How to Become an Ethical Hacker
A set of criteria and guidance for aspiring cybersecurity professionals
Over the years, I have received many questions on how to become an ethical hacker. Based on my experience, in this story I want to provide the criteria for becoming an ethical hacker. As my experience is in a specific domain, the context and environment I set here are digital transformation programs in large business organisations. My aim is to create awareness on this topic by reflecting my industry experience in the field.
To make the criteria easy to read and understand, I categorized the requirements under six broad categories:
1. Architecture, Design, and Industry Expertise
2. Core Security Expertise
3. Analytical Skills
4. Technical Skills
5. Interpersonal Skills
6. Business, Stakeholder, Project, and Organizational Skills
1. Architecture, Design, and Industry Knowledge
Even though ethical hackers are considered technical specialists, they also need to understand architecture, design, and governance schemes. These skills enable them to grasp requirements and architectural decisions, recognise architectural and design constraints, and interpret viability assessment work products.
Key areas to understand are the business process, the consumption model, the application landscape, and data platforms and practices.
Ethical hackers must know the details of their specific industry because rules and regulations vary between industries.
In architecture phases (e.g. macro design), ethical hackers perform pragmatically. They can conduct quick experiments, proofs of concept, and proofs of technology in urgent solution delivery cases.
Ethical hackers participate in design authority and architecture review boards as security subject matter experts.
2. Core Security Expertise
From a specialty point of view, ethical hackers must have broad and deep demonstrated security and cybersecurity experience. Their security knowledge must be end-to-end and up-to-date.
They need to follow security news, developments, and trends carefully. Global security awareness is a critical requirement for them. At the highest level, they need to know the theories and mechanisms behind end-to-end security requirements in digital transformation programs.
Security architecture is a critical knowledge area for ethical hackers. They must have deep technical knowledge of security systems, security frameworks, security patterns, and integration of security components.
Since encrypted communication across internetworks is critical in transforming business environments, ethical hackers must have a deep understanding of cryptography.
Social engineering is one of the most significant risks in business organizations. It is widespread and the easiest way to exploit vulnerable users. Users' lack of knowledge, social fear, confusion, and assumptions can create tremendous risks. Ethical hackers know how criminal hackers use social engineering to hack complex systems. They inform all stakeholders and educate users not to fall into social engineering traps.
In addition, ethical hackers understand how the dark side of the Internet works. In digital transformation programs, the "darknet" or "darkweb" poses high risks and creates a huge fear for digital assets. To this end, ethical hackers inform stakeholders and users so that they take the necessary measures and precautions to protect their assets proactively.
3. Analytical Skills
One of the fundamental roles of ethical hackers is to analyze systems, networks, solutions, applications, data, and databases. They can deep dive into analytical matters. They have a sharp eye for detail. They are observant and able to see intricate and obscure patterns. They can perform the role of a security auditor in incident management teams.
4. Technical Skills
Programming (coding) and scripting skills are essential for ethical hackers. Some common languages are Python, C++, and Java. The language requirements may vary based on the program platforms. I used these three as examples.
Ethical hackers must master core hacking techniques and tools such as sniffing, scanning (e.g. W3af, Nessus, Burp), reverse engineering, disk and memory forensics, vulnerability analysis, exploitation frameworks such as Metasploit, and DoS attacks. There are many more specialist hacking techniques, and those details are beyond the scope of this article.
Operating system knowledge is also essential. Some commonly used operating systems are Linux, Windows, Unix, z/OS, Android, macOS, iOS, and other proprietary operating systems.
Networking and internetworking skills are critical. Ethical hackers need to understand network protocols, wireless protocols, architectures, frameworks, patterns, devices, functions, tools, connectivity, mobility, communications, and integration in both local and wide area networks.
As ethical hackers have to deal with data from many angles, they need to understand data platforms, practices, storage, data lakes, data lifecycle management, databases, information, and knowledge systems. They also deal a lot with Big Data for special forensic investigations.
