Chapter 5) Real-World Application for Kali Linux
If hacking is a skill you are interested in, and perhaps you have already gained some experience yourself, possibly through less ethical methods, you may be interested in a career in hacking. As we mentioned earlier, many corporations and institutions hire white hat hackers in order to improve their security capabilities and keep abreast of all developments in hacker culture.
There has never been a better time to be involved in the IT security field, with the Bureau of Labor Statistics estimating that the sector is set to grow approximately 18 percent by 2024. Even more exciting for newcomers to the field is that the demand for skilled hackers is up by 40% according to a survey completed by the Ponemon Institute. This indicates that within the last few years roughly 40% of positions within the IT security field have gone unfilled. It could also be an indication that many skilled hackers are not willing to put their skills to use in a legitimate career, creating opportunities for white hat, ethical hackers.
As we mentioned earlier, many opportunities are being created for ethical hackers to perform penetration tests to determine the viability of a network's security. For the right person, this type of work can be incredibly rewarding, with pay exceeding six figures per year. The average security analyst in the United States makes over $96,000 per year.
As we rely increasingly on technology, and as the IT field constantly develops, the demand and job prospects for IT security professionals will continue to grow while the skills required of hackers change. An ethical hacker is tasked with advising an organization on how to reduce the number of vulnerabilities that could be exploited by black hat hackers, and with working with developers to advise on how they can better address their security requirements. This leads to the updating of security policies and procedures and to further training of staff as part of a company's security awareness and training program.
Job Requirements for Hackers
Despite the significant shortage of and demand for ethical hackers, there are still requirements an entry-level ethical hacker must meet to find a position within the IT security field. As a minimum, most white hat hackers will require a bachelor's degree in computer science or a related field to secure an interview with an organization. Beyond that, the hacker will also require specific security certifications which demonstrate that they possess the appropriate level of experience and skill to perform the job. Evidence for this was provided by the SANS Salary & Certification survey of 2008, in which 81% of respondents within the IT security field stated that having certifications was a key factor in securing their positions.
There are three primary security certifications which are recognised within the industry, and although there is an abundance of other certifications, these three have the greatest value when looking to secure a position.
Certified Ethical Hacker (CEH)
Before enrolling, students should at the very least have a basic understanding of Windows and Linux system administration as well as TCP/IP and virtualization. Classes are not compulsory: students are able to enrol and opt to just take the exams, provided they can submit proof of prior experience within IT security, two years to be exact.
The flexibility of the CEH certification is one of the most valued advantages of the course. Students are able to learn through self-study and video lectures which they can go through at their own pace, and even the instructor-led lessons can be taken online. If students are already employed by a business or organization in the security field, they are able to combine their training with their work.
The course is broken down over five days, with each day being eight hours long. Students are able to access online labs for six months following their enrolment. As we mentioned earlier, the exam consists of 125 multiple choice questions over four hours, with a 70% minimum pass threshold to receive certification.
The general knowledge of the course provides students with an all-round experience of what is expected of them in the industry with no specific focus on any software, product, technology or skill. Students are expected to understand how to correctly scan a network to identify basic viruses as well as how to perform penetration testing and how a web server can be hijacked. Another element of the course is the social engineering aspect of hacking, informing hackers how they are able to manipulate and influence individuals to obtain personal and confidential information in order to infiltrate a computer system. In recent years, particularly as human communication has advanced to the point of online messaging and social media, social engineering has become a crucial element of hacking.
The course does have some drawbacks, however, being heavily dependent on text and video instruction without much focus on hands-on practice. It has also been noted by industry experts that the course is somewhat outdated and too simple to provide enough scope for day-to-day use. It does, however, present an excellent overview of the industry, and those hackers looking to specialise are welcome to explore further certifications to gain more precise knowledge. The CEH is a cost-effective certification for gaining an insight into the industry and should not be treated as anything comprehensive.
The CEH certification is well known within the IT security field, and having the qualification is a significant advantage to have on your resume. While it won't make you stand too far out from the crowd of other applicants, being the most recognised certification in the industry, it will put you on the radar of potential employers.
Network Penetration Tester (GPEN)
For those looking at expanding their skills in network penetration testing, the GPEN is the course to take you much deeper into this particular field of knowledge. The course takes students through what is involved in a penetration test before taking the GPEN test to obtain their certification.
Before undertaking a network penetration testing course, students should at the very least have an understanding of the different types of cryptography used within Windows and Linux, as well as an understanding of TCP/IP. Many courses offer refreshers on these subjects to bring students up to speed, and while the prior knowledge will help when progressing through the course, these are not set-in-stone prerequisites.
Throughout the course, students will take part in over 30 labs, getting hands-on practical experience with the pen-testing process, covering everything from detailed reconnaissance and scanning to how to write and interpret a penetration testing report for conveying the findings to management and technical staff. This gives students a good idea of what is required when performing penetration tests in a corporate environment.
