How can you trust an ethical hacker

Security

What does "Ethical Hacking" mean?

Ethical hackers are security experts who simulate hacker attacks on the systems of companies and government agencies in order to test whether the respective configuration can withstand the attack. With the help of so-called penetration tests, the external experts identify security gaps and attack possibilities. They help shut them down before criminal hackers become aware of them. Ethical hackers are therefore also referred to as penetration testers, or pentesters for short.

You can see how a pentester works in the following video:

What types of hacker attacks are you talking about?

The attack scenarios are constantly changing. Phishing attacks and social engineering are currently in vogue with criminal hackers. In order not to have to laboriously work through the company's security mechanisms, the attackers infiltrate the company network via fake emails with prepared Word or PDF attachments or websites on which malware is hidden: when opening the attachment or simply calling it up On the website, the malware installs itself automatically and unnoticed by the user as soon as the user is online. Popular targets of attack are also mobile devices that are connected to the company network.

How do ethical hackers go about it?

First of all, a comprehensive security analysis is important as part of security management in the company. This aims to recognize threats with the help of penetration tests and vulnerability scans, to assess their probability of occurrence and their potential for damage and to derive the risks for the company from this.

What methods do ethical hackers use?

The penetration test is the most important tool in ethical hacking. It includes all common methods with which hackers attempt to break into a system or network without authorization (penetration). The penetration test simulates as many known attack patterns as possible and thus determines how susceptible the system is to such attacks. Penetration tests are systematically prepared, planned and carried out. In contrast to the automatically running vulnerability scan, manual tests are particularly important.

What is the difference between a criminal and an "ethical" hacker?

The methods of the pentester are no different from a "real" hacker. The main difference is the intention of the attack: while criminal hackers have fraudulent intentions, "ethical" hackers use the attack to uncover security gaps - and are paid for it by the customer. Some therefore prefer terms such as pentester or security consultant to differentiate themselves from hackers with bad intentions.

Which weak points can be identified using simulated attacks?

In principle, almost all weak points can be tracked down. Of course, vulnerabilities that enable access to sensitive data, such as unauthorized changes to configuration settings or the smuggling of malware via phishing emails, are particularly important. Such risks are increasing - not just in businesses, but also in vehicles that are increasingly turning to rolling computers. A newer model already has a large number of software-controlled control systems and infotainment functions. From 2018, a permanently installed SIM card will be mandatory for new vehicles in Europe.