The practice of ethical hacking involves “an authorized attempt to gain unauthorized access to a computer system, application, or data,” according to the definition from Synopsys. More specifically, the practice involves using the tools and techniques of malicious attackers to identify security vulnerabilities and resolve them before they can be exploited.
Ethical hackers, who are sometimes known as white hats, “use their knowledge to secure and improve the technology of organizations,” Synopsys says. “They provide an essential service to these organizations by looking for vulnerabilities that can lead to a security breach.” Ethical hackers then report vulnerabilities to the organization and suggest ways to remediate the issues.
Ethical hacking is also part of the rapidly growing field of IT security, which the U.S. Bureau of Labor Statistics says is “projected to grow 33 percent from 2020 to 2030.” In this article, we’ll look more closely at the practice of ethical hacking as one way to get started with a career in cybersecurity.
What Do Ethical Hackers Do?
As Garry Kranz writes, “ethical hackers use many of the same methods and techniques to test IT security measures, as do their unethical counterparts, or black hat hackers. However, rather than taking advantage of vulnerabilities for personal gain, ethical hackers document threat intelligence to help organizations remediate network security through stronger infosec policies, procedures and technologies.”
These hacking techniques generally include the following, Kranz says:
- Identifying vulnerabilities with port scanning tools, such as Nmap, Nessus, Wireshark, and others
- Scrutinizing patch installation processes
- Performing network traffic analysis
- Attempting to evade intrusion detection systems, honeypots, and firewalls
Professional Skills
Building any career in IT security or cybersecurity requires a strong background and practical experience in several areas, such as:
- Networking and network security
- System administration
- Intrusion detection
- Hardware and software configuration
The skills required for ethical hacking then build on these fundamentals. For example, the SANS Ethical Hacking training course teaches the “methodologies, techniques, and tactical tools of modern adversaries” and offers “advanced and intensive training” in exploitation development, wireless and mobile device hacking, and penetration testing.
Hacking professionally, however, involves much more than just penetration testing and other tactical skills, notes Christopher Hadnagy, CEO of Social-Engineer, LLC. “The social engineering side, security awareness, and the other parts that all lead to the part of being a professional” are equally important, he says. Thus, Hadnagy has developed a Social Engineering Code of Ethics with 11 points to help maintain professionalism in the industry.
This code of ethics includes guidelines such as:
- Avoid engaging in, or being a party to, unethical, unlawful, or illegal acts that negatively affect your professional reputation, the information security discipline, the practice of social engineering, or others’ well-being.
- Minimize risks to the confidentiality, integrity, or availability of information of your employer, clients, and individuals involved in engagements.
- When training future social engineers, consider that training will leave a lasting impact on your students, and the methodology with which you train will echo through all students’ future engagements.
Jobs and Qualifications
Note that jobs related to ethical hacking go by many names and comprise many duties. The following list from ITCareerFinder shows a few relevant job titles and corresponding salaries:
- Certified Ethical Hacker: $89,000
- Computer Forensics Investigator: $88,000
- Cybersecurity Analyst: $98,000
- IT Security Specialist: $104,000
- Network Security Engineer: $109,000
- Vulnerability Analyst: $89,000
Qualifications also vary but, according to the Berkeley School of Information, “employers — typically in the computer, business, financial, and consulting industries — tend to hire analysts with experience in a related occupation where they’ve learned to plan and carry out security measures that protect an organization’s computer networks and systems.” Certifications are also important as they can help validate a candidate’s skills in specific areas.
Check out the training links and other resources below to learn more.
Training and Events
- 10 Cybersecurity Awareness Initiatives Around the World — A list of cybersecurity awareness initiatives from CyberWarrior.
- 21 Virtual Cybersecurity Events to Attend This Fall and Winter — This list of cybersecurity events from Tessian includes in-person events, virtual summits, and webinars.
- Become an Ethical Hacker — This 18-course learning path from LinkedIn Learning offers basic knowledge and skills needed for a career in information security.
- Black Hat — Black Hat events provide the latest in research, development, and trends in information security.
- Black Hat Trainings — Black Hat training courses are taught by industry experts and provide interactive skill-building for both offensive and defensive hackers.
- Certified Ethical Hacker — Ethical hacking training and certification from EC-Council.
- Cybersecurity Awareness Month — Annual awareness initiative from the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
- Ethical Hacking Dual Certification Boot Camp — Information security and hacking training from Infosec Institute.
- RSA Conference — In-depth learning and career-enhancing networking opportunities.
- SANS Institute — Industry-leading cybersecurity training, certifications, events, and other resources.
- SANS Ethical Hacking Curricula — SANS ethical hacking courses provide offensively focused, hands-on training.
- Udemy Ethical Hacking Courses — A list of ethical hacking training courses from Udemy.
Other Resources
- 10 Cybersecurity Certifications to Boost Your Career in 2021 from TechTarget
- 35+ Initiatives to Get More Women into Cybersecurity from Comparitech
- Cybersecurity 101: What’s the Difference Between Red Team vs. Blue Team? from SpringBoard
- Ethical Hacking by Daniel G. Graham, published by O’Reilly
- What Is Ethical Hacking? How to Get Paid to Break into Computers from CSO Online
Ready to find a job? Check out the latest job listings at Open Source JobHub.