Cyber Security training from QA

A day in the life of an Ethical Hacker

What does an ethical hacker do? It’s a vocation that is ever-changing, so you need to stay ahead of the game at all times.


Mark Amory | 20 January 2016

Ask yourself the following questions: 

  • Are you naturally curious?
  • Do you like tinkering with technology?
  • Do you like solving puzzles?
  • Do you have a thirst for knowledge?
  • Do you have a sense of right and wrong?
  • If the answer to all of the above is yes, then you might just have what it takes to be an ethical hacker.

    So what is an Ethical Hacker?

    We all know what a hacker is right? A hacker is generally identified as someone who breaks into computer systems and networks for some gain. Be that financial, malicious, or simply to cause disruption, a hacker generally acts outside the law in an unauthorised capacity.

    An ethical hacker differs from this only slightly, an ethical hacker acts within the law, in an authorised capacity.

    An ethical hacker, like their devious counter-part, seeks out weaknesses in systems, reverse-engineers code to make it do things it was not originally designed to do, presses the 'X' button when prompted to press the 'Y' button, just to see what happens.

    What does an ethical hacker do – What does a day in the life look like?

    Most days of an ethical hacker will typically be spent carrying out coffee-fuelled research into everything and anything related to IT and tech in general. It’s a vocation that is ever-changing, so you need to stay ahead of the game at all times.

    On the days where the hacking skills get brought into play, a series of common tasks will be carried out which I shall outline below, but before I do, I'm going to assume that all the necessary legal work has already been completed and a full, written scope of works has been created and duly signed by the legal team of your client giving authority for the work to be conducted.

    No?

    Oh dear, stop everything and go back to square one.

    Before ANY work is undertaken, you must get fully detailed legal approval to proceed, failure to do so will put you, and your client at risk of breaking the law – This is not ethical.

    OK, so you've got the legalities sorted? Let's go.

    Stage 1- Reconnaissance (A.K.A. Footprinting)

    You need to know everything about your target, and I mean everything. Even down to where staff go to get their lunch (who knows what juicy titbit of info you might pick up in the queue for a nice chicken & pesto salad sandwich). The weakest link is rarely the IT system, it's usually the user. Find out emails, phone numbers, software versions, project names, supplier details, site maps, anything and everything can be useful in later stages.

    Stage 2- Gaining access

    Data from stage one will be used in stage 2 to gain access either remotely via the networks (using vulnerabilities in software), or physically by entering the building (Clip-board & Hi-Viz vest work a treat for this!). You heard that a new generator was being delivered next month for the server farm? Turn up the week before to do a site survey. Who knows what could happen once you are onsite?

    This stage is typically where the art of hacking comes to the forefront – In the films, this is the point where the protagonist sits in a darkened, smoke-filled room with multiple monitor screens and a nice blue-LED glow from various hi-tech looking devices. Reality is, it's probably done from an overly-cramped desk via a Linux laptop perched on top of numerous O'Reilly books about Python, or Networking.

    Stage 3- Enumeration

    Making sense of the data you find once access has been gained – detailing each and every step you take, so that remedial works can be carried out to ensure the access holes are fixed. A painstaking, yet necessary task - ultimately it’s what is going to get you paid.

    Stage 4- Maintaining access

    Planting backdoors, or creating new user accounts to allow you to keep returning to the scene of the crime. The hacker will want to do this, and so should you. Demonstrate to your client that an attack is rarely a one-off hit; the attackers keep coming back for more, and more.

    Stage 5- Covering tracks

    Deleting logs, wiping audit trails, deleting user accounts. Remove all evidence of your visit so as not to raise any suspicions of a breach at all.

    If the above antics get you excited, then you probably have the makings of an ethical hacker. But a word of caution, the clue is in the name; Ethical. Whatever you do, do it legally.

    Get a recognised accreditation, keep learning about IT, buy shiny things and take them apart and make the world a better, safer place to live, work and play

    We do a wide range of training courses. For more information review our Cyber Security and Cyber Security certification training courses, including Certified Ethical Hacker.


    Mark-Amory

    Mark Amory

    Senior Learning Consultant

    After leaving a career as a mechanical & electrical engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft office and Adobe products. In-line with his background as an engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics; a field he has remained in ever since. As a natural progression of his career saw Mark start to explore the security aspect of his existing competencies, and since 2005 has specialised in the cyber security domain. Mark has been the author of a number of QA cyber security courses, and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.
    Talk to our learning experts

    Talk to our team of learning experts

    Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

    Get in touch with our learning experts to talk about how we can help.