Career Overview: What I Do As an Ethical Hacker
Sometimes you hear about serious vulnerabilities being discovered before anyone exploits them, such as the infamous Heartbleed bug last year. Security researchers work hard to fix these dangerous flaws before they are found by hackers with more malicious intent. This kind of preventive break-in is sometimes referred to as white-hat hacking, or simply “ethical hacking.”
These hackers work with businesses to probe their networks for security holes, social engineering vulnerabilities, and more, while adopting the mindset of a person who may have criminal motivation. To find out what such a job involves, we spoke with Ben Miller, an ethical hacker at Parameter Security.
First of all, tell us a little about your current position and how long you have been in it.
I am an “ethical hacker” at Parameter Security, which means that companies basically hire me to try to hack into their computer networks in order to figure out how a real criminal would do it. People in this profession use all sorts of tricks to get inside – you can walk in, trick employees by phone or email, pretend to be another person; it really doesn’t matter. I have never come across a business that cannot be compromised. I have infiltrated a wide variety of companies and organizations, from banks to hospitals, Fortune 500 companies, manufacturers, city utilities, government agencies, and more.
I’ve been a full-time hacker for the past five years, and this is truly one of the most interesting and challenging jobs anyone can have. It’s also incredibly rewarding because I know I am helping to protect companies and institutions from malicious hackers who would otherwise have nothing to stop them.
What prompted you to choose your career path?
I knew from a young age that I was interested in computers. I grew up on a farm in northeastern Missouri, and while I understood early on the value of hard work, perseverance, and achieving my own goals, I also realized as a child that I had no desire to come home dirty and bloodied from farm work every day. Fortunately, my discerning father bought the family a computer when I was in elementary school. It was an IBM-compatible 286 system. I learned nifty tricks in Windows 3.1 and MS-DOS, such as “DELTREE”, which removes entire file structures, and how to change background colors. I enjoyed teaching safe tricks in elementary school and was soon accepted into the school program to help teachers solve their computer problems.
However, it was only when I saw the movie Sneakers that I realized how great the potential of my interest in computers was. Seriously, this film made a big impact on me – and I bet that others in the field who were around at the same time probably felt the same way. In fact, this was my first look at the world of ethical hacking, and I was immediately interested in it. I saw Robert Redford using social engineering to accomplish these incredible feats, and how Whistler never faced obstacles, but simply used technology and logic to overcome them. I had always been drawn to technology, but seeing its potential, perhaps also the “cool” factor, and how it could be used for good in the world, I was very excited.
All kinds of people are attracted to ethical hacking, with every kind of experience and motivation, but I think that in the end most of these people just gravitate toward technology from the very beginning, and it is the challenge and creative thinking of finding a way to bypass a software control, or to make a program do something completely new, that constantly pushes them to go further and further until it becomes a career.
How did you get a job? What kind of education and experience did you need?
Ethical hacking is not a routine job. You don’t need to have a college degree or certificate to do this. All you need is a good knowledge of computers, software and programming languages, creativity and drive.
In my case, I went to college in 1999 and got my degree in Computer Systems and Networking. Unfortunately, the dot-com bubble burst right after I graduated, so it was hard for me to find a good job in the field. I ended up going back to college to study religion, and it wasn’t until 2006 that one of my friends told me about an opening for a network administrator at a county hospital. While I worked there, I spent a lot of time making sure the hospital network was HIPAA compliant so that it did not expose patient data and was not vulnerable to hackers trying to steal it. I knew that if I was going to keep criminals out of the hospital, I would have to learn their tricks and how they worked, so I took the Certified Ethical Hacker course offered by a local company. This course, taught by my future boss, focused on the mindset and methods of a criminal hacker – it basically taught you to think like a criminal hacker. After the second day, I realized that this was what I wanted to do full-time, and my ethical hacking instructor (Dave Chronister) hired me a year later, once I had proved myself in this area.
Do you need any licenses or certificates?
You do not need to have any certifications to be an ethical hacker, but it is always beneficial to obtain one, as it proves your knowledge and experience in key areas. There are dozens of certifications, and their value to your career depends a lot on the companies you want to work for. Research your certification or course before spending money! However, if you are doing forensic investigations for clients, a private investigator license is required in most states.
Problem solving, persistence, and good communication skills are all key qualities you need to possess for this job.
What are you doing besides what most people see? What do you actually spend most of your time on?
