Freelance White Hat Hacker




Do viruses, DDoS attacks, or buffer overflows tickle your fancy? If so, you might consider becoming a legal hacker, aka an ethical hacker, “white hat” hacker, or penetration tester.

Businesses and government-related organizations that are serious about their network security hire ethical hackers and penetration testers to help probe and improve their networks, applications, and other computer systems with the ultimate goal of preventing data theft and fraud. You may not get the same adrenaline rush that you might with underground hacking, but you can earn a good and honest living–and not end up facing prison time, as some illegal “black hat” hackers do.

In original geek parlance, a hacker was honest—a “white hat.” A cracker was dishonest—a “black hat.” Over time, and with the perennial misunderstanding and mislabeling by the press, crackers have become hackers, to the chagrin of hackers.

White hat hackers are also known as “ethical hackers”. If you want a legal career as a hacker, then this is the only hat you should wear. Ethical hackers always go to great pains to ensure that whatever they do happens with the consent of everyone involved. They act as security consultants and advocate for a safer digital world. White hat hackers are often employed by organizations as members of an in-house security operations center or cybersecurity team, though white hat hackers can also work freelance, chasing down so-called bug bounties – large sums of money offered up by major companies (think Apple and Facebook) to cybersecurity professionals who can identify vulnerabilities, making it possible for them to be patched.

The White Hatter provides internet and social media safety, digital literacy, workplace violence prevention education and training to schools & businesses.

Hence the term “white hat hacker” is an attempt to explain the honesty and ethics of the hacker. Yet to the old hacker the phrase is redundant and nettlesome. Can you find an honest hacker? Honest hackers are everywhere.


What does the job market look like for ethical hackers? Extremely good! The IT market overall continues to grow despite the current economic turmoil. Research firm Gartner estimates that worldwide enterprise IT spending grew by 5.9 per cent between 2009 and 2010, to a total of $2.7 trillion. At the same time, security is becoming a more pressing concern. Gartner expects to see an increase of nearly 40 per cent in spending on worldwide security services during the five-year period from 2011 to 2015, eventually surpassing $49.1 billion.

In your first years as an ethical hacker, you’ll be in a position to earn anywhere from $50,000 to $100,000 per year, depending on the company that hires you, and on your IT experience and education. With several years of professional experience, you could command $120,000 or more per year, especially if you do your own independent consulting.

You can’t just dive into an ethical hacker position, however. Without IT security experience, you won’t get very far, even with degrees and certifications. As is true for other IT jobs, employers typically want candidates who have college degrees, but related experience is king. And experience with certifications can typically take the place of some degree requirements.

Getting started

What you need to do to get started on the road to becoming an ethical hacker depends on where you are in the IT field. If you haven’t started your IT career yet, you might even consider military service. The military offers many IT opportunities, and you get paid to go to school, even if you enlist in a part-time branch such as the National Guard or Reserves. Military service also looks good to employers that require security clearances.

Start with the basics: Earn your A+ Certification and get a tech support position. After some experience and additional certification (Network+ or CCNA), move up to a network support or admin role, and then to network engineer after a few years. Next, put some time into earning security certifications (Security+, CISSP, or TICSA) and find an information security position. While you’re there, try to concentrate on penetration testing–and get some experience with the tools of the trade. Then work toward the Certified Ethical Hacker (CEH) certification offered by the International Council of Electronic Commerce Consultants (EC-Council for short). At that point, you can start marketing yourself as an ethical hacker.

For a hacker, networking know-how is vital; but make sure that you gain experience in related areas as well. Discover and play with Unix/Linux commands and distributions. Make sure you also learn some programming–maybe C, LISP, Perl, or Java. And spend some time with databases such as SQL.

Soft skills

Hacking isn’t all technical. It also requires so-called soft skills, just as any other IT job does. You’ll need a strong work ethic, very good problem-solving and communications skills, and the ability to stay motivated and dedicated.

Ethical hackers also need street smarts, people skills, and even some talent for manipulation, since at times they need to be able to persuade others to disclose credentials, restart or shut down systems, execute files, or otherwise knowingly or unknowingly help them achieve their ultimate goal. You’ll need to master this aspect of the job, which people in the business sometimes call “social engineering,” to become a well-rounded ethical hacker.

Stay legal!

