Working as an ethical hacker
The term “ethical hacker” as it is used today is, if you ask me, somewhat imprecise. After all, a hacker in it for the money could be said to follow his or her own moral compass on what is right and what is wrong – the only difference is that those ethics aren’t compatible with those held by most people.
The majority of people in the security industry use the term interchangeably with the term “white hat” – a computer hacker who performs all kinds of penetration testing against an organization’s information systems, at the behest of that same organization, so that it can secure those systems against black hats (straight-up “bad guys” hacking for money) and grey hats.
John Yeo, EMEA Director at Trustwave, is one of those. “An ethical hacker or penetration tester is someone who is an expert practitioner when it comes to using the same tools and techniques as the bad guys do, but in a controlled manner, within a professional services wrapper,” he says.
On the other hand, freelance security tester, researcher and developer Robin Wood takes a more flexible view of things.
“I would say if you are ethical you are doing things without malicious intent,” he says. “It doesn’t mean you always stay strictly within the letter of the rules or law but when you stray outside you do it out of curiosity rather than any desire to do harm.”
Technically, his idea of an ethical hacker is closer to the meaning of the term “grey hat” – a hacker that may act illegally, but is mostly motivated by the challenge of breaking into systems and by the wish to help organizations with inadequate defenses to strengthen their security posture. Sometimes, the grey hat might want to be compensated for his or her trouble.
In short, the technical difference between a white hat and a grey hat is that the former has secured an organization’s permission to test and attack its systems, and the latter has not.
But what I get from both of my collocutors is that an inquisitive mind, flexibility and a constant desire to ask “but what if?” are crucial for any hacker, as is the ability to think like a bad guy.
“You need to have a desire to know how things work and what happens when you ask them to do things they were never designed to do,” says Wood.
Yeo definitely fits that definition. “I spent my youth playing with computers and had a fascination with any kind of gadgets and electronics – wanting to know how and why they worked like they do, to the point where you can make it do something it wasn’t designed to do,” he shared with Help Net Security. “Being fortunate enough to have a computer at home from a young age helped, as well as being an early internet adopter.”
Wood also started hacking while still underage. “I got started playing around on the high school network with a friend. Luckily the IT teacher, who also ran the network, didn’t mind us exploring and put up with it in return for us helping her out with admin chores,” he says.
Other similarities between the two are that they both chose to pursue a Computer Science degree (“I thought that would be a lot more inspiring than it actually was,” Yeo admits) and then went on to become penetration testers (Wood did a nine-year stint as a desktop and web app developer before turning to security research and pentesting).
As one of the regional directors at Trustwave SpiderLabs, Yeo is now responsible for running a team of consultants across multiple countries in the EMEA region.
“The majority of my time is spent meeting with customers, I don’t conduct very much ethical hacking or forensic investigation work myself anymore, I instead have the pleasure of scouring the region for top of the market talent, hiring them into the team and providing a fun environment that retains great people,” he explained, but added that it can be very hard to resist getting involved when one of the team has something really interesting going on.
Wood, on the other hand, is currently an independent contractor. “I freelanced for a few years then contracted with a local security firm for a year then moved to full time with them for two years,” he said. “I went back freelancing last July and have been run off my feet with work since.”
To prepare himself for his chosen profession, he has done a couple of SANS courses and various other independent ones.
“I find it hard to learn unless I’m in a classroom or have a very focused reason for learning so don’t work well with normal home learning courses. Having said that, the ones that have engaged me more than most are the ones from SecurityTube,” he shared.
The goals that he wants to achieve with ethical hacking are to expand his own knowledge and that of the people around him. “I enjoy teaching and love seeing people get a glimpse into the security world, whether it is popping their first shell or realizing how many email addresses their company is leaking through Google.”
Yeo is more concentrated on growing the breadth and depth of capability of Trustwave SpiderLabs’ global team. The team itself has been growing pretty quickly, he noted, and it now includes over 100 ethical hackers and security researchers, who make up around 10 percent of the entire company workforce around the globe. And they have been busy – all in all, they performed a little over 2500 penetration testing engagements in 2012.
The knowledge, tools and techniques used by ethical hackers don’t differ that much from those employed by black hats.
“Some people swear that you can’t be a real pen-tester if you don’t use BackTrack/Kali, I’d say that is rubbish,” says Wood. “I’m currently on a test where the best tool is a web browser and a JavaScript console, the next job may require Linux command line tools, the one after that may be MS SQL Server so I can connect to and audit SQL databases. Having said all that, one tool I use on nearly every job is Dradis to keep my notes together and to help when report writing.”
Report writing is definitely one thing that white hats do more than black hats, and it is part of their responsibility to those who hired them.
“It’s important for the ethical hacker to be a good consultant – there’s little use being a highly skilled penetration tester if you’re not able to convey the specific technical details of complex vulnerabilities in a coherent manner,” says Yeo. “The ultimate objective is helping customers understand their risk and help them secure their data; being a technically gifted and committed penetration tester is only part of the journey.”