White hat hackers, sometimes known as ethical hackers, are experts who help businesses find vulnerabilities in their applications, systems and networks.
The cybersecurity job market has become a hot field, seeking new, highly qualified candidates. It is a diverse field with various job types, but one of the most desired positions is unquestionably penetration tester. A pen tester is an ethical or white hat hacker. Because of this, a pen tester needs to understand the sensitive nature of their job and ensure that they are always compliant with policies, procedures, laws and legislation. Becoming a pen tester is not a decision that should be taken lightly. It can, however, be a lucrative field and also personally rewarding, so if one does take this path, it can be a real life changer.
As with many IT-related fields, this job has flexible options. It could be performed remotely, outside of normal office hours, as a consultant, or as an employee of a large or small corporation. If one is considering pen testing, it’s important to weigh the pros and cons of being a W-2 employee or 1099 freelance consultant.
Being a freelance consultant in any field normally means you are a 1099 employee, thus a small business owner, versus a W-2 employee. But many people do not fully prepare for what being a freelance consultant really entails.
The first item to consider is whether you want to start an actual business, or just be a 1099. As a 1099, you normally do work for a company and they provide you a 1099 statement at the end of the year. They will pay you a set rate for services performed; however, they do not pay your taxes or provide you any level of benefits. You are 100 percent responsible for paying your own taxes and ensuring you still have enough money left over for health insurance, as well as any time you need to take off from work. Remember, you only get paid for time and services rendered. If you perform no work, you will not receive any money. There is no paid time off in the 1099 world!
If you decide you want to be a freelancer, you could also start a business. You can be a sole proprietor, or you could start an LLC or corporation. You would need to look into the laws of your particular state to understand what the differences are. A sole proprietor is similar to just being a 1099 employee. In some states, you can be a sole proprietor and file a “Doing Business As” (DBA) certification with your state to present yourself as a business. For example, your name is Alex Jones, you’re a freelance pen tester in Alabama, but to look a bit more professional, you might want to send your customers invoices using the name “AJ Pen Testing Services.” Alex would fill out a DBA with the state of Alabama so he could use that name for his pen testing services.
If you decide to launch an LLC or corporation, it is important to consider the business licensing laws in your state. You also want to understand and evaluate how this affects your tax structure. If you do start a freelance business, you will want to obtain business insurance. As a pen tester, you will be penetrating and possibly exposing the vulnerabilities related to an organization’s Information Technology structure. As a result, it is possible to be sued if something goes wrong. You want to ensure you have some form of liability insurance so you protect your personal assets from your business. In some states, you do not have this level of protection if you are a sole proprietor, so again it is important to weigh your options.
Being an employee provides some level of stability. That is why many people choose to become employed at companies instead of starting their own. Being a pen tester at a corporation means a steady paycheck, normally provides medical and dental benefits, vacation time, the camaraderie of a team, additional resources, and maybe even other perks like occasional free lunches or snacks, or even holiday parties. If you are fairly new to pen testing, having some additional training could prove useful for enhancing your skillset. In some cases, a company may pay for training. Most cybersecurity-related training is fairly expensive, so having a company pick up the tab is a great perk. Many pen testers have some type of related certification. These technical certifications require CPEs (Continuing Professional Education), also referred to as Continuing Education credits. Some companies provide training opportunities that employees can take advantage of while still getting paid, allowing their employees to maintain their needed CPEs. Some companies even pay for the renewal fees that many certifications require.
Working for a company also provides all of the pen testing resources needed to complete the job. There are many open source tools that can be used to perform pen testing, but many advanced tools require the purchase of a subscription or a license for installation. Some items that have costs associated with them include:
Burp Suite: Used to automate crawling and scanning. Using the professional edition requires a subscription.
Metasploit: This is open source software, but the professional edition has associated costs.
Nessus: A scanning tool that requires a yearly license.
Pen testers also need a laptop that has these tools, along with others, to perform their work. Kali Linux does come pre-loaded with many of these tools, which can be helpful for the freelance employee, though you may not have the professional versions that provide additional capabilities. As an employee, you have all of your needed resources provided for you. As a freelancer, you are responsible for paying for them yourself; however, as they are being purchased for business purposes, these items could be potential tax write-offs, so that is a potential advantage to consider. The toughest issue with being a freelance pen tester is finding clients.
Outside of the financial considerations, finding work is the biggest hurdle for any pen tester, employee or freelancer alike. Many companies are not eager to pay a stranger to come poke around at their network and find vulnerabilities, so even large corporations with great reputations in the field may not always have pen testing opportunities available. The advantage of working at a company as a pen tester is that when there are times of low to no pen testing work available, they may have other projects that you can work on to keep you busy and fulfilled. As a freelancer, you have to find ways to fill those voids.
