What is Ethical Hacking or an Ethical Hacker:
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.
One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. Many large companies, such as IBM, maintain employee teams of ethical hackers.
In a similar but distinct category, a hacktivist is more of a vigilante: detecting, sometimes reporting (and sometimes exploiting) security vulnerabilities as a form of social activism.
What are Hackers:
A hacker is someone who likes to tinker with electronics or computer systems. Hackers like to explore and learn how computer systems work, finding ways to make them do what they do better, or do things they weren’t intended to do. There are two types of hackers:
White Hat – These are considered the good guys. White hat hackers don’t use their skills for illegal purposes. They usually become Computer Security experts and help protect people from the Black Hats.
Black Hat – These are considered the bad guys. Black hat hackers usually use their skills maliciously for personal gain. They are the people that hack banks, steal credit cards, and deface websites.
These two terms came from the old western movies where the good guys wore white hats and the bad guys wore black hats.
About Hackers:
The estimated number of individuals in each group and their potential salaries are a rough approximation and are not backed by actual data, but serve to illustrate the order-of-magnitude difference between each level. Here is some more detailed information about each group, including the members’ skill sets and some examples of who they are.
Scriptkiddie – The scriptkiddie is the most numerous of all self-proclaimed hackers and the least knowledgeable. Scriptkiddies are able to download and run a program written by someone else, but probably aren’t good enough to even read and fully understand the instruction manual, if one exists. Scriptkiddies are behind a lot of attacks on the internet, but do very little damage to systems with proper security measures in place. A scriptkiddie-hour is worth nothing. These are mostly teenagers who think hacking is cool and want to do it, but know nothing about security. The cost of their time is completely offset by the entertainment and education value of hacking.
Power-User/Hacker – This group of hackers has some basic understanding of networking, firewalls, and exploits. A power-user/hacker can probably download and compile source code for an exploit, possibly making changes to high-level C++ code. Power-user/hackers cannot read, write, or modify assembly code and would not be able to fix a “neutered” exploit (security professionals will often post slightly-modified sample exploits for new vulnerabilities that do not work as-is). So-called “botnet herders” who maintain networks of compromised computers mostly fit in this and the next category, as do more skilled teen-aged hackers. Their time is worth something, though it is probably not much more than $10-15/hour.
Adept Hacker – More adept hackers are knowledgeable about network and system programming, as well as exploit functionality. An adept hacker can write mediocre malware (but not a more sophisticated root kit), read some assembly code, debug a binary without symbols, fix broken buffer overflow exploits, and possibly write or make changes to shell code. Adept hackers can also write exploits for known logic vulnerabilities that do not require shell code, such as SQL injection bugs. However, an adept hacker still cannot write an exploit from start to finish for a complex buffer overflow vulnerability or find new vulnerabilities (with the possible exception of simple cross-site scripting bugs). Adept hackers could probably fetch a reasonable salary as a software developer or security analyst, $50,000 to $80,000, which equates to about $25-$40/hour. Most poorly-written malware and variations of existing malware are written by adept hackers.
Expert Hacker – There are very few expert hackers out there. An expert hacker can write decent root kit malware, write exploits for known buffer overflow vulnerabilities without sample code, and find low-hanging vulnerabilities in software without having the source code. Expert hackers are very valuable, as they also have the necessary skills to do penetration testing, software security analysis, and intrusion detection system design. An expert hacker’s time is precious, and usually goes toward building tools used by less-skilled hackers. As a senior technical specialist, an expert hacker could command a salary of $120,000 to $200,000, or $60-$100/hour. Expert hackers who choose a less righteous path may become authors of more successful malware or worms such as Code Red, Blaster, and Slammer.
Hacker King/Queen – There are a few select individuals who are at the cutting edge of computer security. These are the people who discover most security vulnerabilities, develop new classes of attacks, and come up with new methods of designing software and intrusion detection systems to combat security threats. Reputable security research institutions typically will have one or two hacker kings/queens, and large organizations like Microsoft, Carnegie Mellon University, or the government may have several. These people are well-known within their communities, which may or may not be public (e.g. organized crime, military, academia, etc.). Those who do work in the public realm may be found giving exciting presentations at top security conferences. Examples include Sam King and Joanna Rutkowska, who independently developed new virtual machine-based rootkits that are extremely difficult to detect and remove. Dawson Engler and company have also done a lot of research on new methods for automatically finding bugs in software, which has led to the discovery of several new exploitable security vulnerabilities. (See “Five Hackers Who Left a Mark on 2006” for other examples.) As far as the value of their time, hacker kings/queens are the type that could start their own companies or serve as the vice president of technology for an existing security company. Many are not motivated by money and work for the government or non-profit organizations, but would likely be worth in excess of $300,000/year working in a private enterprise.
As always, the boundaries between these groups are not clear-cut. However, the groups should give you a general picture of the hacking job market. The hacker-hour rates associated with each group lead to a methodology for determining the approximate cost of different attacks.