It’s important never to engage in “black hat” hacking–that is, intruding or attacking anyone’s network without their full permission. Engaging in illegal activities, even if it doesn’t lead to a conviction, will likely kill your ethical hacking career. Many of the available jobs are with government-related organizations and require security clearances and polygraph testing. Even regular companies will perform at least a basic background check.

Becoming a Certified Ethical Hacker (CEH)

As noted earlier, becoming a Certified Ethical Hacker (CEH) involves earning the appropriate credential from the EC-Council after a few years of security-related IT experience. The certification will help you understand security from the mindset of a hacker. You’ll learn the common types of exploits, vulnerabilities, and countermeasures.

Qualification for a CEH (a vendor-neutral certification) involves mastering penetration testing, footprinting and reconnaissance, and social engineering. The course of study covers creating Trojan horses, backdoors, viruses, and worms. It also covers denial of service (DoS) attacks, SQL injection, buffer overflow, session hijacking, and system hacking. You’ll discover how to hijack Web servers and Web applications. You’ll also find out how to scan and sniff networks, crack wireless encryption, and evade IDSs, firewalls, and honeypots.

Through approved EC-Council training partners, you can take a live, five-day onsite or online training course to prepare for the CEH cert. You can generally take live online classes over five consecutive days; onsite courses typically offer the content spread over a couple of weeks for locals. In addition, you can take self-paced courses and work with self-study materials (including the CEH Certified Ethical Hacker Study Guide book) with or without the training courses. The EC-Council also offers iLabs, a subscription-based service that allows you to log on to virtualized remote machines to perform exercises.

The EC-Council usually requires that you have at least two years of information-security-related work experience (endorsed by your employer) in addition to passing the exam before it will award you the official CEH certification.

Resources

If you’re interested in ethical hacking, you can consult many useful resources for more information. To start, check the resources section of the EC-Council site. A quick Amazon search will reveal many books on ethical hacking and the CEH certification, as well.

With some googling, you can find simple hacking how-tos, which may motivate you even more. Consider downloading the Firefox add-on Firesheep or the Android app Droidsheep, and hijack your online accounts via Wi-Fi (but don’t use these tools to hijack others’ accounts–you could find yourself in legal trouble if you do).

Another option is to experiment with the BackTrack live CD. Try enabling WEP security on your wireless router at home, and then take a stab at cracking it. Check out Hack This Site to test and expand your skills. You could even set up a Linux box with Apache or buy a used Cisco router and see what you can do with it. If you want to play with malware, consider downloading–cautiously, and at your own risk–a malware DIY kit or a keylogger, and use it to experiment on a separate old PC or virtual machine.

Like other IT areas, hacking has conventions and conferences dedicated to it, such as DefCon, one of the oldest and largest of these. Such gatherings can be a great place to meet and network with peers and employers, and to discover more about hacking. DefCon also has affiliated local groups in select areas.
And remember, never attack or intrude on anyone else’s network or computers without full written permission.

Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security by offering a hosted RADIUS/802.1X service. He is also a freelance tech writer.

Introduction

The cybersecurity job market has become a hot field, seeking new, highly qualified candidates. It is a diverse field with various job types, but one of the most desired positions is unquestionably penetration tester. A pen tester is an ethical or white hat hacker. Because of this, a pen tester needs to understand the sensitive nature of their job and ensure that they are always compliant with policies, procedures, laws and legislation. Becoming a pen tester is not a decision that should be taken lightly. It can, however, be a lucrative field and also personally rewarding, so if one does take this path, it can be a real life changer.

As with many IT-related fields, this job has flexible options. It could be performed remotely, outside of normal office hours, as a consultant, or as an employee of a large or small corporation. If one is considering pen testing, it’s important to weigh the pros and cons of being a W-2 employee or a 1099 freelance consultant.

What are some considerations you need to think about when becoming a pen tester?

Being a freelance consultant in any field normally means you are a 1099 employee, thus a small business owner, versus a W-2 employee. But many people do not fully prepare for what being a freelance consultant really entails.

The first item to consider is whether you want to start an actual business, or just be a 1099. As a 1099, you normally do work for a company and they provide you a 1099 statement at the end of the year. They will pay you a set rate for services performed; however, they do not pay your taxes or provide you any level of benefits. You are 100 percent responsible for paying your own taxes and ensuring you still have enough money left over for health insurance, as well as any time you need to take off from work. Remember, you only get paid for time and services rendered. If you perform no work, you will not receive any money. There is no paid time off in the 1099 world!

