Hackers Wanted. Ethics Required

As the uncertainty of computer security is exposed through ongoing security breaches in the public and private sectors, one thing is certain: the demand for professionals well versed in cyber-security is exploding.

One area in particular, “ethical hacking” or “penetration testing”, is particularly in demand. These so-called “white hat” hackers get paid to hack into computer systems and find vulnerabilities that malicious “black hat” hackers might exploit.

“The demand for experienced ethical hackers is extremely high right now,” said Steve Graham, Senior Director of the International Council of E-Commerce Consultants (EC-Council).

The demand is being fueled by an ongoing breach of sensitive information by malicious hackers, Graham said. He points to the study by the Privacy Rights Clearninghouse, which found that more than 500 million sensitive records had been breached worldwide since 2005.

Penetration testing, or “pen” tests, has become an integral part of cyber security since, without them, finding flaws in a computer system is often very difficult. Pen tests involve an analysis of a system for any potential vulnerabilities that could result from poor or improper system configuration, hardware or software flaws, or operational weaknesses in process or technical countermeasures.

“If you have sensitive data worth protecting and spend time to segregate, protect, insure and create defense layers to minimize risks, without third party pen tests, you still don’t have that validation piece that is necessary,”said Hord Tipton, executive director of the International Information Systems Security Certification Consortium (ISC2).


Want a Job as an Ethical Hacker? Think Outside the Box

The “information assurance” industry as it’s called at the Information School (iSchool) at the University of Washington, is such a relatively new field that HR professionals have been challenged to create accurate job descriptions for penetration testers. Yet one common trait employers of pen testers look for is the ability to think outside the box, according to iSchool.

Pen testers must think like a malicious hacker and even write malicious code that implants viruses into computer networks. They should have knowledge of different operating systems such as Unix and Windows and a complete understanding of how hardware and software interact, which includes knowing different software languages and how applications are assembled. They need to know networking and how data flows through wires and the air and how firewalls are constructed and configured.

Ethical hackers not only must have a strong technical acumen, but also excellent social skills to be adept at “social engineering”, or conning to find the social weaknesses in an organization. They may try to gain access to a company’s servers by posing as a technician or tricking employees by planting portable hardware devices that contain malware, trojans or viruses.

“They need to have a broader knowledge of how the full environment works,” Tipton said. “They need to have a holistic view of how pieces fit together and how package gets from data base to desktop.”

Pen testers also need to know the penetration tools on the market that will create applications attacks, network attacks and so on, said Alberto Solino, director of security consulting services (SCS) for CoreSecurity Technologies. Pen testers must also be continually involved in research and training, Solino said.

IOActive is constantly looking for good pen testers who have an inherent curiosity of how hackers operate and an interest in finding system vulnerabilities. The company routinely recruits at hacking conferences like Def Con and Black Hat Technical Security conferences. They aren’t as concerned about certifications, but rather verifiable experience such as Common Vulnerabilities and Exposures (CVE), where a person identified a security flaw. They also look for experience in cryptography and digital rights management.

“If you want to get into pen testing and security, find out what part of it that interests you,” said Mike Davis, principle security consultant for IOActive. “First do things on your own. If you want to go secure apps, then go do it and put on your blog.”


–Chandler Harris