Module-01 - Ethical Hacking Notes

The document outlines the fundamentals of ethical hacking, covering the impacts of hacking, the various types of hackers, and the framework for conducting penetration tests. It details the financial and reputational costs associated with hacking, defines different hacker categories, and emphasizes the importance of planning and executing penetration tests effectively. Key phases of a penetration test include reconnaissance, enumeration, vulnerability analysis, and exploitation, each critical for identifying and mitigating security risks.

Uploaded by AtiK Khan


ETHICAL HACKING (BCY702)

MODULE-1
Introduction: Hacking Impacts, The Hacker
The Framework: Planning the test, Sound Operations, Reconnaissance, Enumeration,
Vulnerability Analysis, Exploitation, Final Analysis, Deliverable, Integration.
Security Program: The Process of Information Security, Component Parts of Information
Security Program, Risk Analysis and Ethical Hacking.

Introduction: Hacking Impacts, The Hacker

1) Hacking Impacts:
At the risk of stating the obvious, hacking (computer crime) can result in massive
financial losses for companies, governments, and individuals alike. The costs
associated with computer crime manifest themselves in various ways, ranging from
the obscure to a clear hit to the bottom line. The digital assets on which those costs
land fall into four major categories: resources, information, time, and reputation.

1. Resources. Resources are computer-related services that perform actions or tasks
on the user’s behalf. Core services, object code, or disk space can be considered
resources that, if controlled, utilized, or disabled by an unauthorized entity, could result
in the inability to capture revenue for a company or have an impact on an important
process resulting in the failure to meet expected objectives.
2. Information. Information can represent an enormous cost if destroyed or altered
without authorization. However, there are few organizations that assign a value to
information and implement the proportionate controls necessary to ensure its
protection. Data can be affected in several ways that will have a discernible cost related
to the type of effect: loss, disclosure, and integrity.
a. Loss. The loss of data is relatively easy to measure when compared to
disclosure and integrity. Information takes time to collect or produce, requires resources
to be managed, and will certainly (to some degree) have value. There are many
examples of intentional and unintentional acts resulting in the loss of information. Not
having a backup of your data when a hard drive fails is a painful experience we all hope
we have to survive only once.
b. Disclosure. Nearly every entity that uses information has the potential to be
negatively affected by its uncontrolled disclosure. Although the impact of an
unauthorized disclosure is one of the most difficult to measure, such a breach is
noteworthy because it represents the traditional fear of hacking: proprietary information
theft. If someone steals your car, there is a cost that can be quickly determined because
of the crime’s physical nature. Information, on the other hand, is intangible, and the
thief may not perceive content to be as valuable as the owner does; therefore, the
disclosure may have little or no impact. Contrary to the assumption of the hacker’s
ignorance, industrial espionage is the deliberate use of illegally obtained information
for the betterment of the competition. In any event, the exposure of critical information
could cost a company a great deal of money through competitive disadvantage or the
revelation of unwanted information to the public.
c. Integrity. Ensuring information is accurate and complete is necessary for
any organization. If data is manipulated, the result is a loss to its owner. This can be as
simple as an item that costs $99.99 being sold for $9.99 because an attacker found a way to
manipulate a cookie the shop trusted for the price and moved the decimal point one
position to the left; the practical lesson is that any value that originates on the client must
be re-derived or verified on the server. There are much more sinister examples that are very
difficult to equate with a financial loss. Integrity is also the foundation of several forms of
legislation. One of the most prevalent is the Sarbanes-Oxley Act, passed by the U.S.
government to ensure that financial reporting is accurate. Publicly traded companies use
vast computing systems to track financial metrics, so information security plays a
significant role in ensuring the data is accurate and that there is a record of changes.
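The $99.99 to $9.99 case above, worked as an added example (this code is not part of the notes): a checkout that trusts a price carried in the client's cart cookie, beside one that re-prices every line from the server-side catalogue and signs the cookie so any edit is detected. The catalogue, SKUs, signing key and cart contents are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from decimal import Decimal
from typing import Optional

# Constructed server-side catalogue: the only legitimate source of prices.
CATALOGUE = {"SKU-1001": Decimal("99.99"), "SKU-1002": Decimal("19.50")}

# Constructed signing key for the example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-only-not-a-real-key"


def vulnerable_total(cart_cookie: str) -> Decimal:
    """The flaw from the text: the server sums whatever prices the client sent."""
    cart = json.loads(cart_cookie)
    return sum((Decimal(item["price"]) * int(item["qty"]) for item in cart), Decimal("0"))


def hardened_total(cart_cookie: str) -> Decimal:
    """Takes only SKU and quantity from the client and re-prices from the catalogue."""
    cart = json.loads(cart_cookie)
    total = Decimal("0")
    for item in cart:
        sku, qty = item["sku"], int(item["qty"])
        if sku not in CATALOGUE or qty < 1:
            raise ValueError(f"rejected cart line: {item!r}")
        total += CATALOGUE[sku] * qty  # any client-supplied 'price' is ignored
    return total


def sign_cookie(payload: object) -> str:
    """Encode the payload and append an HMAC so any edit to it is detectable."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie: str) -> Optional[object]:
    """Return the payload only if the HMAC matches; None means tampered or malformed."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


if __name__ == "__main__":
    # Constructed cookie with the price moved one decimal place to the left.
    tampered = json.dumps([{"sku": "SKU-1001", "price": "9.99", "qty": 1}])
    print("vulnerable total:", vulnerable_total(tampered))
    print("hardened total:  ", hardened_total(tampered))
    cookie = sign_cookie([{"sku": "SKU-1001", "qty": 1}])
    edited = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    print("valid cookie accepted:", verify_cookie(cookie) is not None)
    print("edited cookie accepted:", verify_cookie(edited) is not None)
```

The signed cookie is a second line of defence only: even with a valid signature, the server still prices from the catalogue, because the signature proves the cookie is unmodified, not that its contents were ever true.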

3. Time. The loss of time can be related to costs in the form of payroll, not meeting critical
deadlines, or an unavailable E-commerce site that would normally produce thousands of dollars
in revenue if it were available. Anything that consumes time, consumes money, and
expenditures for recovering from an incident can represent the greatest form of financial loss.

4. Brand and Reputation. There are many companies who have very recognizable brands, so
much so that the color alone will promote images of the company. For example, Brown . . .
UPS. It wasn’t until mid-2002 that UPS started to take advantage of their color recognition and
started the “Brown” marketing campaign, “What can Brown do for you?” Very smart move on
their part. Blue and orange . . . FedEx. Even Coke seems to have taken ownership of the color
red.

2) The Hacker:
Definition:
A hacker originally meant a person who explored computers for fun and learning. Later, the
term was misapplied to computer criminals (more precisely called crackers). Today, “hacker”
is commonly used to mean someone who breaks into systems.

First of all, the term “hacker,” historically speaking, is inaccurate. In the early days of
computing a hacker was someone who investigated the workings of computers for fun and a
challenge. “Cracker” was the term for people who would break into computers to use them
for free or to consume their resources. Somewhere between the Internet revolution and the
movies, “hacker” was adopted to describe computer criminals.

Importance for security:

• Businesses and consultants must understand hacker society, their motivations, and status.
• Hackers can be internal threats (e.g., employees misusing access) or external threats
(unknown attackers on the Internet).
• Security testing must cover both internal and external hacker threats to measure risk fully.

TYPES OF HACKERS:

There are several types of hackers, but we can reduce them to three basic categories that we
can use to classify the adversary:

a. Script kiddies
b. Hackers
c. Über hackers

a. Script kiddies

Definition:
A script kiddie is an inexperienced hacker who uses tools created by others to perform attacks. They
lack deep knowledge but can still cause damage.

“Script kiddie” refers to a hacker wannabe who leverages tools created by other, more knowledgeable
hackers to perform malicious acts. There are several degrees of damage that can be caused by people
who fall into this category. Simply stating that they are less informed and unenlightened in the art of
hacking does not mean they are harmless.

Categories of Script Kiddies:

i. Unstructured – Random attacks without a plan.
ii. Structured – More focused, target-specific attacks using tools.
iii. Determined – Persistent attackers who repeatedly use tools until they succeed.

i. Unstructured:
Unstructured hackers are pranksters or nuisances who perform short-lived, juvenile attacks such
as port scans and minor log-filling activities. They lack skills to cover their tracks and often
hack for excitement or curiosity (recreational hackers). While their damage is usually limited,
internal employees doing such hacking can unintentionally affect critical systems and pose the
greatest threat.

ii. Structured:
Structured hackers use the right tools with opportunistic behavior to create large
impacts. A major example is DDoS attacks using tools like Trin00, where insecure
systems are turned into “zombies” to launch massive synchronized attacks. With the
rise of insecure PCs, cable modems, and free toolsets online, even script kiddies can
conduct destructive attacks, making them a serious threat.

iii. Determined:
Determined script kiddies rely on persistence rather than skill. By continuously trying
different attacks, they eventually succeed—sometimes by sheer luck. For example, a
young hacker in Texas compromised 200+ systems simply by not giving up and testing
every method until one worked. This shows determination greatly increases the chance
of success.
b. Hackers :
Definition:
Hackers are the next step after script kiddies. They explore computers for learning, challenge,
and social recognition, often inflicting chaos.

Characteristics of Hackers

Hackers are intelligent individuals who hack for education, challenge, and social status. They:

• Compete for recognition and power in the hacker community.
• Gain clout by controlling more remote systems.
• Are skilled in logic and problem-solving, thinking beyond traditional methods.
• Use creativity and technology together (e.g., the Fax Trick) to exploit systems.

Point: Unlike script kiddies, hackers rely on logic and innovation, not just ready-made tools.

Types of Hackers:

i. Malicious – Cause damage for power, revenge, or fun.
ii. Solvers – Hack to fix personal/technical problems.
iii. Hacktivists – Hack for political or social causes.
iv. Vigilantes – Hack against crimes (e.g., child exploitation, terrorism).

• Malicious:

Malicious hackers hack with the intent to damage, destroy, or disrupt information systems.
They include:

• Malware writers and those who corrupt or delete data.
• Motivated by hate, revenge, or desire for reputation.
• Sometimes destroy systems to cover their tracks after other attacks.
• Dangerous because they combine high skill with no conscience about the
consequences.

• Solvers:

Solvers hack systems mainly to fix a problem for themselves or others.

• They change or remove information to solve issues (e.g., deleting misconduct records,
obtaining software).
• Often hack to prove a point by exposing system weaknesses.
• Example: Hacker “Kane” (Netherlands) breached a Seattle hospital in 2000, exposing
5000 patient records to show poor security.
• Motivation is less about money and more about demonstrating insecurity in systems.

• Hacktivists:

Hacktivists are hackers who act for a social, political, or activist cause.

• Groups may include anarchists, racists, animal rights, or environmental activists.
• They target companies that oppose their beliefs (e.g., animal testing firms, mining
companies, software makers).
• Their attacks often harm law-abiding groups with similar goals.
• Hacktivism can also be used for “positive change” (electronic civil disobedience,
online activism).
• They are dangerous because of their strong motivation and persistence.

• Vigilante Hackers:

Vigilantes are hackers who attack targets they see as criminals or enemies of society, often
outside the law.

• Targets: Commonly focus on child pornography networks, terrorism-linked sites, or
groups they consider harmful.
• Motivation: A sense of justice, fighting “scum of the Earth.” They use hacking to
damage, disrupt, or stop such activities.
• Examples:
o After 9/11 (2001), vigilantes attacked the Iranian Ministry of Interior site and
the Afghan presidential site, taking it offline for nearly a month.
• Law & Ethics Issues:
o Even though their intentions may be noble, vigilante actions are illegal.
o The FBI often arrests them since attacks destroy evidence needed for
prosecutions.
• Identity: In real life, many vigilantes are respected individuals, but online they adopt an
alternate persona to fight perceived wrongs.

Point: Vigilantes are skilled hackers fighting for justice, but their actions blur legal and ethical
boundaries, often causing unintended harm.

c. Über Hackers:

Über hackers (German über = “super”) are elite, highly skilled hackers with vast experience
and near-unlimited capability.

• Skills: Mastery in programming, logic, operating systems, applications, hardware,
networks, and protocols.
• Nature:
o Create the tools used by other hackers.
o Known for strong technical ability combined with unethical behavior.
• Fear Factor:
o Considered the most dangerous hackers, sought after by shady businesses and
even governments.
• Power: Can either stay hidden in legitimate professions or use skills for personal gain.
• Types:
1. Extortionists – Use their skills to blackmail or demand money.
2. Spies – Conduct espionage for organizations or governments.

Point: Über hackers are “super hackers” with unmatched skills and pose the greatest threat
because of their power and immorality.
The Framework:

Planning the test, Sound Operations, Reconnaissance, Enumeration, Vulnerability
Analysis, Exploitation, Final Analysis, Deliverable, Integration.

Planning the test :

Proper planning is the most important phase of a penetration test, as it determines the scope,
objectives, and acceptable risks of the project. During this phase, existing business processes,
security policies, culture, laws, regulations, best practices, and industry requirements are
considered to guide decisions. Planning ensures that the test aligns with business needs and
risk tolerance while defining how information will be shared and collected. It directly
influences the execution, deliverables, and integration of results into the security program,
making it critical for a controlled and effective penetration test.

Sound Operations :

How is the test going to be supported and controlled? What are the underlying actions that must
be performed regardless of the scope of the test? Who does what, when, where, how long, who
is out of bounds, and what is in bounds of a test all need to be addressed. Logistics of the test
will drive how information is shared and to what degree (or depth) each characteristic will be
performed to achieve the desired results. Operational features will include determining what
the imposed limitations of the tester are and how they are evaluated during the test.

Reconnaissance :

Reconnaissance is the process of gathering freely available information about a target to assist
in an attack. It may involve ping sweeps, searching online forums, or even physical methods
like dumpster diving. Advanced techniques include social engineering, impersonation,
phone/network tapping, and false relationships to extract data. The extent of reconnaissance
depends on the risk accepted by the company and tester. This phase helps identify valuable
information but also raises questions about what actions provide real business value. Unlike
other phases, reconnaissance can be controlled and measured with high precision, linking
framework, tasks, and methods clearly.
ENUMERATION:

Enumeration (network or vulnerability discovery) is the process of actively obtaining detailed
information about a target’s systems, applications, and networks. Unlike reconnaissance, this
phase blurs the line between passive and active attacks. The main technique is port scanning,
usually performed with tools like Nmap, to identify open ports and services. A port scan relies
on the TCP three-way handshake (SYN → SYN+ACK → ACK): a full-connect scan completes it for
every port, while Nmap’s default SYN (“half-open”) scan sends only the SYN and classifies the
port from the reply (SYN+ACK means open, RST means closed, no answer means filtered) without
completing the session. Either way, the result is the list of applications the system is
willing to communicate with.

The information collected helps build a detailed picture of the target’s environment and forms
the basis of an attack plan or vulnerability analysis. Enumeration requires logical reasoning, as
testers must assess not only what data is collected but also its value in the hands of an attacker.
Successful testers combine technical skills with analytical thinking to find connections and
weaknesses, making enumeration both a technical step and an art form in penetration testing.
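An added example of the enumeration step (it is not from the notes and is not Nmap's code): a small full-connect port scanner, of the kind nmap -sT performs, run against a throw-away listener on 127.0.0.1 so it works offline. The listener and the choice of a closed port are constructed for the example; the verdicts follow the handshake logic described above (session completed = open, RST = closed, silence = filtered).

```python
import errno
import socket
import threading
from typing import Dict, Iterable


def start_local_listener() -> socket.socket:
    """Constructed target: a TCP service on 127.0.0.1 at an OS-chosen port that accepts
    and immediately closes connections, so the scan can run without a network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(1.0)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue  # nobody connected in the last second; keep listening
            except OSError:
                return    # listener was closed by the caller
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def free_closed_port() -> int:
    """Pick a port nothing is listening on: bind to port 0, read the number back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full-connect scan: connect() completes SYN / SYN+ACK / ACK, so 'open' means the
    target really accepted a session. Nmap's default half-open (-sS) scan needs raw
    sockets and root; this variant needs neither, at the cost of leaving a full
    connection in the target's logs."""
    verdicts: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except (socket.timeout, OSError):
                err = errno.ETIMEDOUT
        if err == 0:
            verdicts[port] = "open"       # handshake completed
        elif err == errno.ECONNREFUSED:
            verdicts[port] = "closed"     # RST came back: host reachable, nothing listening
        else:
            verdicts[port] = "filtered"   # no answer: dropped by a filter or host unreachable
    return verdicts


def demo() -> Dict[int, str]:
    """Scan one open and one closed loopback port and return the verdicts."""
    srv = start_local_listener()
    try:
        open_port = srv.getsockname()[1]
        return connect_scan("127.0.0.1", [open_port, free_closed_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"127.0.0.1:{port}\t{state}")
```

A real engagement would add a per-host rate limit and run only against addresses listed in the planning document; the scan above is sequential and unthrottled on purpose, so the three verdict branches are easy to follow.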

VULNERABILITY ANALYSIS :

There is a logical and pragmatic approach to analyzing data. During the enumeration phase, we
try to perform an interpretation of the information collected looking for relationships that may
lead to exposures that can be exploited. The vulnerability analysis phase is a practical process
of comparing the collected information with known vulnerabilities.

Most information can be collected from the Internet or other sources, such as newsgroups or
mailing lists, which can be used to compare information about the target to seek options for
exploitation. However, information provided by vendors and even data collected from the
target can be used to formulate a successful attack.

Information collected during the reconnaissance phase from the company can provide
information about vulnerabilities unique to its environment. Data obtained directly from the
company can actually support the discovery of vulnerabilities that cannot be located anywhere
else.

As mentioned above, information found on the Internet is very helpful. Known vulnerabilities,
incidents, service packs, updates, and even available hacker tools help in identifying a point of
attack. The Internet provides a plethora of insightful information that can easily be associated
with the architecture of the target.
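The comparison step described above, as an added example (not from the notes): enumerated services are matched against an advisory table by numeric version range, and the findings are ordered by severity. The inventory, product names and advisory identifiers (ADV-EX-*) are constructed for the example; real work would substitute vendor bulletins or NVD entries.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory in the shape enumeration produces (host, port, product, version).
INVENTORY = [
    {"host": "10.0.0.5", "port": 22,  "product": "ExampleSSH",   "version": "7.2p1"},
    {"host": "10.0.0.5", "port": 80,  "product": "ExampleHTTPD", "version": "2.4.10"},
    {"host": "10.0.0.9", "port": 80,  "product": "ExampleHTTPD", "version": "2.4.9"},
    {"host": "10.0.0.9", "port": 443, "product": "ExampleHTTPD", "version": "2.4.57"},
]

# Constructed advisories with hypothetical identifiers (not real CVEs). 'introduced' is the
# first affected version (inclusive); 'fixed' is the first patched version (exclusive).
ADVISORIES = [
    {"id": "ADV-EX-001", "product": "ExampleSSH",   "introduced": "5.0",   "fixed": "7.4",    "severity": "high"},
    {"id": "ADV-EX-002", "product": "ExampleHTTPD", "introduced": "2.4.0", "fixed": "2.4.10", "severity": "critical"},
    {"id": "ADV-EX-003", "product": "ExampleHTTPD", "introduced": "2.4.0", "fixed": "2.4.55", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.2p1' -> (7, 2, 0, 0); '2.4.10' -> (2, 4, 10, 0). Numeric tuples compare correctly;
    comparing the strings would rank '2.4.9' above '2.4.10' and miss patched-or-not boundaries."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_inventory(inventory: List[Dict], advisories: List[Dict]) -> List[Dict]:
    """Cross the enumerated services with the advisory table; highest severity first."""
    findings = []
    for svc in inventory:
        for adv in advisories:
            if adv["product"] != svc["product"]:
                continue
            if is_affected(svc["version"], adv["introduced"], adv["fixed"]):
                findings.append({"host": svc["host"], "port": svc["port"],
                                 "version": svc["version"], "advisory": adv["id"],
                                 "severity": adv["severity"]})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["port"]))


if __name__ == "__main__":
    for f in match_inventory(INVENTORY, ADVISORIES):
        print(f"{f['host']}:{f['port']}\t{f['version']}\t{f['advisory']}\t{f['severity']}")
```

Note that a banner version is a claim, not proof: distributions backport fixes without bumping the version string, so every match produced this way is a candidate to confirm in the exploitation phase, not a finding for the deliverable.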

EXPLOITATION :
The exploitation phase is where all the planning, reconnaissance, and enumeration efforts are
converted into actual attacks. It involves executing strategies to exploit vulnerabilities in systems
and applications, either through simple tools or complex, multi-step techniques.

1. Role of Planning in Exploitation

• Earlier phases ensure a business-centric foundation for the test.
• Exploitation must always remain within the scope, time, and objectives defined in
planning.
• Every action during exploitation reflects prior planning and directly impacts outcomes.

2. Attack Structure: Threads and Groups

• Threads: Ordered tasks designed to achieve a goal (e.g., privilege escalation).
o Can be single-step or multi-step.
o Each thread may vary but often shares useful similarities.
• Groups: Collections of related threads combined to form access strategies.
o Used to create structured, comprehensive attacks.
o Provide multiple approaches for gaining access.

3. Continuous Evaluation During Exploitation

Each stage is reviewed to ensure alignment with objectives. Two main considerations:

a) Expectations Check

• Ensures results align with planning and company assumptions.
• If unexpected results occur, planning and earlier phases may need revisiting.
• Helps confirm that tests remain within agreed scope.

b) Technical Check

• Focuses on system behavior and technical responses.
• Detects unexpected system reactions (e.g., crashes, errors).
• Prevents harm to the target and ensures ethical limits are respected.

4. Importance of Exploitation Phase

• Translates planning into real-world attacks.
• Provides insights into the tactics of penetration testing execution, not just exploitation
techniques.
• Ensures ethical hacking remains controlled, goal-oriented, and safe.

Final Analysis :

The final analysis phase reviews all collected data and exploits to ensure a successful
engagement. Vulnerabilities are categorized to assess exposure levels and to support a clear
deliverable with mitigation plans. This phase connects the exploitation results with reporting
and remediation.

Its main goal is to take a comprehensive view of the engagement, identify overlooked
opportunities, and classify vulnerabilities to give a clear picture of the target’s security posture.
Final analysis involves both interpretation and evidence-based results—ensuring only well-
supported vulnerabilities are highlighted. This makes communication of risks and
recommendations accurate, valuable, and easier for organizations to act upon.

Deliverables:

The deliverable is the final report that communicates the results of a penetration test. Its quality
depends on the scope, company demands, and tester approach. Reports can range from short
vulnerability lists with patches, tool-generated outputs, or highly detailed step-by-step accounts
of exploitation. None of these are wrong, but they vary in usefulness depending on business
needs.
A good deliverable should go beyond listing vulnerabilities. It must:

1. Provide clear commentary and explanations of findings.
2. Rank vulnerabilities with respect to business impact.
3. Include measurable levels of risk and raw results.
4. Explain backdoors, how they were created, and how to remove them.
5. Document the engagement process, including planning, expectations, and limitations.
6. Contain status updates and correspondence where relevant.

Exceptional deliverables help organizations translate test results into valuable security
improvements by making risks understandable to both executives and technical teams.

INTEGRATION :
The value of a penetration test depends on how well its results are integrated into the organization’s
security program. A good deliverable can be combined with risk analysis, policies, and past test results
to support mitigation and defense.
Key factors in integration are:

Mitigation – Vulnerabilities that pose unacceptable risks must be fixed. This may involve
testing, piloting, implementing, and validating changes. Some fixes are simple, while others
require complex solutions.

Defense – Security must be strengthened strategically by addressing weaknesses in
networks, systems, applications, and policies. Defense planning builds a strong foundation to
minimize the impact of future or undetected vulnerabilities.

Incident Management – The ability to detect, respond, and recover from attacks is critical.
By analyzing how attacks occurred and which vulnerabilities were exploited, organizations can
improve incident response plans and focus on protecting the most critical areas.
Security Program

The Process of Information Security:

• Identify Risk
• Risk Analysis Process
• Quantify Risk
• Inherent Risk
• Control Risk
• Detection Risk
• Handling Risk
• Address Risk
• Mitigate Risk

• Identify Risk

Identification of risk involves recognizing assets, threats, and vulnerabilities.

• Assets: things of value (tangible like hardware, intangible like goodwill).
• Threats: events that can harm assets.
• Vulnerabilities: weaknesses that allow threats to exploit assets.
• Risk arises from the combination of threats and vulnerabilities.

Ethical hacking helps identify vulnerabilities by simulating attacks, providing insight for
better security planning. Proper scoping of threats, assets, and vulnerabilities ensures accurate
risk analysis, leading to effective security controls.

• Risk Analysis Process

• Risk is the probability of a threat exploiting a vulnerability, causing damage, disruption, or
loss.
• Risk analysis ensures security is cost-effective, relevant, and aligned with business goals.
• It helps in identifying and prioritizing risks and justifying the cost vs. benefit of
countermeasures.
• It quantifies or qualifies the impact of threats and guides investment to protect valuable
assets.
• Regular risk analysis with penetration testing improves system design, configurations, and
overall security.

• Quantifying Risk
o Quantifying risk is necessary to prioritize and create an effective risk mitigation
strategy.
o It helps allocate resources like technology, training, or consultancy to address high-
impact risks first.
o Organizations can quantify risk in different ways (e.g., dollars per event or a simple
high/medium/low ranking).
o Quantitative analysis uses measurable data (money lost, frequency of events). The
Exposure Factor (EF) is the fraction of an asset’s value lost in one event, the Single Loss
Expectancy is SLE = Asset Value × EF, and the Annualized Loss Expectancy is
ALE = SLE × ARO, where ARO is the expected number of occurrences per year. A
countermeasure is justified when the ALE it removes exceeds its annual cost.
o Qualitative analysis uses relative ratings (high/medium/low likelihood and impact) and
expert forecasts instead of hard figures; it is often applied in organizations whose market
value far exceeds the book value of their assets, where dollar figures are hard to pin down.
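The ALE arithmetic worked through as an added example (not from the notes): three constructed risks are priced with SLE = AV × EF and ALE = SLE × ARO, each proposed control is judged by its net annual benefit, and the result shows where accepting the risk is the rational choice. Every asset value, exposure factor, frequency and control cost below is an assumption made for the example.

```python
from typing import Dict, List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the money lost in one occurrence (EF is the fraction of AV lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO, with ARO the expected number of occurrences per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a countermeasure; negative means accepting the risk is cheaper."""
    return ale_before - ale_after - annual_cost


def qualitative_band(ale_value: float, high: float = 100_000, medium: float = 10_000) -> str:
    """The high/medium/low alternative, using thresholds the organisation chooses (assumed here)."""
    return "high" if ale_value >= high else "medium" if ale_value >= medium else "low"


# Constructed scenarios; every figure is an assumption for the example, not measured data.
# A control may lower how often the event happens (aro_after) or how much it costs when it does (ef_after).
RISKS = [
    {"name": "Customer database disclosure", "av": 5_000_000, "ef": 0.30, "aro": 0.1,
     "control": "encryption + access control", "cost": 60_000, "ef_after": 0.30, "aro_after": 0.02},
    {"name": "Web shop outage (DDoS)", "av": 2_000_000, "ef": 0.02, "aro": 4.0,
     "control": "upstream scrubbing service", "cost": 30_000, "ef_after": 0.02, "aro_after": 0.5},
    {"name": "Laptop theft", "av": 3_000, "ef": 1.0, "aro": 2.0,
     "control": "full-disk encryption + tracking", "cost": 10_000, "ef_after": 0.1, "aro_after": 2.0},
]


def prioritize(risks: List[Dict]) -> List[Dict]:
    """Rank risks by ALE and decide per control whether it pays for itself."""
    rows = []
    for r in risks:
        before = annualized_loss_expectancy(r["av"], r["ef"], r["aro"])
        after = annualized_loss_expectancy(r["av"], r["ef_after"], r["aro_after"])
        net = safeguard_value(before, after, r["cost"])
        rows.append({"name": r["name"], "ale": before, "band": qualitative_band(before),
                     "ale_after": after, "net_benefit": net,
                     "decision": "mitigate" if net > 0 else "accept"})
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(RISKS):
        print(f"{row['name']:<30} ALE={row['ale']:>10,.0f} ({row['band']})  "
              f"net benefit of control={row['net_benefit']:>9,.0f}  -> {row['decision']}")
```

With these figures the laptop control costs more per year than the loss it prevents, which is exactly the situation the acceptance option below is meant for; changing one assumption (say, a much larger EF because laptops hold customer data) flips that decision, which is why the inputs have to be owned and reviewed rather than guessed once.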

• Inherent Risk
Inherent risk arises when unrelated faults in networking, applications, services, or systems
combine to create significant vulnerabilities. Security is applied in layers, but interactions
between systems may not ensure full protection. Inherent risk is managed at two levels:
pervasive controls, which are enterprise-wide, and detailed controls, which are system-specific
and managed by responsible resources.

• Control Risk
Control risk is the possibility that weaknesses in an enterprise may not be prevented, detected,
or corrected in time by internal controls. It is usually considered high unless effective internal
controls are in place and tested. For example, manually reviewing system logs increases control
risk due to errors and delays, whereas automated log processing reduces it to a manageable
level.

• Detection Risk
Detection risk is the risk associated with the ability (or inability) to detect an attack or event.
In an enterprise, the detection risk associated with identifying breaches of security in an
application system is ordinarily high because of poor monitoring practices or poorly tuned
technology.
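An added example covering both the control-risk point about automated log processing and the detection-risk point above (it is not from the notes): a detector that reads sshd log lines and raises one alert when a single source address produces five failed logins inside a sixty-second window, a pattern a person reading the log by hand is likely to miss or see late. The log excerpt is constructed, uses TEST-NET addresses and assumes ISO-8601 timestamps; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Constructed sshd log excerpt (ISO-8601 timestamps, TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
2024-03-04T10:15:01 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-04T10:15:03 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-04T10:15:04 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
2024-03-04T10:15:06 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-03-04T10:15:07 bastion sshd[2213]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
2024-03-04T10:15:08 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-04T10:20:00 bastion sshd[2301]: Failed password for alice from 198.51.100.20 port 40011 ssh2
2024-03-04T10:20:05 bastion sshd[2302]: Accepted password for alice from 198.51.100.20 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Raise one alert per source IP that produces >= threshold failed logins inside a
    sliding window of window_s seconds. Each IP's deque keeps only timestamps still in
    the window, so memory stays bounded however long the log is."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ts = datetime.fromisoformat(m["ts"])
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) >= threshold and m["ip"] not in alerted:
            alerted.add(m["ip"])  # one alert per source, not one per extra failure
            alerts.append({"ip": m["ip"], "failures": len(window),
                           "first": window[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['failures']} failed logins between {a['first']} and {a['last']}")
```

The single failure from 198.51.100.20 followed by a success is the everyday typo the detector must stay quiet about; the window and threshold are the "tuning" the detection-risk paragraph refers to, and a source that spreads its attempts wider than the window still gets through, which is why the same logic is usually paired with a longer-horizon count.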
• Handling Risk

There are four main methods of handling risk:

1. Transference
o This involves shifting the risk to another party, often through insurance or
outsourcing.
o Example: If a company hosts its website through an external provider,
responsibility for server security and data protection can be transferred via
contracts and SLAs.
o Advantage: Reduces direct burden on the enterprise but requires strong
agreements and accountability.
2. Denial
o This occurs when an organization ignores or rejects risks, often due to financial
constraints.
o Denial is highly dangerous, as unmitigated risks may lead to severe losses.
o Example: A financially strained company may not invest in security measures,
leaving it vulnerable to attacks.
o It is the least effective strategy and should be avoided.
3. Reduction
o The most common method, where countermeasures are implemented to
minimize risks.
o It can include updating technology, strengthening processes, or adopting better
business practices.
o Example: Using paid antivirus solutions like Symantec or McAfee instead of
free software ensures timely support and stronger protection against evolving
threats.
o Limitation: Risk cannot be fully eliminated, but exposure is significantly
lowered.
4. Acceptance
o Here, the enterprise acknowledges and accepts the risk when the cost of
mitigation is higher than the potential loss.
o Example: A financial company executive accepted a $500,000–$1 million
technical risk since it was less than 0.1% of their daily exposure.
o Acceptance is based on the assumption that the likelihood of exploitation is low,
making it a calculated business decision.
o This method is often used when risks are small and manageable compared to
larger business risks.

• Address Risk
Addressing risk involves using prioritized risks for decision-making. The options include:

• Acceptance: Justified when probability, harm, or cost is low, or when mitigation cost
exceeds asset value.
• Transference: Passing the risk to another party (e.g., insurance companies) with higher
risk tolerance.
• Mitigation: Using controls to reduce probability, harm, or cost. Examples: access
control (reduces unauthorized access), encryption (reduces disclosure harm), and
backup (reduces recovery cost). The chosen method must be justifiable and aligned
with organizational goals.

• Mitigate Risk

Mitigating risk means selecting and deploying controls to reduce risk. It begins with a
high-level mitigation strategy set by management, defining the organization’s goals. This leads
to subordinate controls like standards, procedures, configurations, and devices, often arranged
in multiple layers. Effective mitigation requires a management infrastructure to ensure controls
remain updated, relevant, and effective against evolving risks.
Component Parts of an Information Security Program:

• Risk Assessment

Risk assessment in information security identifies and quantifies risks, forming the basis for
addressing them. It begins with defining the security domain to set scope, boundaries, and
assets at risk, aligned with the security architecture model (extended, perimeter, control,
resource layers). This modular approach helps integrate other security components like incident
response, ensuring feedback supports continuous improvement. A risk assessment is a living
document, requiring ownership, review, and accuracy, providing cohesiveness, flexibility, and
proof of due diligence in the security program.

• Management System

An Information Security Management System (ISMS) is a structured framework designed to
manage risks by accepting, transferring, or mitigating them. It is increasingly compared to
Total Quality Management (TQM) since it ensures the quality and effectiveness of
information security across the organization.

One widely adopted standard is ISO 17799 (successor to BS7799; renumbered ISO/IEC 27002 in
2007, with the matching management-system requirements published as ISO/IEC 27001), which
provides a holistic approach to security by focusing on ten functional control areas:

1. Information Security Policy – defines management support and goals.
2. Organizational Security – establishes a framework to sustain the security
infrastructure.
3. Asset Classification and Control – ensures protection of organizational assets.
4. Personnel Security – addresses risks from human interaction.
5. Physical & Environmental Security – protects premises and infrastructure.
6. Communications & Operations Management – ensures secure, repeatable
operations.
7. Access Control – regulates access to assets based on requirements.
8. System Development & Maintenance – integrates security controls in systems.
9. Business Continuity Management – counters interruptions to operations.
10. Compliance – ensures regulatory, statutory, and contractual adherence.
The ISMS is guided by risk assessments and penetration testing, and implemented through:

• Security organizations (roles, committees, forums for awareness).
• Codified practices (policies, standards, guidelines, procedures).
• Ancillary programs (business continuity, incident response, security awareness).

Since no two organizations are identical, every ISMS is unique. Its success depends on
identified risks, upper management support, cultural fit, and stakeholder buy-in, ensuring
both short-term success and long-term sustainability.

 Controls :
Controls in information security are mechanisms implemented to mitigate risks and protect
assets. They can be physical devices, configurations, roles, or processes, impacting networks,
platforms, and operations. Many controls depend on supporting roles, policies, and procedures.
Examples include:

1. Firewalls (network control) – enforce access rules but need supporting procedures,
admin roles, and configuration management.
2. Sniffers (network monitoring) – detect anomalies but require monitoring policies to
prevent misuse.
3. Hardening scripts (platform control) – secure systems against exploits, needing updates
and role management.
4. System logging – requires log servers, enabled configurations, and roles to analyze logs.

 Maintenance Plan:

A maintenance plan in information security ensures the program remains effective against
evolving threats.

1. Ongoing Initiative – Security is continuous; today’s controls may not meet tomorrow’s
threats.
2. Program Review – Annual reaffirmation of goals by management, risk assessments,
and review of standards, procedures, and user authorizations.
3. Program Audit – Measures program effectiveness and identifies gaps through
self-audits or internal reviews.
4. Independent/External Audits – Provide unbiased evaluation, often based on standards
(e.g., ISO 17799) or legal requirements (e.g., HIPAA).
5. Enhancement Loop – Audit findings feed back into program improvement, ensuring
relevance and compliance.
RISK ANALYSIS AND ETHICAL HACKING:

Definition and Scope

 Risk Analysis: Identifies and quantifies risks by evaluating assets, vulnerabilities,
threats, and security controls. It is collaborative and broad, often considering
organizational processes, people, and policies.
 Ethical Hacking: A simulated attack to find vulnerabilities that can be exploited. It is
adversarial, independent, and technical, mimicking how attackers would exploit
weaknesses.

Method of Assessment

 Risk Analysis: Involves reviewing security architecture, policies, controls, and
organizational practices. Example: checking firewall rules against security policies.
 Ethical Hacking: Involves penetration testing, scanning, probing, and exploiting
vulnerabilities. Example: actively attacking a firewall to find misconfigurations.
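The risk-analysis example above (checking firewall rules against policy) can be done as a paper review without touching any live device. The script below is an added illustration, not code from the notes: it compares a constructed firewall rule set against a written policy of permitted zone-to-zone services and reports every permit rule that exceeds it. The zones, addressing, policy and rules are all assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port

# Constructed zones and policy (assumed sample values, not from the notes):
# POLICY lists the services each source zone may reach in each destination zone.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),   # catch-all, matched last
    "dmz": ip_network("10.1.0.0/16"),
    "internal": ip_network("10.2.0.0/16"),
}
POLICY = {
    "internet": {"dmz": {443}},
    "dmz": {"internal": {5432}},
    "internal": {"dmz": {22, 443}, "internet": {80, 443}},
}

def zone_of(cidr):
    """Map a CIDR to the most specific zone containing it (the /0 catches the rest)."""
    net = ip_network(cidr)
    by_specificity = sorted(ZONES.items(), key=lambda z: -z[1].prefixlen)
    return next(name for name, zone in by_specificity if net.subnet_of(zone))

def review(rules):
    """Return (rule name, reason) for every permit rule the policy does not allow."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue                      # denies never widen exposure
        src, dst = zone_of(r.src), zone_of(r.dst)
        allowed = POLICY.get(src, {}).get(dst, set())
        if r.port is None:
            findings.append((r.name, f"permits any port {src}->{dst}; policy allows {sorted(allowed)}"))
        elif r.port not in allowed:
            findings.append((r.name, f"permits port {r.port} {src}->{dst}, not in policy"))
    return findings

# Constructed rule set to review (sample values, not a real device export).
RULES = [
    Rule("web-in", "permit", "0.0.0.0/0", "10.1.10.0/24", 443),        # complies
    Rule("mgmt-ssh", "permit", "0.0.0.0/0", "10.1.10.0/24", 22),       # SSH from internet
    Rule("legacy-any", "permit", "10.1.0.0/16", "10.2.0.0/16", None),  # any port dmz->internal
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
```

Running `review(RULES)` flags `mgmt-ssh` and `legacy-any`; the same check can be pointed at a rule export from a real device once it is parsed into `Rule` objects.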

TABLE 5.1
Role of Ethical Hacking and Risk Analysis in Evaluating Security

Evaluating Threats and Vulnerabilities ........... Ethical hacking
Determining Effectiveness of Security Controls ... Ethical hacking and risk analysis
Establishing Value of Assets ..................... Risk analysis

 Risk analysis is collaborative – works with management, staff, and processes.
 Ethical hacking is independent – testers act like adversaries without relying on
organizational cooperation.
 Risk Analysis is often assumed to be more resource-intensive, broad, and costly, but can
also be focused on a department, system, or application.
 Ethical Hacking is seen as faster, finite, and more controlled but can become large-scale if
the entire company is tested.

1. Strengths of Risk Analysis
o Identifies asset value, risk exposure, and business impact.
o Evaluates processes, procedures, and governance.
o Can uncover systemic issues like poor change management that lead to
vulnerabilities.
2. Strengths of Ethical Hacking
o Reveals real-world exploitability of vulnerabilities.
o Provides practical insights into what attackers can do.
o Useful for demonstrating the effectiveness (or weakness) of technical controls.
3. Complementary Role
o Risk analysis provides strategic, process-driven insights.
o Ethical hacking provides technical, hands-on vulnerability validation.
o Used together, they form a comprehensive assessment, linking vulnerabilities
to asset value, business impact, and remedies.
4. When to Use Each
o Risk Analysis Preferred: When an organization prioritizes process,
compliance, governance, or when the objective is to understand root causes of
risk.
o Ethical Hacking Preferred: When the goal is to test real exploitability of
current systems and provide proof of vulnerabilities.
5. Conclusion
 Both methods are valid but serve different purposes.
 Risk Analysis gives a broad, internal perspective and is ideal for strategic planning.
 Ethical Hacking gives an adversarial, external perspective, useful for tactical
vulnerability testing.
 When combined, they provide the most complete picture of security posture,
supporting both proactive risk management and reactive vulnerability mitigation.
Comparison of Ethical Hacking and Risk Analysis

Pros – Ethical Hacking:
• Identifies technical vulnerabilities directly
• Shows real-world exposure to threats
• Demonstrates effort needed to exploit flaws
• Provides outsider’s (attacker’s) perspective
• Technically comprehensive (systems, apps, infra)
• Offers insights into tools & tactics used by hackers

Pros – Risk Analysis:
• Considers all aspects (technical, management, policy, operations)
• Safe — no risk of damaging systems
• Reviews configurations, controls & policies
• Evaluates asset value & business impact
• Determines overall risk exposure & priorities
• Identifies gaps in processes, roles, responsibilities

Cons – Ethical Hacking:
• Ignores management practices & policy
• Limited by firewalls/IDS/chokepoints
• Risk of downtime or disruption
• Tester may be detected
• Doesn’t consider asset value
• Depends on tester’s skill & methods
• Results may lack integration with wider security strategy

Cons – Risk Analysis:
• Vulnerabilities based on assumptions (not actual exploits)
• Doesn’t prove alternate attack paths
• May rely on limited sampling/scans
• Less realistic (no attacker perspective)
• Results can be high-level
• Time-consuming process
