Ethical Hackers: Hacking for Fun and Profit
As information security becomes more important, the term “ethical hacker” is becoming common. Few people, however, understand what this means or the skills required to be an ethical hacker.
Searchsecurity.com, a well-known source for security information, offers the following definition of an ethical hacker: “An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less-principled counterparts but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the ‘good guy’ wore a white hat and the ‘bad guy’ wore a black hat.”
Unfortunately, many security professionals disagree on what constitutes a “hacker.” Some believe that with the proper training, anyone can become a hacker, while others feel hacking is more of an art than a science, meaning that it is something that cannot truly be taught. Either way, becoming an ethical hacker requires a variety of skills and background knowledge.
Ethical hackers come from a wide range of backgrounds. Some start as programmers, while others begin as network administrators. Despite these differences, the primary factor motivating most individuals to become an ethical hacker is an extreme interest in information security. No matter what the background, most successful ethical hackers are resourceful and able to adapt to different situations.
To attain this goal, many skills are necessary. The first is the ability to write programs in many programming languages, especially C, C++, Perl, Python, and Ruby. For those working with Web applications, Microsoft .NET and PHP are especially useful. Knowledge of assembly language is also essential for those who want to analyze disassembled binaries. Even for those who do not come from a programming background, some programming ability is highly recommended.
Knowledge in many areas of technology is also required to be a successful ethical hacker. Knowledge of a variety of operating systems, especially Microsoft Windows and various versions of Linux, is critical. Experience with various network devices, including switches, routers and firewalls, is also very important.
Further, an ethical hacker needs in-depth networking knowledge, including what “normal” packets look like. By using this knowledge and various programs, a hacker can craft custom packets that assist in information gathering and compromising the network. When combined with the ability to write programs, an ethical hacker can build any tools necessary for the task at hand.
An ethical hacker also should have a basic understanding of TCP/IP protocols such as SMTP, ICMP and HTTP. This allows ethical hackers to confirm the results from automated scans instead of just relying on what the automated test says. This is essential for ensuring accurate reports.
In addition to technical skills, an ethical hacker needs a number of soft skills. The first of these is the ability to write effectively, which is critical when writing reports that summarize the results of a penetration test or writing the details of new exploits. Ethical hackers also need critical-thinking skills. They need to be able to follow precise methodologies in their work and thoroughly analyze data. This helps ensure consistent and accurate results are obtained.
Perhaps the most important skill, however, is adaptability. When testing software and systems, ethical hackers never know what will come up, so the ability to be resourceful and flexible is vital.
Due to the skills required, ethical hackers are capable of performing a wide range of security-related jobs. However, quite often, ethical hackers are involved in testing networks and software for vulnerabilities. Such tests consist of using the same steps and programs outside attackers use in an effort to find and resolve potential security problems before the bad guys do the same. When testing applications, an ethical hacker reports the problems found to the software vendor so the problems can then be resolved, hopefully before the vulnerability becomes known to those with less scrupulous ethics.
As with the job type, ethical hackers can work for a variety of employers. Some work for large corporations, testing systems and networks for vulnerabilities, while others work for or start independent consulting firms that offer similar services to their customers. Many ethical hackers are also employed by various government agencies. In these cases, appropriate security clearances are required.
Certifications and Training
Due to the popularity of ethical hacking, many related certifications have begun to appear, along with associated training, which attempt to provide potential ethical hackers with a way to gain critical skills and validate them to employers.
The Certified Ethical Hacker (CEH) from EC-Council introduces candidates to the tools hackers use so those same tools can be used to help secure the network from malicious individuals. In addition to the CEH, EC-Council has developed other certifications for those with more advanced skills. The EC-Council Certified Security Analyst (ECSA) is designed to complement the CEH certification by teaching the candidates how to analyze the data gathered with the tools covered on the CEH exam.
After attaining the CEH and ECSA certifications, ethical hackers can choose to attain another certification from EC-Council, the Licensed Penetration Tester (LPT). Unlike most certifications, the LPT does not require any exams other than the previously earned CEH and ECSA. Instead, the LPT requires candidates to agree to a code of ethics, provide evidence of professional experience and submit to a criminal background check. In addition, they must attend a special LPT workshop.
Another certification for those interested in penetration testing is the Certified Pen Testing Specialist (CPTS), offered by Mile 2. This certification is similar to the CEH. In fact, according to Mile 2, the training course for the CPTS also prepares attendees for the CEH exam.
One certification that appears to be gaining some popularity is the OSSTMM Professional Security Tester Accredited Certification (OPST) from the Institute for Security and Open Methodologies (ISECOM). This international organization, created in 2001, also has developed a methodology for performing security tests, the Open Source Security Testing Methodology Manual (OSSTMM). From this experience, it created the OPST certification, which tests the methodology used more than the tools.
A companion to the OPST is the OSSTMM Professional Security Analyst (OPSA), also offered by ISECOM. While the OPST is about gathering data, the OPSA is about analyzing that data. The combination of both certifications qualifies the certification holder as an OSSTMM Auditor. Another popular certification is the SANS GIAC Certified Incident Handler (GCIH). This certification and the accompanying training help candidates understand the techniques and utilities those with malicious intent use. SANS also offers other certifications potential ethical hackers might consider, including the GIAC Web Application Security (GWAS) and GIAC Certified Intrusion Analyst (GCIA) certifications.
Steve Fletcher has more than 10 years of experience as an IT consultant with a focus on information security. He can be reached at editor (at) certmag (dot) com.