You’ve probably heard the phrase “you don’t know what you don’t know”. It’s a stage of learning most people find themselves in at one time or another. When it comes to cybersecurity, hackers succeed by finding the security gaps and vulnerabilities you missed. That’s true of malicious attackers. But it’s also true of their equivalent on your side: a certified ethical hacker.

A certified ethical hacker (CEH) can be one of your best specialists for protecting against threat actors.

What Is Ethical Hacking?

An ethical hacker is a professional penetration tester, an offensive security researcher, or a consultant or employee who practices the dark arts of cyber hacking. The term ‘ethical hacking’ was coined in the 1990s by former IBM executive John Patrick to distinguish constructive hackers from the emerging world of cyber criminals.

Both ethical and malicious cybersecurity gurus can use similar techniques to breach systems and access data on corporate networks. The difference is that one seeks to exploit flaws and vulnerabilities for personal gain, while the other seeks to fix them for the benefit of their client. Ethical hackers are also sometimes called white hat hackers (as opposed to attackers, or black hats). Ethical hackers use their attacking skills for the benefit of the ‘victim’.

What all ethical hackers have in common is that they try to see the client’s system from the threat actor’s point of view.

Freelance ethical hackers, doing the work because of the rewards offered by bug bounties or just the challenge of it, can help find vulnerabilities. Anyone can practice ethical hacking. But only certified ethical hackers have proven they have the range of knowledge most organizations should be looking for.

What Are Certified Ethical Hackers?

Certified ethical hacker certification for non-governmental organizations exists on two levels. The basic CEH certification is granted after passing a knowledge test. The next level, CEH Master, requires succeeding at pen testing on simulated systems.

Three major groups issue CEH licenses: the International Council of E-Commerce Consultants, the Certified Penetration Tester course offered by the Information Assurance Certification Review Board, and the Global Information Assurance Certification. You can find education and test prep for CEH through a number of online sources. Both the training and the testing can be done online.

Ambitious young cybersecurity workers can (and probably should) gain CEH certification as part of their training. It’s helpful even if they have no intention of working as a full-time CEH.

What Skills Do Ethical Hackers Possess?

A certified ethical hacker calls on three broad skill areas. The first is the skill and knowledge needed for finding gaps and vulnerabilities. One key element of this training is breadth. Because of the certification process, expect CEH specialists to lack blind spots in the general areas of hacking.

The second is creativity — thinking outside the box and trying surprising ways to breach networks. This is actually a bigger part of the work than it sounds. Clients that employ CEHs should try to have protection from all kinds of hacks. The role of the CEH is to find the blind spots, the gaps and vulnerabilities that have fallen through the cracks.

And the third is trustworthiness — the professional practice of gaining access to sensitive company data while always safeguarding it and never abusing the access granted by the client. CEH pros must take the ethical part of their title seriously. In addition to keeping the sensitive or private data they gain access to private and secure, CEHs limit their social engineering to ethical versions of it. For example, it’s ethical to drop a thumb drive in the parking lot to see if an employee picks it up and plugs it in. But it’s unethical, and against the code of the CEH profession, to use threats of violence or violations of personal employee data.

How You Can Use Ethical Hackers

A certified ethical hacker can be very helpful to your organization’s cybersecurity efforts. Here is a short list of what they can bring to the table:

  1. Finding vulnerabilities, whether they’re gaps in software, physical security or policy
  2. Dumpster diving and scanning public websites for information that can help an attack
  3. Port scanning with port scanning tools to find open ports
  4. Figuring out how threat actors can evade firewalls, honeypots and intrusion detection systems
  5. Penetration testing (the difference between pen testing and ethical hacking in general is that pen testing is scheduled and more narrowly focused on specific aspects of cybersecurity)
  6. Helping run a cybersecurity crisis simulation
  7. Exposing insider threats
  8. Participating in and helping organize red team/blue team exercises
  9. Performing network traffic analysis
  10. Conducting a wide variety of covert social engineering hacks, which test not only cybersecurity systems and policies, but also employee knowledge, awareness and readiness
  11. Scrutinizing and testing patch installation processes to make sure your employees conduct them in a way that works best
  12. Educating the security team on the latest methods used by cyber criminals

In short, CEHs can function as the beta tester or quality assurance engineer for your cybersecurity defense ‘product’.

What If You Don’t Have a Certified Ethical Hacker?

CEHs are great to have on staff. But if you don’t have one, you can hire a freelancer to do the job. Freelance ethical hackers offer hacking as a service, just as the bad guys do.

Another lower-cost option is to organize an internal team to try their hand at ethical hacking. It’s probably not as good as hiring a certified ethical hacker, but better than nothing. Or, you could offer bounties for people outside the business to try their hand at breaching your cyber defenses.

The bottom line is that the work of CEHs can be extremely valuable. You need to put your investment in cybersecurity infrastructure, expertise, employee training and all the rest to the test.
