Description
Ethical hackers perform security vulnerability assessments and penetration tests in accordance with industry-accepted methods and protocols. They analyse systems for potential vulnerabilities that may result from improper system configuration, hardware or software flaws, or operational weaknesses.
Other titles
The following job titles also refer to ethical hacker:
system security tester
vulnerability analyst
ethical hackers
ICT security tester
network security tester
Minimum qualifications
A bachelor’s degree is generally required to work as an ethical hacker. However, this requirement may differ in some countries.
ISCO skill level
ISCO skill level is defined as a function of the complexity and range of tasks and duties to be performed in an occupation. It is measured on a scale from 1 to 4, with 1 the lowest level and 4 the highest, by considering:
- the nature of the work performed in an occupation in relation to the characteristic tasks and duties
- the level of formal education required for competent performance of the tasks and duties involved and
- the amount of informal on-the-job training and/or previous experience in a related occupation required for competent performance of these tasks and duties.
Ethical hacker is a Skill level 4 occupation.
Ethical hacker career path
Similar occupations
These occupations, although different, require much of the same knowledge and skills as ethical hacker.
ICT security manager
ICT security administrator
ICT security consultant
digital forensics expert
IT auditor
Long term prospects
These occupations require some of the skills and knowledge of an ethical hacker. They also require other skills and knowledge, but at a higher ISCO skill level, meaning these occupations are accessible from a position of ethical hacker with significant experience and/or extensive training.
Essential knowledge and skills
Essential knowledge
This knowledge should be acquired through learning to fulfill the role of ethical hacker.
Computer forensics: The process of examining and recovering digital data from sources for legal evidence and crime investigation.
Software anomalies: The deviations from what is standard and the exceptional events during software system performance; identification of incidents that can alter the flow and the process of system execution.
Cyber attack counter-measures: The strategies, techniques and tools that can be used to detect and avert malicious attacks against organisations’ information systems, infrastructures or networks.
Tools for ICT test automation: The specialised software to execute or control tests and compare predicted testing outputs with actual testing results, such as Selenium, QTP and LoadRunner.
Web application security threats: The attacks, vectors, emergent threats on websites, web applications and web services, the rankings of their severity identified by dedicated communities such as OWASP (Open Web Application Security Project).
Legal requirements of ICT products: The international regulations related to the development and use of ICT products.
Penetration testing tool: The specialised ICT tools which test security weaknesses of the system for potentially unauthorised access to system information, such as Metasploit, Burp Suite and WebInspect.
Essential skills and competences
These skills are necessary for the role of ethical hacker.
Provide technical documentation: Prepare documentation for existing and upcoming products or services, describing their functionality and composition in such a way that it is understandable for a wide audience without technical background and compliant with defined requirements and standards. Keep documentation up to date.
Execute ICT audits: Organise and execute audits in order to evaluate ICT systems, compliance of components of systems, information processing systems and information security. Identify and collect potential critical issues and recommend solutions based on required standards and solutions.
Execute software tests: Perform tests to ensure that a software product will perform flawlessly under the specified customer requirements, using specialised software tools. Apply software testing techniques and tools in order to identify software defects (bugs) and malfunctions.
Monitor system performance: Measure system reliability and performance before, during and after component integration and during system operation and maintenance. Select and use performance monitoring tools and techniques, such as special software.
Analyse the context of an organisation: Study the external and internal environment of an organisation by identifying its strengths and weaknesses in order to provide a base for company strategies and further planning.
Develop code exploits: Create and test software exploits in a controlled environment to uncover and check system bugs or vulnerabilities.
Address problems critically: Identify the strengths and weaknesses of various abstract, rational concepts, such as issues, opinions, and approaches related to a specific problematic situation in order to formulate solutions and alternative methods of tackling the situation.
Identify ICT system weaknesses: Analyse the system and network architecture, hardware and software components and data in order to identify weaknesses and vulnerability to intrusions or attacks.
Perform security vulnerability assessments: Execute types of security testing, such as network penetration testing, wireless testing, code reviews, wireless and/or firewall assessments in accordance with industry-accepted methods and protocols to identify and analyse potential vulnerabilities.
Identify ICT security risks: Apply methods and techniques to identify potential security threats, security breaches and risk factors using ICT tools for surveying ICT systems, analysing risks, vulnerabilities and threats and evaluating contingency plans.
