To some, the term ‘ethical hacker’ may seem like an oxymoron. After all, most of the mainstream coverage of hackers sheds a negative light on these groups or individuals. Hackers are often portrayed as sketchy individuals with evil motives, sometimes doing irreversible damage to businesses and reputations through complex DDoS attacks or simple social engineering tactics.
So what is an ethical hacker? An ethical hacker is someone who uses the same methods as a hacker, but works for organizations or with organizations to find security vulnerabilities. Basically, the ethical hacker is paid to hack into systems or networks. Many large enterprises work with ethical hackers to pinpoint vulnerabilities in their IT systems in order to prevent damaging security breaches in the future.
According to a recent IT Salary Report by Global Knowledge & TechRepublic, the average salary of a certified ethical hacker (CEH) in 2014 is $71,331. CEH is also one of the highest paying certifications this year.
Perhaps the most well-known certified ethical hacker is Edward Snowden. In 2010, while working as a contractor for the NSA, Snowden honed his hacking skills and received Certified Ethical Hacker certification from the International Council of E-commerce Consultants. Snowden is a controversial figure, and his work as a CEH is no exception; there is much debate around whether his actions comply with the ethical codes that CEHs are supposed to abide by.
This code of conduct dictates that certified ethical hackers agree not to illegally hack or compromise systems that they don’t have authorization to.
Certified ethical hacker James Conrad is a security researcher and tester that specializes in Windows products. He provides certified ethical hacker training at CBT Nuggets, an online resource for IT training and certification.
Conrad says that there is a growing demand for certified ethical hacker training as high-profile security breaches, like Target for example, are unfortunately becoming more common.
“A lot of the breaches, like Target and so on, are cautionary tales, and no one wants to be a cautionary tale,” Conrad says. “If your company gets compromised, heads can roll. It’s sad, and scary, and it’s not always the administrators fault, but nevertheless that’s their job.”
Conrad says there are a few main objectives behind security professionals becoming a certified ethical hacker.
“The objective for most certified ethical hackers is to number one become better at security within their own organization where they already have a job and they’re already in the IT department,” he says. “They want to understand security better and understand how hackers do what they do. Also, they want to learn how to counter those security attacks.”
“The second objective would be for folks who are interested in IT and want to make a career as a security tester or a penetration tester,” Conrad says. “This means that you’re hired to go to an organization for anywhere from a few days to two or three weeks and see if you can use the same techniques that hackers use to compromise the systems in that organization.”
The third objective that Conrad outlines is “someone with less than pure motives or someone who really wants to be a black hat or grey hat hacker.”
According to CBT Nuggets, 60 percent of the students of its Certified Ethical Hacker training course come from large organizations or enterprises. The remaining 40 percent are individual customers. Unfortunately there is no breakdown on the number of individuals coming from web hosting or cloud providers, though this training could be valuable to those working in security at a web host or cloud provider.
Large enterprises and organizations with branch offices can be surprisingly susceptible to security vulnerabilities. While they often have more security resources than a small or mid-sized business, the complexity that branch offices bring can create more challenges.
“The vast majority of organizations still do not have a circumspect security defense,” Conrad says. “What will often happen is there is a core security team, and the security team goes to conferences and they get training and they watch some videos, and that’s great and will go a long way towards helping them.”
“Then you’ll have, especially in large organizations, hundreds of thousands of branch offices that could still have anywhere between a handful of users and thousands of users,” he says. “In some of those smaller branch offices, they may not even have a full-time IT person there and they kind of get forgotten about.”
Training, Conrad says, “has to be applied at all levels.”
“You can’t just have a set of rock star security professionals at your home office,” he says.
The training that CBT Nuggets provides revolves around what hackers actually do. This differs from a lot of other security training that teaches concepts or best practices, but doesn’t actually offer practical demonstrations.
“We actually show how hackers will perform reconnaissance on your organization and find a target and exploit it,” Conrad says.
The training course includes 21 videos, with more than 13 hours of course material. CBT Nuggets offers a 7-day free trial, and after that, monthly or annual plans, which cost up to $99 per month. The plans include speed control, which allows trainees to play videos at a faster pace, closed captions, notes, bookmarks, and access to supplementary course material in NuggetLabs. So far there have been more than 12,000 views of the Ethical Hacker v8.0 training course.
In terms of some of the most popular hacks right now, Conrad says spam and phishing emails are still one of the most effective ways for hackers to penetrate systems, as are social engineering attacks.
“The perception is that attackers somehow breach through firewall then they worm your way into your system and they’re able to break the most secure channels you have,” he says. “The most effective hack right now is actually social engineering, which takes several different paths.”
“It could be a breach of physical security and being able to sneak into a building and getting something you’re not supposed to,” he says.
Some of the most popular emails still include pharmaceutical emails, which have been around for years, but also emails that claim to be an outstanding invoice.
“If you’re a company that has around 100,000 employees and you send a spam phishing email to all of them, out of 100,000 users, one person could click on it,” Conrad says.
Otherwise, one of the scariest threats for companies is remote access toolkits.
“A lot of these remote access toolkits can be hidden in such a way that even an antivirus can’t find them – they completely conceal themselves,” Conrad says. “On a corporate level it gets really scary.”