How do you become an ethical hacker?
We examine what certifications you need, what jobs are available and how much you can expect to be paid
What does a hacker look like? According to seemingly all stock images, they reside in dark rooms, wear hoodies, and their only light source is a computer screen - which is also their weapon of choice.
This imagery is largely inspired by movies, such as The Matrix or the more recent Girl with the Dragon Tattoo, and should be taken with a grain of salt. Modern hackers don't always fit this rather simplistic cliche. In reality, they could look just like the average person whom you would pass on the street, which is a key fact to remember when preventing social engineering hacks like shoulder surfing.
However, the image that a hacker is a shady figure in a dark room also negates the fact that not all are bad. Some are in it for the greater good. It's hard to believe, but some people dedicate their lives to preventing cyber attacks by actually conducting them. Once successfully inside a system, however, they then inform the owner of any vulnerabilities.
These types of hacking talent are in high demand, particularly with national security agencies. The people that usually fill these roles are known as 'white hat hackers' or occasionally 'ethical' hackers. The routes into this line of work vary; in the UK and the Netherlands, there are schemes that encourage code-savvy 12-19-year-olds to take up ethical hacking challenges, with the aim of pushing them towards a white hat hacker role in the future.
Since the demand for ethical hackers far exceeds supply, salaries tend to be much higher than those of average IT roles, especially within the first year. However, the industry fights a constant tug of war, as hackers motivated mainly by money may defect to criminal groups, given the potential financial reward on offer there. This is particularly true of those with intricate knowledge of protected industry secrets, which can be used against legitimate businesses.
What is an ethical hacker?
Before delving any deeper, it's important to clear up any misconceptions of what an ethical hacker is, rather than making judgements on what's morally right and wrong.
Jeff Schmidt, global head of business continuity, security and governance at BT, describes an ethical hacker as a computer security expert. They must specialise in penetration testing (i.e. working out how easy it is to break into computer systems) and other testing methods to ensure infrastructure is sufficiently secured against potential hacks.
However, another expert in the field of cyber security, Conrad Constantine, a research team engineer at AlienVault, thinks the description of any role as a "hacker," whether ethical or not, is irrelevant.
"Nobody says they are going to go see an ethical locksmith or an ethical lawyer do they?" he told IT Pro.
But what the role is called is simply semantics; we could just as well refer to them as white hat hackers or penetration testers. The important differentiator between an ethical hacker and a criminal hacker is that the former carries out security testing with the full consent of the company on whose behalf they are working.
If they did not have permission, the offence would be punishable under the Computer Misuse Act.
Ian Glover, chairman of CREST, prefers the penetration tester label and his definition goes a little further in that it recognises you need to be more than just a techie in order to truly fulfil the role. He believes you need to have consultancy skills as well.
A penetration tester, Glover says, has to be able to "communicate the results of the tests at a level tailored to the audience" and "provide technical consultancy and recommendations to customers as to how any reported vulnerabilities could be mitigated".
What certifications and training do ethical hackers need?
OK, so talking of the necessary skills for the job, what qualifications do you need? Peter Chadha, chief executive and founder of DrPete, reckons that all you need is "a vast amount of technical knowledge of IT systems and software and, in particular, how to exploit their vulnerabilities", but acknowledges that there are formal qualifications available.
"Most commonly the EC-Council Certified Ethical Hacker certification, a self-study or classroom course with a 200 multiple choice question exam at the end," Chadha says, adding: "Communications-Electronics Security Group (CESG) [now part of the National Cyber Security Centre] approval is also required for any penetration test on a company, and this is appointed by a government department."
This involves the CHECK scheme, where penetration testers prove themselves through practical examination under lab conditions. "There are two levels of approval," Chadha explains. "A penetration test member and a penetration test team lead, and government departments will require at least one team lead working on any project."
Phil Robinson, director of Digital Assurance and a Founder Associate Member of the Institute of Information Security Professionals, points towards the Tiger Scheme and CREST certifications. "There are entry level testing certifications, for those wishing to be part of a testing team and working under the management of a team leader, and senior testing certifications for more experienced individuals to either work on their own or to lead a team," Robinson told IT Pro.
"It also helps to have a reasonable general background and experience alongside certifications such as a Masters in Information Security," he added.
As far as the CREST certification is concerned, Ian Glover points out that in order to pass at the lower level a candidate will need "knowledge and skills on a wide range of relevant subjects, and in addition they would normally require two to three years regular and frequent practical experience, equating to about 6,000 hours experience and research." When it comes to the higher level that increases to five years or 10,000 hours.
Can cyber criminals become ethical hackers?
But what about if that 'experience and research' was largely garnered on, for want of a better phrase, the dark side? Can, and do, black hat hackers cross the divide and enter the legit world of the penetration tester?