Digital mobility knowledge is critical for ethical hackers. They understand the digital technologies, mobile networks, workflows in these mobile networks, protocols, and device relationships.
Ethical hackers have a broad understanding of the mechanisms and implications of emerging technology stacks such as IoT (Internet of Things), Cognitive Computing, Cloud Computing, Edge and Fog Computing, Artificial Intelligence, and Big Data Analytics.
5. Interpersonal Skills
One of the key distinguishing factors of ethical hackers is their caring, trustworthy, and reliable nature.
Unlike criminal hackers, ethical hackers have empathy and compassion for users.
Ethical hackers must be non-judgemental and able to approach people with corrective actions. They are team players and mentors for other security professionals.
6. Business, Stakeholder, Project, and Organizational Skills
Ethical hackers need to have excellent stakeholder management skills. Some critical capabilities in this area are communicating at all levels and speaking the business language. They can articulate risks, issues, and dependencies to both technical and business stakeholders. While they can see the big picture, they are also capable of delving into details.
In large business organizations, ethical hackers work closely with project managers. Therefore, they understand project methods and tools. They have a particular focus on agile methods, as security and cybersecurity issues are usually considered emergency issues requiring expedited delivery with a priority-number-one approach.
Ethical hackers do not spend too long on root cause analysis during critical situations. They have to deal with incident management processes. During the incident management process, they must identify risks, issues, and dependencies very quickly.
They still need to provide input to the problem management team, but this happens after the priority incidents are resolved. Therefore, reasonable knowledge of a service management framework such as ITIL is desirable for ethical hackers.
They don't have to know everything about service management, as it is a broad domain. However, ethical hackers need to know how to elicit information and gain tacit knowledge by interacting with architects, specialists, project managers, and power users during incidents. Event and configuration management are other areas of the service management domain they get involved in.
Since legal departments in digital transformation programs draw on ethical hackers, ethical hackers also need to understand legal issues, the implications of hacking, and other legal security concerns, and be able to communicate effectively with legal professionals.
Sponsoring executives also require their lead ethical hackers to have an inventive and innovative mindset to contribute to their innovation agenda in critical security initiatives such as Cloud security.
Certification Requirements for Ethical Hackers
I have witnessed job applicants going for ethical hacking roles without certification. However, nowadays, it is a prerequisite to have a recognized certification for ethical hackers. The certification covers knowledge, skills, competencies, and proven experience in the areas mentioned above.
The most popular and globally recognized qualification is provided by the International Council of Electronic Commerce Consultants (EC-Council). EC-Council provides a qualification called CEH (Certified Ethical Hacker). CEH is the most fundamental requirement for the certification of ethical hackers.
Other essential qualifications are Advanced Penetration Tester, Certified Network Defender, and Forensic Investigator provided by EC-Council. There are several other education and certification programs on the market, such as OSCP (Offensive Security Certified Professional), FUH (Foundstone Ultimate Hacking).
There are also many online training programs on ethical hacking technical skills. However, I haven't come across a training program covering all the aspects mentioned in the criteria I introduced in this article. The reason is that the role of an ethical hacker is not merely knowledge-based but experience- and expertise-based.
Ethical hackers are critical security specialists and subject matter experts in digital transformation programs. They have an important mission in these programs. They possess unique skills, experience, and expertise.
I provided an overview of the knowledge, skills, competencies, and experience requirements of ethical hackers in digital transformation programs. The content in this article can guide security executives and managers to recruit qualified ethical hackers for their business-critical initiatives in their programs.
The aspiring ethical hackers who plan to work in digital transformation programs can create a checklist and plan their path using the criteria.
There is a tremendous demand for ethical hackers. The field is rapidly developing, and there is not an adequate number of qualified ethical hackers to meet current market demands.
The original and full version of this article was published on another platform: https://medium.com/illumination-curated/ethical-hacking-8579d5709f0b
Reference: Architecting Digital Transformation by Dr Mehmet Yildiz https://books2read.com/u/mZBqRe