Ethical hacking - or, less colourfully, penetration testing - involves simulating the attacks a malicious or criminal hacker could carry out on a network, so that security can be tightened to prevent them. Recent incidents such as the massive loss of customer data by TK Maxx's US parent have raised awareness among businesses, and the UK government is tightening data security. Ethical hackers are in demand.
The work is less glamorous than is portrayed on film and TV, but the fictional stereotype of the hacker as an unsociable night owl is not far from the truth. Testing has to be done round the clock to pinpoint when the network is vulnerable. Although many automated tools are available, malicious hackers are continually finding ways to beat them, so much of the work is manual, and is both tediously repetitive and intellectually demanding.
Films often show hackers being recruited from the "dark side", but ethical hacking is a grey area involving practices that are technically illegal (tight contracts need to be drawn up to protect practitioners from prosecution), and trust is paramount because ethical hackers will be probing the client's innermost secrets. Businesses and consultancies will not hire anyone with a background in illegal hacking.
Where did it originate?
In 1993, Dan Farmer and Wietse Venema posted a paper on UseNet called Improving the Security of Your Site by Breaking Into It, and subsequently bundled the tools they had used in their investigations and put them online as Security Analysis Tool for Auditing Networks (Satan).
What's it for?
Forget the back bedroom - ethical hacking must be done from facilities with exceptional logical and physical security. Techniques you will need to understand include password guessing and cracking, session hijacking and spoofing, denial-of service attacks, exploiting buffer overflow vulnerabilities and SQL injection.
How difficult is it to master?
According to a paper in the IBM Systems Journal, "Ethical hackers typically have very strong programming and computer networking skills. It should be noted that an additional specialisation in security is not always necessary, as strong skills in the other areas imply a very good understanding of how the security on various systems is maintained." There are courses that claim to introduce the basic skills in as little as three days, and senior qualifications that involve years of practice and study. Most practitioners use informal skills they have taught themselves, however.
Where is it used?
Many IT services companies, such as IBM, offer ethical hacking. The most demanding institution in the UK is CESG, the Information Assurance arm of GCHQ, which assesses penetration testing consultants for their fitness to work on government systems. Details of CESG's "Check Service Assault Course" can be found on its website.
Rates of pay
£30-65,000 up to £550 a day for contractors.
The most widespread international qualification is the Certified Ethical Hacker devised by the International Council of Electronic Commerce Consultants (EC-Council), which is offered by a number of UK specialist security trainers. Within the UK, security consultant 7Safe offers certified security testing at associate and professional level, with higher qualifications in forensic investigation.
7Safe's courses are accredited by the universities of Bedford and Glamorgan, which both offer ethical hacking courses, as do the universities of Northumbria and Coventry.
See also The Open Source Security Testing Methodology Manual (OSSTMM).
This was first published in August 2008