When I tell people what I currently do for a living, or what I studied (Ethical Hacking) they often have no idea what I'm talking about and just stare at me blankly.
Or they think I do Ethical Hiking which, I confess, would be pretty cool.
But no, I do hacking - or penetration testing if you want to use more bussiness-y term.
And here I'd like to get across what it's like to be an employed (ethical) hacker.
What is that?
Well, basically I test systems, applications or anything that can be used to steal valuable resources from and I try to find (many) ways an evil attacker would try to get in and exploit (take control of) the system.
Basically I am pretending to be a bad guy, thinking like a bad guy and doing things that a malicious attacker might do. Though with good intentions :). It's good for Karma, you know?
Image Source(direct link to img)
It sounds quite exciting, right? Well, let's see what a day of a hacker could look like.
But first, let's divide hackers into three categories (though there are more)
- General Penetration Tester
- Security Researcher
- The Specialist
Penetration Tester
This is what I do right now and what I studied.
Image Source(direct link to img)
Description
This person does everything and knows something about everything. He can test your computer, server, web application, mobile application or whatever you throw at him as he should be adept at learning new technology quickly. He will perform a pretty good assessment of the security of your system within the short time-frame he is usually given.
The Day
The pentester walks into the office at 9 AM. First thing he does is to check the latest security news to stay up-to-date and know what's happening. It's just a quick skim, no serious investigation. There is no time for that.
Now it's time to check emails and get all the information required to start testing and deletes all the corporate spam he received during the night.
Let's pretend that this is a perfect scenario and he actually have everything he needs and on time, as often there is a lot of waiting and back-and-forth with a client getting all the right information and permissions before the test can even start.
Knowing what to test now he launches a scan or two that will give him more information about the system and what to focus on. Meanwhile, he gets some tea.
With tea in hand it's time to look at the results of the scan...
There's a lot of it ... Time to manually go through it and make sure it's correct. A very laborous task that just requires time. Though if there is something interesting it will be explored further to determine if it's done correctly and if it can be exploited (taken advantage of).
After that it is time to play around with the application as not everything can be done with tools (yet). This is the time when the tester really gets to know the application intimately. He will try to understand how it works and how it can be bypassed.
"Bow to my greatness and do what I want!", he thinks, though he does not say it out loud as he does not want his colegues to hear that.
Finding something interesting he uses all his knowledge and creativity to get most out of it and makes sure that there is no (easy) way of exploiting the given functionality.
Most time is of course spent on the fun parts, like making transactions, stealing credentials or obtaining information about different users.
Though after all this fun the dreadful time of writing this all down comes ...
The client wants to know how safe they are and what they can do to protect themselves. They want a piece of paper that clearly explains what's good, what's bad, what was performed and how to fix the found problems. This takes ages and can be a very boring task so the tester grabs another cup of tea and gets to it. Just when the clock hits 5 he is finished and sends the report for review which is then sent to a client.
Time to go home. He leaves hoping that he will not see that report again and everything is fine ...
This is just an illustration and I tried to put a week worth of work into one day*.
Security Researcher
Description
The security researcher usually focuses on one topic, researches that topic and tries to come up with something new.
Image Source(direct link to img)
The day
Being tired he stumbles to the office at around 10 AM grabs his coffee and starts tinkering with the task he has left from yesterday as he was already falling asleep on the desk but is too excited not to finish. He came up with an interesting idea two weeks ago so he is in a process of creating a Proof of Concept(PoC). Though there is this small part that he still quite not understands so he digs deeper trying to understand it.
It's 3 PM and he realizes that he's hungry so he stands up from the office trying to find someone who'll go have a lunch with him. Everyone already ate.
Oh well, so it's just a quick take-away. He eats in front of the computer looking for some research papers that might help him with his problem.
He found some very interesting ones. They are just slightly related to what he's doing and might not help at all though he will finish them anyway. It's fascinating, and who knows, it might come in handy at some point.
Though by the time he finishes he has to go home and make dinner. With all the new ideas floating in his head from the research he read it is hard to focus on anything else in his daily life so his focus is scattered ... and he can't wait to go back to the office tomorrow ...
The Specialist
Description
This person has an area of expertise that he is really good at. He knows other things, too but he really enjoys improving his craft in his area of expertise. In a way, he is very similar to the penetration tester and so are his projects. Though the projects are usually in his area of expertise and may take longer and be more thorough. In case he does not have a project he works on his craft and keeps up-to-date with the latest reseearch in his field. He might also do some research on his own in the spare tine.
Image Source(direct link to img)
As the day might be quite similar to a pentester I won't go into details.
Conclusion
I hope this gives you at least a glimpse of what it is like to be an ethical hacker working for a company or some institute.
This does not involve everything nor even all the possibilities there are in the Security field but it's a good start. And I tried to make it very light-weight and non-technical so hopefully it is pretty clear.
If you want to know how I modify my Images with a quick copy-paste, check out my post about a tool I created
About the Author;
Hi, I am Joe and I love freedom.
Freedom of all sorts, social, financial, emotional, physical, freedom from your stuff or place.
My biggest passion is to show that it is possible to live life being free, work towards my freedom, and help others obtain their own versions of freedom.
I also love exploration and experimentation (of all senses).
My articles are about all of this (Freedom, exploration, experimentation)
as well as my own transparent and authentic experiences.
Hi joe, did you get CEH certification for this and would you recommend it?
It really depends where you are right now @masaa and where you want to get to.
I don't have CEH and I would not say it's worth it, especially if you'd have to invest your own money.
Offensive Security Certificates are considered really good and will get you through many doors, especially OSCP.
Though for me personally Inrastructure penetration testing is not that exciting. It's not my expertise and it's not something I want to focus on right now so that one is not really for me either. But it might be great for you.
Otherwise, getting a Junior position is the best bet as often they should train you.
Where do you live right now? And do you consier a career in Security?
This post received a 1.8% upvote from @randowhale thanks to @joewantsfreedom! For more information, click here!
@joewantsfreedom great post bro followed keep up the good work and steem on
Thank you. I'm glad you enjoyed it. Let me know if you want to know more.
Doing the job of a silent hero wearing the villain's mask. I am too studying IT, but still in verse of gaining knowledge. Great info bro.
Oh yea, hoodie is mandatory. They thought us that in Uni. And of course also in TV. It brings forward special abilities :).
Good luck with obtaining knowledge :). Though remember to have fun.
Very interesting and informative post.
I'm currently just playing around in my own private virtual network to see what I can do and how to counter it. Hopefully one day I can get to the point that I can do it as a penetration tester or who knows what comes on my path :)