How to be an Ethical Hacker in the U.K.

December 14, 2015 | Views: 11205

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

If, like me, you live in the United Kingdom and you’re working towards your penetration testing certifications and want to know what route to take, then look no further. This short, yet detailed, article will help send you on your way.

I’m going to start by presuming that you have no experience in the field at all. This way, I can take you from the beginning. If you do have some experience, then feel free to scroll down and start somewhere in the middle.

Cyber security and penetration testing in the UK is similar to that of the US. You need qualifications and lots of hard work to get into it. Many companies in this sector will ask for Computer Science degrees or equivalent in Maths, or even Psychology (which comes in handy for cryptography). But, if you can work toward your certifications, then these are barriers that can be overcome. Experience wins over education, right? Right.

So let’s start this with the fact that you don’t have a Computer Science degree (not all of us can afford to go to University in the UK. Not only is it extremely expensive, but we don’t want to be paying student loans off until we’re fifty.)

 

Basic Certifications & Advice

Certifications are going to be your main way into the industry. Your first port of call (if you’ve had no experience) should be the CompTIA A+ course. This will give you a basic understanding of software and hardware in computers, along with a little networking. Then you can move on to the CompTIA Network+ course. These courses give the foundations needed to understand how computers and networks communicate, how they are put together, and how to set them up for efficiency.

These are long courses, but they get you where you want to go. Don’t give up on them, stick it out. It’s worth it.

It’s also a good idea to familiarise yourself with different versions of Linux. Although you can make your own distros, it is more beneficial to become fluent in one of the more widely used versions such as BlackArch or Kali Linux.

 

Moving in the Right Direction

You’ve completed these certifications, want to move on and get going with penetration testing? Slow down. Most companies these days require more than just jumping in and hacking computer systems and networks. You want to be an ethical hacker, which means you have to earn the certifications that let companies know that you can work ethically.

Management certifications can help towards this such as CompTIA Security+. This course gives you the fundamentals of running the security of a network and preparing the systems for attack. While this course relies on theory more than practical teaching, the knowledge from it alone is worth its weight in the industry.

 

Are You Speaking my Language?

Let’s set something straight: you’re going to need to learn a language. Not a spoken language. If you spoke like this, people will more than likely shun you. If you currently speak like this, seek help.

The languages I’m talking about are programming and scripting languages. If you want to be a penetration tester/ethical hacker then you need to be versed in a couple. The languages I’d recommend are:

  • Python
  • SQL
  • PHP
  • JavaScript
  • Ruby

Let’s look at these a little closer.

Python is a high level scripting language that’s useful for anything when it comes to ethical hacking. Why? Because it’s easy to learn, fast to type and simple to start. Python should be your priority when it comes to learning a scripting language. All those tasks that you would have to repeat over and over again can be automated with a simple Python script. Need to scan through an entire list of IP’s, but don’t have time to do them one by one? Setup a Python script and worry no more.

SQL stands for Structured Query Language and is a language that communicates with SQL databases. This language is needed to extracting data from vulnerable servers that store things in databases. You’d be surprised how many hacks have been carried out using a simple SQL injection, and many websites out there are still vulnerable to it.

PHP is a server-side scripting language and can be used in conjunction with SQL for web servers mainly. PHP has had some issues in the past with bad coding. Everyone makes mistakes, and PHP accounted for 9% of all vulnerabilities on the internet at one point. One of these was simply not turning off PHP execution in directories that users could upload to. It’s a useful tool, but it doesn’t have to be essential.

JavaScript is a high level programming language used for pretty much everything on the internet. It can be integrated for server-side networking, widgets, web applications, etc. It’s a backbone of the web, but also massively vulnerable if not correctly implemented. JavaScript is prone to XSS (Cross-site Scripting), CSRF (Cross-site Request Forgery), Buffer Overflows, Drive-by downloads and the list goes on and on. Learn what you can. It’s handy tool in your arsenal.

Ruby is another scripting language, just as powerful as Python. Learning one or the other is fine, you don’t have to do both. Some say Ruby is easier to learn than Python, some say it’s the other way around. Metasploit was written in Ruby, so that shows you how capable it is. I’d say try both and see which one suits you better.

 

Practical Learning – (Start here if you have some knowledge already)

This is it. You have basic/intermediate knowledge of networks and computers. You’re itching to learn how to use the systems to penetration test. Private companies and the UK government will be looking for these qualifications:

  • Certified Ethical Hacker (CEHv8/v9) accredited by the EC-Council
  • CREST Registered Penetration Tester (RPT) accredited by CREST
  • Offensive Security Certified Professional (OSCP) accredited by Offensive Security

The difference between these three? Let’s go through them.

