The link between ethical hacking and penetration testing is fairly obvious, as the former frequently requires the latter’s use. Ethical hacking is the attempt by employees of a company to hack into that company’s system or network in order to expose flaws or ways in which a malicious attack could be launched against that company. Penetration testing is the process of attempting to break into a secure system in order to simulate how a malicious attacker might attack it. This means that companies frequently hire people to conduct ethical hacking and penetration testing for them.
A “white hat” hacker is someone who is hired by a company to perform ethical hacking and penetration testing on that company’s system. He or she uses the same methods and software as a “black hat” hacker who might attack a system in order to obtain information for malicious purposes. If a white hat hacker does gain access to a system, however, he or she must report the system’s vulnerabilities as well as how the attack was carried out. A black hat hacker would most likely keep such information hidden and use it for personal gain.
The way both terms are used in the computer security industry has led to an association between ethical hacking and penetration testing. White hat hackers frequently use the term “ethical hacking” to describe the services they offer. For all intents and purposes, someone engaged in ethical hacking is attempting to gain access to a secure system or network using the same methods and software that a malicious hacker might use. The main distinction between ethical hacking and malicious hacking is that an ethical hacker does not install malicious software in a compromised system or use it for personal gain.
Penetration testing is one of the most common methods for achieving ethical hacking. This is essentially an attempt to breach a system’s or network’s security. Ethical hacking and penetration testing are used to ensure that flaws are discovered through continuous testing and to provide information on how to fix those flaws.
“Black box” testing means that an ethical hacker has no prior knowledge of the system he or she is attempting to access and is attacking it in the same way that an outsider would. This simulates an attack from the outside against a company. In contrast, “white box” testing gives an ethical hacker information about the system in order to simulate an attack by a hacker with inside knowledge of the system, such as a former employee’s attempt.