I often receive messages from people asking me how to become a hacker, how to hack a website or how to become a professional penetration tester. I usually reply case by case if I’m free and if I feel the person is truly interested in the field and he’s not trying to do some illegal activities (often without the minimum knowledge about what he is trying to do and risking to get caught and sent to jail). I then decided to write a series of articles about Ethical Hacking and Penetration Testing in order to help newbies follow the right path and acquire the necessary knowledge to understand this marvelous world of hacking and encourage them to study further and sharpen their skills until they can feel confident and proud of themselves (hey I’m so 1337! :D) or jumpstart their career and land a job in Information Security. Just keep in mind that the information you’ll be required to learn is huge and I won’t teach you everything, you’ll need to do your personal research and always keep updated. Infosec is in continuos evolution, it changes so fast, day by day. Stop studying for 1 month and you’ll need 3 months to get back on track, to say the least.
WHAT IS HACKING AND WHAT DOES A HACKER DO?
The terms hacking and hacker are often associated with illegal activities but not always this is true. Hacking can be simply described as the ability to manipulate something in order to achieve the wanted result or the ability to find a clever solution to a problem. Often it isn’t an easy task and it requires numerous skills, multiple steps, workarounds, lateral thinking, great spirit of observation and intuition. One can be a hacker in many fields, a father who managed to build a prosthetic hand for his son can be considered a hacker, a programmer who made programs to automatically text the wife if it’s late and he’s still at work, send an email to the boss asking to work from home after an hangover or instruct a coffee machine connected to the company’s network to make a cup of coffee for him can be considered a hacker and so on. Often the term “hacker” is however associated to computer science and information security in particular. The Oxford dictionary describes it as “a person who uses computers to gain unauthorized access to data”. This is a negative and limited definition that doesn’t describe perfectly the whole concept of hacking, then let’s try to classify the various kinds of hackers by introducing some specific terminology.
A White Hat or Ethical Hacker is a hacker who is curious by nature and deeply interested in information security, finding weaknesses and vulnerabilities of systems, softwares, protocols and web applications and has no interest in causing harm and damaging the system but on the contrary has a great sense of duty and likes collaborating with the owner by informing him about the problem and helping him to fix it.
A Black Hat or Cracker is a hacker who misbehaves and like gaining unauthorized access to systems, stealing data, tampering data, creating a Denial Of Service, defacing a website etc. for pure fun or for profit.
A Gray Hat is a hacker whose ethical standards fall somewhere between purely altruistic and purely malicious.
When a white hat hacker discovers a vulnerability, he will exploit it only with permission and will not divulge its existence until it has been fixed, instead a black hat will illegally exploit it and/or tell others how to do so. The grey hat will neither illegally exploit it, nor tell others how to do so.
A further difference among these types of hacker lies in their methods of discovering vulnerabilities. The white hat generally breaks into systems and networks at the request of his employer or with explicit permission for the purpose of determining how secure it is against hackers, whereas the black hat will break into any system or network in order to uncover sensitive information and for personal gain. The grey hat generally has the skills and intent of the white hat but will break into any system or network without permission.
A Newbie or Noob is a person who is a hacker wannabe, someone who wants to become a hacker but doesn’t have the skills yet to be defined as a hacker.
A Lamer or Script Kiddie is a person who claims to be a hacker but actually is only able to to run scripts or programs made by others, often point and click programs with a GUI and lacks any deep knowledge typical of a hacker, can’t use the command line and can’t program. He is often mocked and trolled by people with a higher level of expertise.
MAKE WAY FOR THE PROS!
A Security Professional is anyone whose job consists in dealing with Information Security, anyway not all the jobs are the same.
A Penetration Tester is a security professional who tests the security of an infrastructure with the written consent of a company. Since security is a wide topic, there are many specializations like Network Penetration Testing, Web Application Penetration Testing, Mobile Penetration Testing and so on.
A Security Engineer is a security professional who is usually hired by a single company and has to manage and guarantee the security of the company itself.
A Security Consultant is a senior security professional who provides security consultancy to multiple companies, designs and implements the best security solutions for an organization’s needs.
A Security Researcher is a security professional who doesn’t spend time managing the security of a company or providing security consultancy to multiple companies but focuses his efforts entirely on research in order to discover new vulnerabilities, produce proof of concepts of possible exploits, write technical papers, develop tools for penetration testing or defense and partecipate to Information Security conferences. To say the truth, due to the continuos evolution of the information security field, any security professional dedicates some time to research either at home or at work, although to a lesser extent.
Author: Fabio Baroni Date: 2015-12-12 03:51:26