Private enterprises and public entities are looking for ways to better protect information and preserve the integrity of their data, while individuals want to ensure that the internet remains open and provides equal access to information to all. People are now being recognized as a powerful tool to solve these problems.
As a result, the negative perception surrounding hackers is shifting. Most large technology companies run notable bug bounty programs, including Google, Apple and Tesla. Recently the U.S. government added programs such as “HackthePentagon”and “HacktheArmy,” and the recent Department of Defense Vulnerability Disclosure Policy.
In ride the “Ethical Hackers” – the new white knights of the cybercrime world.
So. what makes a good hacker?
Anatomy of a hacker
It’s not that hard to be a good hacker. Odds favor hackers because while the organizations they target have to make sure every tool, system and interaction is secure, the hacker needs to find just that one vulnerability – that one open seam in an organization; that one employee who will click a phishing email to gain access; or that one vulnerability that allows a data breach.
Personality Traits of a Great Hacker
Great hackers, good and bad, have 4 critical personality traits:
Curious: Great hackers have a natural curiosity. They continually ask why a certain system works the way it does, how an organization operates, what the responsibilities of their victim are—until they get down to the very root of that technology or user persona. Assumptions and opinions that have not been vetted through curiosity are a sure-fire way to be unsuccessful or, worse, get caught.
Social: Every hacker attacks technology, but smart hackers attack people, and great hackers know when to do either, neither or both. Hackers must be curious about people as much as they are about technology. People have proven repeatedly to be the weakest link when it comes to security, accounting for 63% of breaches. Great hackers recognize this weakness and strive to understand the psychology of whom they are attacking. A hacker can find vulnerabilities to exploit by understanding how his victim thinks and operates. A great ethical hacker learns the same information and uses it to countermand the bad guys.
Adaptable: Great hackers learn from their triumphs and failures—especially from the community at large. Many hackers get caught after decades of success because they overestimate their ability to be covert. They must adapt their tactics, techniques and procedures to accomplish what they set out to do.
Motivated: The hacker that makes headlines is the one usually the bad guy motivated by financial gain, to influence politics, or even to just embarrass a victim. The hackers our times need most are those who are motivated to protect the people and organizations that could be potential targets—the ones who are motivated by doing the right thing. It’s that very motivation that is the biggest differentiator between who hacks to protect the integrity of data and who hacks to disrupt it—which brings me to an important aspect of the need to bolster our cyber defense that is less discussed.
There’s no question that given today’s threat landscape, leveraging great ethical hackers to protect the integrity of data and our access to information is a logical way forward. We just need to ensure these individuals have a strong moral compass and ultimately will help make cyberspace safer for all. We all need to contribute in playing whatever part we can—to educate, train, join forces or simply encourage such global citizens.
How do you become an Ethical Hacker?
What you need to do to get started on the road to becoming an ethical hacker depends on where you are in the IT field.
Start with the basics: Earn your A+ Certification and get a tech support position. After some experience and additional certification (Network+ or CCNA), move up to a network support or admin role, and then to network engineer after a few years. Next, put some time into earning security certifications (Security+, CISSP, or TICSA) and find an information security position. While you’re there, try to concentrate on penetration testing–and get some experience with the tools of the trade.
For a hacker, networking know-how is vital; but make sure that you gain experience in related areas as well. Discover and play with Unix/Linux commands and distributions. Make sure you also learn some programming–maybe C, LISP, Perl, or Java. And spend some time with databases such as SQL.
It’s important never to engage in “black hat” hacking–that is, intruding or attacking anyone’s network without their full permission. Engaging in illegal activities, even if it doesn’t lead to a conviction, will likely kill your ethical hacking career. Many of the available jobs are with government-related organizations and require security clearances and polygraph testing. Even regular companies will perform at least a basic background check.
Becoming a Certified Ethical Hacker (CEH)
Becoming a Certified Ethical Hacker (CEH) involves earning the appropriate credential from the EC-Council after a few years of security-related IT experience. The certification will help you understand security from the mindset of a hacker. You’ll learn the common types of exploits, vulnerabilities, and countermeasures.
Qualification for a CEH (a vendor-neutral certification) involves mastering penetration testing, foot-printing and reconnaissance, and social engineering. The course of study covers creating Trojan horses, backdoors, viruses, and worms. It also covers denial of service (DoS) attacks, SQL injection, buffer overflow, session hijacking, and system hacking. You’ll discover how to hijack Web servers and Web applications. You’ll also find out how to scan and sniff networks, crack wireless encryption, and evade IDSs, firewalls, and honeypots.
Through approved EC-Council training partners, you can take a live, five-day onsite or online training course to prepare for the CEH cert. You can generally take live online classes over five consecutive days; onsite courses typically offer the content spread over a couple weeks for locals. In addition, you can take self-paced courses and work with self-study materials (including the CEH Certified Ethical Hacker Study Guide book) with or without the training courses. The EC-Council also offers iLabs, a subscription based-service that allows you to log on to virtualized remote machines to perform exercises.
The EC-Council usually requires that you have at least two years of information-security-related work experience (endorsed by your employer) in addition to passing the exam before it will award you the official CEH certification.
So, are you in?