Sponsored Links: Who is an Ethical Hacker The term ‘ethical hacker’ might sound like a contradiction of ideas but you may be surprised to learn that there are actually very good (and legal!) reasons to employ a hacker. An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. Ethical hackers would be using the same methods as a criminal hacker, but instead of doing so for their own advantage they hand the information over to the legitimate owners on their behalf. Lets face it, if there weren’t people out hired by banks and credit card companies trying to gain access to their systems through illegal means, we would not be able to relax in the knowledge that our private information and our nest eggs are safe. Ethical H@cking is also known as ‘penetration testing’, ‘intrusion testing’, and ‘red teaming’. Each individual ethical hacker is referred to as a ‘white hat’. This term derives its meaning from the old black and white film days, where the bad guys wore black hats and the good guys wore white hats. Many larger companies employ ethical hackers to make sure their systems do not have any flaws, and most importantly, so that they are on hand to fix any flaw that might occur. Some people get ethical hackers confused with hacktivists, and although they deal with the same thing, their motives are different. Whereas the EH is privately employed and being paid to find problems, the hacktivist works alone and simply for the sake of trying to find errors in public websites and reporting or even exploiting the security vulnerabilities they find. Hacktivism is considered a form of social activism, and has gained a reputation more for being exploited than for any overall help they might have given. There are several universities that offer Bachelor degrees in Ethical H@cking, and the industry is growing at a consistent rate, proving that it will be the way forward in information technology and a prerequisite for any company wishing to maintain an impenetrable online platform. Astonishingly, there are only 2.2 million ethical hackers working worldwide, which if you break it down by countries’ major cities and employment hubs, you would find that this is quite a low figure. The current average jobs per hacker average is coming in around 5 ethical H@cking jobs available worldwide for every 1 qualified EH. This makes for a very lucrative industry and pay rates are consistently high in this area. I know, you want to become an ethical hacker but don’t know what skills you need. The most important skill is computer programming writing, in languages such as C, C++, Ruby, Python and Perl. Also, web applications such as Microsoft .NET and PHP are essential skills for anyone wanting to analyze disassembled binaries. Broad knowledge of operating systems from Windows to Linux is required, as well as experience with routers, switches and firewalls. Adaptability and resourcefulness are key to any good ethical hacker’s ability to get to the bottom of a problem. It would be fair to say that everything isn’t black and white in this industry either. There are critics who would argue that there is no such thing as ethical H@cking. In an article in Forbes magazine has a thought provoking analogy that relates an ethical hacker to a locksmith. The idea is this: If you find yourself on the wrong side of a locked door, you do not think to yourself ‘I need an ethical locksmith’ – unless you are a thief. Instead, you look for a locksmith, plain and simple. You trust that the person can do the job you hired them to do, no more and no less. Calling the locksmith ethical doesn’t legitimize his breaking in”. It just goes to show that in all things you can always find opposing opinions. Interesting fact: One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. Ethical H@cking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. It seems that even the EC Council can be hacked. They were reported to have been compromised by a hacker called Godzilla, getting access to the training course material for several of their certification programs. Who Should Become an Ethical Hacker? To become an ethical hacker, you have to be good at what you do. More than good actually, you need to have a good understanding of everything that goes in and comes out of a computer system; from the software to the hardware, an ethical hacker has a solid understanding of the internal processes of a computer system, websites and computer networks. With that in mind, you would not be surprised to find out that it takes most people several years to accumulate such well rounded information. Most ethical hackers will have worked in various roles within the information technology sector, working their way up through the ranks. Some might have gained their knowledge from working for themselves and building up a solid clientele of local businesses, and there are those who are self taught through reading books and learning both a program language (at least one) and a scripting language. One reason why people decide to become ethical hackers is because they have the skills, and although they enjoy using them, they aren’t particularly inclined to do anything illegal like hack into someone’s system uninvited. It is a far more enticing idea to most hackers to accept the comparably large salary (anywhere between $50.000 – $100,000 per year