“Hacking” is the first thought that comes automatically to one’s mind when you mention “Information security”. From the sublime Computer professional to the amateur computer user, everyone understands the term perfectly. With technological advances, hacking and other exploits have shown an exponential increase in the world. “Hacking” is using sophisticated and new ways to infiltrate systems without the user’s explicit permission and knowledge to grab personal data, financial information and cause other damage.
In the light of this explanation, there are two terms that are used interchangeably and often confused. They are “ethical hacking” and “pen testing”. This post first explains the different types of hackers and explains the term “pen testers” and details the differences between them.
Types of hacking:-
While the word “hacking” is commonly strewn around, did you know that there are different types of hackers? Some of them are “white hat hackers”, “black hat hackers” and “grey hat hackers”.
The latest example of this type of hacker wreaking havoc is the ‘Capital One’ data breach where the personal information of 106 million customers was compromised (Source: @ cnet) White hat hackers: “To beat a hacker, you have to think like one …” is a saying I read long back…and that is exactly what “white hat hackers” or “ethical hackers” do. They are employed by corporations to find vulnerabilities, flaws, backdoors, security weaknesses within the rules prescribed to improve the security posture of an organization. “Ethical hackers” then have to disclose the findings of the flaws that have been detected during the course of their analysis. The process of “ethical hacking” encompasses all the procedures and attack methods.
Having talked about hackers and “ethical hacking” let us see what ‘pen testing’ is;
“Penetration testing” or “Pen testing” involves discovering vulnerabilities, risks and flaws on target systems. This almost sounds similar to a “ethical hacker” but is more limited in scope. Some of the tools that can be used to perform a pen test are Wireshark, Metasploit and Nmap. The pen testing findings are then used to strengthen the security posture of the system by plugging in the vulnerabilities that have been discovered. It is important to note that “pen testing” is not a one-time test. It has to be done periodically by the organization since new security threats are emerging every day.
Having seen the definitions of “ethical hacking” and “pen testing”, let us now list the differences between the two: