.

It’s probably safe to assume that very few people get into hacking to become a supervillain. The problem is that the journey to the dark side is a slippery slope. However, if you want to be great, have the respect of your peers and be gainfully employed in the security workforce, you need to commit yourself to using your powers to protect and serve. Having a felony on your record is a one-way ticket to another profession. It’s true that there is currently a shortage of qualified security experts, but even so, not many employers today are willing to take a chance on someone with a criminal record, especially if those crimes involve computers.

In the pen testing world, it’s not uncommon to hear the terms “white hat” and “black hat” to describe the Jedis and Siths. Throughout this course, the terms “white hat”, “ethical hacker” and “penetration tester” will be used interchangeably to describe the Jedis. The Siths will be referred to as “black hats”, “crackers” or “malicious attackers”.

It’s important to note that ethical hackers complete many of the same activities with many of the same tools as malicious attackers. In nearly every situation, an ethical hacker should strive to act and think like a real black hat hacker. The closer the penetration test simulates a real-world attack, the more value it provides to the customer paying for the penetration test (PT).

Please note how the previous paragraph says “in nearly every situation”. Even though white hats complete many of the same tasks with many of the same tools, there’s a world of difference between the two sides. At their core, these differences can be boiled down to three key points: authorization, motivation and intent. It should be stressed that these points are not all-inclusive, but they can be useful in determining if an activity is ethical or not.

The first and simplest way to differentiate between white hats and black hats is authorization. Authorization is the process of obtaining approval before conducting any tests or attacks. Once authorization is obtained, both the penetration tester and the company being audited need to agree upon the scope of the test. The scope includes specific information about the resources and systems to be included in the test. The scope explicitly defines the authorized targets for the penetration tester. It’s important that both sides fully understand the authorization and scope of the PT. White hats always respect the authorization and remain within the scope of the test. Black hats will have no such constraints on the target list.

The second way to differentiate between an ethical hacker and a malicious one is through examination of the attacker’s motivation. If the attacker is motivated or driven by personal gain, including profit through extortion or other devious methods of collecting money from the victim, revenge, fame or the like, he or she should be considered a black hat. However, if the attacker is preauthorized and his or her motivation is to help the organization and improve its security, he or she can be considered a white hat.

Finally, if the intent is to provide the organization with a realistic attack simulation so that the company can improve its security through early discovery and mitigation of vulnerabilities, the attacker should be considered a white hat. It’s also important to comprehend the critical nature of keeping PT findings confidential. Ethical hackers will never share sensitive information discovered during the process of penetration testing with anyone other than the client. However, if the intent is to leverage information for personal profit or gain, the attacker should be considered a black hat.