Successful ethical hackers possess a variety of skills. First and foremost, they must be
completely trustworthy. While testing the security of a client’s systems, the ethical
hacker may discover information about the client that should remain secret. In many
cases, this information, if publicized, could lead to real intruders breaking into the
systems, possibly leading to financial losses. During an evaluation, the ethical hacker
often holds the “keys to the company,” and therefore must be trusted to exercise tight
control over any information about a target that could be misused. The sensitivity of
the information gathered during an evaluation requires that strong measures be taken
to ensure the security of the systems being employed by the ethical hackers
themselves: limited-access labs with physical security protection and full ceiling-to
-floor walls, multiple secure Internet connections, a safe to hold paper documentation
from clients, strong cryptography to protect electronic results, and isolated networks
for testing.
Ethical hackers typically have very strong programming and computer networking
skills and have been in the computer and networking business for several years.
They are also adept at installing and maintaining systems that use the more popular
operating systems (e.g., UNIX** or Windows NT**) used on target systems. These
base skills are augmented with detailed knowledge of the hardware and software
provided by the more popular computer and networking hardware vendors. It should
be noted that an additional specialization in security is not always necessary, as strong
skills in the other areas imply a very good understanding of how the security on
various systems is maintained. These systems management skills are necessary for the
actual vulnerability testing, but are equally important when preparing the report for
the client after the test.
Finally, good candidates for ethical hacking have more drive and patience than most
people. Unlike the way someone breaks into a computer in the movies the work that
ethical hackers do demands a lot of time and persistence. This is a critical trait, since
criminal hackers are known to be extremely patient and willing to monitor systems for
days or weeks while waiting for an opportunity. A typical evaluation may require
several days of tedious work that is difficult to automate. Some portions of the
evaluations must be done outside of normal working hours to avoid interfering with
production at “live” targets or to simulate the timing of a real attack. When they
encounter a system with which they are unfamiliar, ethical hackers will spend the
time to learn about the system and try to find its weaknesses. Finally, keeping up
with the ever-changing world of computer and network security requires continuous
education and review.
One might observe that the skills we have described could just as easily belong to a
criminal hacker as to an ethical hacker. Just as in sports or warfare, knowledge of
the skills and techniques of your opponent is vital to your success. In the computer
security realm, the ethical hacker’s task is the harder one. With traditional crime
anyone can become a shoplifter, graffiti artist, or a mugger. Their potential targets
are usually easy to identify and tend to be localized. The local law enforcement
agents must know how the criminals ply their trade and how to stop them. On the
Internet anyone can download criminal hacker tools and use them to attempt to
break into computers anywhere in the world. Ethical hackers have to know the
techniques of the criminal hackers, how their activities might be detected, and how
to stop them.
Given these qualifications, how does one go about finding such individuals? The best
ethical hacker candidates will have successfully published research papers or released
popular open-source security software. The computer security community is strongly
self-policing, given the importance of its work. Most ethical hackers, and many of the
better computer and network security experts, did not set out to focus on these issues.
Most of them were computer users from various disciplines, such as astronomy and
physics, mathematics, computer science, philosophy, or liberal arts, who took it
personally when someone disrupted their work with a hack.
completely trustworthy. While testing the security of a client’s systems, the ethical
hacker may discover information about the client that should remain secret. In many
cases, this information, if publicized, could lead to real intruders breaking into the
systems, possibly leading to financial losses. During an evaluation, the ethical hacker
often holds the “keys to the company,” and therefore must be trusted to exercise tight
control over any information about a target that could be misused. The sensitivity of
the information gathered during an evaluation requires that strong measures be taken
to ensure the security of the systems being employed by the ethical hackers
themselves: limited-access labs with physical security protection and full ceiling-to
-floor walls, multiple secure Internet connections, a safe to hold paper documentation
from clients, strong cryptography to protect electronic results, and isolated networks
for testing.
Ethical hackers typically have very strong programming and computer networking
skills and have been in the computer and networking business for several years.
They are also adept at installing and maintaining systems that use the more popular
operating systems (e.g., UNIX** or Windows NT**) used on target systems. These
base skills are augmented with detailed knowledge of the hardware and software
provided by the more popular computer and networking hardware vendors. It should
be noted that an additional specialization in security is not always necessary, as strong
skills in the other areas imply a very good understanding of how the security on
various systems is maintained. These systems management skills are necessary for the
actual vulnerability testing, but are equally important when preparing the report for
the client after the test.
Finally, good candidates for ethical hacking have more drive and patience than most
people. Unlike the way someone breaks into a computer in the movies the work that
ethical hackers do demands a lot of time and persistence. This is a critical trait, since
criminal hackers are known to be extremely patient and willing to monitor systems for
days or weeks while waiting for an opportunity. A typical evaluation may require
several days of tedious work that is difficult to automate. Some portions of the
evaluations must be done outside of normal working hours to avoid interfering with
production at “live” targets or to simulate the timing of a real attack. When they
encounter a system with which they are unfamiliar, ethical hackers will spend the
time to learn about the system and try to find its weaknesses. Finally, keeping up
with the ever-changing world of computer and network security requires continuous
education and review.
One might observe that the skills we have described could just as easily belong to a
criminal hacker as to an ethical hacker. Just as in sports or warfare, knowledge of
the skills and techniques of your opponent is vital to your success. In the computer
security realm, the ethical hacker’s task is the harder one. With traditional crime
anyone can become a shoplifter, graffiti artist, or a mugger. Their potential targets
are usually easy to identify and tend to be localized. The local law enforcement
agents must know how the criminals ply their trade and how to stop them. On the
Internet anyone can download criminal hacker tools and use them to attempt to
break into computers anywhere in the world. Ethical hackers have to know the
techniques of the criminal hackers, how their activities might be detected, and how
to stop them.
Given these qualifications, how does one go about finding such individuals? The best
ethical hacker candidates will have successfully published research papers or released
popular open-source security software. The computer security community is strongly
self-policing, given the importance of its work. Most ethical hackers, and many of the
better computer and network security experts, did not set out to focus on these issues.
Most of them were computer users from various disciplines, such as astronomy and
physics, mathematics, computer science, philosophy, or liberal arts, who took it
personally when someone disrupted their work with a hack.
