The terms ‘penetration testing’ and ‘ethical hacking’ are often used interchangeably when referring to internal cyber security tests, but they’re not exactly the same.

Ethical Hacker

An Ethical Hacker is a computer expert who intentionally tries to penetrate a company’s network, in order to help them identify potential security threats.

With the importance placed on our online security at an all-time high, Ethical Hackers (also known as ‘white hat’ hackers or penetration testers) could be invaluable for a business. They use the same methods as their less-reputable namesakes, but document vulnerabilities instead of exploiting them, preventing potential crises and minimising damage.

Penetration Tester

Penetration testers simulate cyberattacks in order to identify and report security flaws on computer systems, networks and infrastructure, including internet sites. 

The difference between penetration testing and ethical hacking

There are some big differences between penetration testing and ethical hacking. For example, if we look at the skills of the tester, we see that a penetration tester makes a cybersecurity assessment of a specific IT system. An ethical hacker assesses all systems and security vulnerabilities. In addition, an ethical hacker can perform penetration tests, but a penetration tester will not hack ethically. An ethical hacker will sometimes have to give you access to a number of systems within the IT infrastructure because the tests of an ethical hacker are much broader.

Penetration testers do not need certification as long as they have sufficient experience. However, ethical hackers often need very strict and difficult to reach certification and knowledge.

One final big difference is that a penetration test is often short and does not last very long, whereas an ethical hacker often works on a project for a longer period of time and provides deeper reporting. Ethical hackers are also required to sign legal papers before starting their tests, while this is not the case with penetration testers.

Taken from : https://sectricity.com/en/blog-en/differ/ 2022

You’d be employed to protect networks and computers from attacks from unethical hackers, who illegally access computers with the intention of accessing confidential information.

Delivering security testing using advanced software, you’d attempt to ‘penetrate’ a company’s systems in much the same way as a hacker – with the goal of uncovering any weak areas in the system.

You would:

• Find and suggest patches for weaknesses in the system

• Ensure that the system is firewalled

• Put security protocols in place

Qualifications

There are different routes to this role or similar roles in cybersecurity. You'll need the ability to identify, assess and deal with complex information security risks. You'll also need to build relevant experience and qualifications to demonstrate this.

You can gain skills and qualifications in the work place through options such as Modern Apprenticeships or Graduate Apprenticeships (combining work and college/university study) in:

• Information Security (SCQF level 6 / SCQF 8)

• Cyber Security (SCQF 10 / SCQF 11)

Apprenticeships are advertised as job vacancies and, like any vacancy, entry requirements will vary. Relevant experience and qualifications, such as National 5s or Highers, will be helpful but may not be essential if you can show you would be the right person for the job.

Useful subjects

• Maths or Physics (required by most courses, valued by employers)

• Computer Science or Information Systems (required by most courses, valued by employers)

• Other science subjects

• English and Social studies subjects, such as business management, geography or psychology (valued by employers)

For more information :

https://www.myworldofwork.co.uk/my-career-options/job-profiles/ethical-hacker

https://www.reed.co.uk/career-advice/how-to-become-an-ethical-hacker/

Taken from Prospects 2022

As a penetration tester, you will perform authorised tests on computer systems in order to expose weaknesses in their security that could be exploited by criminals. You can choose to specialise in manipulating a particular type of system, such as:

• networks and infrastructures

• Windows, Linux and Mac operating systems

• embedded computer systems

• web/mobile applications

• SCADA (supervisory control and data acquisition) control systems

• Internet of Things (IoTs).

• As well as identifying problems, you may also provide advice on how to minimise risks.

Qualifications

Degree route:

To enter this industry, you'll usually need a relevant degree, in-depth knowledge of computer operating systems and at least two to four years of experience in a role related to information security.

Useful degree subjects include:

• computer science

• computing and information systems

• cyber security

• forensic computing

• network management

• computer systems engineering.

You're unlikely to go straight from graduation into a penetration tester role and will usually need some industry experience. However, some organisations have started to offer graduate penetration tester roles. Where graduate entry roles are offered, there are likely to be high levels of competition.

As well as relevant degree qualifications, you'll often be expected to have one or more professional qualifications (trainee and graduate roles will usually include training and certification in these qualifications as part of the role). These include:

• CREST Registered Penetration Tester (CRT)

• Offensive Security Certified Professional (OSCP)

• Certified Ethical Hacker (CEH) Certification

• GIAC Penetration Tester (GPEN) Certification

• company certification schemes from major vendors and equipment providers like Microsoft (MCP, MCSE) or Cisco (CCNA Security).

You may gain these qualifications and certifications through cyber security roles, but some can be obtained through self-study. Take a look at job adverts for penetration testers to get a feel for which certifications employers are looking for.

It's also possible to work as a penetration tester without a degree if you have significant experience in information security and hold industry certifications.

You may need to undertake security clearance checks when applying for jobs.

Apprenticeship route :

It's also possible to take a degree apprenticeship in cyber security, combining work with part-time study at university.

Use the findapprentieship service website to look into this and other websites such as : https://www.notgoingtouni.co.uk/opportunities/cyber-security

https://www.instituteforapprenticeships.org/apprenticeship-standards/cyber-security-technical-professional-integrated-degree-v1-0