It’s been 6 long years that I’ve journeyed onto the path of becoming a professional penetration tester/certified ethical hacker. A somewhat rather lofty ideal if you must. Along this journey I’ve managed to step away with quite a few jewels that I believe would be helpful (if not, at the very least, then, worthy to be considered) to any newcomer that harbors those same lofty aspirations as I did 6 years ago when I made the decision to pursue a career in penetration testing.
In this post we’re going to look at how you’ll need to classify (and how society and the law is going to classify) exactly what it is that you do. For the most part, it’s important that you come to grips early on with the fact that, to the exclusion of your immediate family, close friends, and the Info Sec community, when you refer to yourself as a hacker there is only one image that is conjured up in the mind of the recipient- that is, a character who’s hidden away in a dark room or tucked away in the corner of some public space that offers free WiFi access, with the monitor(s) on his or her (that’s right, I said her…think “Girl With the Dragon Tattoo”) computer illumined with green scrolling text, furiously typing away on a keyboard in an effort to break into someones account or system to reap major havoc. Period. It is what it is and you have the media to thank for playing their role in shaping, molding, and reinforcing this perception into the modern observers subconscious. However, like most things in life, what’s important is how you see and classify yourself in this journey.
Now. Within the professional realm and among the Info Sec community in which you’ll most likely be spending the majority of your life away from home, there’s basically 3 categories of hackers with each containing within themselves, subcategories or “hacker types”. These categories are commonly classified as a hat. More specifically, a color of a hat.
In a nutshell, the white hats are considered the good guys. These guys are well respected in their craft and do not use their skills without prior consent nor with any aim other than improving security or defensive purposes. The black hats are considered the bad guys. These guys, you guessed it, do just the opposite of what the white hats do. They illegally use their skills for personal gain or some other malicious intent such as stealing and corrupting data, denying access to resources or systems, etc. It should also be noted that black hats do not ask for permission to carry out these malicious activities. The gray hats, being neither good nor bad are by far the hardest group to categorize. This group is made up of individuals who are intrigued by hacking tools and techniques and feel that they have a moral obligation to businesses, end users, and the Info Sec community as a whole to demonstrate security flaws in systems- with or without explicit permission to do so.
What’s the take away in all of this? The take away is this, regardless of how it’s labeled, the activity of hacking is carried out in the same exact manner. Somehow, in some way, a set of specialized tools, techniques, knowledge, and skills are used by someone to bypass security measures and thus, allowing said someone to “hack ” into a computer, a network, or an application. What gives is the purpose or the intent behind the activity. This alone is going to determine what category the hack and or the hacker falls into. So the jewel to be gotten is this: identify the intentions that are driving your decision to aspire towards a career path of penetration testing and ethical hacking because not only will this make you a better all around hacker, but it will also provide you with the motivation to continue to press on and “try harder” when faced with the inevitable difficulties that will arise as a result of taking up such a lofty quest. Happy hacking!
