If someone tells you they are a hacker, you might automatically have a negative opinion about them. You might form a mental picture of a mysterious figure sitting in a dark room, their face lit only by the glow of a computer screen. And you might be right – but not necessarily. It’s possible the person who tells you this does so proudly, because their work as a hacker is not only legal but extremely important. They might be a white hat hacker.
What is a white hat hacker?
A white hat hacker is a security hacker whose work is done ethically and in line with the law. In fact, they are also sometimes called “ethical hackers” and their work is sought after by both companies and governments. A white hat hacker uses his or her hacking skills to identify security failures and vulnerabilities in networks or software.
White hat hackers only begin hacking to discover these vulnerabilities when they are legally permitted to do so. This is sometimes called “penetration testing” and it is done with the organization’s knowledge and approval (in fact, they’re paying the white hat hacker to hack them).
Often, white hat hackers were once “bad guys” – the so-called black hat hackers (more on these colorful hats soon) who used to do their hacking outside the law, and with malicious intent. This is where many of them developed their unique skills and understanding of computer networks, and their talent is so in-demand that many governments are keen to offer amnesty for their unlawful hacking if they join the good guys.
What is the difference between a white, a black and a gray hat hacker?
Those aforementioned black hat hackers – the bad guys – are at the opposite end of the spectrum, and are the ones more accurately described by the unsavory mental image you first imagined. Their hacking is done outside the law, often with malicious intent. They may seek to disrupt networks, steal data, or crash companies’ or agencies’ websites.
Gray hat hackers fall somewhere in between white hats and black hats. Gray hat hackers work to discover and expose vulnerabilities in networks, hardware, and software, just as white and black hats. Like black hats, they often work without clear legal authority, and their work therefore typically violates the law. Unlike black hats, however, they do not hack for malicious reasons – most often, their intent is actually to bring weaknesses to the attention of the owners, with the goal of improving system and network security.
However, gray hats are not white hats. While white hat hackers work explicitly for those they hack and alert only their employers to potential vulnerabilities, gray hat hackers often lack this formal business relationship, and report their findings differently. Gray hat hackers expose the vulnerabilities and flaws they find not only to the company or other “target” but to the general public as well – and thus to black hat hackers. It’s quite commonly assumed that a gray hat's intention is to show off their skills and gain notoriety and appreciation.
So where do all these hat colors come from? We have American cinema to thank, and in particular Westerns, in which heroic cowboys often wore white hats, while the villainous cowboys wore black hats.
What are the key concepts of white hat hacking?
The work of white hat hackers helps companies, government agencies, or other organizations make sure that their cyber networks and computer systems are as secure as possible. That makes all of us safer. Our personal data may be stored by multiple companies, so it’s important that it is kept securely and not vulnerable to black hat hackers.
This makes the work of white hat hackers extremely valuable. How do they do it? White hats will scan networks for malware and impersonate a black hat hacker by using the same methods to pretend to attack the systems, even sending phishing attacks to unsuspecting staff in order to see if they would fall victim to an actual attack by, for instance, clicking on a link in an email.
White hat hackers are one of the primary reasons why large organizations and government entities often have less downtime and fewer issues with their websites. Many of them also provide the “good guys” with extensive knowledge of black hat hacking operations, as many used to be black hats themselves.
Crucially, one of the key concepts to white hat hacking work is that it always follows certain “rules of engagement” – white hats will never hack beyond what is necessary to do their work, and they will always do so in a way previously agreed by the organization they are ethically hacking. Also important is how they report – white hat hackers will disclose their findings, including potential network vulnerabilities – only to the entity they were hacking, and not the public. This prevents their results from being known to black hats.
How does ethical hacking work?
Regardless of the color of their hat, hackers who perform typical hacking work like penetration tests all use the same techniques. As we know, however, white hat hackers do it in order to help an organization improve its security. So what are the common techniques used?
Pen testing: White hat hackers use their skills to identify possible system entry points and vulnerabilities and then attempt to penetrate (the “pen” in pen test) the organization's network or exposed system.
Email phishing: White hat hackers will conduct anti-phishing campaigns to identify possible issues within an organization's network before an actual attack can occur. Email phishing is a technique to trick email recipients into providing sensitive personal information or opening a malicious file or link.
Denial-of-service (DoS) attack: DoS attacks temporarily disrupt or weaken the performance of a system or network, often causing it to go offline or become otherwise unusable for people. White hat hackers are often employed to simulate DoS attacks in order to help a company create a set response should such an attack actually occur.
Social engineering: Social engineering attacks take advantage of human nature and trust in order to trick employees into breaking security protocols or giving away sensitive information. To combat these attacks, white hat hackers may use behavioral techniques to test the security level of a company's systems.
Security scanning: White hat hackers will develop ways to automate the process of finding vulnerabilities.
Are there any issues with white hat hacking?
Although the work of white hat hackers is essential to create robust and effective IT security, their work is not without issues. They often have restrictions placed on them during their activities, blunting their effectiveness. On the other hand, their tests and simulated attacks can cause system crashes or data breaches, which could cost companies both revenue and customers.
The work of white hat hackers may also be brought into question when it is confused with ethical – but not white hat – hacking. Let’s say you’re a computer hacker – an ethical hacker, at least in your mind – and one morning you want to see if there are any vulnerabilities with your online banking system. If you discover any, you’ll notify your bank (and only your bank) so they can fix it. White hat to the rescue, right? Many would say no. Even though your intentions were noble (unlike a black hat), and you wouldn’t alert anyone but the bank of your findings (as a gray hat often would), your hacking was not actually done at the direction of the bank. You were not contracted to do the hacking, and thus it was not exactly legal.
A similar example actually happened recently in Germany. In August 2021, a hacker alerted the Christian Democratic Union (CDU) party that there was a security vulnerability in its election campaign app. How did the CDU respond? It pressed charges against the hacker. The hacker did everything a white hat hacker would do – their intent was noble, their hacking was purposeful and targeted, and they alerted only the app owner and developers. But because no formal work contract or professional relationship of any kind existed between the hacker and the CDU, some saw the hack as malicious and unethical.
Evaluating such acts from a human rights perspective can be difficult. Although we strongly believe that law must be followed unless you have a very good reason not to follow it, sometimes you do have such reasons. And even though it is against the law to hack without permission, if you can prove that your acts were not dangerous to society and you were motivated by the public good, you will quite probably be acquitted.
These issues can make the work of “ethical hackers” controversial. But despite this, it is quite clear that white hat hackers deliver an important service not only to the organizations they work for, but to the general public as well. With so much of our lives now online, we need to know that our freedoms and democratic values are no less secure because of it.
Further reading on this topic: