The word “hacking” is generally associated with the criminal act of accessing computer systems or networks with the aim of stealing private data, disrupting a service, or extorting money from an individual or organization. To the layperson, the world occupied by the hacker is a dark, frightening, and confusing place rife with criminality, corporate espionage, and even state-sponsored cyberattacks from rogue nations.
So, bearing in mind that hacking is generally considered a bad thing, what exactly is ethical hacking and is ethical hacking a good career choice for someone interested in cybersecurity?
Professor Alan Watkins, who teaches cybersecurity classes at National University, isn’t very comfortable with the term “ethical hacking.”
“I have a law enforcement background, so hacking in my world is always bad,” says Watkins. “I prefer the term ‘penetration testing’ — but the cybersecurity industry widely uses the term ‘ethical hacking’ to describe a function of IT security based on the perspective of the bad guys.”
Watkins explains that ethical hackers defend corporate and government computer systems and networks by learning to think like “the bad guys,” adopting many of the same tools and techniques that criminal hackers use to launch their attacks.
“I’m sure there is some quote from some military books about knowing your enemy and if you know your enemy’s tactics, then, of course, you can defend against them,” says Watkins. “This is what we attempt to do in our roles as ethical hackers within the cybersecurity industry.”
The Criminals Are Always One Step Ahead
The bad news for IT security teams is the criminal elements involved in hacking are nearly always one step ahead of the good guys.
“It’s always catch-up as far as I’m concerned,” says Watkins. “There may be some instances where the security folks have a leg-up because maybe they have implemented something new, but the hackers spend a lot of their time finding their way through security devices and systems.”
The odds seem to be on the side of the bad guys. “The saying on the cybersecurity side is the hackers only have to be successful once in getting in,” says Watkins. “The security folks have to be successful all the time to prevent something from getting in.”
What Makes a Good (Bad) Hacker?
According to Watkins, a good (bad) hacker must be open-minded, be able to think out of the box, and be really systems oriented.
“A lot of the tools, even from the criminal side of things, get down into the code and across the data-packet levels of computer technology,” says Watkins. “You need to know what you can do with data packets, and a lot of the tools, I’m going to call them root-level tools, are operated by text-based command lines which can be challenging.”
Watkins says that, for the most part, this is very different from using a graphical application, and that it helps to have the kind of mentality that can work with these things.
“From a strategy standpoint, a good hacker is one that can think ahead of security measures and find ways to bypass something,” Watkins says.
This doesn’t mean all hackers conform to the Hollywood stereotype of computer geniuses, holed up in secret lairs, and hell-bent on wreaking havoc with a couple of deft taps on a keyboard and the click of a mouse.
“I’m sure there are a couple of people in the world that can have that level of genius, but most hackers today tend to fall into two categories,” says Watkins.
The first category is the “true hacker.”
“If you are a true hacker, like a developer/programmer type of hacker, it can take days, weeks, or months to maybe develop a good attack scenario or piece of malicious software. The true hacker can be just as motivated by the opportunity to prove their hacking abilities as they are by their criminal intent.”
While the threat these technically competent hackers present is significant, the scale of the hacking problem is dramatically increased by the second category of hackers who have emerged onto the scene much more recently. These “criminal hackers” lack the technical skills of the true hacker but can easily source readily available hacking tools and malicious software scripts on the dark web.
“The really bad part of the criminal side is you can go on the dark web and buy, rent, or lease malware,” says Watkins. “You can lease a botnet to make a denial of service attack or send phishing email campaigns. So you don’t have to have any skills anymore — you just have to have some money to purchase the tools that do the bad stuff.”
Watkins explains this access has increased the potential for different types of criminal characters to get involved in hacking. No longer must you possess any real knowledge of what to do and how to do it; you simply need to follow the instructions of the package you have acquired.
“Here’s how you make a phishing attack. Here’s how you make a denial of service attack. Here’s how to make a SQL database attack,” Watkins explains, adding that this “ease” has completely changed the landscape.
“It has certainly increased the number and types of cybercriminals out there,” he says. “We are not just fighting the hardcore ones who did it because they could, now people are doing it because they have the opportunity.”
