Often, when we think of hackers we see a hooded person, tapping away on their keyboard in a dark room with neon lit screen, mirroring a scene from Mr Robot. However, whilst hacking, or penetration testing as we like to call it, is really interesting work, it’s often delivered in a professional setting by teams of highly intelligent professionals.
We wanted to provide some high-level insight into the difference between hacking in accordance with the law and also what type of testing can be considered as illegal. Illegal hacking includes:
Hacking for fun – Most hackers love what they do, it is a passion as much as a job. However, conducting hacking activity against a company or a person without their permission is viewed as an offence under the Computer Misuse Act 1990 “unauthorised access to computer material”.
The Computer Misuse Act (1990) is one of the primary pieces of legislation that covers hacking offences, along with other pieces of legislation such as the Data Protection Act 2018.
Hacking for political purposes – When a political party, politician or specific campaign resonates with hackers they can often take the law into their own hands by hacking personal accounts, websites, emails and/or networks relating to political parties. This happened recently to Donald Trump during the US presidential election.
Hacking as part of organised crime – Often when it comes to organised crime hacking is big business and can be very sophisticated in nature. Hacking for profit has proven extremely lucrative and the techniques used mean that hackers can often evade law enforcement.
Hacking for notoriety – These types of attacks are normally performed by the younger generation of hacker along with script kiddies trying to prove their knowledge to groups they may belong to. These types of attacks are often website defacements but, in some cases, can be larger in scale.
Predominately these forms of hacking are illegal, as there is no authorisation for these individuals to access or conduct active testing on these systems, which subsequently leads into a number of additional offences. Individuals who perform this activity are often referred to as Black Hat Hackers — you read more about them here.
The other side of the coin
When it comes to legal forms of hacking, there are generally several kinds, including:
Research – This type of hacking consists of passive techniques, which means (without being too granular) conducting activity that does not actively impact on a computer, system or service. Online reconnaissance, researching only data and viewing websites encryption details could be seen as passive. Honeypots are another form of research and can be very useful in understanding how hackers conduct attacks and what type of techniques they are utilising.
Bug Bounty – Many organisations such as Twitter and Facebook offer monetary rewards for vulnerabilities found in their systems. Hackers often have careers trying to find vulnerabilities known as Zero Days and once found they submit them to the relevant company and subsequently get rewarded.
Professional Penetration Testing – Working as a penetration tester is one of the best legal ways for security professionals to apply their skills and make a career out of hacking. Bridewell has a number of penetration testers who conduct this form of hacking, dedicated to checking our customers’ systems and finding vulnerabilities before malicious hackers do We do this with the full permission of our customers and the scope of what to test and for how long is generally agreed beforehand. The types of penetration testing include:
- Web Application Penetration Testing
This is where a company requires their website or web applications tested and many testers use the OWASP Top 10 vulnerabilities to assess the systems against.
- Infrastructure Penetration Testing
This is where company may have a network consisting of servers, routers, switches, firewalls and PCs. A company or individual will be procured to conduct penetration testing on all of this equipment
- Mobile Device and Mobile Application Penetration Testing
Mobile device penetration testing can be the act of performing a security assessment against devices that access or hold sensitive information and their physical security, as well as performing penetration tests against applications that are created specifically for mobile devices such as applications on the iOS and Android platforms. This type of testing is similar to a web application test.
Red team engagements are full attack simulations of what a real-world attack would look like. Penetration tests are normally scoped with only a portion of the infrastructure available to test with everything else being out-of-scope. Red team assessments can take weeks and even months to complete as the team performing the engagement will perform a hefty amount of reconnaissance against the target before slowly progressing into active testing and attempting to be as quiet and undetected as possible. In this type of testing everything can be in scope including social engineering and physical entry assessments.
There is often a perceived fine line between operating within the law and outside of it. Hackers are generally very inquisitive by nature; it is a key trait of being a good hacker/penetration tester. But ultimately organisations need to be prepared for the illegal kind and invididuals should have approval prior to commencing any testing. This is why proactive penetration testing of your systems is critical to protecting your data and business when operating online. Vulnerability scanning, and web application scans are a good way of checking for vulnerabilities, but they only provide part of the process a real hacker would go through in order to get access to your system and data and in some scenarios your premises.
Penetration testing involves several additional stages and techniques, which can go way beyond simple scans of your network. If this is something you are interested in, Bridewell is a CREST Registered penetration testing service company and one of our expert penetration testers can discuss your requirements and provide you with some sound advice on protecting your systems and data.