Dominique Karg is the co-founder and brilliantly titled chief hacking officer at AlienVault. He has no problem with poachers turned gamekeepers.
"I think they're the only ones that can do the job well," he says, adding "I got my ethical hacking job that way. I had to choose between being taught something I already knew at the university or getting paid for what I liked to do anyway. The decision was easy."
Ian Glover agrees that we have to recognise where the industry has come from. "There are individuals within the industry that have crossed from the dark to the light," he says, but warns that the situation is changing very quickly.
"There is no reason now to have worked on the dark side to enter or progress in the industry," Glover argues, concluding "in fact the high ethical standards that CREST member companies sign up to would make it difficult for them to employ such individuals."
Marcus Ranum, chief security officer at Tenable Network Security, thinks that a track record as a recreational hacker simply shows errors in judgement and a willingness to put self-interest first. "That's not something that should impress a prospective client," he insists. "After all, if you were acting like a sociopath last month, why should I believe you're not one today?"
What kinds of ethical hacker job roles are available?
While 'ethical hacker' is a useful umbrella term, actual job roles in the field are listed under many different names. The most commonly advertised jobs are generally for penetration testers, but many similar roles are often labelled as 'security analysts', 'information security consultants', 'network security specialists' and the like.
You may also find these kinds of jobs advertised as 'red team' roles. Many organisations that practise this form of offensive security split their security staff into 'red teams' and 'blue teams'. Red teams assume the role of attackers, trying to compromise the network and outwit the internal security operatives on the blue team, whose job is to keep the business's systems safe.
How much money do ethical hackers make?
Assuming you have got this far and still want to enter the world of ethical hacking, how much can you expect to earn and just how buoyant is the job market? Ian Glover reckons that someone entering the market can expect to make in the region of £25,000. A registered level professional would expect to earn in the region of £55,000, while a team leader could be looking at £90,000-plus.
Peter Chadha adds that a penetration tester working as a contractor can easily earn between £400 and £500 a day. As for market buoyancy, Glover told IT Pro that "the demand for high-quality individuals working for professional companies far outstrips supply."
"The UK is seen as one of the leaders in this area and the opportunity to work on international projects is increasing every day."
John Yeo, director at Trustwave SpiderLabs, put it in a nutshell when he told us that, given the recent uptick in mainstream media awareness of the types of malicious compromises that take place on a regular basis, and the reality that cyber security is now much higher on every organisation's executive agenda, "in many respects it has never been better".
Another way to ethically make money from hacking is to take part in a bug bounty programme. Such programmes are used by companies like Google, Microsoft, Uber, and even PornHub to encourage hackers to discreetly report flaws instead of exploiting them. However, bug bounty programmes aren't only reserved for major tech companies. The UK's Ministry of Defence (MoD) recently introduced its own programme through which white hat hackers can disclose vulnerabilities to the UK government department without fear of prosecution.
Apple is especially well-known for handsomely rewarding its ethical hackers, having launched a bug bounty programme in 2016 which pays security experts between $25,000 (£18,000) and $1 million (£720,000) for a disclosed security issue. What is more, the company states that vulnerabilities which “were previously unknown to Apple” could potentially “result in a 50% additional bonus” added to the payout.
In October 2020, the tech giant paid a team of penetration testers at least $288,500 (£222,813) for finding and disclosing critical vulnerabilities in its network. Out of the 55 bugs reported by the team, the 11 most critical ones made it possible to access Apple’s infrastructure and use it to potentially steal confidential information such as private emails and iCloud data.
Only a few months prior, developer Bhavuk Jain managed to identify a security vulnerability in the "Sign in with Apple" feature which could have been used to enable hackers to take control of a user's account. For this discovery, the tech giant chose to award Jain with a $100,000 (£72,280) payout.
So what are you waiting for?
How to apply for a job as an ethical hacker
Who should you approach if you actually want to get started in the penetration testing field? We ask the experts...
- Ian Glover: "Anyone interested in a career in the industry should contact CREST who will provide advice and guidance on the best way to enter and then progress in the industry. We are also working with a number of universities to provide internship and work placement opportunities for individuals, with a great deal of success."
- Marcus Ranum: "Get a job working as an auditor. Penetration testing can be thought of as a 'more aggressive audit' and there's a lot of intellectual overlap in the field."
- Jeff Schmidt: "The Cyber Security Challenge UK is a good starting point to get an understanding of the cyber learning opportunities and careers within the industry."
- Peter Chadha: "Search for the equivalent of CESG team members and network with them to build connections and knowledge in this area."
- John Yeo: "Invest the time and effort in going to conferences and get to know the various characters within the industries for which this isn't just a day a job, but enjoy it so much that they're regulars on the conference circuit."