How do you become an ethical hacker?

Ethical hacker silhouette walking through a keyhole, symbolising physical security and penetration testing
(Image credit: Shutterstock)

Often depicted as hooded basement-dwellers, faces lit only by blue light, hackers come in all shapes and sizes - and notably wear different coloured hats. The annoying, destruction-wielding hackers are known as black hats whereas those who use their hacking abilities for ethical, productive purposes are known as white hats.

Ethical hackers are in short supply in the industry and they serve an important purpose in the overall protection of modern businesses and other organisations. The old saying ‘attack is the best form of defence’ certainly rings true in the cyber security industry, and it’s why ethical hackers are paid handsomely for their services. Their role is to use their hacking abilities and knowledge of systems to find security vulnerabilities in software and infrastructure so they can be patched before criminals can exploit them.

Their work is invaluable to businesses that handle large quantities of sensitive or personally identifiable information, or those that are subject to tight regulations such as banking and financial services firms.

White hats can most commonly be found working in-house at businesses or independently, either as contractors or as modern-day bounty hunters - hackers who look for security vulnerabilities in companies that offer bug bounty programmes. There are a number of large companies such as Apple and Microsoft that offer lucrative bug bounties that increase in monetary reward based on how severe the vulnerability is.

There are a multitude of routes one can take to become an ethical hacker and, as previously mentioned, a number of different ways these hackers can monetise their skill set. The cyber security industry has been intent on attracting new talent to the scene and there is an abundance of resources to get you on your way to becoming a fully-fledged white hat.

What is an ethical hacker?

Before delving any deeper, it's important to clear up any misconceptions of what an ethical hacker is, rather than making judgements on what's morally right and wrong.


Jeff Schmidt, global head of business continuity, security and governance at BT, describes an ethical hacker as a computer security expert. They must specialise in penetration testing (i.e. working out how easy it is to break into computer systems) and other testing methods to ensure infrastructure is sufficiently secured against potential hacks.

However, another expert in the field of cyber security, Conrad Constantine, a research team engineer at AlienVault, thinks the description of any role as a "hacker," whether ethical or not, is irrelevant.

"Nobody says they are going to go see an ethical locksmith or an ethical lawyer do they?" he told IT Pro.

But what the role is called is simply semantics. It could be we decide to refer to them as a white hat hacker or penetration tester. The important differentiator between an ethical hacker and a criminal hacker is that the former carries out security testing with the full consent of the company they are working on behalf of.

If they did not have permission, the offence would be punishable under the Computer Misuse Act.

Ian Glover, chairman of CREST, prefers the penetration tester label and his definition goes a little further in that it recognises you need to be more than just a techie in order to truly fulfil the role. He believes you need to have consultancy skills as well.

A penetration tester, Glover says, has to be able to "communicate the results of the tests at a level tailored to the audience" and "provide technical consultancy and recommendations to customers as to how any reported vulnerabilities could be mitigated".

What certifications and training do ethical hackers need?

A group of people seated at desks during a training session

(Image credit: Shutterstock)

OK, so talking of the necessary skills for the job, what qualifications do you need? Peter Chadha, chief executive and founder of DrPete, reckons that all you need is "a vast amount of technical knowledge of IT systems and software and, in particular, how to exploit their vulnerabilities", but acknowledges that there are formal qualifications available.

"Most commonly the EC-Council Certified Ethical Hacker certification, a self-study or classroom course with a 200 multiple choice question exam at the end," Chadha says, adding: "Communications-Electronics Security Group (CESG) [now part of the National Cyber Security Centre] approval is also required for any penetration test on a company, and this is appointed by a government department."

This involves the CHECK scheme, where penetration testers prove themselves through practical examination under lab conditions. "There are two levels of approval," Chadha explains. "A penetration test member and a penetration test team lead, and government departments will require at least one team lead working on any project."


Phil Robinson, director of Digital Assurance and a Founder Associate Member of the Institute of Information Security Professionals, points towards the Tiger Scheme and CREST certifications. "There are entry level testing certifications, for those wishing to be part of a testing team and working under the management of a team leader, and senior testing certifications for more experienced individuals to either work on their own or to lead a team," Robinson told IT Pro.

"It also helps to have a reasonable general background and experience alongside certifications such as a Masters in Information Security," he added.

As far as the CREST certification is concerned, Ian Glover points out that in order to pass at the lower level a candidate will need "knowledge and skills on a wide range of relevant subjects, and in addition they would normally require two to three years regular and frequent practical experience, equating to about 6,000 hours experience and research." When it comes to the higher level that increases to five years or 10,000 hours.

Can cyber criminals become ethical hackers?

But what about if that 'experience and research' was largely garnered on, for want of a better phrase, the dark side? Can, and do, black hat hackers cross the divide and enter the legit world of the penetration tester?

Dominique Karg is the co-founder and brilliantly titled chief hacking officer at AlienVault. He has no problem with poachers turned gamekeeper.

