It’s ethical hacking month here at ITPro, and to celebrate, we sat down with our edutainer Daniel Lowrie to talk about one of the hottest topics in the cybersecurity world: ethical hacking. We asked about his opinion on breaking into the industry, where it’s going in the future, and more. Read on to learn:
Why Daniel Lowrie does what he does
How to avoid cybersecurity bootcamp scams
How you can get started and continue to grow in this fascinating field
In your own words, what is ethical hacking?
Daniel - Ethical hacking is using hacking skills in an ethical way so you can discover vulnerabilities or weaknesses that are exploitable in your network, for the purposes of securing those weaknesses.
What are some of the jobs available as an ethical hacker? What can someone expect to be doing day-to-day?
Daniel - That can be subjective, and it really depends on each person’s individual case. It’s going to depend on what your situation dictates. Generally, there are great certifications, degree programs, and internships. If you can take advantage of any of those in your world, then go for it. If you’re talking in more general terms (what are good ethical hacking certifications that will help someone get into the field?), that's going to be your PenTest+, eJPT, OSCP, and PNPT. These things are well known for people breaking into the field, but of course there are more out there.
What certifications might an ethical hacker seek, and do you think they are critical to landing a job?
Daniel - Degree programs can vary. There are some universities and colleges that are better known for having good cybersecurity programs, and others that are just complete wastes of time and money. I won’t name any programs but do your own research. As far as internships, you have to actively Google or network, because they pop up and they go away. Be active on Indeed and LinkedIn, and just put it out there that you’re looking for an internship or some kind of work experience. Of course, you can also do whatever you want to learn on your own at your own house. Try building a lab. Last time I checked, most people have a home network that probably needs securing, and what better thing to penetration test than the things you’re already using at home?
Circling back to the university programs, recently a lot of universities have been making cybersecurity bootcamps. There has been buzz that the content is sometimes made by other entities who pay to use the name of the university. What are your thoughts on that?
Daniel - I hadn’t heard about that yet. As with anything, it’s important to do your own research before you sign up. You are the customer, and it’s your job to make sure you get the best product, because the salesmen sell. They don’t care what it is. Their job is to sell you the product. So, you can’t blindly believe in their marketing because you can’t just trust someone who has no skin in the game. You can only trust what you know, doing your own research. Do your best to find out whether it’s legit, a scam, or just not worth your money.
What are some tools that ethical hackers use in their daily jobs?
Daniel - Screwdrivers, mostly. Sometimes hammers. I’ve seen the occasional saw come out…
Just kidding. I can almost guarantee they’re using Nmap. There’s a probability they’re using Burp Suite. It’s important to keep in mind that ethical hacking is not the same as pen testing. Pen testing is a subset of ethical hacking. So, if you are, per se, an ethical hacker, you are going to be using a wide variety of tools. You could be using IPRO, you’re going to be looking at source code and doing dynamic and static code analysis. You will also be a part of the secure software development lifecycle, the SDLC, and making sure that’s set. So, you’re working your way through the chain of events that happens before the project goes live, whether that is a website being published or a product being sold. But then after it goes live, there's still the job of trying to test things and do stuff like that. Whereas pen testers tend to be kind of like a mercenary group that comes in and says, “What do you need?” “Oh, well we need to check security.” And then you have red teams that do long-term threat engagement. So, if you’re talking about ethical hacking specifically, they use a bunch of stuff, and so do pen testers and other cybersecurity professionals. But what they use on the day-to-day totally depends on the job.
What are your thoughts on the future of ethical hacking? Do you think the field will blow up in the coming years?
Daniel - I don’t think it’s going to explode, necessarily. The job market right now actually has a bigger demand for the blue team. The blue team is getting a lot of inundation right now because everybody wants to get into the red team side of things because it’s fun, right? And who doesn’t want to have fun? Blue teams - I'm being facetious, but - they must be a bit of a masochist, because their job is to get beat up all day, right? Their job is all, “Oh, we missed that hole, now we have to go fix it,” or “Oh, we stand up new technology and it’s got new vulnerabilities that we now have to learn about and fix, and we don’t even know they exist yet.” Right? Their job is super hard. So, because of the big boom on the red team side of things, and firms standing up and people getting more pen tests, they realized, “We need to spend more money on our blue team!” Because that’s what the problem is. We don’t have enough defenders to cover the gaps. So that’s an avenue that should be growing in the future. Now, there’s still plenty of work to go around on the red team side of things if you want to get into ethical hacking. But there is less than the need for cyber defenders. If you really want to be an ethical hacker but you’re not yet working in tech or cybersecurity, working in the blue team first is a great way to get experience and crack into the field overall. Take advantage of the current market.
Do you think there are factors or personality traits that make someone more inclined to this job? Is there a certain kind of person that is more likely to become an ethical hacker?
