“Ethical hacker” sounds like an oxymoron, but the role of these “white hat” security experts is crucial to keeping computer systems safe..
These elite professionals are hired to attempt to break into a system to discover vulnerabilities and propose solutions before malicious hackers exploit the weakness to the detriment of the organization. The EC-Council describes an ethical hacker as “an individual… who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a malicious hacker.”
In large organizations, penetration testing, another term often used — some claim wrongly — for ethical hacking, is done regularly. The idea is to stay one step ahead of “black hat” hackers who are constantly attempting to break into networks and systems. Whether they do it for the sense of adventure – so-called “gray hat” hackers – or to steal or destroy data or hold it hostage in exchange for ransom, these hackers are committing a crime.
Catching them is not easy. Many intrusions come from overseas; some are state-sponsored. Even when they are domestic, hackers are usually skilled enough to cover their tracks well enough to go unapprehended. The best may even go undetected until the damage is done.
That’s why the work of ethical hackers is so important, prevention being the best cure.
Increasingly, organizations are hiring or contracting security professionals with one of the two most common certifications in penetration testing. Both require candidates to take an extensive exam.
CompTIA, the computer trade organization, offers a nearly three-hour long test with up to 85 questions. The CompTIA PenTest+ is a combination of multiple choice and performance questions based around simulations.
The Certified Ethical Hacker test of the EC-Council is 4 hours long and all multiple-choice. Unlike the CompTIA test, the certifying organization, EC-Council, requires candidates to first take the organization’s training program or provide proof of two years of work experience in information security.
Both organizations require holders to earn continuing education credits over a three-year period in order to retain their certification.
The two organizations compete fiercely for candidates, with each claiming their certification is better and more thorough.
EC-Council even argues that penetration testing is not the same as ethical hacking, arguing that “in many organizations ethical hackers are not even involved in penetration testing teams or processes.”
Which is best? As with most certifications in IT, both sides have their proponents. For a relatively even-handed approach, here’s a link to a Medium article discussing both. Spoiler alert: It gives the nod to the CEH certification largely because it’s been around longer and is accepted as a DoD 8570 Baseline Certification.
From an employer’s perspective, both certifications mean the candidate has been tested by a credible outside organization and found to be capable of providing that dose of prevention so critical to today’s cybersecurity.