What Is Ethical Hacking?

The practice of ethical hacking involves “an authorized attempt to gain unauthorized access to a computer system, application, or data,” according to the definition from Synopys. More specifically, the practice involves using the tools and techniques of malicious attackers to identify security vulnerabilities and resolve them before they can be exploited.
Ethical hackers, who are sometimes known as white hats, “use their knowledge to secure and improve the technology of organizations,” Synopsys says. “They provide an essential service to these organizations by looking for vulnerabilities that can lead to a security breach.” Ethical hackers then report vulnerabilities to the organization and suggest ways to remediate the issues. 

Ethical hacking is also part of the rapidly growing field of IT security, which the U.S. Bureau of Labor Statistics says is "projected to grow 33 percent from 2020 to 2030." In this article, we’ll look more closely at the practice of ethical hacking as one way to get started with a career in cybersecurity.

What Do Ethical Hackers Do?

As Garry Kranz writes, “ethical hackers use many of the same methods and techniques to test IT security measures, as do their unethical counterparts, or black hat hackers. However, rather than taking advantage of vulnerabilities for personal gain, ethical hackers document threat intelligence to help organizations remediate network security through stronger infosec policies, procedures and technologies.”

These hacking techniques generally include the following, Kranz says:

  • Identifying vulnerabilities with port scanning tools, such as Nmap, Nessus, Wireshark, and others
  • Scrutinizing patch installation processes
  • Performing network traffic analysis
  • Attempting to evade intrusion detection systems, honeypots, and firewalls

Professional Skills

Building any career in IT security or cybersecurity requires a strong background and practical experience in several areas, such as: 

  • Networking and network security
  • System administration
  • Intrusion detection 
  • Hardware and software configuration

The skills required for ethical hacking then build on these fundamentals. For example, the SANS Ethical Hacking training course teaches the “methodologies, techniques, and tactical tools of modern adversaries” and offers “advanced and intensive training” in exploitation development, wireless and mobile device hacking, and penetration testing.

Hacking professionally, however, involves much more than just penetration testing and other tactical skills, notes Christopher Hadnagy, CEO of Social-Engineer, LLC. “The social engineering side, security awareness, and the other parts that all lead to the part of being a professional” are equally important, he says. Thus, Hadnagy has developed a Social Engineering Code of Ethics with 11 points to help maintain professionalism in the industry. 

This code of ethics includes guidelines such as:

  • Avoid engaging in, or being a party to, unethical, unlawful, or illegal acts that negatively affect your professional reputation, the information security discipline, the practice of social engineering, or others’ well-being.
  • Minimize risks to the confidentiality, integrity, or availability of information of your employer, clients, and individuals involved in engagements.
  • When training future social engineers, consider that training will leave a lasting impact on your students, and the methodology with which you train will echo through all students’ future engagements.

Jobs and Qualifications

Note that jobs related to ethical hacking go by many names and comprise many duties. The following list from ITCareerFinder shows a few relevant job titles and corresponding salaries:

  • Certified Ethical Hacker: $89,000
  • Computer Forensics Investigator: $88,000
  • Cybersecurity Analyst: $98,000
  • IT Security Specialist: $104,000
  • Network Security Engineer: $109,000
  • Vulnerability Analyst: $89,000

Qualifications also vary but, according to the Berkeley School of Information, “employers — typically in the computer, business, financial, and consulting industries — tend to hire analysts with experience in a related occupation where they’ve learned to plan and carry out security measures that protect an organization’s computer networks and systems.” Certifications are also important as they can help validate a candidate’s skills in specific areas.

Check out the training links and other resources below to learn more.

Training and Events

Other Resources

FOSSlife Newsetter