
Content type: Blog

How hackers operate and how you can better protect systems and people against attacks.

Author: Christian Peeters

Hacks, ransomware, data breaches. Unfortunately, they have become part of everyday life. It doesn’t just feel like they happen more often. The numbers confirm that they do. That is why it is so important to secure systems properly. To do that effectively, you also need to understand how hackers operate.
A few years ago I earned my Certified Ethical Hacker certification. Since then, I have been working to keep my employer, our clients, and our software secure. At the same time, I try to help colleagues become more aware of security risks.

How hackers operate

To understand how security can be improved, it helps to look at how hackers typically work. Their approach usually consists of five phases.

Phase 1: Reconnaissance
A hacker, often working with others, gathers as much information as possible about the target. They want to know which systems and networks are used, who works there, who the customers are, and more. Much of this information can be found online. This process is known as Open Source Intelligence (OSINT).

Phase 2: Scanning
In this phase the hacker actively probes the systems identified during reconnaissance: which ports are open, which services and versions are running on them, and which known vulnerabilities apply to those versions.

Phase 3: Gaining access
Once a vulnerability is discovered, the hacker attempts to exploit it to gain access to the target system.

Phase 4: Maintaining access
Breaking into a system can be difficult and noisy. That is why hackers usually install persistence once they are in: a backdoor, an extra account, a scheduled task or a web shell that gives them access again even if the system is restarted or the original vulnerability is patched.

Phase 5: Covering tracks
Hackers do not want to be detected, and certainly do not want to be personally identified. That is why they try to avoid triggering security systems and make sure they leave no traces in log files.

Vulnerabilities

Hackers are constantly looking for weaknesses in systems. People often assume this means a bug in the software. While that can certainly be the case, it is not the only possibility. In fact, the problem often sits between the keyboard and the chair, also known as PEBKAC.

Once you start looking at your environment with a hacker mindset, you will likely notice vulnerabilities you never thought about before.

Take Wi-Fi as an example. What would happen if someone created a hotspot on their phone with the same network name (SSID) and password as the company network? Laptops and phones that have saved the network do not check which access point is behind the name: they connect to whichever one has the strongest signal, and from that moment the attacker sits between the device and the internet. This is known as an evil twin. It works against networks that use a shared passphrase; the defence is WPA2/WPA3-Enterprise (802.1X) with clients configured to validate the authentication server's certificate, so a rogue access point cannot impersonate the network just by copying its name and password.
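A check a network team can run against a Wi-Fi scan, as an added example for this post (not the author's code): every access point that advertises the company SSID but whose MAC address (BSSID) is not in the inventory of real access points is flagged, with the reasons that make it dangerous. The scan lines are constructed in the terse output style of `nmcli -t -f SSID,BSSID,CHAN,SIGNAL,SECURITY dev wifi list` (colons inside values are backslash-escaped); the SSID, MAC addresses and inventory are hypothetical.

```python
"""Spot an 'evil twin' access point in a Wi-Fi scan.

Added example for this post, not the author's code.  The scan lines are
constructed in the terse format of `nmcli -t -f SSID,BSSID,CHAN,SIGNAL,SECURITY
dev wifi list`; the SSID and MAC addresses are hypothetical.
"""
from dataclasses import dataclass

# Assumed inventory of the company's real access points (hypothetical MACs).
CORP_SSID = "Corp-WiFi"
KNOWN_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed scan: two real APs, one rogue AP with a different vendor prefix
# and a much stronger signal, and an unrelated guest network.
SCAN_OUTPUT = """\
Corp-WiFi:00\\:11\\:22\\:33\\:44\\:01:6:71:WPA2
Corp-WiFi:00\\:11\\:22\\:33\\:44\\:02:36:58:WPA2
Corp-WiFi:A4\\:C3\\:F0\\:12\\:34\\:56:6:93:WPA2
Guest:00\\:11\\:22\\:33\\:44\\:03:1:60:
"""


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    signal: int       # nmcli reports signal strength as a 0-100 percentage
    security: str     # assumed: "WPA2" = pre-shared key, "WPA2 802.1X" = enterprise


def split_terse(line: str) -> list[str]:
    """Split an nmcli terse line on unescaped colons ("\\:" is a literal colon)."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(text: str) -> list[AccessPoint]:
    """Turn terse scan lines into AccessPoint records; MACs are upper-cased."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, chan, signal, security = split_terse(line)
        aps.append(AccessPoint(ssid, bssid.upper(), int(chan), int(signal), security))
    return aps


def find_evil_twins(aps, corp_ssid=CORP_SSID, known=KNOWN_BSSIDS):
    """Return (ap, reasons) for every AP broadcasting our SSID from an unknown BSSID."""
    known = {b.upper() for b in known}
    known_ouis = {b[:8] for b in known}          # first three octets = vendor prefix
    strongest_real = max((ap.signal for ap in aps if ap.bssid in known), default=None)
    findings = []
    for ap in aps:
        if ap.ssid != corp_ssid or ap.bssid in known:
            continue
        reasons = ["BSSID is not in the AP inventory"]
        if ap.bssid[:8] not in known_ouis:
            reasons.append("vendor prefix (OUI) differs from the corporate APs")
        if "802.1X" not in ap.security:
            reasons.append("pre-shared-key network: clients join it if the passphrase matches")
        if strongest_real is not None and ap.signal > strongest_real:
            reasons.append("stronger signal than any real AP, so clients will prefer it")
        findings.append((ap, reasons))
    return findings


if __name__ == "__main__":
    for ap, reasons in find_evil_twins(parse_scan(SCAN_OUTPUT)):
        print(f"{ap.ssid} from {ap.bssid} (channel {ap.channel}, {ap.signal}%)")
        for reason in reasons:
            print("  -", reason)
```

Run it against a real scan by piping the nmcli output into `parse_scan` and replacing `KNOWN_BSSIDS` with the controller's inventory; the signal comparison is what tells you whether clients in that spot will actually prefer the rogue access point.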

Another example is the USB hub built into many monitors. Most people know not to plug an unknown USB stick into their laptop. But what if someone plugs that USB stick into the back of the monitor instead? To the laptop there is no difference: a device on the monitor's hub is enumerated by the operating system exactly like one plugged into a laptop port. The trust is in people's heads, not in the machine. The stick does not even have to be a storage device; a malicious one can present itself as a keyboard and type commands the moment it is connected.

Social engineering

People are probably the biggest vulnerability of all. This became clear again during the major hack of a telecom provider in early 2026.

Why do people still fall for phishing emails, vishing calls, or other forms of social engineering? The reason is simple. People are influenced by patterns and habits that can be exploited. We are taught to help others, to be polite, to respond quickly, and to avoid causing problems.

Hackers make clever use of these traits. Fear and urgency are especially powerful tools to push people into actions they normally would not take.

That does not mean we should stop helping each other or stop being friendly. Quite the opposite. But we do need to recognize the difference between helping a colleague and helping a hacker.

Training and regular repetition are essential here.

OWASP Top 10

Not everything can be blamed on human error. Software itself also needs to be built as securely as possible. Absolute security does not exist, but there are good starting points.

One of them is the OWASP Top 10. OWASP (the Open Worldwide Application Security Project) is a non-profit foundation that works on application security through open-source projects, conferences, training, and shared knowledge. Roughly every three to four years it publishes an updated list of the ten most critical web application security risks.

This list is essential reading for software developers. At the same time, it is also a useful guide for hackers looking for potential vulnerabilities.

The OWASP Top 10 includes well-known issues such as Injection, but also newer challenges that have become more prominent in recent years, such as vulnerabilities in the software supply chain.

In a separate blog I will explore the OWASP Top 10 in more detail.

Practice

Theory is important. But attacking your own software is one of the best ways to understand where problems can occur. It also helps you recognize vulnerabilities much faster.

That is why I always recommend practicing with penetration testing tools. These tools are designed to detect and exploit vulnerabilities.

To access a wide and reliable collection of tools, you can use distributions that bundle them together. The best known example is Kali Linux. Kali can even be installed from the Microsoft Store as a WSL distribution, and provides an extensive environment for scanning and testing applications, similar to the way hackers would.

Be careful, though. These tools can cause real damage. Always start by practicing on small applications that are specifically designed to be broken. You can build these yourself or use Docker images that contain intentionally vulnerable applications. Bind such containers to localhost or an isolated network: they are trivially exploitable by design and should never be reachable from the office network or the internet.

Only after that should you move on to the application you actually want to assess, and even then only in a test or acceptance environment. Testing in production is a separate decision that needs an explicit scope, permission from the system owner and a maintenance window: even a well-understood scanner can crash a fragile service or fill a database with junk records.

People often ask whether these tools are illegal. The answer is no.

You can buy a crowbar at a hardware store or a balaclava at a winter sports shop. There is nothing illegal about either of those. Even breaking open your own front door is not illegal. Doing the same thing at someone else’s house is a very different matter. The same principle applies to these tools.

Ethical

For me, the ethical aspect lies in the motivation to keep organizations and software secure.

Rule number one: always get written permission.

You should never attempt to ethically hack a system or user without prior approval. First, because doing so would be illegal. Second, because unexpected damage may occur. Someone with the authority to make that decision must be aware of and accept that risk.

If you decide to look beyond your own systems and inform other organizations about vulnerabilities you discover, it is useful to know that there is a standard for this: security.txt, published in 2022 as RFC 9116.

This is a text file served at /.well-known/security.txt (similar in spirit to robots.txt) that tells researchers how to report vulnerabilities. At minimum it contains a Contact field (an e-mail address, URL or phone number) and an Expires date after which the information should no longer be trusted; it can also point to a PGP key, a disclosure policy and preferred languages.
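Before you send a report to the address in someone's security.txt, it is worth checking that the file is well-formed and still valid. The parser below is an added example for this post (not the author's code): it reads the file, normalises field names, and applies the RFC 9116 rules a practitioner cares about, namely a usable Contact URI, exactly one Expires timestamp, that timestamp in the future (and not unreasonably far in it), and single-occurrence fields appearing only once. The two sample files are constructed; example.com and the addresses in them are placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example for this post, not the author's code.  The sample files below
are constructed; example.com and the addresses in them are placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116; True marks fields that may appear at most once.
KNOWN_FIELDS = {
    "Contact": False, "Expires": True, "Encryption": False,
    "Acknowledgments": False, "Canonical": False, "Hiring": False,
    "Policy": False, "Preferred-Languages": True,
}
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")

# Fixed reference time so the sample output below is reproducible.
REFERENCE_TIME = datetime(2026, 6, 1, tzinfo=timezone.utc)

SAMPLE_GOOD = """\
# Constructed example of https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2027-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
"""

SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {field: [values]}; comments and blank lines are skipped and
    field names, which the RFC treats as case-insensitive, are normalised."""
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return the problems found; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems: list[str] = []

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("no Contact field")
    for contact in contacts:
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    for name, once in KNOWN_FIELDS.items():
        if once and len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires has no timezone offset")
            elif when <= now:
                problems.append(f"file expired on {expires[0]}; do not trust its contacts")
            elif when > now + timedelta(days=366):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_security_txt(sample, now=REFERENCE_TIME) or "OK")
```

To check a live site, fetch `https://<host>/.well-known/security.txt` with any HTTP client and pass the body to `check_security_txt`; an expired file is a signal to look for another channel rather than to e-mail an address nobody may read any more.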

More information can be found on the website of the Dutch National Cyber Security Centre.

An open door

To state the obvious: hacking without permission is not legal. Even if your intentions are good, entering a system without permission to see how far you can get is not allowed.

To continue the door analogy: if you walk past a house and see the front door standing open, you may look inside from the street. You may also ring the doorbell to warn the owner. What you cannot do is walk inside.

Betabit offers training courses that explain the fundamentals of ethical hacking with the goal of helping teams build more secure applications.

If you would like to know more, feel free to contact us.
