When I was about 10 years old, I read a book about Kevin Mitnick, Pengo and Robert Morris. While their exploits seemed very interesting, each story ended in jail time or at the very least, derailment of career goals. My unsophisticated Internet searching circa the early 2000s led me to the same conclusion. Hacking was a neat skill to have but the price was too high.
It was many years later when I discovered ethical hacking through my participation in the collegiate cyber defense competition, and I began a career as a penetration tester, security researcher and trainer. Though it all turned out the way it should in the end, I am often left thinking how much more I would have accomplished with all those extra years to focus on ethical hacking, and what contributions I could have made towards the state of security.
Some might say, if I had wanted it bad enough I would have found a way. These are the same sort of people who complain about “n00bs” asking to be spoon-fed how to hack. Real hackers as the saying goes figure it out for themselves. They scoff at the availability of books, tutorials, YouTube videos, you name it that are available for someone who wants to learn hacking skills and lament hacker culture becoming mainstream. To them, I am nothing but part of the problem but in my mind, the availability of infosec training is an amazing opportunity I wish I had had sooner, and I am proud to be helping more people gain skills in ethical hacking.
The job market for this skillset is rapidly growing; having these skills could changes someone’s life. I know many hackers who were struggling to make ends meet before learning information security skills and are now driving new cars and paying off their mortgages. I regularly get emails from people all over the world thanking me for helping them learn hacking. No matter how many times someone tells me I changed his/her life, it never gets old. By making technical and yet beginner-friendly content affordable and accessible via the Internet, anyone regardless of their location and financial status can learn hacking.
The only concern I have with hacking tutorials online concerns ethics. Sites, such as Cybrary.it, stress that hacking should only be performed ethically but not all hacking tutorials you will find online cover this important distinction. There are specific free training tools, such as OWASP’s Webgoat, that give you a platform to learn hacking skills against a target without violating any laws. You should always learn on assets you own or have expressed permission to run the specific tests against.
Many companies have bug bounty programs allowing ethical hackers to test their sites and applications for vulnerabilities for a monetary reward. Top bug hunters are able to support themselves well just from security testing. Other companies hire penetration testers to test their assets for vulnerabilities by simulating a malicious attack. Either way, vulnerabilities are discovered by ethical hackers, so the company can fix them before they are taken advantage of by malicious attackers.
Without proper discussion of hacking ethics, some students of free online tutorials may become malicious attackers themselves, attacking sites they do not have permission to test. In many jurisdictions this is a crime. Not only can you go to jail or be fined, but it can be very harmful to a future infosec career. It makes good cinema to see the safe cracker who stole millions before he was caught working for the safe companies after his release, but this is not the norm.
While there are cases of reformed blackhat hackers landing prestigious information security jobs, many top security firms will not consider a candidate with a criminal record for malicious hacking. It is important that people interested in hacking know this going in, and learn how to develop their skills in an ethical way. They might not get this just by clicking on the first “how to hack” tutorial they find.
On the whole, freely available hacking tutorials are a great resource that makes the exciting world of information security available to anyone who has the drive to learn. That said, anyone can put up a hacking tutorial and make it available, and not everyone may have the candidate’s best interests at heart, leading viewers down the dangerous path of malicious hacking. There are, however, excellent resources that focus on ethical hacking and provide hands-on skills in a controlled environment.
I only wish they had come along sooner.
About the Author: Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has provided training at conferences such as Blackhat USA, Brucon, and Security Zone to excellent reviews. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development.
She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She was selected as a Mach37 cohort to build pro products for mobile penetration testing. She is the author of Penetration Testing: A Hands-on Introduction to Hacking from No Starch Press.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.