Ethical hacking protects computer systems by breaking into them
Over Winter Break, Rutgers saw its networks besieged by two separate Distributed Denial of Service (DDoS) attacks. In previous years, articles said the networks had been “hacked,” but in reality, hacking is a very different type of attack.
Hacking is part of the cryptography field because it requires so-called hackers to “break code,” said Dylan Herman, a School of Engineering sophomore. Ethical hacking, also known as penetration testing, is a legal and growing aspect of the digital age.
“(But) hacking isn’t really aimed at breaking codes, (and) it’s also not programming, because a good programmer can have terrible security,” he said.
Herman was a member of the Cyber-Knights, a club aimed at teaching students about ethical hacking. At the moment, the club is defunct.
This type of system-breaking is designed to let companies protect their computers by finding security holes before attackers do, according to the SANS Institute.
Hacking into systems is very different in real life when compared to the characters depicted in movies, Herman said.
“A lot of people have this misconception from entertainment, and they think it’s when people code,” he said. “It’s a lot cooler in movies and shows.”
Cryptography has two essential rules when securing a system. The first relates to authentication, where the recipient of some data has to verify it came from the right source. The other is encryption, or making sure no one else can see the data, he said.
Hacking computing systems is a way for attackers to take advantage of flaws in security, sometimes by finding weaknesses in either the authentication or encryption protocol.
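To make the two rules above concrete, here is an added example (not code from the article or from the Cyber-Knights) showing how authentication and encryption work together: the sender encrypts, then attaches an authentication tag, and the receiver checks the tag before trusting a single byte of the decrypted data. The keystream, keys, nonce and message are all constructed for this example; the construction uses only the Python standard library so it runs offline, and a production system would use a vetted AEAD cipher such as AES-GCM instead.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: an "encrypt-then-MAC" scheme built from stdlib
# primitives.  The keystream is HMAC-SHA256 over a counter (a toy stand-in
# for a real stream cipher); the tag is HMAC-SHA256 over nonce||ciphertext.


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from (enc_key, nonce) by hashing a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encryption rule: hide the data.  Authentication rule: tag what was sent."""
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag first; only then decrypt.  A bad tag rejects the message outright."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # compare_digest runs in constant time so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message rejected")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def rejects_tampering(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bool:
    """Return True if a single flipped ciphertext bit is caught by the receiver."""
    ciphertext, tag = encrypt(enc_key, mac_key, nonce, plaintext)
    altered = bytearray(ciphertext)
    altered[0] ^= 0x01  # constructed in-transit modification of one bit
    try:
        decrypt(enc_key, mac_key, nonce, bytes(altered), tag)
    except ValueError:
        return True
    return False


def demo() -> bool:
    """Round-trip a constructed message and confirm tampering is detected."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"constructed sample message"
    ciphertext, tag = encrypt(enc_key, mac_key, nonce, msg)
    ok_roundtrip = decrypt(enc_key, mac_key, nonce, ciphertext, tag) == msg
    return ok_roundtrip and rejects_tampering(enc_key, mac_key, nonce, msg)


if __name__ == "__main__":
    print("round-trip and tamper detection OK" if demo() else "FAILED")
```

The order matters: the receiver verifies before decrypting, so a message that fails the authentication rule is never processed, and separate keys are used for the two jobs so a weakness in one does not undermine the other.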
There are several steps in the process, Herman said. The first is passive reconnaissance, where an attacker researches the target. It is followed by active reconnaissance, which is an analysis of the technical aspect.
“The third step is exploitation, which is what all the effort goes to,” he said. “Exploitation works on a piece of software … it gives the hacker complete control over (the target) and its services.”
During this step, an attacker will create a back-door or put in some malicious software that will continue to give them information or access without requiring them to actively control the machine, he said.
“The exploitation (itself) is only meant to be a small, temporary hole,” he said. “The post-exploitation (does the real work).”
This is a technical form of hacking, but other forms include gaining access to systems by exploiting people, he said.
“There’s a form of hacking called social engineering, also known as ‘hacking the human,’ where instead of attacking the machine like email phishing, you pretend to be someone you’re not and you get a password from a person,” he said.
Social engineering revolves around convincing people that an attacker is not a threat, whether that is by pretending to be a worker at a company to gain access to its computers, or having an actual worker provide log-in information, he said.
Between 2013 and 2014, illicit activity involving hackers increased dramatically, to the point where nearly half of all adults in America had their information put at risk for theft, according to U.S. News and World Report.
This in turn has caused security as a field to grow as well, Herman said.
“Security is a very new field, but it’s becoming a very big field,” he said. “It’s starting to pay good money.”
Six years ago, the field grew 6 percent, according to PC World, with professionals earning up to six figures. At the time, experts predicted a 40 percent increase in security spending over the next five years.
“As technology evolves, and it’s evolving at an incredibly rapid pace, people want things done faster, and a lot is done by the Internet,” Herman said. “While that creates efficiency, (it also creates holes).”
At least part of this is because programmers do not usually focus on security, Herman said.
“Making a program and security is a lot,” he said. “You have to think not just ‘what will the user like,’ but also how to make it secure. Little things … can (bring sites down).”
Sometimes a program is made vulnerable due to laziness or because the person who created it did not think of all avenues for exploitation.
For these reasons, penetration testers are usually a separate group who focus less on the user interface and more on the potential vulnerabilities, he said.
According to Business In Vancouver, a single team of ethical hackers uncovered more than 100 possible exploits last year, and nearly 150 during the previous several years, all of which put various computing systems and companies at risk. Their goal is to ensure corporations can fix their vulnerabilities before attackers find them.
Unlike denying a system service, hacking requires practice and skill. While there are many resources online to help people learn the basics of hacking, they do not all translate well to attempting it in the real world, he said.
Helping students advance their skills is one aim of the Cyber-Knights. Herman plans to restart it this semester as a digital “Capture The Flag” club. He said it would be a fun way to teach people some of the basic abilities used in hacking.
“It’ll be interesting to see where it goes,” he said.