
White hat hackers: A cyber career in Social Engineering

  • Publish Date: Posted 5 months ago
  • Author: Zara Winstanley
Social engineering and hacking alone often connote criminal activity: identity theft, fraud, network intrusion, and the exploitation of personal information. The term has become synonymous with ‘cyber-criminal’, when in reality social engineering can be a paid profession, in which people help improve and test a company’s cybersecurity and are constantly looking for new ways to prevent things such as online manipulation and fraud from occurring.

What is Ethical Hacking?

Ethical hacking is also known by other terms, such as social engineering, penetration testing or, more broadly, cybersecurity. All of these can lead to a career in which you are paid for, essentially, breaking into computers and their systems legally!

Being paid to hack sounds fun, but where is the fine line between an illegal hacker and a certified ethical hacker? There are three kinds: the ethical ‘white hat hackers’, the illegal ‘black hat hackers’ and the morally questionable ‘grey hat hackers’.

White hat hackers perform preventative penetration testing for ethical reasons, to help improve systems. They disclose all vulnerabilities and exploits they find when legally permitted. Some are former black hat hackers, such as Kevin Mitnick, who was famously convicted for various hacking-related crimes before becoming a computer security consultant. Opposing them are the black hat hackers, who are dangerous and malicious, intent on stealing or committing fraud for their own gain. The middle ground between these two is the grey hat hacker, who may penetrate systems with good intentions but without permission, or may even break into a system to find a fix and then request a small fee for their services.

The idea of a white or black hat hacker may make you think of cowboys and saloons in the early 1900s, and you would be quite right. The term was indeed coined from traditional cowboy films, where the villain would don a black hat and the classic hero a white one.

The importance of Social Engineering as a profession

Social engineering as an industry is in a constant state of growth and development; attackers are always looking for new and more sophisticated forms of infiltration. The ability to adapt, grow and change is paramount, along with a willingness to try new things and an understanding that the role will constantly move and adapt alongside ever-changing threats. Despite the progress in security over the past 10 years, companies are still being hacked just as much. The industry must constantly adapt and change because, as soon as a breakthrough is made, attackers will move on to something else and find more innovative forms of attack; cybersecurity faces new challenges every day!

Yahoo, a global internet and web service provider, announced in 2017 that over the course of 2013 – 2014 it had been the victim of potentially the biggest data breach in history, compromising 3 billion user accounts. Due to the sophistication and clinical methods of the hackers, the full extent of the breach wasn’t known prior to 2017, and it was originally believed that only 26 users’ information had been compromised. An attack on this scale all began with a spear-phishing email sent to Yahoo employees in 2013. One simple click on the link in that email was all it took for the attackers to home in on Yahoo’s database and account management tools. It took 4 years and an FBI investigation to understand the sheer size of the infiltration of Yahoo’s systems, highlighting just how important it is for professional ethical hackers to understand the mind of a malicious scammer and to know a company’s system weaknesses.

Social media powerhouses such as Facebook, LinkedIn and Twitter are usually at the forefront of these malicious attacks. Not only will hackers use their traditional methods and skills to try to break through systems for data and passwords, but they will also use the personal information people voluntarily put on social media. Details such as place of work, job role, name and email address can therefore be easily accessed online.

An example of this occurred in March 2019, when criminals used artificial intelligence as part of a social engineering attack on a leading UK energy company. They used software to mimic the voice of a CEO whose details they had found on LinkedIn, which resulted in $243,000 being transferred to a bank account that turned out to belong to a scammer.

Therefore, we must constantly look for the best ways to counter social engineering attacks, and this is why ethical hackers are in high demand and valued as a profession.

How can we use social engineering in the best possible way by employing ethics?

Professionals understand the mind of a criminal and adapt as new threats arise; they conduct social engineering with positive intent and impeccable moral and ethical values. Where a criminal hacker seeks to exploit human trust and error, professionals seek to assist and protect people and organisations alike, pinpointing their weaknesses and where their highest exposure to risk and threat might be. In the long term this can shape everything from day-to-day practices to business models.

The idea of tactical ethical hacking came about through Dan Farmer, an American computer security researcher and programmer who was a pioneer in the development of vulnerability scanners, and Wietse Venema, a Dutch IBM researcher and computer security specialist. Together they developed SATAN (Security Administration Tool for Analysing Networks), a network security scanner, in 1995, which detailed how to break into computers along with various defences you could use to protect yourself.

