A Beginner’s Guide to Ethical Hacking

Table of Contents

• Meet the Expert: Khester Kendrick
• What is Ethical Hacking?
• On the Job: What does an Ethical Hacker do?
• How to Become an Ethical Hacker
• Khester’s Favorite Ethical Hacking Resources
• The Future of Ethical Hacking

Ethical hacking (also known as penetration testing) is a cybersecurity skill set that requires intrepid tech professionals to investigate networks for vulnerabilities in order to protect organizations. Cybersecurity expert and Flatiron School Instructor, Khester Kendrick, breaks down what to expect in the pen testing career and how to get into the field. Find out how the Cybersecurity Bootcamp at Flatiron School prepares students with pen testing labs, Khester’s top resource recommendations, and his prediction for the future of ethical hacking. 

Meet the Expert: Khester Kendrick

• Khester is a Cybersecurity Instructor at Flatiron School, teaching a variety of courses ranging from compliance and ethics to penetration testing and ethical hacking.
• Khester has nearly three decades of experience. He first got into IT and Communication Security in 1994, starting with the United States Army as an enlisted member, and then working for companies such as T-Mobile and AT&T. 

What is Ethical Hacking?

Penetration testing (also known as ethical hacking) is the ethical or orderly manner in which you would test a network for vulnerabilities and then exploit those vulnerabilities with permission. 

The term “ethical hacking” is actually a marketing term for “penetration testing,” which is how it's known within the industry. 

On the Job: What does an Ethical Hacker do?

Ethical hackers work with an organization to identify and exploit vulnerabilities to find out how secure their network really is. The overall purpose of penetration testing is to secure a network. 

Ethical Hackers vs Malicious Hackers

Essentially, permission is what separates a penetration tester (a.k.a. ethical hacker) from someone that's illegally hacking a system. Otherwise, ethical hackers and malicious hackers are nearly identical in what they do. 

An ethical hacker, a white hat hacker, and penetration tester are all the same. They work for an organization as hackers. They get permission, a scope of work, a defined purpose of what they're trying to test and then work in unison with that organization to find vulnerabilities, so that the organization can secure those vulnerabilities. They would then file a report, back out of the system, and restore any changes they made, like opening and closing ports and fixing anything they altered. A penetration tester will not release any information. 

A black hat hacker or malicious hacker, are in it for themselves. Typically, a malicious hacker is doing it for profit or self-satisfaction. The big difference is that a malicious hacker doesn’t tell the corporation they're hacking it because they are hacking to steal information about customers or finances, or to stop or cause damage to a network. This is in direct contrast to an ethical hacker who is trying to secure a network, so malicious hackers can't readily get access to it. 

How do ethical hackers work within a team or organization? 

Most penetration testers work as part of a team ranging from 3-10+ people, depending on the size of the organization. Rarely does a team only have one person penetration testing. This team works on finding vulnerabilities, making sure that those vulnerabilities are impactful, and then getting permission to proceed forward with an exploit for that vulnerability. 

Keep in mind that there’s also different systems that could be attached to an organization’s network. That means, different members of your team are experts on different operating systems, tools, firewalls, and networks, like Windows and Linux servers. Penetration testers are going to utilize the strengths of different team members when they're conducting operations against a network.

As a penetration tester, when you get a scope of work from an organization to conduct a penetration test, it has to go through legal first and you have to sign a contract before you can start. By the time you’re ready to start, you usually have to complete that penetration test in 1-2 weeks, which is a very short time. Penetration testers have to do as much work as possible in a short amount of time and then write it all up.

What types of companies do ethical hackers work for?

Not every company has ethical hackers or a penetration testing team. There are compliance rules that impact hiring ethical hackers, and then there’s company size and the cost-effectiveness of the frequency of penetration testing needed. Not every company needs to spend the money to have penetration testers on staff, so there are third party vendors that will do penetration testing year-round that are up-to-date with the newest tools.