I can look deep inside critical networks (like banks, hospitals, utilities, large companies) and see how vulnerable they really are if the right attacker goes after them. It’s like seeing how sausage is made, because you see how these really important systems often run on old software and hardware, or have vulnerable programs that are still not patched, or are connected to things they shouldn’t be, or have default passwords left in place. The entire network that protects your money or personal records, or helps keep the lights and water on, is a patchwork quilt of problematic systems that are not as hard to get into as we would like to think.
I also see attacks or hear about attacks on Twitter long before they hit the news.
I spend most of my time probing or scanning networks, looking for vulnerabilities, etc., but I spend just as much time talking to the client and documenting what I did in a written report. I tell student hackers and new hires, “As a hacker, you will write more reports than you ever did in school!” The report is the part of the engagement that the client keeps and can ponder for a long time after the “warm fog” of your personal attention fades. It needs to be just as good.
But clients see almost everything we do – it’s a very open process, so they can explore and see their network from our perspective. The only thing they miss is the look on my face at 2am when I finally test the exploit while watching reruns of How It’s Done.
What misconceptions do people often have about your job?
Perhaps most importantly, people think that the term “hacker” always means a criminal or an attacker. A hacker is basically someone who enjoys tinkering with tools and software, finding ways to solve problems, or discovering new possibilities for using technology. Those who do this to steal money or harm people are simply criminals. We should not have to call ourselves “ethical hackers” – instead, we should emphasize that the bad guys are “criminal hackers.”
People also see the attacks we simulate and feel like we are doing magic. Hackers understand the important truth that computers do only what they are told, and often the actions of users are not in their own interests. Whether they run improperly coded software or click an email promising something, users (including IT staff!) are often unaware of the scary things they end up doing.
Another misconception is that “all penetration tests are the same.” Unfortunately, in an industry as young and shrouded in mystery as information security, there is a huge lack of knowledge about what a penetration test should include (i.e., a company’s ethical hacker test). Efforts like Pentest-Standard.org try to at least educate business and IT pros on what to expect from a good penetration test from a knowledgeable company.
What are your average working hours?
It really depends on what you are doing. If you are hired to conduct a penetration test for a company, then you will probably work 8 to 10 hours a day, and the work can last from 2 to 10 weeks. However, if you are working with software looking for vulnerabilities, then it really depends on you. There has never been a time when I sat at my desk and asked, “When can I go home?” More often than not, my wife reminds me that sleep is good and that I can probably cope with what I am doing after I get some sleep.
However, if you are called in to help a company recover from a breach (what we call “incident response”), then all bets are off. That is when you’re in crisis mode, and you can easily pull a few all-nighters trying to stop the attack, control the damage, and figure out how to get the company back on track.
What personal tips and shortcuts have made your job easier?
Always listen and read. You may know an incredible way to do something, but someone else may know another way that is faster or easier. Document what you do, why, and when, so that when something goes wrong, you can understand what happened. Banging your head against a wall you have already walked around before is a HUGE waste of time.
Plus, as my boss likes to say, and as I have learned too, “No client has ever been angry about you talking to them too much.” In nearly five years, I have only had one client who said that I didn’t need to call or email every day of the week while I was on their network. People like to know what is going on, even if what is going on is: “we are looking at the results of the tool, looking for something to break.”
What do you do differently from your colleagues or peers in the same profession? What do they do instead?
Unfortunately, there are many companies in this field that believe ethical hacking is simply scanning for network vulnerabilities. The problem with this type of thinking is that it doesn’t really show the client the full picture. Okay, I know this program and that program are vulnerable, but what does this actually mean? What could an attacker have done with this vulnerability? How far could they go?
In our company, we are very goal-driven. We see the ethical hacker test in terms of the real consequences for the institution, that is, what an attacker would want to do (steal your data, perform illegal wire transfers, interfere with computer equipment, etc.) and how they could do it. When we find vulnerabilities on a network, we look at their practical implications, and you have to get creative to see the full potential of a security vulnerability and piece everything together to figure out how a criminal might get at the data or commit financial theft.
What’s the worst part of a job and how do you deal with it?
The worst part of this job is when you get clients who don’t really want to know how vulnerable they are. Sometimes it’s because they are indifferent (many companies still feel that it’s cheaper to just fix a problem after they have been hacked than to spend money upfront to improve security), but more often it’s based on fear. It’s kind of like when your car starts to make a weird noise, but you don’t want to take it to the auto shop because you’re afraid of how much it will cost. And it is not only about cost; in many cases you are dealing with a CIO who is worried about their career, and if there are too many problems in the report, he or she will look bad.
