TÜViT hilft im Bereich IT Security: Was ist ein guter Hacker?
Quick question

What is a ‘good’ hacker?

Cyber attacks are an increasing threat to private individuals, companies and government agencies alike – the consequences can be immense. To avoid these, TÜViT experts uncover vulnerabilities and provide security. #explore got straight to the point with Dennis Schröder.

What are ‘good’ hackers and what do they do?

In contrast to malicious or ‘black-hat’ hackers, who act unlawfully, for instance, by hacking into applications on their own initiative for financial gain, ‘good’ or ‘white-hat’ hackers are security professionals who are expressly instructed by the customer and thereby remain within the bounds of the law. Aside from their ethical code, the two camps essentially differ in terms of their motivation. ‘Good’ hackers identify vulnerabilities on behalf of the customer and gives practical recommendations as to how they can be fixed, whereas malicious hackers use this information solely for their own benefit. At TÜViT, IT security professionals work on behalf of companies and public authorities. They accordingly carry out what are known as penetration tests in the form of coordinated ‘hacker attacks’, with the aim of verifying the effectiveness of the existing IT security measures. The TÜViT IT security experts are deployed in various testing and certification procedures across different industrial sectors such as trade, logistics, industry, finance and insurance, the automotive sector, the telecommunications industry and the government agency sector.

What must these IT security professionals be able to do?

The demands are very high – in addition to soft skills, the IT security professionals must be very well-versed in the various disciplines of both “offensive” and “defensive” security. In addition to system, network and application security, these include mobile and industrial security, as well as specific knowledge of security solutions, such as Web application firewalls, client and server operating systems, plus cryptographic algorithms, scripting and programming languages. Also crucial if the project-specific challenges are going to be met are creativity and a passion for IT security. This is because systems, networks or applications are never hacked or hijacked strictly by the book! The ideal profile of a ‘good’ hacker includes enthusiasm, ambition, perseverance, expertise, focused work and discretion.

What does a penetration test look like?

Penetration testing can be very specifically adapted to customer requirements. Depending on the characteristics of the penetration test in question, one example might be the analysis for security vulnerabilities of external network access points, including the various Web applications. The underlying process of information-gathering to establish the objectives is a bit like putting together a jigsaw puzzle: the IT security expert looks for information on the Internet and collates it into a set of usable findings. Social networks are often particularly useful in this process. This is because staff profiles and job postings provide clues as to which hardware and software components are used by the organisation in question. A complete picture may not necessarily emerge, but the information gleaned is enough to generate a first impression and carry out the first active attacks.

We basically often find that many organisations across the sectors feel secure because they have invested significant funds in IT security products and the infrastructure works for the end user without major outages. This impression can be misleading if the mix of measures implemented can’t withstand practical attacks by experienced IT security professionals but is only robust enough to pass muster in theoretical situations and plausibility checks. What particularly often leads to critical vulnerabilities that can be exploited by all sorts of attackers are unforeseen attack scenarios and situations in which the security measures are either inadequately or not at all integrated with one another. The aim of penetration testing is to identify these vulnerabilities and make recommendations as to how any gaps can be closed.



Dennis Schröder has been working in the IT security field at TÜViT since 2008. As Product Manager for Cyber Security Services, he and his team are responsible for penetration testing in the context of technical safety investigations and certifications. While studying at the University an der Ruhr in Bochum he first recognised his vocation when he and his fellow students got together in an experiment to calculate possible PINs by doing no more than reading out particular data from their own private debit cards. When the top ten probable PINs were published in the paper, the PIN of his own debit card was indeed one of them. The reason, as a member of staff informed him in confidence, was a known vulnerability in the product solution in use at the time by his bank. Since then one thing has been clear to him: "IT security vulnerabilities are everywhere - it's just a matter of having the motivation and resources to identify and exploit them and to sort them out."