A Multi-Billion Dollar Industry
Criminals are of course attracted to hacking because it presents a multi-billion dollar opportunity to illicitly make money from the anonymity — and therefore relative safety — of a computer screen anywhere in the world.
Despite being conducted in the virtual environment, hacking is not a victimless crime, and it can have a devastating impact on anyone directly or indirectly involved. In recent years, cyberattacks have targeted the personal data held by major e-commerce sites and banking institutions, brought entire government infrastructures to a standstill, and even raised concerns about the security of medical devices such as pacemakers.
Even today, with the threat of hacking being widely recognized, the real cost of hacking to the economy is not accurately understood. US government figures released in 2018 estimated the total cost of cybercrime to the US economy in 2016 was anywhere between $57 billion and $109 billion. The reason for such ambiguity is that many of the victims of cybercrime either don’t admit to being attacked or are blissfully unaware that they have been targeted.
Ignorance Is No Line of Defense
Watkins says when it comes to cybersecurity, some organizations, unfortunately, aren’t as worried about the possibility of attacks as they should be.
Part of the issue may be that company decision-makers aren’t as versed in cybersecurity as their IT teams or other in-house experts, and therefore aren’t aware of the potential vulnerability. This means it’s important for those on the IT team, no matter what their role, to talk with the “non-technical” folks about cybersecurity and educate them on hacking threats.
“In a lot of cases, you need to be able to communicate up to non-technical managers, and so there is a lot of interaction,” Watkins says, adding this educational approach isn’t just for internal use; it should also be used when working with clients as an outside cybersecurity professional. “When you go and talk to businesses you need to translate techno-speak and cyber realities into a business reality to them. The best way to do that is to identify what kind of business risk poor cybersecurity poses to their business,” he says.
The consequences of not having effective cybersecurity in place can be catastrophic. According to Watkins, around 60 percent of small businesses that experience a cyberbreach go out of business within a year of the attack. Once a business understands this, the cybersecurity professional can then work on the details of the specific environment: what they are using, how much they use locally versus in cloud services, what kind of data they have, and what other assets (trade secrets, etc.) they have.
A Legal Obligation to Protect Data
Aside from the threat of criminal activities, companies may also have a legal obligation to protect their systems and the data they hold. Alongside the direct financial impact a cyberattack might have on an organization from the loss of client trust or the leaking of sensitive commercial materials, there is also the risk of hefty fines for failing to ensure the safety of such data or failing to disclose a breach within a specific period of time.
Highlighting the potential costs of legal action following data breaches, Uber, the ride-sharing app company, recently agreed to pay $148 million following a data breach and subsequent cover-up in 2016 where hackers gained access to the personal information of 57 million riders and drivers. Adding insult to injury, it was revealed that Uber paid the hackers $100,000 to delete the data and keep the breach a secret.
Keeping on the right side of the law is just as important as keeping your systems and networks safe from attack by criminal hackers. These two indisputable facts explain why job openings in cybersecurity continue to outpace applicants.
Job Opportunities in Cybersecurity
According to Watkins, the gap between the number of open positions and the available cybersecurity workforce keeps growing, and by 2020, estimates suggest there is going to be a surplus of somewhere around 2.5 million vacant positions waiting to be filled.
Common career paths for people in possession of a bachelor of science in cybersecurity include penetration tester, IT security engineer, and information security analyst.
According to Bureau of Labor Statistics figures, the median wage for an information security analyst nationally is $95,510 per year. In California, this increases to $108,090. The job outlook in this sector is also incredibly healthy with an estimated 28 percent growth rate between 2016 and 2026, compared to an average growth rate across all occupations of just seven percent.
Teaching Students to Hack
Despite the rapidly evolving nature of cybercriminal activities, ethical hackers have a number of tools available at their disposal to create a solid line of defense. In many cases, they will be able to test security systems using the very same tools and software employed by cybercriminals.
According to Watkins, the opportunity to spend significant lab time working with legitimate hacking tools makes the bachelor’s in cybersecurity online program at National University stand apart from similar online degrees.
The online degree also encourages students to focus on some of the more concrete rules of computer science, giving them a very real edge over less competent opportunist attackers.