Certified Ethical Hacker v8 is a basic course that gives you all the tools to be an ethical hacker or penetration tester. Version 8 unfortunately isn’t the latest version. v9 came out recently and adds several features to the course which make it more interesting, but that shouldn’t stop you from pursuing it. The thing that might stop you is the course requirements. EC-Council stated in their FAQs:

EC-Council fulfills its social responsibility by ensuring that only persons with a minimum of two years of security related experience are eligible for the course.

This puts a hold on you actually taking the course, unless you’ve been working in that sector for some time.

CREST Registered Penetration Tester is the “pinnacle” of certifications in the UK for those who want to be a penetration tester, though they don’t actually teach any courses. Instead, you’re encouraged to do the outside learning by yourself at one of their accredited course partners such as 7SAFE (another company who can offer you the courses).

The bonus for the RPT is that it gets you CHECK status once you have passed the exam, which also allows you onto the CESG register for working with UK government networks that may hold confidential documents. If you gain this accreditation then you could, theoretically, end up working for GCHQ.

The exam is multiple choice with some practical and the accreditation is useful for working with top Pen Testing companies within the UK. The CREST Practitioner examinations are the entry level exams and are aimed at individuals with around 2,500 hours relevant and frequent experience.

The CREST Registered Tester examinations are the next step and by passing this you are demonstrating your commitment as an information security tester. Typically, candidates wishing to sit a Registered Tester examination should have at least 6,000 hours (three years or more) relevant and frequent experience.

Offensive Security Certified Professional, in my opinion, is the best option for those wanting to learn about ethical hacking, the methods, and the procedures followed. What’s involved is the one of the most comprehensive exams that you’ll encounter, including a network that you have to compromise in order to pass.

The course giving you the tools and concepts to pass the exam is called Penetrating with Kali or PWK. It works through every step, including how to properly document your work and encourages you to do this as you carry out your tests. But, it also makes you look outwards to further your understanding. You’ll be required to look elsewhere for the answers as to how to crack certain systems and gain entry.

The bonus for passing the OSCP is the automatic CREST RPT accreditation. That’s right, for passing the OSCP you are put on the register for it as Offensive Security and CREST have recently partnered making the OSCP the equivalent to the RPT in the UK.

The only caveat is that it doesn’t get you onto the CESG list to work with confidential information. In order to do this, you have to pass the CREST exam as well, which means more exam fees. Although the OSCP is held in high regard even in the UK with several jobs citing they would take someone on who had the minimum CEHv8, preferred requirements would be the OSCP.

 

Conclusion

Learn! It’s not an easy road and requires a lot of discipline, but you might find it to be one of the most rewarding career choices you’ve ever made. Even if you don’t fully pursue it, the skills you learn on the way will more than give you what you need for a job in most I.T. sectors. The world will open up for you in this sense and so will your job opportunities.

Just remember, if you get stuck, ask smart questions. And if you don’t succeed TRY HARDER!

Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Ready to share your knowledge and expertise?
50 Comments
  1. Thanks bro, the article was very helpful.I have done Masters in ‘CS and Infosec’ ,can i start with CEH to get into the Infosec field;or just move slowly by working as sysadmin,network admin etc. (Experience always matters)

  2. Excellent article and read! I myself am studying Ethical Hacking and Network Security at university and this has given me more insight to what I should be aiming towards and eventually achieving. 🙂

  3. Let me make something very clear here. These courses and this route to learning to be a penetration tester shouldn’t be taken lightly. These courses will take you to your limit, especially the Penetrating with Kali course by Offensive Security.

    You NEED computer experience to do these courses. If you don’t have the basics down, go and do them. Being in Cybersecurity is NOT EASY. I know, I WROTE THE ARTICLE. No-one is implying this will simply take months and all of a sudden you’re a PenTester with elite hacking skills. This is a constant learning process, a day-in day-out job that forces you to constantly broaden your horizons and look at the multiple goings on within the industry. But guess what? If you don’t know how to read headers, PWK will teach you that. If you don’t know how to setup Network Time Protocols (NTP) or Simple Network Time Protocols (SNTP) then GOOGLE IT. You WILL have to RESEARCH with this career! Up to 60% of a common developers time is spent researching, yours will be the same if not more.

    You WILL have days that you don’t want to do it. You WILL have moments of doubt. But keep learning and you WILL succeed.

  4. What is the point you pass all the exams like A+ N+ S+ and then you go for your CEHv8. You need to know you stuff when it comes to hacking. Do you know how to setup basic NTP, SMTP etc. Do you know how to properly troubleshoot SMTP? Do you know how to read the internet headers, trace email etc. It takes years, not months!!!!!!!!

    A hacker is an expert in computers, operating systems, etc. programming,….

    What is the point you have the certs and you can’t do jack …s…t.!

    • These things do take time. For people who work in the industry currently, most of these things will already be known. For other people, they will have to learn as they go. I’d hope with all the theory that they’re learning they would put it to practical use. What do you think these courses will teach you? Do you think the Penetrating With Kali course is too simple?

Page 7 of 7« First...«34567
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel