Ethical Hacker: Questions & Answers

We often hear the term ‘ethical hacker’, but what exactly does this involve and is it something you can actually make a career out of?


How would you define an ethical hacker?

The best definition would be someone that will not cause any harm based on their hacking activities, and is taking the actions with the approval of all proper parties. They might technically be a penetration tester, someone chasing bug bounties, an auditor, or some other title. But it all falls under the moniker of ‘ethical hacking.’ Permission is the key. If you haven’t obtained permission before taking action it’s not really ethical hacking.

What are some of the biggest misconceptions about ethical hackers?

When people talk about the work that hackers do, they typically focus on the fun parts. Yet, while the fun parts are cool, they’re just one extremely small component of the work. Educating yourself, reading tool outputs, implementing, automating, and writing reports take up the bulk of an ethical hacker’s time. By comparison, the actual ‘hacking’ is a very small part of the equation. While each of these phases can be rewarding, it’s not the sort of activity that people typically think of when discussing ethical hacking. There is a reason this is still work, not just a game.

Say a hacker finds a vulnerability — how deep should they penetrate into an environment before alerting the company?

This needs to all be defined before the work starts — and should never be in question. For a bug bounty program, this is a critical concept that must be laid out before any work gets done. In the case of an assessment, this is defined in the statement of work.

As for what should be in the statement of work, that really depends on the goals of the assessment and the desire of the stakeholders. Is the point of the assessment to identify vulnerabilities so that they can be remedied? Or is it to demonstrate the worst-case scenario if the organization falls under targeted attack? Or something else? How the organization answers these questions defines the level and amount of work to be done.

What advice would you give to anyone looking to start a career as an ethical hacker?

Get hands-on experience. Just getting a degree isn’t enough. In order to prove you can offer something to an organization, you need to demonstrate that you can do the actual work. Get involved in an open source project and start to build a portfolio. You have to show that you know more than just the theory in order to be taken seriously.

What are the most important skills for a would-be ethical hacker to develop?

The most important skill to learn isn’t really a skill, it’s just persistence. Ethical hackers must be dogged, refuse to give up and know how to work beyond the tools that they have.

The nature of hacking is doing things that you are not supposed to do. The goal is to make something happen that should not happen. By definition, this means everything is structured against you. Accomplishing anything is difficult; it’s supposed to be.

For example, think of a software application. A team of programmers, QA professionals, beta testers, compiler protections, etc. are all there to make the application do what it is designed to do. As a hacker, it’s your job to make it do something else. Your job is to make everyone else that worked on that application irrelevant. The goal is to make it do what you want it to do, rather than what it was designed for.

Despite the less-than-ideal state of cybersecurity today, this is still really hard. If you think it will be easy, this is not the field for you. Trying harder whenever you feel like giving up is critical for finding any kind of success.

What sort of employment could a prospective ethical hacker look forward to?

There is a wide range of jobs available for individuals with the right skill set and attitude. The obvious one is penetration testing. If you know how to break into systems, you might as well start down a career path that allows you to put those skills to work. Just remember that it’s a solid career option — but not the only option.

If you know how to break into systems, you theoretically should also have a better idea of how to protect them from getting broken into. Numerous system and network administrators are putting their time and effort into learning ethical hacking skills because of this idea — that knowing how to break something means you also gain a unique perspective on how to make it better.