What does an Ethical Hacker do?

There is a stigma attached to the word ‘hacking’, and for very good reason. Hacking is associated with malicious and unauthorised intrusion into a computer or network by an outside party or system, with the express aim of stealing, sabotaging, damaging or compromising systems, software or data. As individuals who can undertake such an operation, often without leaving any trace of their identity or origin, hackers are highly experienced and skilled, often with a background in coding and programming.

In this article, we’re going to take a look at the area of cyber security known as ethical hacking (also referred to as penetration testing), what ethical hackers do and exactly when and why hacking can ever be ethical.

When is Hacking Ethical?

Hacking becomes ethical when its purpose is to identify the risks and vulnerabilities of a given system or network to outside attack. By attempting to bypass a system’s security measures, ethical hackers can expose inherent flaws and then deploy effective countermeasures and fixes to improve the system’s overall cyber security. For this reason, ethical hackers must be able to put themselves into the shoes of a would-be cybercriminal or cyber terrorist in order to best try to outwit the target system’s security.

Because ethical hackers use the same techniques as malicious hackers, many are themselves reformed hackers who have been headhunted by security agencies or the IT security departments of large companies. In this sense, ethical hacking is inherently the same as malicious hacking in its methodology and practice. Crucially, though, the end goal is exposure, not exploitation.

How does an Ethical Hacker help improve Cyber Security?

An ethical hacker’s first task is to seek to understand and learn how a system operates and its underlying cyber security measures. They will then research and meticulously document their attempts at bypassing that system’s security, before discussing their findings with those responsible for designing the IT security infrastructure, as well as senior management. The results of the investigations are then used by the organisation to fix any backdoors or vulnerabilities in their system. They will then work closely with the teams responsible for implementing these fixes, often to re-test them and identify any remaining vulnerabilities or unintended consequences.

In planning their methods and investigations, an ethical hacker must approach a system from a hacker’s perspective. While doing so, they must also keep in the back of their mind the real-world consequences of the possible cyber security attacks. ‘What would an attacker do? Bypass first-level security? Make illegal wire transfers? Steal customer information? How can the system not only prevent such malicious attacks, but quickly identify and recover from them?’

The ethical hacker must carry out their work through an open process, so that managers and the IT team share an understanding of their system’s vulnerable points and of how to counter highly skilled malicious attacks.

Information security, the industry to which ethical hacking belongs, is still young and developing. There is a significant lack of knowledge of what ethical hacking is and what its results should include. Because of that, the roles, responsibilities and tasks of an ethical hacker can vary greatly from day to day.

How to become an Ethical Hacker

The job market for ethical hackers continues to grow, along with the cases of cybercrime that organisations are subjected to. The role can go by the titles of Information Security Analyst, Security Consultant, or simply Ethical Hacker. In the UK the average annual salary of an ethical hacker / penetration tester is £37,442.

Whilst there are no mandatory qualifications for becoming an ethical hacker, successful candidates will have a strong background in coding and programming and several years’ experience working in IT or IT security.

For those wishing to pursue a career in penetration testing, a foundation course in IT security, such as the CompTIA Security+ and Network+ qualifications or an ISO27001 Foundation course, is recommended. For those with experience in IT security, the Certified Ethical Hacker course is very relevant, but more general cyber security courses such as the Certified Information Systems Security Professional (CISSP) can also lead to a role in penetration testing. You may then consider specialising in ethical hacking by obtaining a more advanced certification such as the OSCP or the Kali Certified Penetration Tester qualification.

One of the most important factors to become a good ethical hacker is to learn how a hacker thinks. Hacking is not all about technical knowledge. It involves tactical and strategic thinking, problem solving and a certain degree of creativity. As controversial as it might be to say it, the reason that some of the best ethical hackers in the world are former cybercriminals is that they have more experience than most of thinking like a criminal.

If you’re reading this, though, it’s likely that you don’t have a background in cybercrime. If that’s the case, one way to demonstrate your aptitude for penetration testing is to build your own testing environment in which you can practise and document your results. This will also help you learn in a simulated real-world environment, giving you vital experience that is very hard to gain in a classroom.

Is a Degree in Cyber Security worth it?

