A white hat, or white hat hacker, is an ethical hacker. Described as ‘white hat’ because of the legal nature of their profession, ethical hackers identify security issues within systems and networks to aid organisations [source]. Ultimately, white hats hack systems to stress-test a client's existing cybersecurity, so that vulnerabilities can be highlighted and remediated before malicious actors exploit them.
1.0 So What?
In October 2021, the head of the UK National Cyber Security Centre (NCSC), an arm of GCHQ, renewed warnings that ransomware was the most immediate threat to organisations [source]. This type of cyberattack can be incredibly costly and risks the compromise of sensitive data. However, research suggests that most organisations are not adequately prepared to prevent or respond to a ransomware attack [source]. Therefore, in the modern cyber landscape in which most organisations operate, it is more important than ever to ensure malicious actors cannot exploit vulnerabilities.
2.0 What is Ethical Hacking?
Ethical hackers are tasked with attempting to hack existing organisations’ systems to identify security weaknesses that could be exploited. This is incredibly important to most businesses, particularly those which hold personal information or sensitive data, to ensure vulnerabilities are patched prior to being exploited by malicious actors [source].
Ethical hackers use their extensive understanding of networks, computer science and cybersecurity to identify vulnerabilities across an entire organisation. White hats are, in many senses, conducting intelligence across clients’ systems, and the cycle of an ethical hacker is not dissimilar to the traditional intelligence cycle:
- Direction – understanding client requirements.
- Collection – vulnerability assessments, penetration testing, intelligence gathering, scanning, gaining access.
- Processing – making sense of the information gathered, including decryption.
- Analysis – reorganising the data collected to create actionable insights and reporting on vulnerabilities.
- Dissemination – communicating findings back to the client and making recommendations on actions to be taken. The client can then communicate further requirements based on the findings, beginning the cycle again.
3.0 A White Hat’s Toolkit
In order to conduct such intelligence, an ethical hacker will use a number of tools to test an organisation's cybersecurity:
- Penetration testing through multiple programmes, such as:
  - Kali
  - Metasploit
  - Burp Suite
  - Wireshark
  - Network Mapper (Nmap)
  - Netsparker
- Knowledge of computer programming languages, such as:
  - Python
  - PowerShell
  - Golang
  - Bash
- Understanding of database exploitation, through query languages such as SQL
- Soft skills, such as being able to communicate findings to business leaders, and teamworking capabilities
4.0 Becoming a White Hat Hacker
4.1 Career Path
The most common way to enter ethical hacking is a degree in Computer Science, Information Security, or another mathematics or engineering field. However, it has also been reported that a background in military intelligence is invaluable in providing the problem-solving skills that employers search for [source].
4.2 Accreditation
There are several recognised accreditation programmes available to prove ethical hacking abilities. These include the EC-Council Certified Ethical Hacker (CEH) qualification, CREST qualifications, and master's degrees and doctorates in Cyber Security [source].
5.0 Salaries
5.1 The US
The US Bureau of Labor Statistics estimates that demand for Information Security Analysts will increase by 33% between 2020 and 2030 [source]. This suggests a much faster increase in demand for IT security professionals, including ethical hackers, than for other professions, and a job in such demand ultimately commands lucrative salaries.
Salary reporting for white hats varies greatly, as many ethical hacking opportunities are on a temporary, contract basis. However, in the US, the average base salary for a white hat is $79,000 USD, rising to over $150,000 USD for experienced professionals [source].
5.2 The UK
In the UK, starting salaries for Junior Penetration Testers are around £30,000 GBP. Whilst salaries for experienced professionals vary greatly depending on tenure and industry, Senior Ethical Hacking roles generally earn around £70,000 GBP annually [source]. The average salary overall is around £40,000 GBP [source].
6.0 Bug Bounties
‘Bug Bounty Programmes’ are increasingly common. Much like traditional bounties, which offer a reward for information, bug bounties are programmes in which organisations offer rewards for the identification and resolution of vulnerabilities within their software [source]. Large companies such as Apple, Google, and Microsoft run such programmes, encouraging cybersecurity professionals to submit their research.
In addition, governmental organisations have now begun to embrace bug bounties and the world of ethical hacking. For example, the UK Ministry of Defence held its first bug bounty in 2021, asking white hats to identify security vulnerabilities across its entire defence infrastructure networks [source].
These opportunities are becoming more commonplace. Their adoption into national intelligence infrastructure marks a great shift in the general view of ethical hacking – professionals within the field are sought after and valuable to all manner of organisations, rather than seen as malicious.
7.0 Summary
White hats are security professionals in high demand. They draw on a large range of skills and knowledge to conduct intelligence for a client and create actionable insights that strengthen the client's cybersecurity.