Wikipedia

White hat (computer security)

A white hat (or a white-hat hacker, a whitehat) is an ethical security hacker.[1][2] Ethical hacking is a term meant to imply a broader category than just penetration testing.[3][4] Under the owner's consent, white-hat hackers aim to identify any vulnerabilities or security issues the current system has.[5] The white hat is contrasted with the black hat, a malicious hacker; this definitional dichotomy comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat, respectively.[6] There is a third kind of hacker known as a grey hat who hacks with good intentions but at times without permission.[7]

White-hat hackers may also work in teams called "sneakers and/or hacker clubs",[8] red teams, or tiger teams.[9]

History

One of the first instances of an ethical hack being used was a "security evaluation" conducted by the United States Air Force, in which the Multics operating systems were tested for "potential use as a two-level (secret/top secret) system." The evaluation determined that while Multics was "significantly better than other conventional systems," it also had "... vulnerabilities in hardware security, software security and procedural security" that could be uncovered with "a relatively low level of effort."[10] The authors performed their tests under a guideline of realism, so their results would accurately represent the kinds of access an intruder could potentially achieve. They performed tests involving simple information-gathering exercises, as well as outright attacks upon the system that might damage its integrity; both results were of interest to the target audience. There are several other now unclassified reports describing ethical hacking activities within the US military.

By 1981 The New York Times described white-hat activities as part of a "mischievous but perversely positive 'hacker' tradition". When a National CSS employee revealed the existence of his password cracker, which he had used on customer accounts, the company chastised him not for writing the software but for not disclosing it sooner. The letter of reprimand stated "The Company realizes the benefit to NCSS and encourages the efforts of employees to identify security weaknesses to the VP, the directory, and other sensitive software in files".[11]

The idea to bring this tactic of ethical hacking to assess the security of systems and point out vulnerabilities was formulated by Dan Farmer and Wietse Venema. To raise the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. Their program called Security Administrator Tool for Analyzing Networks, or SATAN, was met with a great amount of media attention around the world in 1992.[9]

Tactics

While penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects in protocols and applications running on the system, and patch installations, for example – ethical hacking may include other things. A full-scale ethical hack might include emailing staff to ask for password details or rummaging through executive dustbins, usually without the knowledge and consent of the targets. Only the owners, CEOs, and board members (stakeholders) who asked for a security review of this magnitude are aware of it. To try to replicate some of the destructive techniques a real attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late at night while systems are less critical.[12] In the most recent cases these hacks are sustained as a long con (days, if not weeks, of human infiltration into an organization). One example is leaving USB flash drives with hidden auto-start software in a public area, as if someone had lost the small drive, so that an unsuspecting employee finds it and takes it.

Some other methods of carrying out these include:

- Disk and memory forensics
- DoS attacks
- Frameworks such as Metasploit
- Network security
- Reverse engineering
- Security scanners such as Burp Suite, Nessus and W3af
- Social engineering tactics
- Training platforms
- Vulnerability research

These methods identify and exploit known security vulnerabilities and attempt to evade security controls to gain entry into secured areas. They do this by hiding software and system 'back-doors' that can be used as a path to information or access that a non-ethical hacker, also known as a 'black hat' or 'grey hat', may want to reach.

Legality

Belgium

Belgium legalized white hat hacking in February 2023.[13]

United Kingdom

Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com says "Broadly speaking, if the access to a system is authorized, the hacking is ethical and legal. If it isn't, there's an offense under the Computer Misuse Act. The unauthorized access offense covers everything from guessing the password to accessing someone's webmail account, to cracking the security of a bank. The maximum penalty for unauthorized access to a computer is two years in prison and a fine. There are higher penalties – up to 10 years in prison – when the hacker also modifies data". Unauthorized access even to expose vulnerabilities for the benefit of many is not legal, says Robertson. "There's no defense in our hacking laws that your behavior is for the greater good. Even if it's what you believe."[4]

