By Tara Savage, Security Marketing Manager, BT
Becoming a certified ethical hacker (also known as a white-hat hacker) is something most security professionals think about at one time or another during their career.
But apart from giving you a seriously cool job title for your business card, what’s actually involved and could it be for you?
Here’s the lowdown from those in the know.
Dispelling the myths — what is an ethical hacker?
We’re talking about a computer security expert who specialises in penetration testing and other testing methodologies to make sure an organisation’s information systems are secure.
Usually an ethical hacker is someone with a spotless reputation who is employed by an organisation to try to penetrate networks and/or computer systems in the same way that a hacker would. However, the difference is that a white hat hacker will use the information they find about security vulnerabilities to find and fix weaknesses, rather than exploit them.
What makes it ethical (and not criminal) is that the owner of the systems and networks to be ‘attacked’ has given legal consent to the work via a signed ethical hacking agreement.
What’s the dream career path to become a sought-after white hat hacker?
It all starts with qualifications.
There are several qualifications available (and the amount of theory involved does vary between them) but they all prepare you for CREST (Council of Registered Ethical Security Testers) and Tiger certification (backed by university standards), providing a recognised career path into and up through the industry.
Step one is to achieve the CREST registered tester qualification.
CSTA (Certified Security Testing Associates), CSTP (Certified Security Testing Professional) and CWSA (Certified Wireless Security Analyst) certification training are all aligned with this examination.
Step two is to achieve the exclusive CREST Certified tester accreditation.
And step three is to go on to CAST (Certified Associate in Software Testing) certification.
Is it possible to exchange a black hat for a white? Can recreational hackers apply?
Because the work is all about trust, reputation and background are important: most companies will require security professionals to be free from any criminal record and, in some cases, to hold relevant security clearances. They may also require ethical hackers to sign non-disclosure and confidentiality agreements, since the nature of the work gives the white hatters access to the most sensitive of information.
This makes companies very cautious and worried about brand and reputational damage should an ethical hacker turn out not to be so ethical, so they’ll tend to go for the safe option of penetration testing companies that are part of the CHECK scheme or are CREST or Tiger registered.
Ex-hackers have been hired in the past, but it is more the exception than the rule.
What’s the salary for being a good guy?
A quick search online will show that a seasoned and experienced professional can command anywhere up to a six-figure sum.
However, for a lot of people in the profession, the chosen career path is more about a genuine desire to make a difference; typically most ethical hackers are passionate about their field in cyber security.
Will ethical hackers ever be out of a job?
It’s unlikely. The market’s extremely buoyant at the moment and demand is unlikely to decrease in the longer term either. 2011 alone was dubbed “the year of the hack”, bringing awareness of data breaches and brand and reputational damage into the boardroom. Awareness is still growing, and the need for ethical hacking services is now on every CISO’s agenda.