Ethical Hacking and Penetration Testing
career areas
Click below for related areas and job profiles:
Work experience ideas:
What is Ethical Hacking and penetration testing?
The terms ‘penetration testing’ and ‘ethical hacking’ are often used interchangeably when referring to internal cyber security tests, but they’re not exactly the same.
Ethical Hacker
An Ethical Hacker is a computer expert who intentionally tries to penetrate a company’s network, in order to help them identify potential security threats.
With the importance placed on our online security at an all-time high, Ethical Hackers (also known as ‘white hat’ hackers or penetration testers) could be invaluable for a business. They use the same methods as their less-reputable namesakes, but document vulnerabilities instead of exploiting them, preventing potential crises and minimising damage.
Penetration Tester
Penetration testers simulate cyberattacks in order to identify and report security flaws on computer systems, networks and infrastructure, including internet sites.
The difference between penetration testing and ethical hacking
There are some big differences between penetration testing and ethical hacking. For example, if we look at the skills of the tester, we see that a penetration tester makes a cybersecurity assessment of a specific IT system. An ethical hacker assesses all systems and security vulnerabilities. In addition, an ethical hacker can perform penetration tests, but a penetration tester will not hack ethically. An ethical hacker will sometimes have to give you access to a number of systems within the IT infrastructure because the tests of an ethical hacker are much broader.
Penetration testers do not need certification as long as they have sufficient experience. However, ethical hackers often need very strict and difficult to reach certification and knowledge.
One final big difference is that a penetration test is often short and does not last very long, whereas an ethical hacker often works on a project for a longer period of time and provides deeper reporting. Ethical hackers are also required to sign legal papers before starting their tests, while this is not the case with penetration testers.
Taken from : https://sectricity.com/en/blog-en/differ/ 2022
Ethical Hacker Infomation
You’d be employed to protect networks and computers from attacks from unethical hackers, who illegally access computers with the intention of accessing confidential information.
Delivering security testing using advanced software, you’d attempt to ‘penetrate’ a company’s systems in much the same way as a hacker – with the goal of uncovering any weak areas in the system.
You would:
Find and suggest patches for weaknesses in the system
Ensure that the system is firewalled
Put security protocols in place
Qualifications
There are different routes to this role or similar roles in cybersecurity. You'll need the ability to identify, assess and deal with complex information security risks. You'll also need to build relevant experience and qualifications to demonstrate this.
You can gain skills and qualifications in the work place through options such as Modern Apprenticeships or Graduate Apprenticeships (combining work and college/university study) in:
Information Security (SCQF level 6 / SCQF 8)
Cyber Security (SCQF 10 / SCQF 11)
Apprenticeships are advertised as job vacancies and, like any vacancy, entry requirements will vary. Relevant experience and qualifications, such as National 5s or Highers, will be helpful but may not be essential if you can show you would be the right person for the job.
Useful subjects
Maths or Physics (required by most courses, valued by employers)
Computer Science or Information Systems (required by most courses, valued by employers)
Other science subjects
English and Social studies subjects, such as business management, geography or psychology (valued by employers)
For more information :
https://www.myworldofwork.co.uk/my-career-options/job-profiles/ethical-hacker
https://www.reed.co.uk/career-advice/how-to-become-an-ethical-hacker/
Penetration Testing
Taken from Prospects 2022
As a penetration tester, you will perform authorised tests on computer systems in order to expose weaknesses in their security that could be exploited by criminals. You can choose to specialise in manipulating a particular type of system, such as:
networks and infrastructures
Windows, Linux and Mac operating systems
embedded computer systems
web/mobile applications
SCADA (supervisory control and data acquisition) control systems
Internet of Things (IoTs).
As well as identifying problems, you may also provide advice on how to minimise risks.
Qualifications
Degree route:
To enter this industry, you'll usually need a relevant degree, in-depth knowledge of computer operating systems and at least two to four years of experience in a role related to information security.
Useful degree subjects include:
computer science
computing and information systems
cyber security
forensic computing
network management
computer systems engineering.
You're unlikely to go straight from graduation into a penetration tester role and will usually need some industry experience. However, some organisations have started to offer graduate penetration tester roles. Where graduate entry roles are offered, there are likely to be high levels of competition.
As well as relevant degree qualifications, you'll often be expected to have one or more professional qualifications (trainee and graduate roles will usually include training and certification in these qualifications as part of the role). These include:
CREST Registered Penetration Tester (CRT)
Offensive Security Certified Professional (OSCP)
Certified Ethical Hacker (CEH) Certification
GIAC Penetration Tester (GPEN) Certification
company certification schemes from major vendors and equipment providers like Microsoft (MCP, MCSE) or Cisco (CCNA Security).
You may gain these qualifications and certifications through cyber security roles, but some can be obtained through self-study. Take a look at job adverts for penetration testers to get a feel for which certifications employers are looking for.
It's also possible to work as a penetration tester without a degree if you have significant experience in information security and hold industry certifications.
You may need to undertake security clearance checks when applying for jobs.
Apprenticeship route :
It's also possible to take a degree apprenticeship in cyber security, combining work with part-time study at university.
Use the findapprentieship service website to look into this and other websites such as : https://www.notgoingtouni.co.uk/opportunities/cyber-security
Employers and CONTINUAL PROFESSIONAL DEVELOPMENT
There are some graduate schemes available, which will usually provide a structured development programme, mentoring and the opportunity to undertake placements in various departments.
It's common to undertake industry-specific qualifications to demonstrate your understanding, knowledge and experience. Professional industry qualifications are offered by a number of organisations, most of whom offer varying levels of accreditation from entry level through to managerial level. These include:
The CHECK scheme allows companies approved by the National Cyber Security Centre (NCSC) to provide qualified penetration testers to work on IT systems for the government and other public sector bodies. To qualify as a CHECK team member (CTM) or team leader (CTL), you'll need to pass an NCSC-accredited CREST, Tiger Scheme or Cyber Scheme examination.
Other relevant qualifications include:
For senior level roles, it's often a prerequisite to hold one or more of the advanced certifications, such as the CTL or the CREST Certified Practitioner qualification.
