Ethical Hacking Terminology
Being able to understand and define terminology is an important part of a CEH’s responsibility.
This terminology is how security professionals acting as ethical hackers communicate.
This “language” of hacking is necessary as a foundation to the follow-on concepts in
later chapters of this book. In this section, we’ll discuss a number of terms you need to be
familiar with for the CEH certification exam:
Threat An environment or situation that could lead to a potential breach of security.
Ethical hackers look for and prioritize threats when performing a security analysis.
Malicious hackers and their use of software and hacking techniques are themselves threats
to an organization’s information security.
Exploit A piece of software or technology that takes advantage of a bug, glitch, or vulnerability,
leading to unauthorized access, privilege escalation, or denial of service on a
computer system. Malicious hackers are looking for exploits in computer systems to open
the door to an initial attack. Most exploits are small strings of computer code that, when
executed on a system, expose a vulnerability. Experienced hackers create their own exploits,
but it is not necessary to have any programming skills to be an ethical hacker as many
hacking software programs have ready-made exploits that can be launched against a computer
system or network. An exploit is a defined way to breach the security of an IT system
through a vulnerability.
Vulnerability The existence of a software flaw, logic design, or implementation error that
can lead to an unexpected and undesirable event executing bad or damaging instructions to
the system. Exploit code is written to target a vulnerability and cause a fault in the system
in order to retrieve valuable data.
Target of Evaluation (TOE) A system, program, or network that is the subject of a
security analysis or attack. Ethical hackers are usually concerned with high-value TOEs,
systems that contain sensitive information such as account numbers, passwords, Social
Security numbers, or other confidential data. It is the goal of the ethical hacker to test
hacking tools against the high-value TOEs to determine the vulnerabilities and patch them
to protect against exploits and exposure of sensitive data.
Attack An attack occurs when a system is compromised based on a vulnerability. Many
attacks are perpetrated via an exploit. Ethical hackers use tools to find systems that may be
vulnerable to an exploit because of the operating system, network configuration, or applications
installed on the systems, so that an attack can be prevented.
There are two primary methods of delivering exploits to computer systems:
Remote The exploit is sent over a network and exploits security vulnerabilities without
any prior access to the vulnerable system. Hacking attacks against corporate computer
systems or networks initiated from the outside world are considered remote. Most people
think of this type of attack when they hear the term hacker, but in reality most attacks are
in the next category.
Local The exploit is delivered directly to the computer system or network, which requires
prior access to the vulnerable system to increase privileges. Information security policies
should be created in such a way that only those who need access to information are
allowed access, and that they have the lowest level of access needed to perform their job function.
These concepts are commonly referred to as “need to know” and “least privilege” and, when
used properly, would prevent local exploits. Most hacking attempts occur from within an
organization and are perpetrated by employees, contractors, or others in a trusted position.
In order for an insider to launch an attack, they must have higher privileges than necessary
based on the concept of “need to know.” This can be accomplished by privilege escalation
or weak security safeguards.