White hat (computer security)

From Wikipedia, the free encyclopedia

A white hat (or a white-hat hacker, a whitehat) is an ethical security hacker.[1][2] With the owner's consent, white-hat hackers deliberately hack software or systems with the aim of identifying any vulnerabilities or security issues they have, helping to harden them against black hat hackers.[3]

The white hat is contrasted with the black hat, a malicious hacker; this definitional dichotomy comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat, respectively.[4] There is a third kind of hacker known as a grey hat who hacks with good intentions but at times without permission or proper consent.[5]

White-hat hackers may also work in teams called "sneakers", hacker clubs,[6] red teams, or tiger teams.[7]

History of term

The modern contrast between white hat and black hat derives from the convention in Western films in which heroic characters were associated with white hats and villains with black hats. By the mid-1960s, white hat was being used more generally in American English to mean a person perceived as one of the "good guys" or as being on the side of right.[4]

The computing sense developed from this wider moral contrast. The Oxford English Dictionary records white hat in computing slang from 1990, defining it as a person who engages in computer hacking for benign or altruistic purposes, especially to test security systems and prevent illegal acts. The related expression white-hat hacker was in use by the late 1990s, and by the early 2000s was being used for security testers contracted to probe networks and systems for weaknesses.[8]

Employment

Interviews with staff in the UK in 2011 suggested that ethical hackers working for companies had skills in social engineering, mobile technology, and social networking.

In professional employment, the work of white-hat hackers substantially overlaps with penetration testing and ethical security testing, with the ethical hacker most closely covering the role of a penetration tester: simulating the attacks used by malicious hackers in order to understand how systems can be defended.[9]

White-hat roles may be filled by in-house staff or by third-party specialists contracted to test an organisation's security.[9] In this setting, the distinction from malicious hacking is not primarily technical method, but authorisation, scope and professional discipline: white hats use attacker-like techniques within agreed legal and ethical boundaries.[9] The penetration testing or ethical security testing industry had become organised around professional organisations, recognised qualifications and structured development routes, while also stressing that practitioners must not exceed the boundaries agreed with the client.[9]

Notable certifications include the CNSS 4011, offered by the United States National Security Agency, which covers orderly, ethical hacking techniques and team management.[6] When the agency recruited at DEF CON in 2020, it promised applicants that "If you have a few, shall we say, indiscretions in your past, don't be alarmed. You shouldn't automatically assume you won't be hired".[10]

Tools

A wide variety of security assessment tools are available to assist with penetration testing, including freeware, free software, and commercial products.

Legality

Belgium

Belgium legalized white hat hacking in February 2023.[11]

China

In July 2021, the Chinese government moved from a system of voluntary reporting to one of legally mandating that all white hat hackers first report any vulnerabilities to the government before taking any further steps to address the vulnerability or make it known to the public.[12] Commentators described the change as creating a "dual purpose" in which white hat activity also serves the country's intelligence agencies.[12]

United Kingdom

Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com says "Broadly speaking, if the access to a system is authorized, the hacking is ethical and legal. If it isn't, there's an offense under the Computer Misuse Act. The unauthorized access offense covers everything from guessing the password to accessing someone's webmail account, to cracking the security of a bank. The maximum penalty for unauthorized access to a computer is two years in prison and a fine. There are higher penalties – up to 10 years in prison – when the hacker also modifies data". Unauthorized access even to expose vulnerabilities for the benefit of many is not legal, says Robertson. "There's no defense in our hacking laws that your behavior is for the greater good. Even if it's what you believe."[13]

References


  1. "What is white hat? - a definition from Whatis.com". Searchsecurity.techtarget.com. Archived from the original on 2011-02-01. Retrieved 2012-06-06.
  2. Okpa, John Thompson; Ugwuoke, Christopher Uchechukwu; Ajah, Benjamin Okorie; Eshioste, Emmanuel; Igbe, Joseph Egidi; Ajor, Ogar James; Okoi, Ofem, Nnana; Eteng, Mary Juachi; Nnamani, Rebecca Ginikanwa (2022-09-05). "Cyberspace, Black-Hat Hacking and Economic Sustainability of Corporate Organizations in Cross-River State, Nigeria". SAGE Open. 12 (3): 215824402211227. doi:10.1177/21582440221122739. ISSN 2158-2440. S2CID 252096635.
  3. Filiol, Eric; Mercaldo, Francesco; Santone, Antonella (2021). "A Method for Automatic Penetration Testing and Mitigation: A Red Hat Approach". Procedia Computer Science. 192: 2039–2046. doi:10.1016/j.procs.2021.08.210. S2CID 244321685.
  4. Wilhelm, Thomas; Andress, Jason (2010). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Elsevier. pp. 26–7. ISBN 978-1-59749-589-9.
  5. "What is the difference between black, white, and grey hackers". Norton.com. Norton Security. Archived from the original on 15 January 2018. Retrieved 2 October 2018.
  6. "What is a White Hat?". Secpoint.com. 2012-03-20. Archived from the original on 2019-05-02. Retrieved 2012-06-06.
  7. Palmer, C.C. (2001). "Ethical Hacking" (PDF). IBM Systems Journal. 40 (3): 769. doi:10.1147/sj.403.0769. Archived (PDF) from the original on 2019-05-02. Retrieved 2014-07-19.
  8. "white hat, n. meanings, etymology and more | Oxford English Dictionary". www.oed.com. Archived from the original on 2024-06-06. Retrieved 2026-05-31.
  9. Caldwell, Tracey (2011-07-01). "Ethical hackers: putting on the white hat". Network Security. 2011 (7): 10–13. doi:10.1016/S1353-4858(11)70075-7. ISSN 1353-4858.
  10. "Attention DEF CON® 20 attendees". National Security Agency. 2012. Archived from the original on 2012-07-30.
  11. Drechsler, Charlotte Somers, Koen Vranckaert, Laura (3 May 2023). "Belgium legalises ethical hacking: a threat or an opportunity for cybersecurity?". CITIP blog. Archived from the original on 17 May 2023. Retrieved 7 May 2023.
  12. Brar, Aadil (18 January 2024). "China Raises Private Hacker Army To Probe Foreign Governments". Newsweek. Archived from the original on 20 January 2024. Retrieved 20 January 2024.
  13. Knight, William (16 October 2009). "License to Hack". InfoSecurity. 6 (6): 38–41. doi:10.1016/s1742-6847(09)70019-9. Archived from the original on 9 January 2014. Retrieved 19 July 2014.