Ethical Hacking…

First off, what is ‘hacking’ according to the dictionary:-

hacking present participle of hack (Verb)
Cut with rough or heavy blows.
Ride a horse for pleasure or exercise.

OK, so my dictionary is a bit ‘old’, like myself. When I started computing at school, just about everyone who spent after-school hours learning computers and coding, learning new tricks to get things to run faster and ‘better’, could decipher someone else’s code, and above all else actually enjoyed all of this was looked at and called a hacker.

On-line systems in those days consisted of a few dial-up bulletin boards, some scattered on-line dial-up services and the Prestel service; the internet and the world-wide web hadn’t been invented.

Sure, people started trying to get into ‘on-line’ systems to look round and change things, and this was called cracking, done by crackers. To stop running up huge phone bills people learned about phone phreaking, but this came later to the UK, since we still had a lot of analogue phone systems, which limited it.

This definition of ‘hacking’ has since changed somewhat into the more modern form, as defined by the Urban Dictionary:-

Hacking is the gaining of access (wanted or unwanted) to a computer and viewing, copying, or creating data (leaving a trace) without the intention of destroying data or maliciously harming the computer.

This represents the good guys most of the time, for they are the ones who search for these exploits to prevent crackers, who use a method called cracking (the opposite of hacking).

Hacking and hackers are commonly mistaken to be the bad guys most of the time. Crackers are the ones who screw things over as far as creating viruses, cracks and spyware, and destroying data.

So what is ‘ethical hacking’? The generally accepted term is used by the ‘white hat hackers’ (the good guys), who, at the request of the owners of a system, attempt to get into that system, document what they find, state what the security flaws in the system are, and give advice on how to make it more secure. Companies are obliged to perform such tests on a regular basis to meet some regulations, and to protect the company from the ‘black hat’ hackers and crackers (the bad guys) who would cause harm to the system and thus cost time, money or lives.

I hold EC-Council Certified Ethical Hacker (CEH) and EC-Council Certified Security Analyst status, as well as Cisco CCNA Security, and I’m working on my Cisco CCNP Security. So, this makes me a ‘good guy’, or does it?

In the UK there is no ‘government approved’ status for Ethical Hacker. In the USA and parts of Europe I can get an FBI/police check done and then get a licence for ethical hacking. I can then put the plaque up on the wall and go and seek business.

In the UK, since there is no ‘licensing’ of ethical hacking, anyone can set up shop. There is a mix of ‘accreditations’ one can hold, such as CISSP, CISM, CISA, GIAC and similar, and a company can get ISO 27001, the formal set of specifications against which organisations may seek independent certification of their Information Security Management System (ISMS).

But nowhere can an independent contractor get a ‘licence’ to practise in this country.

Now, what does this mean? Well, the big companies such as Deloitte who do financial audits employ ethical hackers, and will charge a company a nice sum to audit its IT systems, but where does this leave the Ma and Pa shops and small businesses?

The UK government states that small businesses are the key to the UK’s success, and if you look into Europe you can see this works well for the Germans. But is this lack of ‘control/licensing’ going to hurt the small companies? After all, they have no way of telling whether the guy trying to sell them a ‘service of an ethical hacking test’ can be trusted to any level or set of standards, and you can’t expect them to pay for the big guys to do the job, even IF the likes of Deloitte would do such a small job…


Repost from