Ethical Hacking – About Ethical Hacking

Today I will introduce you to Ethical Hacking and Penetration Testing.

Ethical hacking is the process of attempting to find the vulnerabilities of a network through penetration testing. It is also used as a security test, in which ethical hackers report the vulnerabilities and provide solutions to make the network more secure.

The procedure of penetration testing goes like this:

  • Define the scope of the test, such as providing details on what will be tested and by whom it will be tested.
  • Perform the penetration test.
  • Deliver the results of the test.

What does it take to be an ethical hacker? It simply requires you to understand the laws and what you are legally allowed to do in your area, knowledge of computers and networks, the ability to use the necessary tools, and communication skills.

There are three types of penetration testing methodologies:

  • Black box model: The company does not know about the penetration testing, and the tester is not given any information about the network. The purpose is to find out whether an attack could be detected by the company's security.
  • White box model: Sufficient information is given to the tester, and the tester is allowed to ask the company about the network.
  • Grey box model: A hybrid of the white box and black box methods, in which the tester is given only some information about the network.

There are also two types of penetration testing teams, the Blue Team and the Red Team. The Red Team's purpose is to find out the system's vulnerabilities, while the Blue Team's purpose is to figure out how surprise attacks from outside might occur.

There are also other types of methodologies, such as the OSPT. The OSSTMM Professional Security Test (OSPT) is designed by ISECOM (Institute for Security and Open Methodologies) and is based on the Open Source Security Testing Methodology Manual (OSSTMM). It consists of 5 domains, which are:

  • Information security
  • Process security
  • Internet Technology security
  • Communication security
  • Wireless security

Others, such as the ISSAF (Information System Security Assessment Framework) and the OWASP (Open Web Application Security Project), are also different types of methodologies.

Why ethical hacking? Today, when we use software such as cloud computing to store files, the demand for security is higher because more users are able to access the data. This can lead to hackers exploiting the files that are on the server. To make the data more secure, we can find out its vulnerabilities, and we can do that through penetration testing. From the results of penetration testing, we can work out solutions to prevent our computers from being attacked.

In ethical hacking, there are things that we can do legally. What we should do is to find out what is legal in our area/country, because some activities are not allowed in some countries (such as port scanning). Over here in Indonesia, we have the UU ITE.

It is also possible to get specific certifications in ethical hacking, one of them being the CEH (Certified Ethical Hacker), which is developed by the International Council of Electronic Commerce Consultants (EC-Council). Other certifications, such as the CompTIA Security+ and Network+, can also help with the certification.
