What’s in a phrase? Not a lot if you’re gossiping casually, though style, fashion or taste might perhaps shape your choice of words. But words mean a lot if you’re aspiring to operate in a professional manner, because precise definitions are the basis of the body of knowledge that underpins any professional practice.
So perhaps it’s about time we cleaned up our choice of terminology. I was reminded of this today when a professional body asked me for my views on the term “ethical hacking”. It’s one of those phrases that’s crept into usage to describe what I’d call “penetration testing”, though I’m not entirely sure if that’s an accurate description for the activity of live testing of systems or infrastructure to identify security vulnerabilities. But ethical hacking is definitely a misnomer. Firstly, because it has a different objective from hacking, i.e. it’s intended to detect security vulnerabilities, not to achieve a penetration of a system. And secondly, because it’s a straightforward business requirement and has little to do with ethics.
There are lots of security glossaries around. Microsoft has one but it doesn’t include the word testing (bit worrying that). SANS has one that includes penetration testing but describes it as merely testing the external perimeter security. The IETF has a better definition for penetration testing, but falls down when it comes to “hacker” by describing it as “someone who figures things out and makes something cool happen”. Arghhh!