Job Role: Ethical Hacker
Ethical hackers perform important work for employers by simulating attacks and trying to figure out how to foil black hat hackers.
In general, an ethical hacker is a soldier in the arms race between cybersecurity experts and those who want to attack systems. But there is a little more to it than that. In an earlier piece, we talked about this as an emerging industry, and demand for ethical hackers since then has only grown. (Also read: 5 Reasons You Should Be Thankful For Hackers.)
So, let's go through and talk a bit about how this works practically and what the trends are, and what's changing in the job of the ethical hacker.
Types of Hacking and Ethical Hacking in Particular
First and foremost, a lot of experts describe three types of hackers:
- White hats. White hat hackers are engaged in attacking systems on behalf of the people who run or own those systems. In other words, they use hacking techniques to find vulnerabilities they can fix, to keep malicious hackers out, and to prevent certain kinds of system damage or compromise.
- Gray hats. Gray hats sort of exist in the middle of the whole conflict. They are often described as mercenaries and work for whoever gives them an incentive. Gray hats may vacillate between working as security experts and working as malicious hackers in independent lone wolf operations or criminal rings.
- Black hats. Black hats are malicious hackers who are trying to attack a system for profit or for other motives. They generally seek the destruction of corporate or government systems or other networks. Some are disgruntled former employees, others are cybercriminals. All of them are active threats!
To look at it with a bit more detail, the role of an ethical hacker differs from the role of a malicious hacker mainly in intent. If you're employed by somebody who owns a system to try to break it, you're an ethical hacker working with a fairly clear and standard contract.
The problem, though, is that intent is sometimes in the eye of the beholder. What if there is no contract? When someone hacks a system, how does law enforcement know that they're doing it ethically? Without the documentation and agreements, they may not.
That has led to a recent trend toward better legal protections for ethical hackers, so that people can be assured they won't be prosecuted for legitimate ethical hacking activity.
In recent times, when a lot of financial value is floating around the internet, it's even more important to pin down an ethical hacker's job role and incentivize people to act ethically.
Ethical Hacking in the Crypto Age
Although you can't “hack the blockchain,” per se, there are multitudes of blockchain-adjacent hacks that can siphon off cryptocurrency and steal valuable digital assets. Opportunities for fraud abound, as detractors so often point out. So cybersecurity people, including ethical hackers, need to be at the tops of their games.
A Coindesk article published in November of 2022 notes an infamous vulnerability in Nomad, a bridge protocol used to transfer tokens between different blockchains. Hackers around the world shared instructions for how to execute an attack on Nomad, which quickly led to losses of $190 million.
In response, Nomad gave some hackers the benefit of the doubt and posted a tweet that asked its "white hat and ethical researcher" friends to return the stolen crypto to a specific wallet address.
When $32.6 million was returned, it inspired a lot of buzz around the topic of incentivizing white hat hacking. (Also read: How Cryptomining Malware is Dominating Cybersecurity.)
Trends in Ethical Hacking
As mentioned, some of the trends in ethical hacking involve incentives and better law enforcement support for white hat professionals.
There are also more companies looking to hire certified ethical hackers to safeguard their systems, as cybersecurity becomes more and more important to modern business. According to Salary.com, an ethical hacker in the United States earns around $100,000 per year on average.
Ethical Hacking Versus Penetration Testing
There is an interesting contrast between ethical hacking as a professional role and a more specific process called penetration testing (pen testing). Although the two terms are similar, there are some major differences. One way to think of it is that penetration testing is a technique used in ethical hacking.
Penetration testing focuses narrowly on the testing done to secure a particular network or system. The tester doesn't need broad, comprehensive knowledge or acumen with generalized reporting. (Also read: The Beginner's Guide to NIST Penetration Testing.)
An ethical hacker, on the other hand, needs to be a sort of full stack professional with a much broader reach. Dare we say it, they need to have “10x skills” and be a “unicorn” in a world of specialized labor.
Demand for ethical hackers has only grown as cybersecurity becomes a more prominent concern for organizations across the globe.
While the specifics this job role entails can vary from position to position and company to company, in general, ethical hacking involves trying to break into an organization's system so vulnerabilities can be fixed before malicious hackers exploit them.