Ethical hackers tread the fine line between the good and bad sides of the internet, often venturing into both. They use their knowledge of hacking for good, usually to test and secure systems for clients. But if they were to use their skills for malicious purposes, they’d be capable of causing great harm.
Even though breaking into systems is a great way to improve them, ethical hacking is often marred by controversy. Professionals in this line of work aren’t easy to find, and even if you find one, you can’t get a lot of information out of them. Most maintain a low profile, and employers are unlikely to disclose their use of ethical hacking – in most places, the profession isn’t even recognized by the law.
It’s tough to get insight into the world of ethical hacking, but we did. We sat down with two specialists to answer some of our burning questions and to discover what it really means to be an ethical hacker. Read on as we take a deep dive into the exciting but obscure world of ethical hacking.
What Makes Ethical Hackers So Important
Cybercrime has become a major threat to individuals, businesses, and governments, and it’s growing at an alarming rate. With the increasing reliance on technology, cybercriminals have found new ways to exploit vulnerabilities in networks.
Cybercrime increased 600% during COVID-19 and will probably grow faster in the coming years. Ata Hakçıl and Jeremiah Fowler gave us an inside look into the life of ethical hackers and into what we can expect from big tech and from cybercriminals.
Ata Hakçıl is an ethical hacker, pentester, and bug bounty hunter with over 7 years of experience. He has a BA in Computer Science and is currently pursuing an MA in Computer Engineering. You can check out his open-source security projects on GitHub, where he goes by the handle ignis-sec.
Jeremiah Fowler is a security researcher with over 10 years of experience in the tech and cybersecurity industry. He co-founded Security Discovery, a cybersecurity consultancy group, and his work has been featured in prestigious publications, including Forbes, the BBC, and Gizmodo.
Ata Hakçıl believes that “a recession following the COVID era will hit security budgets first because it’s one of those things you don’t consider necessary until you cut them. [What follows] will be a mess of constant massive data breaches caused by poorly maintained and audited projects.”
Ethical hackers are now crucial to ensure the security of organizations’ digital assets and sensitive information. They simulate attacks and find vulnerabilities in a controlled environment to identify potential security loopholes before cybercriminals can exploit them.
“Big tech is harvesting your data and collecting it, and the terms of service give them access to your microphone, to your camera, or possibly key logging. Everything you do on your device is captured and recorded – we don’t know how harmless this information could be or if it could be used against you. A comment you make today on social media might turn up in a job interview 10 years from now.” – Jeremiah Fowler, ethical hacker & security researcher
Here are a few more reasons ethical hackers are the best antidote to cybersecurity risks in the future:
Thinking like a thief is the key to crime prevention. That’s exactly what you do when you hire an ethical hacker to test your security systems. We believe ethical hacking is the future of cybersecurity and will rise in demand in the coming years. Before we get into the thick of things, here are a few important terms to understand.
Ethical Hacking Glossary
Why Is “Ethical Hacker” a Controversial Term?
If a cybercriminal (often incorrectly referred to as hacker) is a burglar sneaking into your house to steal your stuff, an ethical hacker is the friendly neighborhood locksmith who comes to your rescue and shows you how the burglar could get in. This way, you can fortify your security and feel safe again.
Think of it this way: a malicious hacker is the one who makes you scream, “Why me?” while an ethical hacker is the one who makes you say, “That’s why I hired you!” But not every professional in this field prefers being called an ethical hacker, mostly due to the negative connotations we’ve ascribed to the word “hacker”. We asked our specialists for their thoughts.
Q: Do you agree with the term “ethical hacker”?
Ata Hakçıl: “I do, but I personally prefer ‘security researcher’.”
Jeremiah Fowler: “Absolutely, as an ethical hacker, there are certain things that I would never do, such as bypass password credentials or forcibly break into a network. As a researcher, I look only for exposed data and would never go beyond what is publicly available. It would be unethical to use passwords I find in exposed data.”
Even when we append “ethical” to it, hacker is a controversial term. Some say a hacker is a hacker, and putting ‘ethical’ in front of it doesn’t change the fact they use stealth and deceit to infiltrate systems. They also argue the term is highly subjective.
We have hackers who claim to be activists, hacktivists, rather than criminals. Others believe they have a responsibility to expose an organization’s weak security. But is their intent enough to consider them ethical? The idea that individuals who challenge authority are automatically ethical isn’t always valid.
What Exactly Is Ethical Hacking? What Are Its Origins?
According to Oxford Languages, an ethical hacker is ‘a person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent.’ This definition is more or less the same worldwide, but it’s not as simple as it seems.
Ethical hacking, often dubbed “white hat hacking”, has only become a common cybersecurity trade in the last decade. But did you know the practice of ethical hacking is actually older than “black hat hacking” – the clearly bad one, where the intent is malicious?
In the early days of computers, hacking was just optimizing systems and machines to make them more efficient. Even though the malicious nuance has overpowered the term, we now know the origin of hacking is a purely ethical one. But fighting against stereotypes is an uphill battle.
Unfortunately, the line between ethical and unethical hacking is still unclear today. You can’t really tell good guys from bad guys, and legislation has not caught up either.
Q: Is it all black or white in hacking: bad guys vs. good guys?
Ata Hakçıl: “The majority of the black hat activities such as harvesting, stealing and selling credentials, and stealing credit card information, are objectively bad. But some topics fall in an ethical gray area and it all depends on the perspective.”
Jeremiah Fowler: “It depends if you’re talking about employees working for big companies or independent people. Unfortunately, many black hat hackers come from regions with very little economic prospects and legal regulation.”
So it’s not all black and white; there’s also a good amount of gray in between.
Black, White, And Gray Hat Hacking Explained
Black hat hackers work exclusively to cause damage or for personal gain. This includes people selling data breach information on the dark web, those who launch DDoS attacks, and even the one guy who hacked Twitter and tweeted from celebrity accounts asking people to send Bitcoin to his wallet.
White hat hackers are usually motivated by research: they perform penetration testing and take part in bug bounties – official programs that reward people who manage to find vulnerabilities and flaws in certain software and services. White hat hackers follow strict ethical guidelines in their research.
Gray hat hackers don’t follow a strict ethical code and fall into a morally gray area where it’s questionable whether their motives are good or bad. Ata explains this concept really well:
“Compromising someone’s personal laptop is objectively unethical. Taking down a human trafficking website is objectively good. Compromising someone’s laptop to take down a human trafficking website they are hosting falls in a moral and ethical gray area.
It is easy to move between one and another — conscience can turn a black hat into a white hat, ideologies can make someone a gray hat, and money or lack of empathy can make someone a black hat.”
What Is the Mission of an Ethical Hacker?
Like malicious hackers, ethical hackers aim to bypass a target system’s defenses. The difference is the purpose: they do it to help close security loopholes and improve an organization’s cybersecurity, but the mission itself is very similar to that of malicious hackers.
However, professionals may take different routes to ethical hacking. Here are the three main types of ethical hackers:
Bug Bounty Hunters
Rather than being paid for their time, bug bounty hunters receive a bounty from an organization if they successfully report a new vulnerability. CyberGhost VPN’s bug bounty is one example.
Security Researchers or Specialized Cybersecurity Assessment Teams
Organizations hire them to assess their security, identify weaknesses using offensive techniques, and improve defenses.
Such teams are modeled after the Navy, where a red team attacks and a blue team defends. These highly trained cybersecurity professionals work closely together to improve security through continuous feedback and two-way knowledge transfer. Their goal is to strengthen the organization’s prevention, detection, and response strategies.
Penetration Testers
Also known as intrusion testers or pentesters, these professionals assess a system’s security by simulating malicious third-party attacks. Penetration testers usually operate within a timeframe and according to a target test scope defined by the client.
Their goal is to identify attack vectors and vulnerabilities and to monitor system weaknesses. This involves using various manual techniques supported by automated tools to exploit known vulnerabilities.
Apart from the goal of identifying vulnerabilities, each type has different motives. As Ata puts it, “If it’s a penetration test, I take pride in finding what vulnerabilities previous contractors missed and in making sure the next contractors can’t find anything else. If it’s a search for a new vulnerability, my motivation is finding something so creative that it sticks with you when you hear the details. If it’s a bug bounty, I mostly find myself more financially motivated than seeking creative stimulation.”
Is Ethical Hacking a Dangerous Job?
Now, you might think, “How dangerous could it be? They’re just hacking into computers (with permission), not running with the bulls in Pamplona!” But let me tell you, the dangers of ethical hacking are not to be underestimated. It’s not all rainbows and unicorns in this line of work, and I’m not just talking about the risk of getting caught by the authorities. We asked our ethical hackers for a deeper insight into their fears.
Q: What’s the worst fear of an ethical hacker?
Jeremiah Fowler: “If you’re ethically hacking and helping people, you have no fear. If you’re criminally breaking into networks and stealing data, obviously, there is a huge legal risk.”
Q: Can you tell us about your hacks? Have you ever been prosecuted or rewarded for them?
Ata Hakçıl: “Never prosecuted, but rewarded a lot. For a short while, I was actively and exclusively participating in bug bounty platforms and got rewarded regularly.”
Jeremiah Fowler: “I used my skills and abilities for security discovery, which started as a cybersecurity research organization and then branched out as a security vendor. We have helped secure the personal data of millions of people around the world and have consulted and worked for Fortune 100 companies and organizations.”
If you operate within a strict ethics code, you likely won’t get prosecuted for ethical hacking. There have been cases where ethical hackers ended up in front of a judge, as legislation isn’t always clear. Mostly, though, what you’ll be responsible for is some serious chaos for your employer – almost as much as a malicious hacker would cause. It’s fun if you think about it.
Ethical hacking is not always dangerous, but since you’re always up against outdated laws and cybercriminals, you have to be extra careful with your online security and privacy. Malicious hackers may try to target ethical hackers just because they make it impossible for them to penetrate systems and conduct cyberattacks.
Is Ethical Hacking Mainly a Freelance Job?
Although most ethical hackers are freelancers, you can pursue ethical hacking in a variety of settings. You could work as a full-time employee or a consultant in a wide range of industries, including finance, healthcare, government, and technology, among others.
A lot of organizations hire security researchers full-time as part of their security teams to help identify and mitigate vulnerabilities. Current trends show a number of professionals in this field often choose to work as freelancers as it offers them more flexibility.
Ethical hacking is a highly specialized field requiring a unique set of skills and knowledge. As a result, organizations also prefer hiring ethical hackers on a freelance basis rather than as full-time employees. This allows them to tap into a wider pool of expertise.
Companies Recruiting Ethical Hackers
Security researchers are in high demand. Many of the world’s leading brands are hiring ethical hackers at very handsome salaries. According to the US Bureau of Labor Statistics, the average annual salary for a security researcher was $102,600 as of May 2021.
Here are some of the top organizations hiring ethical hackers with the average annual salary they offer:
| Company Hiring Ethical Hackers | Average Salary |
| --- | --- |
| Bank of America | $158,947 |
What’s a Typical Day Working as an Ethical Hacker?
An ethical hacker’s workday “most likely has no visual difference compared to a software development job,” according to Ata Hakçıl. Before we get into the details of what you might encounter working as a security researcher, here are the responsibilities you may expect to take on:
- Meet with clients to discuss current security systems.
- Verify system security, network organization, and vulnerable entry points.
- Perform penetration testing.
- Create penetration test reports.
- Identify and document vulnerabilities.
- Identify the best security solutions.
- Perform penetration testing again after the suggested or new security solutions have been implemented.
- Find alternatives to security solutions that don’t work.
Here’s what a typical workday looks like for an ethical hacker already working on a project:
- Start the day by checking your email inbox and tasks.
- Review findings generated overnight by automated attack scripts or analytical systems running certain reports.
- Note down the operating system and applications you’ll have to work with to conduct penetration testing.
- Create a list of vulnerabilities you may use to take control of a system.
- Scan the system and discover more vulnerabilities to find the best plan of attack.
- Search dark web forums or network with other ethical hackers to find vulnerabilities and how best to exploit them.
- Set up automatic vulnerability scanners to conduct a large number of attacks quickly.
- Conduct additional research to fine-tune your plan.
- Attend meetings, give presentations, or just provide feedback on system security reports you submit.
- Learn to work with new tools, polish your skills, and find new and valuable information to stay up to speed.
Security research is a great fit for people who pay attention to details and like to think about how malicious actors could exploit those details – the type of people who might work in quality assurance or software testing.
Patience is key. Ethical hacking involves monotonous work, and the chances of finding a vulnerability are usually very low. You’ll see yourself putting in several hours of work every day and might not always find something valuable. That said, if you manage to find a vulnerability, the rewards are usually big enough to make up for it.
How to Become an Ethical Hacker – Studies and Career Path
Ethical hacking is a highly attractive career path for cybersecurity enthusiasts. Apart from being exciting, it’s also very much in demand. Let’s explore the steps you can take to become an ethical hacker and build a successful career in security research.
- 🎓 Obtain a relevant degree or certification: You can start by earning a degree in computer science, cybersecurity, or a related field. Alternatively, you can get relevant certifications such as the Certified Ethical Hacker (CEH) or Offensive Security Certified Professional (OSCP).
- 🛠️ Develop technical skills: To be an effective ethical hacker, you’ll need a strong understanding of programming languages, operating systems, networking, and other technical aspects of computer systems. You can gain these skills through online courses, self-study, or practical experience.
- 💪 Gain practical experience: Participate in bug bounty programs, work on open-source projects, or volunteer for organizations that need cybersecurity expertise.
- 📑 Build a portfolio: Mention vulnerabilities you have discovered and how you’ve resolved them in your portfolio.
- 🔃 Stay up-to-date: Cybersecurity is a rapidly evolving field, so it’s important to stay up-to-date with the latest threats, technologies, and best practices. Attend conferences, read industry publications, and network with other professionals in the field.
After becoming an ethical hacker, you can pursue various career paths. Here are some of the top options and what each of these jobs may entail.
- ➡️ Penetration Tester: Identify vulnerabilities in computer systems and applications by attempting to exploit them.
- ➡️ Security Consultant: Advise organizations on how to improve their cybersecurity posture and develop strategies for protecting against cyber threats.
- ➡️ Incident Responder: Investigate and respond to cybersecurity incidents, such as data breaches or malware attacks.
- ➡️ Security Analyst: Monitor and analyze computer networks and systems for security breaches and anomalies.
- ➡️ Security Architect: Design and implement security solutions for organizations, such as firewalls, intrusion detection systems, and other security measures.
Q: Can anyone become a hacker?
Ata Hakçıl: “It took me around 2 years of 24/7 security training parallel to my computer science education to be financially stable as a security researcher. It’s a field that requires you to constantly keep up with the news and think outside of the box, but if you can do that, you can easily be a hacker. I’ve met many talented researchers who are still in high school [and who are] in security contests and events.”
Jeremiah Fowler: “The Anonymous hacking collective has proved that anyone, regardless of their skill set, can be valuable in a coordinated attack. The group even went as far as to train individuals how to launch a denial of service attack and other low-level or beginner methods. So, fundamentally anyone can become a hacker. It just depends on what the goal or the purpose would be and how much time, energy, and effort they are willing to dedicate to learning about systems and their weaknesses or vulnerabilities.”
Deconstructing Hacker Stereotypes
In a world where hacking has been sensationalized by Hollywood, it’s time to deconstruct the stereotypes and understand the truth behind ethical hackers. Let’s dive in and shatter the myths.
Stereotype 1: Hackers are criminals. Ethical hackers are just a myth.
Stereotype 2: Hackers are lone wolves.
Ethical hackers are often perceived as lone wolves who work independently and in isolation, but this isn’t necessarily true. While some ethical hackers may prefer to work alone, many of them work in teams or collaborate with other security professionals.
Stereotype 3: Hackers are shy and introverted.
Jeremiah Fowler: “It’s more of a stereotype. In my case, I am a public speaker. I’ve been a performer and love talking to people. However, there is a subsection of wizards who do shut themselves away and live in a digital world. Real black hat hackers are often breaking the law and being shy or introverted may be a beneficial defense mechanism.”
Stereotype 4: Ethical hackers have to hide their identity.
Another stereotype regarding ethical hackers is they must hide their identity, which isn’t entirely accurate. While ethical hackers may need to take measures to protect their privacy and security while conducting their work, this doesn’t necessarily mean they must hide their identity.
Q: Do you use a nickname? If so, why did you choose one?
Ata Hakçıl: “I’ve used multiple handles (and still use some of them). Using the same handle everywhere is a convenient way of sharing no personal information but still persisting through different platforms. We know each other by usernames, and when we see each other in different forums or in CTF (capture the flag) contests, we know who that is.
I have many friends that I talk to daily for 5+ years who wouldn’t recognize me if they saw me on the street but would recognize my nickname on a scoreboard.”
Jeremiah Fowler: “I was never a gamer — as a musician I couldn’t understand why people would sit around and play video games. Many gamers gave themselves nicknames or code names. When I lived and worked in Ukraine, at one of the first companies I worked for, none of the employees used their real names and I had to come up with a nickname.
It was only then that I really understood how cool it was to create this online persona or give yourself an anonymous name that was not connected to your government name. Yes, I absolutely used one but now as a public person, I am proud to use my real name and be independent, fair, and balanced with what I do and the news or stories I produce.”
Are All Ethical Hackers Self-Taught?
Most ethical hackers acquire their skills through self-study and practice. However, they may also have obtained formal education or training in cybersecurity, computer science, or a related field.
Many universities and colleges offer undergraduate and graduate programs in cybersecurity, and some also offer specialized courses and certifications in ethical hacking. These programs provide students with a solid foundation in cybersecurity concepts, tools, and techniques.
That said, a large part of an ethical hacker’s learning experience comes from practice. As this field of work takes a lot of patience, you have to spend a lot of time learning through trial and error.
Q: What’s so attractive about hacking? What motivated you to become an Ethical Hacker?
Ata Hakçıl: “I’ve spent 5+ years working in different coding & development work, and loved it. It took me 1 day to realize I enjoy breaking stuff more than building it. My college roommate started practicing on a website which was essentially a training ground for hackers. They deploy intentionally vulnerable servers and encourage you to hack them and collect points. He showed me the website and since that day this is what I do.”
Jeremiah Fowler: “I work for a company that had a data breach of 15 million customer accounts. It was a nightmare and I wanted to learn how it happened and why it happened. During this journey I understood how much data was exposed and learned so much that interested me. This is why I follow the path of being an ethical security researcher.”
Ethical Hackers Seen by Relatives
Ethical hackers are often misunderstood not only by society, but also by relatives and loved ones as they often have the same misconceptions about hacking. Only by discussing the work they do and the value they bring to organizations and individuals can we change the public’s perception. In addition, it’s important to stress the creation of legal frameworks for ethical hacking where these don’t exist.
Q: Do your family, relatives, and circle of friends know about your interest in hacking?
Ata Hakçıl: “Yes, even my grandma does; it took me a good chunk of time to explain I wasn’t a criminal.”
Jeremiah Fowler: “Unfortunately yes because many of my discoveries have been covered in some of the biggest news outlets in the world. My entire family contacts me often to be technical support anytime they have a computer problem, malware, or they have been hacked.”
Ethical Hacking In Pop Culture
When asked about hackers in pop culture and which titles most and least accurately portray hackers, here’s what Ata had to say:
“I think none of the movies/series accurately portray hackers, but then again, sitting in front of a computer for three hours looking at a terminal […] is not always exciting. Mr. Robot kind of did a good job with the portrayal, though.”
The depiction of a hacker is one of the biggest stereotypes you’ll come across in pop culture. Hollywood hasn’t always been kind to cybersecurity professionals. Countless movies and TV shows have established a stereotype of what a security expert should look like and then actively reinforced it.
The scene almost always starts with a young guy (they’re always male) in a dark basement, in a black hoodie, and surrounded by several screens showing a black and green control panel. He’s hammering away at his keyboard and hacking into the government database within minutes.
This stereotype has given hacking a very negative and strictly illegal connotation. Let’s look at a few movies and see how well they represent hackers.
What Are the Dos and Don’ts for Ethical Hackers?
Ethical hackers may not have a green hat and a quiver of arrows, but they have a laptop and a mission to make the internet a safer place. Before you go all-in on your hacking skills, though, here are a few things you need to know. Because let’s face it, even the noblest intentions can go wrong if you don’t know the ethical hacking dos and don’ts.
Ethical Hacking Dos
Obtain Authorization Before Attempting to Hack a System
Ask for permission before you perform penetration testing that looks like a real-world brute-force or denial of service attack. If you don’t, you’d look like an actual malicious attacker and be treated like one. Organizations may already have software in place to detect such tests and might ban you from working with them again.
Document Your Security Research
Keep detailed records of all the steps you take during the hacking process, including any vulnerabilities you discover. This will make things much easier when you prepare a report and start fixing issues.
Report Issues Privately
Respect the privacy of the target system’s owners, users, and their data. Report issues privately to the client or product vendor, and give them enough time to fix the problems. If you publicly disclose the vulnerability too early, you put your client or product and its users at risk and probably don’t deserve a reward.
Check How to Communicate Vulnerability Reports
Notify the target organization of any vulnerabilities you find and provide recommendations for fixing them. Before reporting an issue, check how the organization prefers receiving these reports. Companies usually have dedicated bug reporting systems where you can report confidentially. Others use security or generic email addresses.
Potential issues might need a lot of investigation before you report them. If you report something without really testing if it can be exploited, it may end up wasting a lot of time both for you and for your client.
If you keep reporting things too early without proper investigation, the client can simply get upset and stop listening to your reports. Or they might choose not to reward you when you find a real issue because you’ve wasted so much of their time.
Organizations offering bug bounties will usually have it mentioned somewhere in their security policy. If you’re only in it for the money, check before you start testing their system or network.
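One concrete way to “check how the organization prefers receiving these reports” is to look for a security.txt file, which RFC 9116 standardizes at /.well-known/security.txt and which lists the organization’s contact channels, disclosure policy and encryption key. The script below is an added example for this article, not code from the article or from the researchers it interviews. It assumes the organization publishes such a file; both sample files are constructed for illustration and belong to no real organization, and fetching is left out so it runs offline.

```python
"""Find an organization's preferred vulnerability-reporting channel from its
RFC 9116 security.txt (served at /.well-known/security.txt).

Added example for this article, not code from the article or the people it
interviews. It assumes the organization publishes a security.txt; both
sample files below are constructed and belong to no real organization.
Fetching is left out so the script runs offline: pass the file's text to
check_security_txt().
"""
from datetime import datetime, timezone

# Constructed sample of a well-formed security.txt.
SAMPLE_SECURITY_TXT = """\
# Constructed example, not a real organization's file
Contact: https://example.com/security/report
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en, de
"""

# Constructed sample whose Expires date has passed. RFC 9116 says a file
# past its Expires date must not be relied on, so its contacts are stale.
EXPIRED_SECURITY_TXT = """\
Contact: mailto:old-security@example.com
Expires: 2020-01-01T00:00:00Z
"""


def parse_security_txt(text):
    """Map lower-cased field names to lists of values, in file order.
    Field names are case-insensitive and lines starting with '#' are
    comments; malformed lines are skipped rather than guessed at."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Validate the required fields and return the reporting channels.

    Contact must appear at least once (the first one is the preferred
    channel) and Expires exactly once; a past Expires makes the file
    unusable. The result carries a 'usable' verdict plus the reasons."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:  # naive timestamp: treat as UTC
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("security.txt has expired")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    langs = ",".join(fields.get("preferred-languages", []))
    return {
        "usable": not problems,
        "problems": problems,
        "preferred_contact": contacts[0] if contacts else None,
        "all_contacts": contacts,
        "policy": fields.get("policy", [None])[0],
        "encryption": fields.get("encryption", [None])[0],
        "languages": [l.strip() for l in langs.split(",") if l.strip()],
    }


if __name__ == "__main__":
    for label, text in (("valid", SAMPLE_SECURITY_TXT),
                        ("expired", EXPIRED_SECURITY_TXT)):
        result = check_security_txt(text)
        verdict = "usable" if result["usable"] else result["problems"]
        print(label, "->", verdict, "| preferred:", result["preferred_contact"])
```

If the file is missing or unusable, fall back to the organization’s published security policy or a generic security address, as the section above describes; the Encryption field, when present, points to the key to use for the report itself.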
Ethical Hacking Don’ts
Don’t Ask for Money Too Early
Don’t demand money before you reveal information. Not asking for financial rewards in your first email is a baseline rule. Demanding payment up front looks more like extortion than ethical hacking and gives the impression that you might be a cybercriminal.
Don’t Make Assumptions
If a tool says it found something, don’t assume it must be exploitable. More often than not, tools warn about potential issues you can only exploit in specific circumstances.
Don’t Publicly Disclose Vulnerabilities Too Early
Whatever happens, never report issues on public websites like Twitter, Facebook, Reddit, or forums. If it’s the only way to contact a company, message them stating you have a security issue to report to them and ask how to contact them in private.
Don’t Ignore Local Laws
Ethical hacking and criminal hacking are not differentiated from each other in some legal systems. Always check if you need to obtain proper authorization from a website or vendor before you test their security.
Is Ethical Hacking the Future of Cybersecurity?
In a world where cyberattacks and data breaches are becoming increasingly common, ethical hackers play a vital role in identifying vulnerabilities and preventing future harm.
With their skills and knowledge to test and secure systems, security researchers help protect businesses and individuals from malicious attacks.
Businesses are the most common target for cyberattacks. Ata Hakçıl believes “regular penetration tests and source code audits” can help organizations protect their data. This means ethical hackers are extremely important to the future of cybersecurity. Individuals also need to be equally vigilant and practice good cyber hygiene to stay safe online. Jeremiah Fowler advises users to “use a VPN, especially when connecting to public or shared Wi-Fi connections because they are very easy to extract data from.”