to start with an expected twenty percent increase over a few years) to work for companies that want their systems probed and penetrated. With the reliance modern society has on computer technology and the personal details that are necessary components of an internet transaction, the need for systems to remain impenetrable is vital. Companies know that it is worth paying an ethical hacker to assess their system and recommend any upgrades that may be necessary or risk a breach that could result in large sums of money, credit card details and sensitive information to be stolen. While there are critics who say it is implausible to put the word ‘ethical’ in front of ‘H@cking’, the growing industry is all the proof that is required to see that there is a definite worldwide demand for ethical hackers in both the private sector and in governments worldwide. While some large corporations such as IBM offer their information technology employees training and certification in ethical H@cking, government agencies such as the NSA offer their own version of the certification to their information surveillance employees. This creates the potential that one certification might be more valued by employers than another. The EC-Council has became very popular for this reason; due to their impartiality in the business industry they can offer a standard all-encompassing ethical H@cking course. Currently, the Certified Ethical H@cking certification is on offer through the EC-Council. Bear in mind however, extensive computer training is just one requirement to become an ethical hacker. Patience in the H@cking game is not just a virtue, it is a true necessity, along with sound problem solving skills and the ability to think outside the box. While effectively there is no difference between the training of a criminal hacker (or ‘black hat’) and an ethical hacker, the ability for one to be able to get inside of the other one’s mindset is high, and it allows companies to be on even footing with their potential threats by testing their system for penetration vulnerabilities and tightening it up when required. Keep in mind, if you have not started your path to becoming an ethical hacker, there are considerations that should be kept in mind before choosing which path is right for you. If you decide to work for yourself you will need to purchase liabilities and errors omission insurance at an annual rate of around $3000. As well, hiring an attorney to draft a Statement of Intent for client businesses to sign before you enter their system is mandatory for making sure you stay on the right side of the law. What Ethical Hacker Certifications are There? If you have been thinking about becoming an ethical hacker, you would not be alone. Within the information technology sector, the ethical H@cking industry is growing at an astounding rate. As more and more businesses maintain an online presence these days, the need for computer security has never been greater. In such a specialized sector, The EC-Council ( International Council of Electronic Commerce Consultants) offer certification as a Certified Ethical Hacker. The course is available online and is called a ‘vendor neutral certification’ which means the course is not offered through internal information technology employers or government contractors, but through an impartial organization. The goal of the ethical hacker certification course is to cover the standards and language involved in common exploits, vulnerabilities and countermeasures. There are also Penetration Tester Certifications available, which are essentially the same job (also called ‘white hats’ in common parlay). Some people choose to enlist into government service through either the National Guard or as a part time Reservist to avail of free information technology classes and will be able to attain Ethical Hacker Certification while they are getting paid for it. There is an additional benefit to doing it this way, in that when you are looking for a job as an ethical hacker companies tend to give extra points to candidates who learned their trade through government service due to the strict vetting process that the military routinely does on all soldiers, whether they are part time enlistees or not. Also, getting a leg into the door of any large company’s information technology sector can be a direct path towards training to be an ethical hacker. Although it may take more time than teaching yourself or enrolling in any military schemes, you will have a consistent wage while learning your trade from the ground up, and there will be room to grow within the company to the job you desire. Corporations such as IBM have very large internal information technology groups and offer the advantage of a solid wage as well, with a benefits package as well. Obviously, by the very nature of the Certified Ethical H@cking test, this will most likely be the hardest computer certification you will ever have attained. To get through the test you will need to pass a total of twenty one domains that are covered over fifty questions. There is a two hour time limit for the entire test and the questions are multiple choice. You can answer the questions in any order you choose as the test allows you to return to unanswered questions throughout the length of the test. Some of the questions will require only one right answer whereas others may have multiple answers. The entire test was compiled to be able to computer evaluate the full range of security testing practices on the market. The questions will cover how individual H@cking tools are used and will evaluate the test taker’s knowledge of professional security tools and how each of them are used. The individual twenty-one domains are as follows: 1. Ethics and Legal Issues 2. Foot Printing 3. Scanning 4. Enumeration 5. System H@cking 6. Trojans and Back Doors 7. Sniffers 8. Denial of Service 9. Social Engineering 10. Session Hijacking 11. H@cking Web Servers 12. Web Application Vulnerabilities 13. Web Based Password Cr@cking Techniques 14. SQL Injection 15. H@cking Wireless Networks 16. Virus and Worms 17. H@cking Novell 18. H@cking Linux 19. IDS, Firewalls, and Honeypots 20. Buffer Overflows 21. Cryptography These domains comprise a full body of ethical H@cking knowledge. It’s good that the exams first domain is centered on ethics and legal issues. This is an important domain. Always make sure you have written consent to perform any type of penetration test or security audit. Ethical H@cking – What is the EC Council? The International Council of Electronic Commerce Consultants (EC-Council) is a member-supported professional organization. The purpose of the EC-Council is to support and enhance the role of individuals and organizations who design, create, manage or market Security and E-Business solutions. The EC-Council is known primarily as a professional certification body. Its best-known certification is the Certified Ethical Hacker. Other than the EH certification the EC Council offers certifications in several technology based areas including Computer H@cking Forensic Investigation, Security Analyst, Licensed Penetration Tester and many more. Whether you would consider the near $3000 price tag on a certification to be value or not, it is definitely an investment and has a comparative fee to other trades and certifications. The company also operates a series of IT security conferences and cosponsored SC Magazine’s 2007 salary survey, as well as the EC-Council University. Basically, the company provides top notch it security and hacker training to individuals as well as offering their services to universities. The certifications offered by the EC Council are held in high esteem, and is one of industry’s most recognized IT Security learning program that is mandated/approved by government agencies including the National Security Agency (NSA)/ Committee on National Security Systems (CNSS) of the United States, the US Department of Defense (DoD), and many more. The company offers grants and scholarship assistance to students and offers incentives to universities to use their programs including free classes and training materials like manuals and software. When you hear the word ‘hacker’ it is hard not to think of some kind of illegal deception, so it is interesting to note that the EC Council has a code of ethics. It is: “to keep private any confidential information gained in her/his professional work, (in particular as it pertains to client lists and client personal information). Not collect, give, sell, or transfer any personal information (such as name, e-mail address, Social Security number, or other unique identifier) to a third party without client prior consent.” Ironically, for a company that talks about upholding personal information like the EC Council does, it might surprise you to hear that there are reported instances of spamming done by them or people on their behalf to market their certification courses. In a way this could be looked at as a contradiction in terms, as it would be questionable as to what side of ethics spamming falls on. One fact that you would come across when running a search on the EC Council is a current situation that surrounds a couple of their certification courses. In particular, there are different certifications that in essence contain the same skills set. The fear is that in the future one degree might prevail as the top choice, while the other one suffers, all the while being the same knowledge from the same institute. This will likely be fixed by an amalgamation of certain certifications in the future. It is said that EC Council certifications testing immerses the student into scanning, testing, H@cking and securing their own systems. The overall learning includes gaining knowledge in perimeter defenses, intrusion detection, policy creation, social engineering, buffer overflows, virus creation and other security related areas. Interesting Facts: It seems that even the EC Council can be hacked. They were reported to have been compromised by a hacker called Godzilla (whose main claim to fame prior to this was H@cking into the Pakistani governments websites), gaining access to the training course material for several of their certification programs. While remaining anonymous, the hacker was quoted as saying "This could take a very deadly turn if played by the cyber terrorist.They are the same organization who train DOD, CIA, NSA ,NASA etc." Godzilla said this is important because "If a cyber terrorist infects this material with Trojans and malware the same content will be accessed by the defense people. And this is the easy way to enter into the network of defense.