If you decide you want to be a freelancer, you could also start a business. You can be a sole proprietor, or you could start an LLC or corporation. You would need to look into the laws of your particular state to understand what the differences are. A sole proprietor is similar to just being a 1099 employee. In some states, you can be a sole proprietor and file a “Doing Business As” (DBA) certification with your state to present yourself as a business. For example, your name is Alex Jones, you’re a freelance pen tester in Alabama, but to look a bit more professional, you might want to send your customers invoices using the name “AJ Pen Testing Services.” Alex would fill out a DBA with the state of Alabama so he could use that name for his pen testing services.

If you decide to launch an LLC or corporation, it is important to consider the business licensing laws in your state. You also want to understand and evaluate how this affects your tax structure. If you do start a freelance business, you will want to obtain business insurance. As a pen tester, you will be penetrating and possibly exposing the vulnerabilities related to an organization’s Information Technology structure. As a result, it is possible to be sued if something goes wrong. You want to ensure you have some form of liability insurance so you protect your personal assets from your business. In some states, you do not have this level of protection if you are a sole proprietor, so again it is important to weigh your options.

Being an employee provides some level of stability. That is why many people choose to become employed at companies instead of starting their own. Being a pen tester at a corporation means a steady paycheck and normally provides medical and dental benefits, vacation time, the camaraderie of a team, additional resources, and maybe even other perks like occasional free lunches or snacks, or even holiday parties. If you are fairly new to pen testing, having some additional training could prove useful for enhancing your skillset. In some cases, a company may pay for training. Most cybersecurity-related training is fairly expensive, so having a company pick up the tab is a great perk. Many pen testers have some type of related certification. These technical certifications require CPEs (Continuing Professional Education), also referred to as Continuing Education credits. Some companies provide training opportunities that employees can take advantage of while still getting paid, allowing their employees to maintain their needed CPEs. Some companies even pay for the renewal fees that many certifications require.

Working for a company also provides all of the pen testing resources needed to complete the job. There are many open source tools that can be used to perform pen testing, but many advanced tools require the purchase of a subscription or a license for installation. Some items that have costs associated with them include:

Burp Suite: Used to automate crawling and scanning. Using the professional edition requires a subscription.

Metasploit: This is open source software, but the professional edition has associated costs.

Nessus: A scanning tool that requires a yearly license.

Pen testers also need a laptop that has these tools along with others to perform their work. Kali Linux does come pre-loaded with many of these tools, which can be helpful for the freelance employee, though you may not have the professional versions that provide additional capabilities. As an employee, you have all of your needed resources provided for you. As a freelancer, you are responsible for paying for them yourself; however, as they are being purchased for business purposes, these items could be potential tax write-offs, so that is a potential advantage to consider. The toughest issue with being a freelance pen tester is finding clients.

Finding work

Outside of the financial considerations, finding work is the biggest hurdle for any pen tester, employee or freelancer alike. Many companies are not eager to pay a stranger to come poke around at their network and find vulnerabilities, so even large corporations with great reputations in the field may not always have pen testing opportunities available. The advantage of working at a company as a pen tester is that when there are times of low to no pen testing work available, they may have other projects that you can work on to keep you busy and fulfilled. As a freelancer, you have to find ways to fill those voids.

As a freelancer, you will also have to find ways to build clientele and get people to trust you. When you are not working, you will need to spend time going to various conferences to try to get your name around the industry. Some of the big conferences can be expensive, so those costs are other items to consider. Another way to get your name around is to train or teach. Giving talks at events like Black Hat or Defcon is a way to create interest in your expertise.

Conclusion

There are both advantages and disadvantages to being a freelance or company-employed pen tester. Pen testing can be a full-time job for either, but there can be slow periods. Being a hired employee can offer additional educational benefits as well as opportunities for other work during slow periods, but being a freelancer offers flexibility and the ability to take on certain types of projects according to your skills or interests. Employed pen testers get the benefit of working with other like-minded individuals (or even finding mentors) in the field to bounce ideas off of, but as a freelancer, you can start your own business and hire other like-minded individuals. Building clientele as a freelancer could prove difficult, but that is true in any profession. If you have the drive and prove yourself an expert in the field, freelancing could be just as steady and fulfilling as being an employed pen tester. Whichever route you choose, it’s a fun, exciting, and rewarding field!