Ethical hacker career path advice: Getting started

Becoming a certified ethical hacker isn't a walk in the park. In CEH Certified Ethical Hacker Practice Exams, Fourth Edition, author Matt Walker described the EC-Council's exam as a "four-hour, 125-question grueling marathon that will leave you exhausted."

And that's just taking the test.

Beyond studying for the hours-long exam to grasp topics from emerging attack vectors and enumeration to Wi-Fi Protected Access 3 encryption and container technology to static and dynamic malware analysis, those taking the certification exam must also have two years of IT experience under their belt.

If your mind is set on following an ethical hacker career path, Walker has some sage advice regarding the profession, the CEH certification and more.

Editor's note: This interview has been edited for length and clarity.

What is appealing about becoming an ethical hacker?

Click to learn more about
this title.

Matt Walker: The book answer is it's to further the professional's experience and jump into an exciting career field with a lot of opportunities. But the real answer is money. I don't mean to be so blunt, but it's the truth. A business can lose a lot of things and still function just fine, but you cannot turn your back on security. As wild as enterprise connections have gotten -- like the number of devices that we have to secure and the way that we're doing it -- pen testing has become more of a need, as opposed to something nice to have.

What are the steps to getting started on an ethical hacker career path?

Walker: The first thing I would recommend to someone interested in becoming a certified ethical hacker is to start with the basics. Nobody wants to do that. They want the screens with green falling matrix data in the background, the typing on a keyboard with a headset on to bypass the firewall -- all that stuff that you see in the movies. What people really need to do is go learn the TCP stack. Go learn how to put a network together. These things are bedrock. If you try to jump past them, you're not going to do yourself any favors. Definitely know the basics; that way, you don't have to relearn them as you go.

Also, for people who are coming into the career field, I recommend finding a mentor and listening to them.

What is the best way to find a mentor in the field?

Walker: If you're a student, ask your professors for internships. There are also a bajillion different message boards and free exchange sites to learn from people. There are many resources to self-learn, and there are a lot of resources to get involved in communities. Go to a couple of meetings, and assess what everybody's talking about.

Turning to the exam, is there anything people should know going into it?

Walker: CEH is put together by an international organization. For English-speaking people who go in to take the exam, occasionally, a question's going to pop up, and the grammar is going to look different. Maybe you'll get a question where you can't even figure out what they're asking. Take one for the team, and move on. I want to be clear: That's not a knock against the people who put the test together; that's just something to look for.

Another thing I'd say is, when you decide you want to take the exam, register for it. What often happens is people are like, 'Hey, I'm going to take the CEH,' then they study and never set a date. Don't end up studying for two years for something that you could have done in three months. Stick to it, discipline yourself, study, prepare, go in and knock it out.

What other advice do you have for the ethical hacker career path and exam?

Walker: There are two sets of people that take not just the CEH, but any certification. One set are those who get the book, skip directly to the practice questions and memorize them. Then, they'll go on the internet to look things up and memorize that. This group of people goes in with the sole purpose of taking the exam and passing it. I'm not necessarily knocking that because some questions on any certification exam are so specific that you have to burrow into memorization-type learning. But that mindset belittles the certification and makes it not as valuable because you wind up with a certification that you really didn't earn.

On the other hand, the second group of people are those who want to get a good job, want a career and they care about security. When they see a question pop up they don't know the answer to, they care so much about the subject that they want to learn the answer. Those people will be much more valuable to potential employers.

You can memorize questions all you want, but you really need to learn the material before taking the exam. If you just memorize what you need to pass the test and if you wind up somehow faking your way through interviews to actually get a job, they're going to find out really fast that you don't know what you're talking about. Talk about a brutal career field to be caught making mistakes and lying in.

Any other advice you'd offer?

Walker: The CEH -- and any certification really -- has value. It's hard to get. You have to put effort into getting this certification. Employers do value it when they see it on your resume; it means something because it's not one that you can usually fake your way through.

That said, any certification in and of itself means nothing. The analogy I've always used is, if I were told, 'Hey, Matt, you need liver surgery. You have two guys that you can choose from: Guy number one graduated top of his class and has the best certification in liver surgery, but he's never done the surgery. Guy number two has been a surgeon for 20 years and has performed hundreds of these.' I'm taking guy number two every day.

Same thing with the CEH. It can get you in the door, but you still have to prove yourself.