Cyber security professionals at the start of their career can expect to have the fastest growing salaries in the UK, according to Robert Half. But many people wanting to go into IT security are still confused as to the career path to take. In this article we’re going to take a look at cyber security degrees and whether they’re the best route into the profession.


The Case for getting a Cyber Security Degree

Let’s make no mistake; cyber security is not an easy field to get into without a degree. Whilst it’s by no means impossible and there are cyber security professionals without one, the odds of landing a solid entry job are stacked considerably more in your favour if you have a relevant degree under your belt.

Of course, experience and industry-recognised cyber security certification are also essential, but most entry-level cyber security jobs will require you to have a relevant degree. A degree in cyber security would obviously qualify you, but so too would degrees in many related fields such as forensic computing and computer science.

STEM subjects (Science, Technology, Engineering and Mathematics) are also relevant entry points into the field of cyber security. Although these subjects aren’t themselves directly related to IT and IT security, they do teach students relevant disciplines such as logical thinking, problem solving, solving equations and mathematical rigour. Many of these are directly applicable to programming, coding and other related fields.

Whilst many will argue that experience and relevant IT certification trump a degree when it comes to applicable knowledge and practical skill development, the fact is that almost all entry-level IT security jobs will require a degree. In this sense a degree in computer science or any STEM subject should be seen as an absolute must.

The Case for getting a Cyber Security Master’s Degree

Of course, the educational route needn’t stop at degree level, and many universities now offer master’s degrees in cyber security or information security (infosec). The jury still seems to be out on just how useful a master’s degree is compared to relevant experience and certification. It really depends on the field you want to go into and what the expectations are. If you have an idea of where you’d like to end up, then it makes sense to find those jobs online and see what the entry requirements are.

There are quite a lot of forum discussions on this online, but this typically impassioned thread from Reddit is pretty illuminating, especially from the point of view of becoming a penetration tester (ethical hacker).

PostGrad.com has put together a list of the ten best cyber security related master’s courses in the UK and Europe, which is well worth checking out. GCHQ in the UK also approves certain postgraduate courses, and CBR have listed their top ten master’s courses here.

Is a Cyber Security Degree more Important than Certification?

Bachelor’s degrees in cyber security are not an alternative to taking relevant courses and qualifications in cyber security and shouldn’t be seen as such. It’s extremely important to separate education (GCSEs, A Levels, Degree, Master’s Degree, etc.), certification (CISSP, Certified Ethical Hacker, etc.) and experience (industry, internships, setting up your own testing environment, etc.).

Employers will look at all three areas separately, and being educated to degree level will show academic commitment as much as it will show relevant education in the field. The one area I haven’t mentioned here is soft skills, which can in part be honed through experience, tutorship and professional development.

What will you learn on a Bachelor’s Degree Course?

Cyber security degrees will focus on the information security aspect of computing, whilst computer science degrees can be tailored to specialise in cyber security related fields. With both you will learn some key principles relating to IT security including:

• The fundamentals of cybercrime, including common methods and motivations
• Digital forensics, what it is and how it can help uncover cyberattacks and trace attackers
• Strategies for protecting information systems and networks
• Use of common programs that can monitor and track cybercrime online
• Common logical mathematics, programming and coding

What you study will depend on the particular course you are taking and any specific modules you opt for within that degree. It pays to have an idea of what you want to do post university so you can tailor your course to the career you most want to pursue.

Post Graduate Job Opportunities

In 2012, US State Department senior advisor Alec Ross said “If any college student asked me what career would most assure 30 years of steady, well-paying employment, I would respond, ‘cybersecurity’.” This was a pertinent comment six years ago, and it is arguably more pertinent today, especially in the light of a growing IT recruitment crisis.

But knowing what area or field to get into can be difficult at this early stage of your cyber security career. One thing’s for sure: you’ll almost certainly need to acquire some certification or qualifications on your journey. It’s also likely that your employer will pay for you to do this to fast-track your career.

Two jobs that often represent the first step on the cyber security ladder are Network Security Engineer and Security Administrator, both of which are responsible for the day-to-day administration of an organisation’s cyber security infrastructure.

For more information on the various roles out there, check out our sister site’s guide to cyber security job salaries in the UK.

For league tables on all UK computer science degrees, check out this site.