You’ve read up on the history of hacking, its motivations, and benefits for you as an IT professional. You’ve watched videos and read technical books on hacking tools and even spent a few hard-earned dollars on some nifty hacking gadgets to learn from on your own personal hack-lab playground. Now what? What can you do with this newfound knowledge?
Well, you can get a certification or two.
Wait, what? A certification for hacking?
Sort of. There are certifications that recognize your knowledge and understanding of hacking vectors, tools, techniques, and methodologies. More importantly, these certifications validate your ability to prevent and mitigate those same vectors, tools, techniques, and methodologies.
These are valuable certifications for anyone wishing to move their career into a security-focused area of IT. As hackers and malware evolve and become more sophisticated, the demand for well-trained, knowledgeable, and certified information security professionals has risen sharply, and organizations around the world are investing heavily in protecting themselves.
Certified Ethical Hacker
The International Council of E-Commerce Consultants, or EC-Council, developed the popular Certified Ethical Hacker (CEH) designation after the 9/11 attack on the World Trade Center. There was growing concern that a similar attack could be carried out on electronic systems, with widespread impact to commerce and financial systems.
Other EC-Council certifications include the Certified Network Defender and the Certified Hacking Forensic Investigator, among others. These certifications vary in the amount of study and experience required.
From the CEH information page, the purpose of this certification is to:
- Establish and govern the minimum standards for credentialing professional information security specialists in ethical hacking measures
- Inform the public that credentialed individuals meet or exceed the minimum standards
- Reinforce ethical hacking as a unique and self-regulating profession
While the term "ethical hacking" may be open to some interpretation, it’s clear from that last bullet that the EC-Council would agree that IT professionals can and should participate in some form of hacking as a learning tool. Ethical hacking, or hacking that won’t land you in prison, is something anyone can do at home to further learn about cybersecurity and risks to their own environments.
“To beat a hacker, you need to think like a hacker.”
Certified Information Systems Security Professional
The International Information Systems Security Certification Consortium, or (ISC)2, was formed in 1989 and offers training and certification in a number of information security topics. Their cornerstone certification is the Certified Information Systems Security Professional, or CISSP. This certification is a bit more daunting to achieve. It requires direct, full-time work experience in two or more of the information security domains outlined in the Common Body of Knowledge (CBK), along with a multiple-choice exam and an endorsement from another (ISC)2 certification holder.
The CBK is described as a “common framework of information security terms and principles,” and it is constantly evolving as new knowledge is added through developments in attack vectors and defensive practices.
The CISSP has three different areas of specialty:
- CISSP-ISSAP – Information Systems Security Architecture Professional
- CISSP-ISSEP – Information Systems Security Engineering Professional
- CISSP-ISSMP – Information Systems Security Management Professional
Each of these is valid for three years and is maintained by earning Continuing Professional Education credits, or CPEs. CPEs can be earned by attending training or online seminars, along with other educational opportunities.
It is one of the most sought-after security certifications and many IT professionals surveyed year after year report the CISSP as having a fairly significant salary advantage as well.
Cisco Cyber Ops and Security
Cisco is easily one of the most recognized and well-known vendors offering certifications in various networking topics. Their Security track, consisting of the Cisco Certified Network Associate, Cisco Certified Network Professional, and Cisco Certified Internetwork Expert levels, is a tiered program that covers a wide variety of practical topics for someone responsible for hardening and protecting their infrastructure from cyber threats.
To begin with the Associate level certification, you must first demonstrate a fundamental understanding of networks and basic routing and switching by completing the Cisco Certified Entry Networking Technician (CCENT) or the CCNA-Routing & Switching. After this, completion of one more exam will net you the CCNA-Security designation.
The Professional level certification then requires four additional exams, focusing on secure access or network access control; edge solutions, such as firewalls, mobility, and VPN; and malware, web, and email security solutions.
Once you've achieved your CCNP-Security designation, for those brave enough to continue there’s the CCIE-Security, which requires only one exam.
And a lab. A very difficult, 8-hour lab.
Those with the CCIE-Security designation have demonstrated knowledge and practical experience with a wide range of topics, solutions, and applications, and would also be recognized as top experts in their field.
Cisco recently announced another certification track, the CCNA Cyber Ops. This focuses less on enterprise security and is more aimed at those who might work in a Security Operations Center or SOC. In this track, the focus is more on analysis, real-time threat defense, and event correlation.
For Fun or For Profit
Hacking can be fun, and it can be something you as an IT professional do as a hobby or just to keep your skills sharp. Alternatively, you can develop those skills into marketable professional skills that employers would be keen to leverage. Whether you choose to hack for fun or to further your employment opportunities, it’s an area of expertise that is constantly evolving and requires that you keep learning and adapting, because the threat landscape changes by the minute.
Gone are the days when you could include "some security" as part of your jack-of-all-trades portfolio. Information security has become a full-time job, sometimes even requiring an entire team of security staff to protect and defend IT environments. Private enterprise and vendors alike are investing millions, if not billions, of dollars in protecting themselves from malware, hacking, and cybercrime, and that doesn’t seem to be a trend that will slow down anytime soon.