How to Become an Ethical Hacker

It really depends on the network, but in general, an ethical hacker needs to understand Linux. Having an understanding of programming, operating systems, and networks are all important depending on what type of penetration test you're doing. 

• For example: If I'm trying to do a penetration test of a typical network, I would need to understand the router, switch, firewall, their inherent vulnerabilities, and how to scan them.

Most of the software tools we use to perform those functions are on a Linux platform, either through Kali Linux or Parrot, which have built-in penetration testing tools. Both Kali and Parrot provide testers with a readily available Linux platform complete with pre-installed tools designed for cybersecurity professionals.

Do students learn ethical hacking in Flatiron School’s Cybersecurity Bootcamp?

Our team developed a curriculum specifically for penetration testing that students take for six weeks with Flatiron School’s Live program. Plus, I teach 5-6 different hacking labs throughout the cybersecurity course. There is a set curriculum that every student will see and it ends with a penetration test in the final phase, so students get the opportunity to identify, scan for, and exploit different vulnerabilities.

Can you become a pen tester or ethical hacker at a bootcamp like Flatiron School?

At Flatiron School, we teach students the foundational skills needed to start. From the experts that I've spoken with in the field, most penetration testers need to have 3-5 years of experience in cybersecurity before they start looking at penetration testing as a full-time position.

Penetration testing is a highly technical field, so it’s unrealistic to think that a bootcamp, college course, or even a degree will enable you to immediately start penetration testing. If penetration testing is your life-long ambition, start by working at a security operations center (SOC) and keep learning. Cybersecurity is one of those fields where you can't just go to school, learn the skill set and think you’re done. Technology changes all the time! Every day there’s a new vulnerability showing up. You have to be abreast of new technologies and vulnerabilities, and you have to stay motivated to go out and learn these things. 

The person that practices hacking on their own free time, learning how to scan, how to detect vulnerabilities, and how to exploit that vulnerability, are going to get the job. 

Do you need to know how to code to become an ethical hacker?

You can start penetration testing without understanding code. You don't need to know Python, C++, or Java in order to start penetration testing. If you want to go deeper into ethical hacking, though, those coding skills will definitely help — you'll have an easier time if you understand programming at a deeper level. 

Are there certain traits that make a good ethical hacker? 

If it sounds exciting to have a job that changes daily, working on different vulnerabilities and trying out new tools, you will make a great ethical hacker! However, if you're looking for a 9-5 job doing the same thing you did the last three months every day in a row, chances are ethical hacking would not be a good career choice for you.

Do you need any certifications to become an ethical hacker?

You don’t need certifications, but there are certifications like CompTIA Security+ that most organizations highly prize. That cert will help you get into the field if you don't have a background in security. There are also certifications directly attributed to ethical hacking, such as Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP). Just be sure you're not putting the cart before the horse, and start with the foundations first.That said, experience makes up for any lack of certification. 

Khester’s Favorite Ethical Hacking Resources

For penetration testing specifically, I love Vulnhub.com. It’s a repository of different vulnerable machines that are available to anybody so you can practice your ethical hacking on them. You can create a Sandbox environment, and put your skills to the test! They've got hundreds of different machines. I recommend starting with level one and working your way up. 

If you need something a little foundational OverThewire.org is aimed at beginners and is a great place to start your cybersecurity career. It provides users "war games" to practice foundational cybersecurity concepts.

If you’re interested in certifications, Cyber Seek is a non-profit that offers a great breakdown of how certifications interact with the job placement field for cybersecurity. 

As far as actual news, I like Hacker News and I use Google alerts to update me once a week on the latest tech and cybersecurity news.  

The Future of Ethical Hacking

Over the next five years, I predict:

1. That we'll start to see more pen testing resources dedicated to the mobile industry. 
2. That we’ll see digital forensics playing a key role in the cybersecurity field, as incident responses increase after a network has already been breached. 
3. And that we’ll also start to see more penetration testing jobs becoming available across the board. 

Find out more and read Flatiron School reviews on Course Report. This article was produced by the Course Report team in partnership with Flatiron School.