"I think they're the only ones that can do the job well," he says, adding "I got my ethical hacking job that way. I had to choose between being taught something I already knew at the university or getting paid for what I liked to do anyway. The decision was easy."

Ian Glover agrees that we have to recognise where the industry has come from. "There are individuals within the industry that have crossed from the dark to the light," he says, but warns that the situation is changing very quickly.

"There is no reason now to have worked on the dark side to enter or progress in the industry," Glover argues, concluding "in fact the high ethical standards that CREST member companies sign up to would make it difficult for them to employ such individuals."

Marcus Ranum, chief security officer at Tenable Network Security, thinks that a track record as a recreational hacker simply shows errors in judgement and a willingness to put self-interest first. "That's not something that should impress a prospective client," he insists. "After all, if you were acting like a sociopath last month, why should I believe you're not one today?"

What kinds of ethical hacker job roles are available?

Much like how cyber security as an industry is somewhat of a catch-all term for different sub-fields, the term ‘ethical hacker’ also encompasses many different types of jobs, the most common and perhaps most glamorised being a penetration tester.

Penetration testers, or pen testers, are hired to probe a business for cyber security weaknesses through both digital and kinetic means. Some penetration testers are hired to assess the physical security of a company’s office building, for example, since this can be an entry point through which hackers could conduct local attacks. Other common job roles are security analysts, information security consultants, and network security specialists.

There are also opportunities to get involved in corporate red team-blue team exercises, which involve cyber security staff taking part in virtual war games to hone skills and ensure everyone is prepared to face a real cyber attack when the time comes. Ethical hackers will typically get drafted in to participate on the red team - the offensive team the company’s staff try to keep out of their systems - and these kinds of roles can often pay well too, especially on a contract or consultancy basis.

What's the average salary for an ethical hacker?

A pile of British pound sterling banknotes

(Image credit: Shutterstock)

Experts speaking to IT Pro all said that there is plenty of money to be made as an ethical hacker, with the demand for such talents far outweighing the supply. Newcomers to the job market can expect to make around £25,000, according to Ian Glover, while a registered professional with some experience could be looking at a salary in the region of £55,000. A team leader should be expecting even more; a sum north of £90,000 would be about right in the current market.

Peter Chadha adds that a penetration tester working as a contractor can easily earn between £400 and £500 a day. As for market buoyancy, Glover told IT Pro that "the demand for high-quality individuals working for professional companies far outstrips supply."

"The UK is seen as one of the leaders in this area and the opportunity to work on international projects is increasing every day."

John Yeo, director at Trustwave SpiderLabs, put it in a nutshell when he told us that given the recent uptick in mainstream media awareness of the types of malicious compromises that take place on a regular basis, and the reality that now cyber security is much higher on every organisation's executive agenda "in many respects it has never been better".

Another way to ethically make money from hacking is to take part in bug bounty programmes, which are used by companies like Google, Microsoft, Uber, and even PornHub to encourage hackers to discreetly report flaws instead of exploiting them. However, bug bounty programmes aren’t only reserved for major tech companies. The UK’s Ministry of Defence (MoD) recently introduced its own programme through which white hat hackers can disclose vulnerabilities to the UK government department without fear of prosecution.

Apple is especially well-known for handsomely rewarding its ethical hackers, having launched a bug bounty programme in 2016 which pays security experts between $25,000 (£18,000) and $1 million (£720,000) for a disclosed security issue. What's more, the company states that vulnerabilities which “were previously unknown to Apple” could potentially “result in a 50% additional bonus” added to the payout.

In October 2020, the tech giant paid a team of penetration testers at least $288,500 (£222,813) for finding and disclosing critical vulnerabilities in its network. Out of the 55 bugs reported by the team, the 11 most critical ones made it possible to access Apple’s infrastructure and use it to potentially steal confidential information such as private emails and iCloud data.

Only a few months prior, developer Bhavuk Jain managed to identify a security vulnerability in the "Sign in with Apple" feature which could have been used to enable hackers to take control of a user's account. For this discovery, the tech giant chose to award Jain with a $100,000 (£72,280) payout.

So what are you waiting for?

How to apply for a job as an ethical hacker

Who should you approach if you actually want to get started in the penetration testing field? We ask the experts...

  • Ian Glover: "Anyone interested in a career in the industry should contact CREST who will provide advice and guidance on the best way to enter and then progress in the industry. We are also working with a number of universities to provide internship and work placement opportunities for individuals, with a great deal of success."
  • Marcus Ranum: "Get a job working as an auditor. Penetration testing can be thought of as a 'more aggressive audit' and there's a lot of intellectual overlap in the field."
  • Jeff Schmidt: "The Cyber Security Challenge UK is a good starting point to get an understanding of the cyber learning opportunities and careers within the industry."
  • Peter Chadha: "Search for the equivalent of CESG team members and network with them to build connections and knowledge in this area."
  • John Yeo: "Invest the time and effort in going to conferences and get to know the various characters within the industries for which this isn't just a day job, but enjoy it so much that they're regulars on the conference circuit."
Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.