The only way to deal with this aspect of the job is to stick to your guns – do your best, don’t hold back in the penetration test, and communicate as clearly as possible where the company is vulnerable and what that might mean. … At the end of the day, the client needs to take the right steps to protect themselves and their clients; you just have to hope they do it.
What is the most enjoyable part of the job?
This may be the hardest question to answer. Honestly, there is a thrill in knowing that what I am doing would be illegal, except that a legal document says I am allowed to do it without getting into trouble. One of my favorite compliments from my previous job was, “You think like a criminal!” (They didn’t mean it as a compliment.)
I work with great people; we have fun and work hard. We learn together and laugh a lot! When my wife and I had our third son, they bought baby supplies and superhero onesies.
I am changing the way companies think about security and, ultimately, the lives of thousands of people, which is also very rewarding. The pay is also much better than I imagined when I watched Sneakers.
What advice can you give to people who need to use your services?
Well, don’t expect me to be a superhero. Often, clients think that by hiring you, you will clean everything up, fix all their problems, and make them 100% safe. There is no 100% security. It’s not like that at all. Clients need to be realistic – the goal of this type of work is to figure out which assets in your company are most important and what risks you can accept. You cannot prevent every attack from succeeding – no matter how good your security is, in the end someone will always be able to get through. In this way, ethical hackers not only help you prevent an attack, but also help you figure out what steps to take to limit the damage of a successful attack.
You cannot protect what you do not know exists. Therefore, the best documents to have on hand before hiring an ethical hacker to conduct a penetration test are a complete list of systems, people, and information, and a risk assessment document that addresses common business risks.
The purpose of a penetration test is then to find a weak spot, exploit it, and show how a critical, unacceptable risk could be realized (e.g., sensitive information being removed from your network and safely placed on the tester’s secure network), which you can then work to fix.
The hard work for the client comes AFTER the test, in learning how to run the business in a less risky way.
How much money can you expect at your job?
I’m not the type to talk about money, but I do believe that if you work hard and hone your skills (including interpersonal skills like negotiation!), you can make as much money as you want in this field. If you want to make a lot of money right out of school or just after getting certified, you will work for a company that owns you, makes you travel a lot, and considers sleep a luxury. If you want to find a balance between life and work, you will need several years of experience in both “mainstream” IT and security to start making big bucks.
Also, location matters a lot. I am in a good area in terms of cost of living, and that helps.
How do you progress in your field?
This is pretty subjective. Some people become specialists in key areas such as software security (mobile and web applications), industrial control systems (utilities, manufacturing plants, etc.), social engineering (i.e., hacking people), and so on. Others learn management skills and eventually go on to run hacker teams.
In either case, you should focus on improving your knowledge and getting the most out of your hands-on experience. Certification is good, but nothing beats doing these tests or managing teams on the ground.
Another way to stand out is to conduct original research on security issues and present it at one of the many industry conferences that are held annually. It will also help your career if you can attend a boot camp at one of these conferences, where you learn fundamental skills.
What do your clients or customers underestimate or overestimate?
Customers usually underestimate their involvement in the security process. They tend to believe that hiring a super hacker is all they need to keep the boogeymen away. They also tend to underestimate their assets. I have heard banks say, “We’re too small to be hacked.” It’s the same with hospitals, international companies, etc. They all have a reason to say, “This won’t happen to us!” until it happens.
Companies also make the mistake of comparing themselves to their peers. This question is often asked in boardrooms: “How do we compare to other businesses like ours?” No one wants to spend more money on security than their peers, as they feel like they’re wasting their money if they do.
However, customers often overestimate compliance standards. Whether it’s PCI standards for retailers, HIPAA for the healthcare industry, or something else, simply adhering to compliance standards doesn’t mean you’re truly safe. Compliance standards are simply a basic measure of what an organization must do to avoid being fined or imprisoned – companies must go far beyond them to be truly safe.
What advice would you give to those who want to enter your profession?
DO IT! We need more people who enjoy solving puzzles, breaking and repairing things, interacting with people, and having amazing experiences.
I love to learn! If you cringe at the thought of quickly picking up a new skill, operating system, programming syntax, or attack technique, you will quickly get bored with my consultant / boutique style of job. However, there is hope! Take what you truly love, find better ways to protect it cost-effectively, and work on blue teams (i.e., defense-oriented teams), which also desperately need more security-conscious people.
This interview has been edited for clarity.