As a freelancer, you will also have to find ways to build clientele and get people to trust you. When you are not working, you will need to spend time going to various conferences to try and get your name around the industry. Some of the big conferences can be expensive, so those costs are other items to consider. Another way to get your name around is to train or teach. Giving talks at events like Black Hat or Defcon is a way to create interest in your expertise.
There are both advantages and disadvantages to being a freelance or company-employed pen tester. Pen testing can be a full-time job for either, but there can be slow periods. Being a hired employee can offer additional educational benefits as well as opportunities for other work during slow periods, but being a freelancer offers flexibility and the ability to take on certain types of projects according to your skills or interests. Employed pen testers get the benefit of working with other like-minded individuals (or even finding mentors) in the field to bounce ideas off of, but as a freelancer, you can start your own business and hire other like-minded individuals. Building clientele as a freelancer could prove difficult, but that is true in any profession. If you have the drive and prove yourself an expert in the field, freelancing could be just as steady and fulfilling as being an employed pen tester. Whichever route you choose, it’s a fun, exciting, and rewarding field!
What do you think of when you think “hacker”?
If you pictured the hoodie-clad villain in countless famous movies, you’ve got one side of the story. But did you know it’s also possible to use hacking skills for good? In fact, hacking can be a respectable full-time job for some people.
White hat hackers are like the antidote to “black hat” hackers, or those who use hacking for negative purposes. Businesses and governments are eager to employ white hat hackers to combat the threats posed by other hackers. These jobs have all of the excitement of illegal hacking, with the benefit of a steady paycheck and no threat of jail time.
Wondering how to become a white hat hacker? We’re here to help. Keep reading to learn how to get started with white hat hacking!
As a white hat hacker, you look for weaknesses in the security of a system, just like black hat hackers do. The difference is that instead of trying to exploit those weaknesses, you’re trying to fix them.
You’ll use common cyber-attack methods to try to get into the system from the outside. Then, once you’ve located those weak points, you can work on fixing them so no one else can get in.
The skills you’ll need include coding and programming knowledge, as well as a great deal of other tech knowledge. You’ll also need the creativity to think like a black hat hacker and learn the newest hacking tactics, which change frequently.
You’ll need to become very familiar with the platform you primarily work with. However, just like any computer programmer, it’s also valuable to learn a wide variety of platforms and coding languages so you can be as versatile as possible.
Some people are well-suited to the white hat hacking world, while others might find it’s not what they thought it would be.
You’ll need to enjoy the technical side of working at a computer. For example, you might need to learn new coding languages as they get developed.
You’ll also need to be passionate about problem-solving and finding solutions. This can involve being determined and not giving up easily when you find a roadblock. It also involves a certain amount of creativity, as mentioned above. You’ll need to be able to come up with different possible things to try and to put yourself in the shoes of a black hat hacker to figure out how they think.
In addition to that, great white hat hackers are also great communicators. It’s not really a solitary job; you’ll need to be able to effectively express what you’ve found to your team. The best hackers are also very organized and work well under pressure.
In some jobs, you’ll need to work on the physical security of a site, as well as the digital security. You might be required to test physical access controls of a site, such as trying to bypass card readers and security personnel.
There’s no degree required to become a white hat hacker. As long as you have the proper technical skills, it doesn’t matter how you got them. However, most employers will be looking for a college degree in computer science, information security, or a similar field. This is an easy way for them to see that you have the foundation they’re looking for.
You can also get specialized certifications to supplement your education, or to fill in gaps where you don’t have a formal education. For example, there are certifications in the IT security field that can help impress potential employers.
There are even “ethical hacker” certifications if you want to learn the most job-specific skills possible. Some hackers also learn computer forensics, which is a related field. This gives you yet another way to gather relevant information for your hacking jobs.
Once you’ve pursued the right areas of study and gotten some impressive certifications or experience, how do you actually find a hacking job?
“Hacker” won’t necessarily be in your job description. You might find yourself applying for jobs as an information systems analyst or a tech consultant.
One common source for white hat hacking jobs is in the government sector. For example, the military often hires white hat hackers to help make sure that black hat hackers can’t learn sensitive military secrets through weak points in their systems. However, many other government organizations also need the kind of security that white hat hackers can provide.
There are also plenty of private sector hacker jobs. However, the private sector can be harder for an entry-level hacker with no hands-on experience to break into. You might need more experience or more specialized knowledge to get a private sector job. The more education and certifications you have, the easier your path will be.
Taking part in relevant conferences or “hackathons” can be a great way to network with the right people and find new job opportunities. Staying involved in these communities throughout your white hat hacker career can also help you stay up to date on the latest hacking news and technologies.
If being a white hat hacker still sounds like a good fit after you’ve read this, you’re probably ready to get started. For the right person, this can be a fun, rewarding, and lucrative career path.
For many hackers, the first step is getting a relevant college degree.