How To Become A White Hat Hacker
Ethical hacking is the perfect career choice for those interested in problem solving, communication and IT security. Here's what it takes to become a white hat hacker.
A white hat hacker, or ethical hacker, uses penetration testing techniques to test an organization's IT security and to identify vulnerabilities. IT security staff then uses the results of such penetration tests to remediate vulnerabilities, strengthen security and lower an organization's risk factors.
Penetration testing is never a casual undertaking. It involves lots of planning, which includes getting explicit permission from management to perform tests, and then running tests as safely as possible. These tests often involve the very same techniques that attackers use to breach a network for real.
Background and Education Requirements
White hat hacking involves a great deal of problem solving, as well as communication skills. A white hat hacker also requires a balance of intelligence and common sense, strong technical and organizational skills, impeccable judgement and the ability to remain cool under pressure.
At the same time, a white hat needs to think like a black hat hacker, with all of their nefarious goals and devious skills and behavior. Some top-rate white hat hackers are actually former black hat hackers who got caught, and for various reasons decided to leave a life of crime behind and put their skills to work in a positive (and legal) way.
There is no standard education criteria for a white hat hacker — every organization can impose its own requirements on that position — but a bachelor's or master's degree in information security, computer science or even mathematics can provide a strong foundation.
For those who aren't college bound, a military background, especially in intelligence, can help your resume get noticed by hiring managers. Military service is also a plus for employers who require security clearances.
A number of white hat hacking and security-related IT certifications can help a candidate get a foot in the door, even without copious amounts of hands-on experience.
Achieving the Certified Ethical Hacker (CEH) certification from the EC-Council is one recommended starting point. The CEH is a vendor-neutral credential, and CEH certified professionals are in high demand. The median salary of an ethical hacker is about $72,000, according to PayScale, and the top range can climb to well higher than $100,000. On the consulting side, the EC-Council states that CEH professionals can expect to be paid $15,000 to $ 45,000 per assignment.
The intermediate-level CEH credential focuses on system hacking, enumeration, social engineering, SQL injection, Trojans, worms, viruses and other forms of attack, including denial of service (DoS). Candidates must also demonstrate knowledge of cryptography, penetration testing, firewalls, honeypots and more.
The EC-Council recommends a five-day CEH training class for candidates without prior work experience. To do well in the course, students should have Windows and Linux systems administration skills, familiarity with TCP/IP and working knowledge of virtualization platforms. However, self-study options are also available to help candidates pass the single required exam. Be aware that the EC-Council requires candidates to have at least two years of information security experience and to pay a $100 application fee.
Becoming a certified white hat hacker also involves staying on the legal side of hacking, never engaging in illicit or unethical hacking activities and protecting the intellectual property of others. As part of the certification process, candidates need to agree to uphold the EC-Council's code of ethics and never associate with unethical hackers or malicious activities.
In addition to the CEH, the SANS GIAC curriculum is definitely worth a look. The organization has granted more than 81,000 credentials to date. Candidates who start with GIAC's Security Administration certs, beginning with the GSEC, might find themselves better positioned to climb an active, well-respected and deep security curriculum. The GIAC Penetration Tester (GPEN) and the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) are both noteworthy for aspiring white hat hackers.
Another set of ethical hacking certifications comes from mile2. The organization's Pen Testing Hacking series includes the foundational Certified Vulnerability Assessor (CVA), followed by the Certified Professional Ethical Hacker (CPEN), the Certified Penetration Testing Engineer (CPTE) and finally the advanced-level Certified Penetration Testing Consultant (CPTC). And, qualifying U.S. veterans can use their GI Bill benefits to earn cyber security certifications and training through mile2.
Related Certifications in Forensics
Some dabbling into computer forensics is always a good idea for somebody who works in information security. For those interested in the investigative side of security, continue with EC-Council's certification lineup and then tackle the Computer Hacking Forensic Investigator (CHFI) credential. The CHFI focuses on the forensics investigation process and utilizing the right tools and techniques to obtain computer forensic evidence and data. As part of the CHFI's certification training, candidates also learn how to recover deleted files, crack passwords, investigate network traffic and use a variety of forensic tools to gather information.
A few other worthy forensics-related certs include the GIAC Certified Forensics Analyst (GCFA), and the Certified Computer Forensic Technician and Certified Computer Crime Investigator certs from the High Tech Crime Network.
Candidates who show interest in working in InfoSec, along with the appropriate background and a certification or two to start with, should have few problems finding ethical hacking work right away. Over time, you'll be able to use continuing education and certification to steer your career exactly where you'd like it to go.