As threats continue to grow and develop with new technologies, social engineering as a profession is becoming an integral part of information security. It is the perfect role for those who want to actively contribute to protecting security controls that oversee the processes, operations, and transactions of any organisation.

Jenny Radcliffe, an expert in social engineering, non-verbal communication, and deception, helps global corporations and security companies by showing them how they are a target and where their weak points create a risk of exposure. She explains that she began her career in social engineering as a physical penetration tester: ‘I’m not a bad person, but I do know how criminals think’. Jenny uses her experience and instincts to find holes in security and thus help reinforce defences against future threats. She has delivered talks and training all over the world, educating people about people hacking and the negatives and positives of social engineering.

Former black-hat hacker Marc Maiffret, co-founder and CTO of eEye Digital Security, is known for exposing weaknesses in Microsoft products. After a close brush with the FBI, he turned his life around and started eEye with a friend when he was only 17 years old. Their aim? To create a security product that would scan computers and break in just as hackers would, and then show how to fix the weaknesses it found. They did just that: the product is now known as Retina, which to this day is a mandated standard part of the US Department of Defense and is used by militaries all around the world. Now a huge advocate of the product, Maiffret recognises that the company has raised the bar and that there has been a shift in the landscape of its software development that others are yet to catch up with.

So, how do you learn the art of ethical human hacking and become a Social Engineer?

People such as Maiffret entered the cybersecurity industry in the early 2000s with a less formal approach to education. Let’s take a look at what employers today are considering when building a team of ethical hackers to protect their systems.

Of course, as with many careers, it is logical to think that further education and additional qualifications can help. There are various courses you can take to help you progress towards a career in social engineering: Offensive Security’s certifications (OSCP / OSCE), Certified Information Systems Security Professional (CISSP) and the Advanced Practical Social Engineering course. The Certified Ethical Hacker (C|EH) is a credential provided by EC-Council and is a respected and trusted ethical hacking program.

These are just a few of the certifications that can give you grounding in the theory behind the industry; however, both technical and interpersonal skills are critical.

The ability to think critically, together with a great understanding of how humans think and interact, goes a long way, as does a desire to learn and a wish to help. Given the nature of the role, a candidate needs to be able to communicate clearly, concisely and professionally. All this, combined with learning from failure and thinking outside the box, will get you on your way to entering the exciting and rewarding career path of social engineering.

Despite the constant growth in cybersecurity, experts report that there will be an estimated 3.5 million unfilled cybersecurity-related roles globally in 2021, according to the New York Times. This is because there is a lack of qualified and skilled cyber professionals to meet the growing demand.

The limited supply of cybersecurity professionals, combined with high demand for well-seasoned engineers who can detect and neutralise threats, has led to outstanding job opportunities and a better career outlook for the industry.

What salary can an ethical hacker expect to earn and where can they look forward to working?

The salary banding differs depending upon the level of skill and experience and what the candidate has to offer. In general, the salary for a social engineer ranges from £30,000 to £50,000 for those starting out, all the way up to £90,000 and over for the more senior social engineers. These competitive rates are only likely to continue to rise given the high demand and the nature of the roles.

There are various places an ethical hacker can be employed to protect networks and computers from attacks. Big brand names like IBM, Visa, Sky, KPMG, Vodafone, Asda and McAfee all employ penetration testers to perform authorised tests on their systems to expose weaknesses. As you would expect, so do aerospace and defence companies: BAE Systems and the Airport group are among those who employ ethical hackers as an important part of their team.

You could even find yourself working for the Government: both the Justice and digital technology department and the national grid are in search of penetration testers to help keep their security in check. These are just a few examples; the list is endless, and across all sectors the role of a social engineer is paramount. In today’s climate, the sudden shift to flexible working also means that a lot of these roles can be performed and consulted on from the comfort of your own home.

So whether you want to join the government, represent a company and its brand, or contract your skills and services out to help various sectors at once, there are many opportunities for the taking when you join such a diverse, exciting and ever-growing industry, providing all the more reason to become a professional ethical hacker and join the world of social engineering.

Morson is one of the UK’s largest suppliers of tech roles. Search all of our technology roles by clicking here and begin the next chapter of your career today.