So, you want to be an ethical hacker?
If you are the kind of person who gets just a little breathless at the very mention of malware and decidedly dizzy when yet another DDoS attack makes the headlines, perhaps you should consider a career as an ethical hacker? But how do you become one? Davey Winder has been investigating...
Ethical hacking defined
The first question that needs answering is just what an ethical hacker is. Jeff Schmidt, global head of business continuity, security and governance at BT, defines an ethical hacker as a "computer security expert, who specialises in penetration testing and other testing methodologies to make sure an organisation's information systems are secure." This sounds about right to me.
Conrad Constantine, a research team engineer at AlienVault, is not so happy about the whole ethical hacker term in the first place though, telling IT Pro "putting the word ethical as a qualifier to hacker implies that there is something inherently unethical about hacking. Nobody says they are going to go see an ethical locksmith or an ethical lawyer do they?"
By ethical hacker surely we mean pen tester. Whether you call the job ethical hacking, white hat hacking or penetration testing is up to you. The main thing is that it is being done with the full consent of the company whose resources are being explored. Otherwise it would remain a crime under the Computer Misuse Act.
Ian Glover, chairman of CREST, prefers the penetration tester label and his definition goes a little further in that it recognises you need to be more than just a techie in order to truly fulfil the role. He believes you need to have consultancy skills as well.
A penetration tester has to be able to "communicate the results of the tests at a level tailored to the audience", Glover says, and "provide technical consultancy and recommendations to customers as to how any reported vulnerabilities could be mitigated".
OK, so talking of the necessary skills for the job, what qualifications do you need? Peter Chadha, chief executive and founder of DrPete, reckons that all you need is "a vast amount of technical knowledge of IT systems and software and, in particular, how to exploit their vulnerabilities" but acknowledges that there are formal qualifications available.
"Most commonly the EC-Council Certified Ethical Hacker certification, a self-study or classroom course with a 200 multiple choice question exam at the end," Chadha says, adding "Communications-Electronics Security Group (CESG) approval is also required for any penetration test on a company, and this is appointed by a government department."
This involves the CHECK scheme, where penetration testers prove themselves through practical examination under lab conditions. "There are two levels of approval" Chadha explains "a penetration test member and a penetration test team lead, and government departments will require at least one team lead working on any project."
Phil Robinson, director of Digital Assurance and a Founder Associate Member of the Institute of Information Security Professionals points towards the Tiger Scheme and CREST certifications. "There are entry level testing certifications, for those wishing to be part of a testing team and working under the management of a team leader, and senior testing certifications for more experienced individuals to either work on their own or to lead a team," Robinson told IT Pro.
"It also helps to have a reasonable general background and experience alongside certifications such as a Masters in Information Security," he added.
As far as the CREST certification is concerned, Ian Glover points out that in order to pass at the lower level a candidate will need "knowledge and skills on a wide range of relevant subjects, and in addition they would normally require two to three years regular and frequent practical experience, equating to about 6,000 hours experience and research." When it comes to the higher level that increases to five years or 10,000 hours.
Feel the force
But what about if that 'experience and research' was largely garnered on, for want of a better phrase, the dark side? Can, and do, black hat hackers cross the divide and enter the legit world of the penetration tester?
Dominique Karg is the co-founder and brilliantly titled chief hacking officer at AlienVault. He has no problem with poachers turned gamekeeper.
"I think they're the only ones that can do the job well" he says, adding "I got my ethical hacking job that way. I had to choose between being taught something I already knew at the university or getting paid for what I liked to do anyway. The decision was easy."
Ian Glover agrees that we have to recognise where the industry has come from. "There are individuals within the industry that have crossed from the dark to the light," he says, but warns that the situation is changing very quickly.
"There is no reason now to have worked on the dark side to enter or progress in the industry," Glover argues, concluding "in fact the high ethical standards that CREST member companies sign up to would make it difficult for them to employ such individuals."
Marcus Ranum, chief security officer at Tenable Network Security, thinks that a track record as a recreational hacker simply shows errors in judgement and a willingness to put self-interest first. "That's not something that should impress a prospective client," he insists. "After all, if you were acting like a sociopath last month, why should I believe you're not one today?"
Assuming you have got this far and still want to enter the world of ethical hacking, how much can you expect to earn and just how buoyant is the job market? Ian Glover reckons that someone entering the market can expect in the region of £25,000. A registered level professional would expect to earn in the region of £55,000 and a team leader could be looking at £90,000-plus.
Peter Chadha adds that a penetration tester working as a contractor can easily earn between £400 and £500 a day. As for market buoyancy, Glover told IT Pro that "the demand for high quality individuals working for professional companies far outstrips supply."
"The UK is seen as one of the leaders in this area and the opportunity to work on international projects is increasing every day."
John Yeo, director at Trustwave SpiderLabs, put it in a nutshell when he told us that given the recent uptick in mainstream media awareness of the types of malicious compromises that take place on a regular basis, and the reality that now cybersecurity is much higher on every organisation's executive agenda "in many respects it has never been better".
So what are you waiting for?
Applying for the job
Who should you approach if you actually want to get started in the penetration testing field? We ask the experts...
Ian Glover: "Anyone interested in a career in the industry should contact CREST who will provide advice and guidance on the best way to enter and then progress in the industry. We are also working with a number of universities to provide internship and work placement opportunities for individuals, with a great deal of success."
Marcus Ranum: "Get a job working as an auditor. Penetration testing can be thought of as a 'more aggressive audit' and there's a lot of intellectual overlap in the field."
Jeff Schmidt: "The Cyber Security Challenge UK is a good starting point to get an understanding of the cyber learning opportunities and careers within the industry."
Peter Chadha: "Search for the equivalent of CESG team members and network with them to build connections and knowledge in this area."
John Yeo: "Invest the time and effort in going to conferences and get to know the various characters within the industries for which this isn't just a day job, but enjoy it so much that they're regulars on the conference circuit."