Daniel - I’m not sure if there is... I’ll tell you what: This guy asked me to do a podcast for him. He said, ‘I want you to do a string of eight podcasts for me, I’ll pay you.’ And I asked him, ‘What do you want them to be about?’ He was thinking, ‘How do you defend this, how do you defend that.’ I told him, ‘No, you’ve got the wrong guy,’ because that’s not me. I appreciated him reaching out to me, but that’s not my thing. I don’t enjoy writing firewall rules and hoping they work, and only finding out they don’t when someone bypasses them. Or realizing that this machine, for whatever reason, even though it was checking in for updates, wasn’t getting updates. What is happening? For me personally, that’s a hard job. And if that’s you, go crazy. We need people who like to do that stuff.
What makes hacking fun for you?
Daniel - Because I’ve got a little bit of a deviant side to me, right? And the idea of bypassing locks has always appealed to me. Going places I’m not supposed to go.
Are you a big puzzle guy? Not in a literal sense, but figuring things out in general? Taking a problem, finding the solution, and the conquering of that?
Daniel - Yeah, I do like that stuff. I haven’t historically been known to sit there with a jigsaw puzzle, although I do love my sudoku. To me, I’m more interested in learning stuff. It’s more about the journey through things and about learning something new. So, I get super hyper focused on things when I find them interesting, and once I feel like I’ve gotten to a certain competency, that’s when I start losing that focus. And then something else makes my brain go, ‘What’s this?’ and then I zoom in on that new topic. So that’s why I know a lot about a bunch of different stuff. It’s because I tend to go down the rabbit hole until I get tired of it. Cybersecurity, on the other hand, is always changing, so it’s always interesting. If you like challenges and you often get bored doing the same thing, you’ll like this because it keeps you on your toes.
On the topic of changing, do you have any suggestions on how an ethical hacker might keep their knowledge up to date? Or professional resources like podcasts that you listen to and use to keep yourself going?
Daniel - I listen to Darknet Diaries because it’s just entertaining. They don’t go deep into technical details on stuff most of the time. They kind of give you the basics of what they’re talking about, but it’s still compelling stuff because it’s all stories. I’ve always said that it’s the context of a situation that makes things sticky to your brain. Like, if we had an accident right now and a light fell and almost hit you in the head, you would remember that moment in fine detail forever. Even though you weren’t trying to memorize the events that occurred. It’s the context that makes that happen. It was built into an event, an experience. So, to me Darknet Diaries telling stories is that kind of thing. It gives you that context, as well as information, so you can marry the two things together and it’s a lot easier to remember. So, I like that. I do listen to some other podcasts. I like anything Red Siege. Black Hills is always good. We talked with John Hammond today, and I always watch his stuff. Those are the ones I frequent the most.
I’m just an odd bird with this stuff, because I am not the kind of person to say, ‘Oh, I’m going to go aggregate all these resources.’ I sit back and think, ‘You know what’s cool? Malware. Malware is cool.’ Obviously, what malware does is not cool, but the fact that you can do these things with software at all is cool. How hard would it be to make something that can also operate like that? Let me try that. Oh, there’s more to this than I thought, because I didn’t think about this factor, and I didn’t think about that factor. And then you’re reading and researching solutions that exist for those problems. So, I kind of bring things together from random sources because I had an idea, not because I heard it on a podcast. Not that it doesn’t happen, because it does sometimes, but that’s typically how I learn new stuff.
What would be the "next steps" up the chain to higher paid positions or jobs that someone might aspire to within an ethical hacker career?
Daniel - There isn’t really another step. In this avenue of cybersecurity, you have engineers, analysts, and management. If you like having your hands on keyboards, being an analyst or an engineer is as far as you’re going. Once you hit management, you don’t usually do the hands-on stuff anymore. As a manager, you’re more a part of running the business, making sure that your engineers and analysts are doing the things they should be doing, and that they have the resources that they need. If you’re a good manager, then you’re being an advocate for your people and keeping the company on top of where they’re going directionally. The manager is more like the visionary. They’re telling the team to implement a new technology or protocol, and the team is doing all the grunt work to get it implemented. If you want to literally move up, you’ll become a manager.
So, if you’re moving up, you’re moving out? If you’re the kind of person who wants to level up in ethical hacking itself, is it more about expanding your knowledge base?
Daniel - Correct. It’s just not likely you’ll move up into that management world and continue to do hacking itself. If you choose to stay in hacking and learn new skills, then you can do things like write cool tools and find zero-days. Learning new things and expanding your toolbelt can help you open opportunities and higher-paying positions with other firms, or maybe on more specialized projects within your current organization. So, if someone is already in the field of ethical hacking and they want to earn more or do more, it’s best that they try to learn more.
Get into cybersecurity with ITPro
Looking to get into cybersecurity? Want to be an ethical hacker on the red team like Daniel Lowrie? ITPro from ACI Learning is your go-to resource for all things cybersecurity. Courses are available now on ethical hacking, pen testing, and countless hours of other cybersecurity topics. Subscribers to ITPro gain access to the entire library of IT training content, as well as all future courses. The newest update to the Certified Ethical Hacking course goes live next month. Subscribe today for your opportunity to finally break into cybersecurity!