We often hear the term 'ethical hacker', but what exactly does this involve and is it something you can actually make a career out of?
We spoke to Jim O'Gorman president of online penetration testing training provider Offensive Security to find out what being an ethical hacker is all about and what skills you need if you want to become one.
BN: How would you define an ethical hacker?
JO: I think the best definition would be someone that will not cause any harm based on their hacking activities, and is taking the actions with the approval of all proper parties. They might technically be a penetration tester, someone chasing bug bounties, an auditor, or some other title. But it all falls under the moniker of 'ethical hacking.' Permission is the key. If you haven't obtained permission before taking action it’s not really ethical hacking.
BN: What are some of the biggest misconceptions about ethical hackers?
JO: When people talk about the work that hackers do, they typically focus on the fun parts. Yet, while the fun parts are cool, they're just one extremely small component of the work. Educating yourself, reading tool outputs, implementing, automating, and writing reports take up the bulk of an ethical hacker’s time. By comparison, the actual 'hacking' is a very small part of the equation. While each of these phases can be rewarding, it's not the sort of activity that people typically think of when discussing ethical hacking. There is a reason this is still work, not just a game.
BN: Say a hacker finds a vulnerability -- how deep should they penetrate into an environment before alerting the company?
JO: This needs to all be defined before the work starts -- and should never be in question. For a bug bounty program, this is a critical concept that must be laid out before any work gets done. In the case of an assessment, this is defined in the statement of work.
As for what should be in the statement of work, that really depends on the goals of the assessment and the desire of the stakeholders. Is the point of the assessment to identify vulnerabilities so that they can be remedied? Or is it to demonstrate the worst case scenario if the organization falls under targeted attack? Or something else? How the organization answers these questions defines the level and amount of work to be done.
BN: What advice would you give to anyone wanting to start a career as an ethical hacker?
JO: Get hands-on experience. Just getting a degree isn't enough. In order to prove you can offer something to an organization, you need to demonstrate that you can do the actual work. Get involved in an open source project and start to build a portfolio. You have to show that you know more than just the theory in order to be taken seriously.
BN: What are the most important skills for a would be ethical hacker to develop?
JO: The most important skill to learn isn't really a skill, it's just persistence. Ethical hackers must be dogged, refuse to give up and know how to work beyond the tools that they have.
The nature of hacking is doing things that you are not supposed to do. The goal is to make something happen that should not happen. By definition, this means everything is structured against you. Accomplishing anything is difficult; it's supposed to be.
For example, think of a software application. A team of programmers, QA professionals, beta testers, compiler protections, etc. are all there to make the application do what it is designed to do. As a hacker, it's your job to make it do something else. Your job is to make everyone else that worked on that application irrelevant. The goal is to make it do what you want it to do, rather than what it was designed for.
Despite the less than ideal state of cybersecurity today, this is still really hard. If you think it will be easy, this is not the field for you. Trying harder whenever you feel like giving up is critical for finding any kind of success.
BN: What sort of employment could a prospective ethical hacker look forward to?
JO: There are a wide range of jobs available for individuals with the right skill-set and attitude. The obvious one is penetration testing. If you know how to break into systems, you might as well start down a career path that allows you to put those skills to work. Just remember that it’s a solid career option -- but not the only option.
If you know how to break into systems, you theoretically should also have a better idea of how to protect them from getting broken into. Numerous system and network administrators are putting their time and effort into learning ethical hacking skills because of this idea -- that knowing how to break something means you also gain a unique perspective on how to make it better.
BN: What are the downsides of working as an ethical hacker?
JO: First and foremost, an ethical hacker's work is frustrating by nature. Most people don't understand what ethical hackers do -- and sometimes doing your job right means ruining someone else’s day. That’s never fun.
A significant industry problem is the adversarial attitude that many have towards a lot of assessment work. The goal is to provide value to the organization that is getting the assessment. But for the practitioners it can often devolve into the hackers wanting to 'win' by breaking in, and the defender wanting to 'win' by keeping them out. Too often we see employees defending their egos rather than focusing on adding value for an organization.
Instead, what you want to do is have both sides work together to truly understand the defenses, and understand how certain attacks are (or aren't) bypassing them. Collaboration can make testing and protection more effective, leading to adversaries not bothering with your organization's systems because they're simply 'too much work.'