Coursework is generally completed on a Linux distribution containing everything the student will need, such as the Metasploit tools and free open source software like the password cracker John the Ripper, taking advantage of some of the most widely used and most advanced tools the industry has to offer.
The course also aims to open students up to the perspective of the hacker attacking the business, changing the mindset of students so that they approach the penetration test in a way that lets them think outside of the box and carry out the attack in ways that would have been unintended from the point of view of the business.
The costs involved with the course can be a deterrent, particularly for those who are looking to break into the industry. However, the practical hands-on experience will allow students to present themselves as a cut above the rest, and it can provide a career boost and a significant raise for those already working within the industry. The course can be difficult to get through, with a huge amount of information presented over six days. The practical experience, however, will allow students to refine their skills as an ethical hacker and open new avenues in their career.
The exam consists of 115 multiple choice questions and is open book. The exam runs over three hours, with students requiring a 74 percent pass threshold in order to receive the certification. The cost of the course varies depending on whether you decide to take the online option or the in-person training, with the latter costing more once the compulsory online labs are taken into account.
Offensive Security Certified Professional (OSCP)
The OSCP is by far the most technical and specialised certification of the three. The certification is aimed at providing an in-depth and hands-on insight into the penetration testing process and lifecycle. It steers away from a classroom setting, instead opting to focus on the practical aspects.
Students are first expected to complete the Penetration Testing with Kali Linux (PWK) course, a course built around the Kali Linux distribution, an open source project maintained by the course's administrators, Offensive Security. Students will need to have a solid understanding of TCP/IP and networking and reasonable Linux skills as a minimum requirement.
The course is offered online, with the only live training facility being in Las Vegas, Nevada. The cost of the course is determined by the length of time you will have access to the online labs, with options for 30 days and 90 days. During this time, you will be provided with video lessons, access to the labs and, finally, the certification test.
The OSCP is unique in that the test is not multiple choice; instead it is performed in a virtual network in which you are tasked with researching the network, identifying vulnerabilities and then hacking the system to obtain administrative access, similar to how a simulation would work. You are then asked to provide a comprehensive penetration test report detailing your findings, creating an environment that mimics a real-world situation. The test is completed over 24 hours, with the report being reviewed by a certification committee to obtain a passing grade.
While the OSCP is designed to develop skills focused on pen-testing tools and techniques, the certification also explores out-of-the-box thinking and unique approaches to solving problems. The test is structured so that students learn how to think laterally and are able not only to find and exploit vulnerabilities but also to further escalate their privileges, gaining experience in scenarios that they may be faced with in the future.
The test is geared more towards advanced security personnel in the IT field, and the hands-on, trial-and-error approach takes much time; however, this is incredibly beneficial for those looking to advance in the industry. Students learn from hands-on experience rather than just knowledge and are able to put their skills into practice in realistic scenarios.
There are downsides to the course, however, with students not being able to speak with a live instructor if they need to ask questions or are stuck and require assistance in the labs. The course is also far less recognised than the CEH, which can mean that you will not necessarily stand out from the field of other applicants as well as you would with a more recognised course. The education, however, will provide you with a greater understanding of pen-testing, increasing your productivity and performance at work, which is something that cannot be said of other, more knowledge-based courses.
If a hacker wants to have an in-depth understanding of pen-testing and become a specialist in their field, the OSCP will provide that level of experience and skill through the simulation exam, more so than any other course.
Which is the Best Course for You?
Your decision to take on any one of these courses will be founded on a desire to further develop your knowledge and skills within the topics that are presented. Each one has its own pros and cons within the industry, and it is down to the ethical hacker to decide where they are in their career and where they would like to take it. For example, for those who are looking to make a shift in their career and hoping to break into the industry, the CEH will provide the broad knowledge and industry recognition required for them to be considered for a position; however, the information may be outdated, and it is not for those who are looking to specialise or become exceptionally skilled in the industry.
If a student aims to develop their skills further and gain a more comprehensive understanding of penetration testing, the GPEN uses tools that are widely used in the industry and allows for one-on-one instruction. The course also explores the social engineering aspect of hacking, which is widely becoming recognised as a very important element of hacking, particularly in the age of social media and technology dedicated to communicating while still lacking strong security measures. This can provide a career boost for one who is looking to increase their qualifications and their pay; however, the course comes at a cost.
Finally, if you are looking to specialise in pen-testing and have an understanding of the entire process, the OSCP will provide you with extensive knowledge tested through a simulation scenario, and while the course is not recognised as widely as the other courses, you can be sure that your practical experience in the workplace will be of the highest standard. The lack of instruction and heavy course load can be overwhelming for beginners, and therefore this course is recommended for those who have experience working within the IT security field rather than those who are looking to start in the industry.