Employment

The United States National Security Agency offers certifications such as the CNSS 4011. Such a certification covers orderly, ethical hacking techniques and team management. Aggressor teams are called "red" teams. Defender teams are called "blue" teams.[8] When the agency recruited at DEF CON in 2020, it promised applicants that "If you have a few, shall we say, indiscretions in your past, don't be alarmed. You shouldn't automatically assume you won't be hired".[14]

A good "white hat" is a competitive, skilful employee for an enterprise, since they can act as a countermeasure by finding the bugs that would otherwise expose the enterprise network environment. A good "white hat" can therefore bring unexpected benefits by reducing the risk across an enterprise's systems, applications, and endpoints.[15]

Notable people

- Tamer Sahin (born 1981), Turkish white hat hacker

See also

- Bug bounty program
- IT risk
- MalwareMustDie
- Wireless identity theft

References

  1. ^ "What is white hat? - a definition from Whatis.com". Searchsecurity.techtarget.com. Retrieved 2012-06-06.
  2. ^ Okpa, John Thompson; Ugwuoke, Christopher Uchechukwu; Ajah, Benjamin Okorie; Eshioste, Emmanuel; Igbe, Joseph Egidi; Ajor, Ogar James; Okoi, Ofem Nnana; Eteng, Mary Juachi; Nnamani, Rebecca Ginikanwa (2022-09-05). "Cyberspace, Black-Hat Hacking and Economic Sustainability of Corporate Organizations in Cross-River State, Nigeria". SAGE Open. 12 (3): 215824402211227. doi:10.1177/21582440221122739. ISSN 2158-2440. S2CID 252096635.
  3. ^ Ward, Mark (14 September 1996). "Sabotage in cyberspace". New Scientist. 151 (2047).
  4. ^ a b Knight, William (16 October 2009). "License to Hack". InfoSecurity. 6 (6): 38–41. doi:10.1016/s1742-6847(09)70019-9.
  5. ^ Filiol, Eric; Mercaldo, Francesco; Santone, Antonella (2021). "A Method for Automatic Penetration Testing and Mitigation: A Red Hat Approach". Procedia Computer Science. 192: 2039–2046. doi:10.1016/j.procs.2021.08.210. S2CID 244321685.
  6. ^ Wilhelm, Thomas; Andress, Jason (2010). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Elsevier. pp. 26–7. ISBN 978-1-59749-589-9.
  7. ^ "What is the difference between black, white, and grey hackers". Norton.com. Norton Security. Retrieved 2 October 2018.
  8. ^ a b "What is a White Hat?". Secpoint.com. 2012-03-20. Retrieved 2012-06-06.
  9. ^ a b Palmer, C.C. (2001). "Ethical Hacking" (PDF). IBM Systems Journal. 40 (3): 769. doi:10.1147/sj.403.0769.
  10. ^ Karger, Paul A.; Schell, Roger R. (June 1974). Multics Security Evaluation: Vulnerability Analysis (PDF) (Report). Retrieved 12 Nov 2017.
  11. ^ McLellan, Vin (1981-07-26). "Case of the Purloined Password". The New York Times. Retrieved 11 August 2015.
  12. ^ Seitz, Justin; Arnold, Tim (April 14, 2021). Black Hat Python, 2nd Edition: Python Programming for Hackers and Pentesters. No Starch Press. ISBN 978-1-7185-0112-6.
  13. ^ Drechsler, Laura; Somers, Charlotte; Vranckaert, Koen (3 May 2023). "Belgium legalises ethical hacking: a threat or an opportunity for cybersecurity?". CITIP blog. Retrieved 7 May 2023.
  14. ^ "Attention DEF CON 20 attendees". National Security Agency. 2012. Archived from the original on 2012-07-30.
  15. ^ Caldwell, Tracey (2011). "Ethical hackers: putting on the white hat". Network Security. 2011 (7): 10–13. doi:10.1016/s1353-4858(11)70075-7. ISSN 1353-4858.
