Ethical hacking is challenging and lucrative but training is expensive

As criminal IT activity increases, security skills are in demand

What is it?
Ethical hackers are security professionals who attempt to break into IT systems to identify weaknesses that could be exploited by malicious intruders.

All unauthorised hacking, including defacing websites, is criminal, but the amount of serious IT-based criminal activity - fraud, theft and industrial espionage - is on the increase.

According to one site listing ethical hackers' resources, most large organisations now make use of their services.

Service providers range from former criminal hackers turned consultants, to IBM's Global Security Analysis Lab and the UK government's CESG, part of GCHQ, which has expanded its customer base from the public to the private sector.

Where did it originate?
The US military began testing its own IT security back in the 1960s. But it wasn't until 1993 that the concept of ethical hacking emerged, when San Francisco security expert Dan Farmer and a security programmer at the Netherlands University of Eindhoven, Wietse Venema, posted to Usenet the techniques they used to gather information that could have compromised the security of a number of target networks.

They also bundled the tools they had used, in an application they called Security Analysis Tool for Auditing Networks, or Satan.

What is it for?
According to IBM's ethical hacking team, the three questions to ask are: "what can an intruder see on the target systems?", "what can an intruder do with that information?" and, most importantly, "does anyone at the target notice the intruder's attempts or successes?".

Ideally, the ethical hacker is allowed to take a no-holds-barred approach, because a potential intruder would be under no constraints, but clearly there is a limit to what can be done with live production systems and confidential data.

Security is tested both from the point of view of an external intruder and that of an internal dissident, because by some measures, more security breaches are committed by employees.

Although authorised hacking in general breaks no laws, there are issues of liability to be sorted out in advance in case the hacker does inadvertent damage. And there are untested grey areas. For example, IBM and other large service providers will not hire former criminal hackers because it is impossible to know how genuinely "reformed" they are.

How difficult is it to master?
According to IBM, "Boldethical hackers typically have very strong programming and computer networking skills, and have been in the computer and networking business for several years".

IBM says additional specialisation in security is not always necessary, as strong skills in the other areas imply a very good understanding of how the security on various systems is maintained.

The work also demands high motivation and the ability to persist at tedious manual tasks for days on end, often at anti-social hours, while waiting to spot and use an opportunity.

What makes it special?
Ethical hacking combines the application of constantly evolving technologies with a high level of intellectual challenge.

Rates of pay
Employers are likely to describe the work as vulnerability assessment or penetration testing. Salaries range from £30,000 to £60,000, or £300 and above per day.

There is a variety of cross-industry and single-vendor qualifications, including 7Safe's CSTP (Certified Security Testing Professional) and the EC-Council's Certified Ethical Hacker programme, which is offered by many UK training organisations.

Like other IT security training, ethical hacking courses tend to be expensive. For five days, expect to pay close to £2,000+VAT.

One key resource is the Open Source Security Testing Methodology Manual, which is available freely on the web.





Read more on Hackers and cybercrime prevention