Last year, Cosmos Bank in Pune was attacked by cybercriminals. Hackers broke into the ATM server of the bank and stole the details of Visa and Rupay debit card owners. This attack resulted in a loss of Rs 94 crore for the bank as well as a major privacy breach for the users. Hackers are not always as cool as V from V for Vendetta with his Guy Fawkes mask and cool daggers, single handedly destroying fascism. Attacks like the one at Cosmos Bank are a threat not just to businesses but also to folks who use those businesses. How was it possible for hackers to pull off something as huge as the theft of INR 94 crores without even being physically present? Can it be stopped? Where does ethical hacking come into play? Let’s learn about this a little more.
What is hacking?
When we read the word hacking, we may instantly think of a black screen running endless lines of bright green code like Matrix, but really, what is hacking? To put it simply, hacking is using computer skills to find the weaknesses in a computer or a network and then, exploiting those weaknesses by gaining unauthorised access to the system or network.
Think of a computer or a network as a room. A hacker would survey the room from the outside, identify all the weaknesses in that room such as breakable windows, weak locks, etc., and find out ways to break into that room without raising any alarms.
Types of hacking
Based on the kind of target, hacking is divided mainly into five types.
1. Web application hacking: This type of hacking targets applications that require the use of the internet on your browser. It includes email programs, Google apps, shopping carts, online forms, etc.
2. System hacking: This type of hacking seeks access to individual computers on a network by cracking passwords, installing spyware into the system, etc.
3. Web server hacking: A web server is a computer that displays web content. Attacks on a web server can affect websites and the users as they are hosted on web servers.
4. Wireless network hacking: This kind of hacking involves intercepting wireless connection and traffic from non-secure networks. Hackers can steal sensitive user information—credit card numbers, passwords, etc. All devices incorporated with IoT capability, even modern washing machines, toasters, etc. are susceptible to attacks if they haven’t been secured properly.
5. Social engineering: Social engineering is very different from others as it requires the use of social skills for a hacker to manipulate and deceive people into revealing their personal information.
Types of hackers
Based on their reason for hacking, hackers are broadly divided into four types.
1. Black hat: Black hat hackers are also called crackers. They hack into systems or networks illegally with an intent to harm people or organisations. They are the burglars of the world of IT.
2. White hat: They’re also called ethical hackers. They’re the experts on information security and their work is completely legal. They safeguard computer networks and systems from malicious attacks.
3. Grey hat: As the name suggests, they’re a bit of both white and black hat. What they do is illegal, but they don’t have any malicious intent. Grey hat hackers are mostly recreational hackers and do it for fun.
4. Hacktivist: Hacktivists use hacking to promote their social or political cause. Hacktivism is usually anti-establishment – related to freedom of speech/information, human rights, etc.
There are a lot of myths that surround hacking—an image of a shady-looking guy sitting behind 20 screens hacking away into a bank’s system. As we saw earlier, there is “bad” hacking as well as “good” hacking or ethical hacking. So what is ethical hacking exactly and how is it different from the common notion of hacking? Let’s find out.
What is ethical hacking?
Let’s go back to the above-mentioned example of a room. A coder or programmer would simply build the room to function—four walls, a floor, a ceiling, windows, a door, etc. A black hat hacker would find the slightest vulnerabilities in that room to exploit and break in. That’s where an ethical hacker would come into the picture. It’s her job to find those weaknesses, patch them up, and make the room impenetrable so that a burglar is unable to get in. In other words, an ethical hacker needs to think like a black hat hacker but her work is completely legal and, you guessed it, ethical. While black hat hacking involves breaking into a system or network with malicious intent, ethical hacking is carried out with the permission of the owner of the target system or network to find vulnerabilities and figure out how they can be made secure.
To understand the basics of ethical hacking, let’s look at the process that ethical hacking typically follows.
Process of ethical hacking
1. Reconnaissance: In the first stage, hackers gather all the necessary information about the target—the domain name and its history, IP address, employee information, phone numbers, etc. This stage is also called footprinting.
2. Scanning: This stage involves scanning each component of the target’s entire system for any vulnerabilities that can be exploited. The hackers try to figure out how they would break into the system.
3. Gaining access: This is the stage when hackers directly break into the target system or network without raising any alarms, using various tools at their disposal—like Metasploit, Sn1per, THC Hydra, etc. Once they’ve entered the system, they raise their access level to admin so that they are free to move around within the system.
4. Maintaining access: In this stage, hackers create a backdoor in the system by creating their own vulnerability and uploading it into the system so that they don’t lose access to it.
5. Clearing tracks: This is a standard hacker protocol, white and black hat alike. In this stage, hackers remove all evidence of their unauthorised activity in the target system by deleting their history, log files, changing registry settings, etc.
6. Reporting: This is the final stage in the process of ethical hacking—one which differentiates it from illegal hacking. Here, hackers create a report of the process they followed as well as how vulnerabilities were found and utilised to gain access. The report also includes remedial strategies and techniques that would need to be employed in order to prevent these attacks in the future.
Now that you know what ethical hacking is, let’s see how to become an ethical hacker.
Skills required to learn ethical hacking
Good news is that you don’t have to be a programming expert or from a computer science background to learn ethical hacking. Following are some skills required to don that white hat.
2. Basic IT skills: Basic knowledge of your computer system and which cable goes where is knowledge enough. If you learn how to run a Windows Command Prompt or edit Windows registry, you’re already off to a good start!
3. Knowledge of key concepts: You will need to have a fundamental understanding of key concepts in hacking such as Vulnerability Assessment and Penetration Testing, SQL injections, etc.
4. Networking: Hacking is incomplete without networking, so another important skill you need to have in your bag is knowing the ABCs of computer networking and its elements which include proxy, VPN, processes like NAT and IP addressing, etc.
Careers in ethical hacking
As businesses become increasingly aware of the necessity for online security, the demand for cybersecurity experts has become so high that it is now one of the most popular and well-paid careers in the field of IT. So what options does a career in ethical hacking provide?
1. Financial services security: Financial institutions like banks stand to lose not just money but also the trust of their users if they’re attacked by cybercriminals. Therefore, they require the assistance of ethical hackers to keep their systems protected and maintain the trust of their users.
2. Wireless network security: Wireless networks of public spaces like hotels, malls, airports, etc. are usually not secure and are easy to duplicate or intercept. Ethical hackers are needed in order to secure these networks and ensure that sensitive user information is not stolen or misused.
3. Information security in businesses: All businesses that utilise technology are susceptible to attacks and need the expertise of ethical hackers in order to protect their web portals, user information, etc. from malicious attacks. Other areas where ethical hackers are required include IT companies, information security companies, defense organisations, forensic labs, etc.
[Author Sarvesh Agrawal is the Founder and CEO of Internshala, an internships and trainings platform (internshala.com)]