Penetration Testing vs. Ethical Hacking: What’s the Difference?

February 14, 2023

Technology offers powerful tools that improve patient care, but the ongoing digitization of healthcare has opened the sector up to malicious attempts to access sensitive data and disrupt critical systems. CommonSpirit Health, a healthcare group based out of Chicago with 700 care sites and 142 hospitals, fell victim to such an attack late in 2022 when unknown hackers breached its systems and stole private patient information. Although the full extent of the damage is still unknown, the U.S. Department of Health and Human Services believes the incident affected over 620,000 people.

The CommonSpirit Health breach was just one of many recent cyber attacks on healthcare systems — and across sectors. Colonial Pipeline Company famously shut down for nearly a week in 2021 following an attack in which malicious hackers extorted an almost $5 million ransom in cryptocurrency. The shutdown also affected everyday citizens, causing gas shortages and driving up gasoline prices across the Eastern U.S. Colonial Pipeline Chief Executive Joseph Blount later told senators that the hackers breached the company's systems using just one password.

These types of attacks are frustratingly common but also preventable, and an increasing number of organizations are investing in proactive cyber security measures such as penetration testing and ethical hacking to curb malicious incursions. This creates opportunity but also raises questions. How can hacking be ethical? What is an ethical hacker vs. a penetration tester? How do people learn ethical hacking? And how do learning pathways such as the Ethical Hacking certificate program offered by San Diego State University’s Cyber Tech Academy prepare cyber security professionals to counter evolving threats?

What Is an Ethical Hacker?

In many respects, ethical hackers seem similar to malicious hackers. Both attempt to breach network systems, acquire passwords and access confidential information by any means available. However, ethical hackers are cyber security professionals paid by organizations to act like malicious hackers and find vulnerabilities in those organizations' security systems. Their work is often part of an organization's broader cyber security strategy.

When they’re successful, ethical hackers don’t hold the information hostage and attempt to extort the company or organization. Instead, they carefully document the hacking techniques they employed and report their findings. This information can help organizations repair security gaps and prevent malicious hackers from following the same path to gain unauthorized access.

What Is a Penetration Tester?

Penetration testers use predetermined hacking techniques to evaluate security at a specific point in a system. Generally, penetration testing is limited in scope and not utilized to uncover broad vulnerabilities. Cyber security professionals often use pen tests to confirm systems are in compliance with cyber security regulations or confirm that existing security measures are functioning as intended.

Penetration testers typically work on teams that carry out the specified attacks as required and report their findings to their employer or the target organization. If tests reveal problems with one or more systems, penetration testers are not responsible for fixing those issues. The organization’s security team determines and implements the most appropriate repairs.

Ethical Hacker vs. Penetration Tester: What You Need to Know

Penetration testing and ethical hacking are very similar, and sometimes the terms are used interchangeably. However, there are differences between them, and prospective cyber security professionals should understand the role each plays in broader security strategy.

Penetration testers and ethical hackers share the same goal: ensuring systems are secure. They use similar techniques, adopting methods often used by malicious hackers, but for good instead of evil. However, they differ in scope and responsibilities. Ethical hackers try to anticipate malicious hackers’ behavior to expose system vulnerabilities before they become problems. Penetration testers focus on specific systems and methods to ensure security and compliance.

To better comprehend the difference between penetration testing and ethical hacking, imagine a healthcare organization has just launched a cloud-based patient database accessible from all the hospitals in its network. The new system must comply with healthcare regulations to ensure patient data remains confidential. The organization hires third-party penetration testers to test patient data access against the relevant legal requirements and prove its compliance. At the same time, in-house ethical hacking teams try various malicious hacking methods to breach the system, revealing unknown security gaps before they are exploited.

When the third-party penetration testers finish their work, they compile a report either affirming compliance with rules and regulations or identifying weaknesses where their attacks succeeded. Meanwhile, ethical hackers remain in constant contact with the larger cyber security team, reporting vulnerabilities as they’re uncovered, so the organization can immediately repair them.

Ethical Hacking and Penetration Testing Require Different Skills

Ethical hacking and penetration testing use different skills, and there are different credentials that validate those competencies. CompTIA’s popular PenTest+ certification, for instance, evaluates proficiency in planning and scoping for penetration tests, vulnerability scanning, and reporting and communication related to penetration tests and common attack methods and exploits. The Certified Ethical Hacker (CEH) certification considers a broader set of hacking techniques and system vulnerabilities. It also includes penetration testing techniques, making it a higher-level credential.

Cyber security professionals should be mindful of how penetration testing and ethical hacking relate to one another. Penetration testing is more focused and requires a less diverse skill set. Aspiring ethical hackers often build a foundation of penetration testing knowledge before they pursue ethical hacking training online or enroll in in-person ethical hacking courses.

How to Learn Ethical Hacking and Penetration Testing Skills

Ethical hacking and penetration testing skills rank highly in ISACA's 2022 State of Cybersecurity report, and professionals looking to advance their careers and keep up with new developments in this ever-evolving discipline will eventually need to develop them. San Diego State University's Ethical Hacking certificate program covers penetration testing fundamentals, vulnerability scanning, attack vector research, common cyber threats and new attacks against cloud technologies. In as few as 14 weeks, students learn how to communicate findings to other cyber security teams and to non-experts through penetration testing reports. They practice these skills in hands-on environments that replicate the actual day-to-day work of ethical hackers, and graduate with in-demand cyber security skills.

Instructor Eric Nielson is an information security incident response expert who reviews and updates the Ethical Hacking certificate curriculum every 18 months with real-world challenges — ensuring certificate holders are well-prepared to counter the latest cyber security threats. San Diego State University’s program produces cyber security professionals with the problem-solving skills necessary to adapt to new developments in the industry, so they’ll be ready to succeed in top cyber security jobs related to ethical hacking and penetration testing.