Education vs. Experience
There are many paths to entering this profession. Unlike, say medicine, where there is a single proscribed path you must take to enter the profession, the same cannot be said for hacking. Some believe that the only route to the profession is through many years of school and degrees. On the other hand, many simply launch into their skill development at an early age and continue to hone their skills over time.
At this time—the end of 2015—I would say that the vast majority of professionals in this field have taken the latter route. They simply start playing with computer systems, dissecting them, figuring out how they work, and how to break them.
Most have little formal education. For instance, the notorious Edward Snowden of NSA fame did not even graduate from high school, yet held a highly paid position at the CIA, then as a NSA contractor earning about $120,000 year. Firms want practical skills, not gaudy resumes.
Image via The Guardian, via ReutersI am not trying to discourage anyone from going the formal education route (after all, that is the route I took), but it is not the ONLY route. The formal education route can be the safest route to a career in IT, but from my experience, may not be the most direct route to become a professional hacker.
Most college professors and instructors have little or no experience with hacking. They have been trained in how to build systems, not break them. This means that, although they may offer a course in hacking, they don’t have the mindset of a hacker. Their courses are more like trying to learn to build an airplane from someone who has only read about flying a kite.
Image by Dai Sugano/Bay Area News Group
The Hacker Mindset
One of the key traits that sets apart hackers from run-of-the mill IT folks is the “hacker mindset.” This mindset is best described by four attributes:
- Problem solving
- Commitment to freedom
- Helping your fellow hacker
Much has been said already here on Null Byte about helping our fellow hackers, so I won’t repeat it. I will, though, re-emphasize that Null Byte is anewbie-friendly environment for learning hacker skills—and I intend to keep it that way. Mistreatment of those trying to learn will not be tolerated here.
Hackers believe in freedom. That’s why Linux and so many of the hacking tools are open source. This freedom extends beyond the software and includes freedom of the internet, freedom of information, and freedom to exchange.
The hacker mindset is not limited to a single way of doing things. The hacker realizes that there many, many ways to get the same thing done. When a hurdle arises, they find a new way to bypass it. Sometimes this means using our tools in ways they were not intended, and sometimes it means creating our own tools. To use an overused cliché—don’t be boxed in by others’ ways of doing things. Think outside the box!
The hacker must be a problem solver. This skill comes from repeatedly solving problems without asking someone else to solve it for you. Although it may be easier to Google for the solution, or ask someone with more experience, this will bypass the process of learning how to break down problems into manageable units and solve each one analytically.
ALL hackers have this skill. Without it, you will doomed to frustration and mediocrity. It’s okay to ask for help when you are stuck, and our Null Byte community is a great place to ask as there so many knowledgeable and helpful hackers here, but problem-solving is a skill that is only developed and strengthened by practice.
You might be able to ask and get a quick answer here, but if you solve it yourself, you will be strengthening your analytical and problem-solving skills that will not only serve you well as a hacker, but in all endeavors of life.
Going hand in hand with the problem-solving skills is persistence. When faced with a hurdle or problem, the true hacker does not throw up their hands and quit, rather they persist until they create a solution. Sometimes those solutions may takes hours or days or weeks or months, but the hacker doesn’t quit. They are confident that eventually they can crack the problem, and in the meantime, their persistence is yielding new knowledge and strengthening their very valuable problem-solving skills.
The hacker must have some basic skills of the IT field. These would includeLinux basics and networking basics—at a minimum. To be capable of writing your own scripts, you need basic BASH scripting and preferably one of the following scripting languages: Perl, Python, or Ruby.
To delve deeper into exploit development, knowledge of assembler and C is required. If you want to attack databases, SQL knowledge is required. When attacking websites, a whole host of web languages is useful.
In many cases, it’s useful to learn how to build something before you try to hack it. For instance, once you have built a web app, then its easier to understand how to hack them. This isn’t required, but some people find it a better route. There are some hackers who are incapable of building anything as their mindset is one of finding flaws and breaking things.
Image via Son Kook-hee
Hacker Skills Set
The hacker must develop some hacker-specific skills. As mentioned above, they have a knowledge of networking and Linux, but then must build upon that knowledge by becoming conversant in one of the hacker operating systems, such as Kali, and some of the more widely used tools, such as:
- Cain & Abel
- Burp Suite
- Nessus, Nexpose, or OpenVas
- Tamper Data
- A good password cracker, such as John the Ripper or Hashcat, or any number of other password-cracking tools
Although this not an exhaustive list, I believe these to be the most important tools for the aspiring hacker to master.
Choose a Focus
The world of information technology is vast. There are so many technologies and languages and no one can master them all. If you try, you will likely be stuck in a superficial understanding of all of them without the deep enough knowledge to master any. The same applies to hacking. Choose an area to focus your efforts in and master it. Once you have mastered that one, then look to master another. No one masters them all—and definitely not at the same time.
Attempts to master all of the IT skills, and thereby hacking skills, will only lead to frustration and mediocrity.
The IT industry, in general, and the hacking industry, in particular, like to see certifications. The reason for this is that certifications tend to be skill-specific, while degrees tend to be broad and theoretical. For someone trying to enter this field, the certifications are a surefire way to impress a prospective employer.
As a starting point, I suggest the CompTIA certifications such Security+, Network+, and A+. These vendor-neutral certifications will provide you the fundamental skill sets necessary to advance to the next level.
Then I would suggest a hacking certification. The Certified Ethical Hacker (CEH) is the grand daddy of ethical hacking certifications, but it is not held in high regard in the industry. That is why we will be offering our own certifications (CWA, CWE, and CWP) beginning in January 2016.
For those with advanced skills, there is the GIAC Penetration Tester (GPEN) certification and the Offensive Security Certified Professional (OSCP) certification. Both are well regarded in the industry, and they require hands-on skills to pass, unlike the CEH.
The growth of the IT security field and hacking have made this a prime time to study hacking. This growth and the concomitant demand for hackers will likely continue for many years into the future, making this career path a bright one for those with the aptitude and work ethic to study hacking.