How to Become an Ethical Hacker
Your syllabus: getting from infosec newbie to ethical hacker
Are you: a student trying to break into cybersecurity? A tech professional looking to transition into a role in security? Or simply, someone who is interested in hacking and doesn’t know how to get started? If so, this post is for you!
Almost all the messages I receive on social media is about becoming an ethical hacker. The road to becoming an ethical hacker is indeed convoluted: there are no colleges offering a “hacking” major and there seems to be an ever-growing list of skills that need to be mastered.
In this post, I am going to outline the skills one needs to become an ethical hacker, and how to go about mastering them. This will give you a good framework on how to get from infosec newbie, to master hacker.
What is an “ethical hacker”?
First off, what exactly is an ethical hacker?
A hacker is someone who gains unauthorized access to computer systems using their technical knowledge. This is illegal and fuels a large part of modern criminal activity. However, thanks to the change in the landscape in the infosec industry, is it now possible to make a living as a hacker legally. Those who do are referred to as “ethical hackers”.
An ethical hacker is someone who attempts to penetrate computer systems and networks with the permission of their owners in order to find security vulnerabilities that a malicious hacker could exploit. This helps organizations strengthen their systems against cyberattacks.
The detailed job descriptions of ethical hackers vary, as hacking different systems require specific domain knowledge. But in general, ethical hackers identify weaknesses and vulnerabilities in a system and uses them to gain unauthorized access. They also document their findings and give suggestions on how to remediate the vulnerabilities found.
Programming and CS fundamentals
Strong skills come from good fundamentals. The best hackers often come from a CS/programming background, because knowing how to build software gives you a comprehensive perspective about how the software works and helps you break them. In addition, an ethical hacker often has to automate large parts of their workflow and programming skills are required for that.
So the first thing to master is basic programming skills. I recommend using Codecademy for this. Codecademy will teach you the basics of how to program. A good general-purpose language to learn is Python. It is easy to learn and great for quickly automating security tasks.
Codecademy will teach you the basics of programming, but you will also need an understanding of the theoretical fundamentals of computer science if you want to become a competent programmer. For this, I recommend Stanford’s free CS101 course. It will complement your learning on Codecademy and give you a good basis to learn how to hack.
Networking and OS fundamentals
It is also important to understand how computer networks and operating systems work. This will help you understand how a lot of modern exploits work, and how systems are protected against these exploits.
To learn computer networking and operating systems, I recommend following college course recordings on Youtube.
For example, here’s a good one for networking:
And here’s a good one for operating systems:
There are a few more things that are helpful to all ethical hackers.
First, make sure you are proficient in using the Linux command line. The command line is the most efficient way of interacting with computer systems, and as an ethical hacker, you will spend a lot of time there. To learn the command line, use LinuxCommand.org.
An understanding of the basics of cryptography is also critical since it is used to protect almost every single digital system out there. A quick read on GeeksforGeeks should give you a good overview.
Pick your specialization
There are many specializations you can focus on as an ethical hacker, and they all require expertise in their own set of domain knowledge. You should gain a general understanding of all of these fields and find out which you are more interested in. Then, you should pick one and focus on gaining expertise in that field.
Binary security is the field of attacking and protecting binary applications. Binary exploitation is attacking a compiled application to elevate privileges or perform arbitrary actions on a targetted system. A good place to start learning is my posts on binary exploitation:
Web application security
You could also focus on the vulnerabilities that commonly affect web applications. As web applications become more complex, securing web applications has evolved into a field of its own. A good way of learning about web applications is by starting with the OWASP top ten vulnerabilities. Then, dive deeper into the architecture and development process of web applications and how they affect security.
Mobile application security
In this field, you learn how to hack and secure applications on different platforms such as Android and IOS. You should focus on learning about the security features and limitations of modern mobile operating systems and the vulnerabilities commonly found on popular platforms.
Lastly, it is not enough to just understand how thing work. It is also important to understand what these theoretical vulnerabilities and defenses look like in real-world applications. So, you should practice hacking and defending.
Another good way to practice is by building vulnerable applications with minimal protection, breaking it yourself, and finally implement fixes to protect against the vulnerabilities that you’ve found. This way, you learn to both hack and protect an application at the same time.
Bug bounties are also a great way to practice. HackerOne and Bugcrowd are two of the biggest platforms, with a wide variety of clients. Pick a program related to your chosen field of expertise and hack away! On bug bounty programs, you are hacking actual targets instead of simulated ones like in CTFs. So it will be a lot harder, but a lot more realistic.
Besides technical skills, soft skills are also critical to your success as an ethical hacker. Here are a few to focus on.
Communication skills are extremely important for an ethical hacker. Writing and communicating your findings to your clients will be a big part of your job.
Focus on being detailed in your writing, and be as clear and concise as possible when communicating.
Learn to communicate your technical knowledge to different audiences by keeping a technical blog, or by contributing to Wikis or online learning sites.
In addition to applying known techniques, get in the habit of thinking creatively when approaching your targets. A useful way of thinking about hacking is to switch perspectives between the developer and the hacker. How did the developer build the application? Is there anything that he might have missed? As a hacker, how can I exploit that mistake?
Always keep yourself up to date on the latest security news via forums, newsletters and cybersecurity blogs. The security field is rapidly evolving and it is part of the ethical hacker’s job to continuously learn about the latest techniques and apply it to her work!
Lastly, don’t remember to have fun! Ethical hacking is a very exciting field to be in, but the learning process can get difficult and frustrating. Don’t forget to implement some fun into your learning routine and keep your mind focused on your love for hacking! Good luck!
Thanks for reading! Is there anything I missed? Feel free to let me know on Twitter: https://twitter.com/vickieli7