“Some of the basics about computer systems, the way data packets are formed and transmitted don’t change,” says Watkins. “It’s the application and usage of new techniques that change, so we definitely teach the basics. How should a data packet normally look and how can you modify it so that it does something that it’s not supposed to do.”
The Ethics of Ethical Hacking
With great power comes great responsibility, and when a student is granted the knowledge and given the tools to hack computer systems and potentially do harm, they need to understand how to act ethically.
“An ethical hacker is someone who gets hired by a company to come in and perform penetration and vulnerability testing for the benefit of the company to increase its security, as opposed to the criminal, non-ethical hacker who is going in for financial gain or to do damage to the company,” says Watkins. “It’s a personality character trait that they are ethical, that they are honest, and that they’ve got high integrity.”
Watkins adds that it’s possible some criminal hackers have received certification, but are using it for the wrong reasons.
“So we try and instill in the students that it really is up to the individual to remain ethical and to follow the code of ethics that their employers have for cybersecurity,” he says.
What Does a Typical Cybersecurity Student Look Like?
Due to the technical nature of the cybersecurity program at National University, Watkins suggests that students come armed with some outside training or education in the IT field.
“They need to have a basic understanding of operating systems, of networks, of how data flows across computer systems — that sort of basic understanding of technology before getting into cybersecurity,” says Watkins. “If you don’t understand that underlying technology information, it’s going to be really hard to understand the cyber side because now you are talking about how to misuse things that shouldn’t be there.”
Watkins estimates that upwards of 50 percent of students enrolled in the bachelor’s in cybersecurity online program come from a military background.
For those currently serving and planning on staying in a military career, a degree in cybersecurity can help with potential officer advancement opportunities or help them move into assignments in cyber command.
Other servicemembers are attracted to the program due to the increasing job opportunities in the field and the availability of GI Bill benefits that can help them pay for their education.
While there may be a number of transferable skills between military and civilian cybersecurity roles, Watkins jokes that his military students couldn’t possibly divulge such information to fellow students and faculty members “on the basis of national security.”
The Growing Role of Women in Cybersecurity
Watkins is also pleased to see an increasing number of female students studying cybersecurity in what has been traditionally a male-dominated role.
“The last class that I finished a week ago was probably 40 percent women — which is probably the highest I’ve ever seen it,” says Watkins. “There’s a calling for more women in the field — everything in the workforce has been male-dominated, but this is definitely an industry where the field can be level for all genders, and I’m encouraged to see the change in the landscape.”
What Makes National University a Great Place to Study?
Watkins believes the accessibility of available programs and the opportunity for students to engage with “hands-on” lab work make National University’s programs stand out from other universities.
“I think the whole opportunity to do a combination of classes in classroom, online, a hybrid of both, or strictly online is a fantastic opportunity,” says Watkins.
“Having online classes is becoming the norm for universities across the country and world anyway, but I think one of the distinguishing characteristics of National has been, and still is, the amount of hands-on lab work that we do in almost all of the classes. It gives the students the opportunity to test out and learn the skills with the tools.”
As a pioneer and innovator in delivering online degrees, National University is constantly looking at new ways of delivering its online degree programs.
“We are shifting away from instructor-led courses to asynchronistic, student self-paced courses. These are still managed by an instructor, but there are not the weekly online meetings that you have to attend,” says Watkins. “So that opportunity is especially good for students who are highly motivated and already skilled because they might get through the course in three-and-a-half weeks instead of four weeks or whatever the case might be.”
Watkins describes this approach as the “fourth mode of teaching.”
“You have the classroom, you have the hybrid with the classroom and online, you have the fully online instructor-led, and now you have the asynchronistic self-paced courses,” says Watkins.
This frees up students’ time to concentrate on their studies and various projects while allowing the instructor to research, plan, and optimize programs.
“The instructor will still hold sessions, but they will be more for Q&A, helping students with projects, and maybe demonstrating some new tools,” says Watkins.
Launch Your Career in Cybersecurity
A bachelor of science in cybersecurity from National University, offered both online and on campus, can help launch your career as an ethical hacker in the burgeoning cybersecurity industry. To learn more or to speak with one of our advisors, please visit the Bachelor of Science in Cybersecurity program page.