Optional knowledge and skills
Optional knowledge
This knowledge is sometimes, but not always, required for the role of ethical hacker. However, mastering this knowledge allows you to have more opportunities for career development.
Information security strategy: The plan defined by a company which sets the information security objectives and measures to mitigate risks, define control objectives, establish metrics and benchmarks while complying with legal, internal and contractual requirements.
Nessus: The computer program Nessus is a specialised ICT tool which tests security weaknesses of the system for potentially unauthorised access to system information, developed by the software company Tenable Network Security.
ICT network security risks: The security risk factors, such as hardware and software components, devices, interfaces and policies in ICT networks, risk assessment techniques that can be applied to assess the severity and the consequences of security threats and contingency plans for each security risk factor.
ICT security standards: The standards regarding ICT security such as ISO and the techniques required to ensure compliance of the organisation with them.
Internet governance: The principles, regulations, norms and programs that shape the evolution and use of the internet, such as internet domain names management, registries and registrars, according to ICANN/IANA regulations and recommendations, IP addresses and names, name servers, DNS, TLDs and aspects of IDNs and DNSSEC.
Proxy servers: The proxy tools which act as an intermediary for requests from users searching for resources, e.g. files and web pages from other servers, such as Burp, WebScarab, Charles or Fiddler.
Outsourcing model: The outsourcing model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
Hybrid model: The hybrid model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
ICT security legislation: The set of legislative rules that safeguards information technology, ICT networks and computer systems and legal consequences which result from their misuse. Regulated measures include firewalls, intrusion detection, anti-virus software and encryption.
Organisational resilience: The strategies, methods and techniques that increase the organisation’s capacity to protect and sustain the services and operations that fulfil the organisational mission and create lasting values by effectively addressing the combined issues of security, preparedness, risk and disaster recovery.
Cyber security: The methods that protect ICT systems, networks, computers, devices, services, digital information and people against illegal or unauthorised use.
Service-oriented modelling: The principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture and application architecture.
Levels of software testing: The levels of testing in the software development process, such as unit testing, integration testing, system testing and acceptance testing.
Information confidentiality: The mechanisms and regulations which allow for selective access control and guarantee that only authorised parties (people, processes, systems and devices) have access to data, the way to comply with confidential information and the risks of non-compliance.
Open source model: The open source model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
ICT encryption: The conversion of electronic data into a format which is readable only by authorised parties which use key encryption techniques, such as Public Key Infrastructure (PKI) and Secure Sockets Layer (SSL).
WhiteHat Sentinel: The computer program WhiteHat Sentinel is a specialised ICT tool which tests security weaknesses of the system for potentially unauthorised access to system information, developed by the software company WhiteHat Security.
SaaS (service-oriented modelling): The SaaS model consists of principles and fundamentals of service-oriented modelling for business and software systems that allow the design and specification of service-oriented business systems within a variety of architectural styles, such as enterprise architecture.
Nexpose: The computer program Nexpose is a specialised ICT tool which tests security weaknesses of the system for potentially unauthorised access to system information, developed by the software company Rapid7.
Internet of things: The general principles, categories, requirements, limitations and vulnerabilities of smart connected devices (most of them with intended internet connectivity).
Optional skills and competences
These skills and competences are sometimes, but not always, required for the role of ethical hacker. However, mastering these skills and competences allows you to have more opportunities for career development.
Manage IT security compliances: Guide application and fulfilment of relevant industry standards, best practices and legal requirements for information security.
Define security policies: Design and execute a written set of rules and policies that have the aim of securing an organisation concerning constraints on behaviour between stakeholders, protective mechanical constraints and data-access constraints.
Solve ICT system problems: Identify potential component malfunctions. Monitor, document and communicate about incidents. Deploy appropriate resources with minimal outage and deploy appropriate diagnostic tools.
Perform project management: Manage and plan various resources, such as human resources, budget, deadline, results, and quality necessary for a specific project, and monitor the project’s progress in order to achieve a specific goal within a set time and budget.
Maintain ICT server: Diagnose and eliminate hardware faults via repair or replacement. Take preventive measures, review performance, update software, review accessibility.
ISCO group and title
2529 – Database and network professionals not elsewhere classified
References
- Ethical hacker – ESCO