While assessing the security of an organization’s IT asset(s), ethical hackers aim to think like an attacker. In doing so, they look for attack vectors against the target. The initial goal is to perform reconnaissance, gaining as much information as possible.
Once the ethical hacker gathers enough information, they use it to look for vulnerabilities against the asset. They perform this assessment with a combination of automated and manual testing. Even sophisticated systems may have complex countermeasure technologies which may be vulnerable.
They don’t stop at uncovering vulnerabilities. Ethical hackers use exploits against the vulnerabilities to prove how a malicious attacker could exploit it.
Some of the most common vulnerabilities discovered by ethical hackers include:
- Injection attacks
- Broken authentication
- Security misconfigurations
- Use of components with known vulnerabilities
- Sensitive data exposure
After the testing period, ethical hackers prepare a detailed report. This documentation includes steps to compromise the discovered vulnerabilities and steps to patch or mitigate them.