Criminal vs. Ethical Hackers: Who Wins?

When a company is ready to put their infrastructure and applications to the test, they use ethical hackers. These experts look for security gaps in a system. They use frameworks to guide their actions, like OWASP and NIST 800-115. The ethical hacker will find vulnerabilities and flaws. After these are patched and fixed, the result will be a more secure system.

Can an ethical hacker simulate what a skilled criminal hacker can accomplish? Does passing a penetration test ensure you will not get hacked? Consider the following comparison of their situations and decide.

 

Criminal Hackers

criminal-1

Ethical Hackers

shield

Time For a worthy prize, criminals can spend weeks and months attempting to break in. Time is no constraint.  Companies use ethical hackers for the length of a contract or on an hourly paid basis. Unless money is unlimited, time is not.
Advantage

✔️

 

Tools There are many tools available that help people get into systems. Most are open source and widely available. In addition, criminals can get tools fast, without the need for internal approvals, as with a corporation. Ethical hackers use similar tools as criminals to test. There could be restrictions to certain type of software that are not legal however. 
Advantage

✔️

✔️

Ethics Criminals out for money have no qualms about resorting to unethical methods to achieve goals. "Hacktivists" break into websites and systems with the goals of righting a wrong or bringing awareness to injustice. But in either case, there is likely little concern for ethics to break in. The name is a hint! "Ethical" in the hacker term means these people do not engage in anything against accepted morals or values to test. Unless there is a clear mandate to go into "grey areas", keeping on the straight and narrow might prevent ethical hackers from pushing a system.
Advantage

✔️

 

Motivation Setting aside ethical or legal concerns, money is a good indicator of where talent goes.  The business model of hacking is complex. One study said a hacker can earn $80,000 per month! If there is a power forcing the criminals to do the hacking, that could also be an extreme motivator. The average salary of an Certified Ethical Hacker is $118,000 so there is some pressure to earn that wage and succeed. The intrinsic motivation to help companies is impossible to calculate. The drive to test and excel can be strong.
Advantage

✔️

✔️

Scope A criminal hacker can go to any lengths to commit the act.  Much like time, the scope of an engagement is defined from the outset. Unless the scope is very broad, the test is going to include what is agreed upon.
Advantage

✔️

 

 

What Can be Done

We established that a penetration test is beneficial, but the test might not meet the level of effort and time that a dedicated criminal can bring to bear in an actual. Lessen the chance of getting hacked by following best practices for security. Here are just a few tips:

  • Update and patch your software
  • Never share passwords
  • Backup your data regularly
  • Beware of emails coming from unrecognized addresses 

Read more tips on how to stay secure. For more on ethical hacking, download our PDF:

pentest and ethical hacking

Did you enjoy this blog article? Comment below with your feedback.

 

About CIPHER

Founded in 2000, Cipher is a global cybersecurity company that delivers a wide range of services: Managed Security Services (MSS), Managed Detection and Response (MDR), Cyber Intelligence Services (CIS), Red Team Services (RTS), Governance, Risk and Compliance (GRC) and Cybersecurity Technology Integration (CTI). These services are supported by the Cipher Lab, an elite threat and cyber intelligence research and development lab, and also by five 24x7 Security Operations Centers (SOC).

Cipher is a highly accredited company holding ISO 27001, ISO 22301, ISO 20000, ISO 9001, SOC I, SOC II, PCI QSA, PCI ASV and CREST certifications. The quality of service has led Cipher to win many awards from world-renowned research companies such as Gartner, Frost & Sullivan and Forrester. Clients consist of companies from mid-size enterprises to world-renowned corporations and government agencies, with countless success stories.

Recent Security Posts

Essential-Cyber-Security-Tips-Guide.jpg

Twitter Feed