When you think of a hacker, you'll likely imagine a person in a dark room illegally breaking into a computer server to steal information or install malicious software. It's an image that's been sculpted by film and TV, inspired by real-world criminal cases. However, not only is the picture largely exaggerated by the media, but it also does a huge disservice to those in the community who work to help defend against such attacks.

National security agencies are big recruiters of those with hacking talents, keen to exploit the same skills that are often being used against them by nation-state hackers or criminal groups. Those who secure these highly sought-after security jobs are known as white hat hackers.

Recruitment paths vary between countries. For example, both the UK and the Netherlands operate a scheme that encourages coding-savvy 12- to 19-year-olds to take up ethical hacking challenges, with the hope of pushing them towards white hat hacker roles and away from criminal enterprise.

Since the demand for ethical hackers far exceeds supply, salaries tend to be much higher than those for average IT roles, especially within the first year. However, the industry fights a constant tug of war, as those hackers motivated by financial reward will likely defect to criminal groups, given the potential financial reward. This is particularly true of those with intricate knowledge of protected industry secrets, which can be used against legitimate businesses.

What is an ethical hacker?

Before delving any deeper, it's important to clear up any misconceptions about what an ethical hacker is, rather than making judgements on what's morally right and wrong.

Jeff Schmidt, global head of business continuity, security and governance at BT, describes an ethical hacker as a computer security expert. They must specialise in penetration testing (i.e. working out how easy it is to break into computer systems) and other testing methods to ensure infrastructure is sufficiently secured against potential hacks.

However, another expert in the field of cyber security, Conrad Constantine, a research team engineer at AlienVault, thinks the description of any role as a "hacker," whether ethical or not, is irrelevant. "Nobody says they are going to go see an ethical locksmith or an ethical lawyer, do they?" he told IT Pro.

But what the role is called is simply semantics. We might equally refer to them as white hat hackers or penetration testers. The important differentiator between an ethical hacker and a criminal hacker is that the former carries out security testing with the full consent of the company they are working on behalf of. Without that permission, the same activity would be an offence punishable under the Computer Misuse Act.

Ian Glover, chairman of CREST, prefers the penetration tester label, and his definition goes a little further in that it recognises you need to be more than just a techie in order to truly fulfil the role. He believes you need to have consultancy skills as well. A penetration tester, Glover says, has to be able to "communicate the results of the tests at a level tailored to the audience" and "provide technical consultancy and recommendations to customers as to how any reported vulnerabilities could be mitigated".

What qualifications and training do ethical hackers need?

OK, so talking of the necessary skills for the job, what qualifications do you need?
Peter Chadha, chief executive and founder of DrPete, reckons that all you need is "a vast amount of technical knowledge of IT systems and software and, in particular, how to exploit their vulnerabilities", but acknowledges that there are formal qualifications available.

"Most commonly the EC-Council Certified Ethical Hacker certification, a self-study or classroom course with a 200 multiple choice question exam at the end," Chadha says, adding, "Communications-Electronics Security Group (CESG) [now part of the National Cyber Security Centre] approval is also required for any penetration test on a company, and this is appointed by a government department."

This involves the CHECK scheme, where penetration testers prove themselves through practical examination under lab conditions. "There are two levels of approval," Chadha explains, "a penetration test member and a penetration test team lead, and government departments will require at least one team lead working on any project."

Phil Robinson, director of Digital Assurance and a Founder Associate Member of the Institute of Information Security Professionals, points towards the Tiger Scheme and CREST certifications. "There are entry level testing certifications, for those wishing to be part of a testing team and working under the management of a team leader, and senior testing certifications for more experienced individuals to either work on their own or to lead a team," Robinson told IT Pro. "It also helps to have a reasonable general background and experience alongside certifications such as a Masters in Information Security," he added.

As far as the CREST certification is concerned, Ian Glover points out that in order to pass at the lower level a candidate will need "knowledge and skills on a wide range of relevant subjects, and in addition they would normally require two to three years' regular and frequent practical experience, equating to about 6,000 hours experience and research." At the higher level, that increases to five years or 10,000 hours.

Can cyber criminals become ethical hackers?

But what about if that 'experience and research' was largely garnered on, for want of a better phrase, the dark side?
Can, and do, black hat hackers cross the divide and enter the legit world of the penetration tester?

Dominique Karg is the co-founder and brilliantly titled chief hacking officer at AlienVault. He has no problem with poachers turned gamekeeper. "I think they're the only ones that can do the job well," he says, adding, "I got my ethical hacking job that way. I had to choose between being taught something I already knew at the university or getting paid for what I liked to do anyway. The decision was easy."

Ian Glover agrees that we have to recognise where the industry has come from. "There are individuals within the industry that have crossed from the dark to the light," he says, but warns that the situation is changing very quickly. "There is no reason now to have worked on the dark side to enter or progress in the industry," Glover argues, concluding, "in fact the high ethical standards that CREST member companies sign up to would make it difficult for them to employ such individuals."

Marcus Ranum, chief security officer at Tenable Network Security, thinks that a track record as a recreational hacker simply shows errors in judgement and a willingness to put self-interest first. "That's not something that should impress a prospective client," he insists. "After all, if you were acting like a sociopath last month, why should I believe you're not one today?"

What kinds of ethical hacker job roles are available?

While 'ethical hacker' is a useful umbrella term, actual job roles in the field are listed in many different forms. The most commonly advertised jobs are generally for penetration testers, but many similar roles are often labelled as 'security analysts', 'information security consultants', 'network security specialists' and the like. You may also find these kinds of jobs advertised as 'red team' roles.
Many organisations that practise this form of offensive security split their security staff into 'red teams' and 'blue teams'. Red teams assume the role of attackers, trying to compromise the network and outwit the internal security operatives on the blue team, whose job is to keep the business's systems safe.

How much money do ethical hackers make?

Assuming you have got this far and still want to enter the world of ethical hacking, how much can you expect to earn, and just how buoyant is the job market? Ian Glover reckons that someone entering the market can expect in the region of 25,000. A registered level professional would expect to earn in the region of 55,000, and a team leader could be looking at 90,000-plus.