A white hat hacker, or ethical hacker, uses penetration testing techniques to test an organization’s information technology (IT) security and identify vulnerabilities. IT security staff then use the results of such penetration tests to remediate vulnerabilities, strengthen security and lower the organization’s risk factors.
Penetration testing is never a casual undertaking. It involves lots of planning, which includes getting explicit permission from management to perform tests and then running them as safely as possible. These tests often involve the same techniques that attackers use to breach a network. Many businesses choose to work with managed service providers to outsource this side of IT.
A white hat hacker is an ethical information security developer or engineer who uses their skills on behalf of organizations to test security configurations.
Ethical hacking began in the late 1960s, as corporations and government agencies started to test the emerging telecommunications technologies and computers for security vulnerabilities. However, an unfortunate side effect of ethical hacking is black hat hackers, who illegally seek information for personal gain.
White hats essentially have an organization’s consent to look for exploits and vulnerabilities within an IT infrastructure to make sure they can keep black hats out.
While a white hat hacker reinforces security and plays by the rules, a black hat hacker is essentially a cybercriminal. Black hats operate with malicious intent to break laws, steal information and money, blackmail people, or take down corporations. Phishing schemes, malware, viruses and other cyberattacks are all attempts to gain access to your system, and the results can be devastating. Successful attacks can accomplish anything from slowing down your computer to halting company operations, such as when hackers shut down the Colonial Pipeline in 2021.
There’s a third type of hacker known as a “gray hat hacker,” who is a security specialist who looks for vulnerabilities, but usually without permission. They tend to break the law frequently.
White hat hacking involves a great deal of problem-solving and communication skills. A white hat hacker also requires a balance of intelligence and common sense, strong technical and organizational skills, impeccable judgment and the ability to remain cool under pressure.
At the same time, a white hat hacker needs to think like a black hat hacker, with all their nefarious goals and devious behaviors. Some top-rate white hat hackers are former black hat hackers who got caught and, for various reasons, decided to leave the life of crime behind and put their skills to work in a positive (and legal) way.
There are no standard education criteria for a white hat hacker – every organization can impose its own requirements – but a bachelor’s or master’s degree in information security, computer science or mathematics provides a strong foundation.
For those who aren’t college-bound, a military background, especially in intelligence, can help your resume get noticed by hiring managers. Military service is also a plus for employers that prefer to hire employees who already have a security clearance.
The U.S. Air Force conducted one of the earliest ethical hacks on the Multics operating system in 1974. This security evaluation revealed multiple vulnerabilities that could be easily exploited.
Many white hat hacking and security-related IT certifications can help a candidate get a foot in the door, even without copious amounts of hands-on experience.
Achieving the Certified Ethical Hacker (CEH) certification from the EC-Council is one recommended starting point. The CEH is a vendor-neutral credential, and CEH-certified professionals are in high demand. The median salary of an ethical hacker is slightly above $80,000, according to PayScale, and the top range can reach well over $100,000. On the consulting side, the EC-Council states that CEH professionals can expect to be paid $15,000 to $45,000 per contract or short-term assignment.
The intermediate-level CEH credential focuses on system hacking, enumeration, social engineering, SQL injection, Trojans, worms, viruses and other forms of attack, including denial of service. Candidates must also demonstrate a thorough knowledge of cryptography, penetration testing, firewalls and honeypots.
The EC-Council recommends a five-day CEH training class for candidates without prior work experience. To do well in the course, students should have Windows and Linux systems administration skills, familiarity with TCP/IP and working knowledge of virtualization platforms. However, self-study options are also available to help candidates pass the single required exam. The EC-Council requires candidates to have at least two years of information security experience and pay a $100 application fee.
Becoming a certified white hat hacker also involves staying on the legal side of hacking, never engaging in illicit or unethical hacking activities, and always protecting the intellectual property of others. As part of the certification process, candidates need to agree to uphold the EC-Council’s code of ethics and never associate with unethical hackers or malicious activities.
In addition to the CEH, the SANS GIAC curriculum is worth a look. Candidates who start with GIAC’s Cyber Defense certs, beginning with the GSEC, might find themselves better positioned to climb through an active, well-respected and deep security curriculum. The GIAC Penetration Tester (GPEN) and the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) are both noteworthy certs for aspiring white hat hackers.
Another set of ethical hacking certifications comes from Mile2. The Mile2 Cybersecurity Certification Roadmap series includes the foundational Certified Vulnerability Assessor (CVA), followed by the Certified Professional Ethical Hacker (CPEH), the Certified Penetration Testing Engineer (CPTE) and the advanced-level Certified Penetration Testing Consultant (CPTC). Qualifying U.S. veterans can use their GI Bill benefits to earn cybersecurity certifications and training through Mile2.
Not all aspects of penetration testing are digital, nor do they always rely on digital means or methods of pursuit. Security experts generally group the security features of a site or facility, along with the physical access controls involved in entering or using facilities or equipment in person, under the heading of physical security. Full-fledged penetration testing thus also involves attempts to compromise or circumvent physical security.
Trained penetration testers may try to tailgate through an access gate, ask somebody to hold the door for them when seeking to bypass a badge reader or keypad entry control system, or use other forms of social engineering to get around physical security controls and barriers. Because getting up close and personal with equipment is a necessary first step in attacking its security, physical security and related security controls, policies and procedures are every bit as important as similar measures on the digital side of the security fence.
Most information security certifications – including the CISSP, CISM and Security+ – provide some coverage of physical security in the common bodies of knowledge they ask candidates to learn and understand as they prepare for testing.
For those specifically interested in physical security, the Physical Security Professional (PSP) credential from ASIS International is probably the creme de la creme of physical security certifications. It’s worth checking out for those who want to understand the full range of penetration testing methods, approaches, and techniques, especially in the realm of physical security.
Candidates with interest in information security, along with the appropriate background and a certification or two to start with, should have few problems finding ethical hacking work right away. Over time, you’ll use continuing education and more certifications to steer your career exactly where you’d like it to go.
Eduardo Vasconcellos contributed to the writing and research in this article.