How does one become an ethical hacker?

[Kushagra Jain]

I have already decided to take computer science but want to know what is the procedure to become an ethical hacker.
How good is it to become an ethical hacker in India?
What are the skills one requires?
And, finally, what programming languages one must learn?

[Ann sers]

I am not sure, but I would assume that the market is booming in India, consider India's booming economy especially in fields and with conditions conducive to a good market for information security professionals. I have been through university schooling and I can tell that you that 99% of what I learned was technical, conceptual, "book" knowledge with very little practical "know how." In order to gain that ever important "know how" you are going to have practice. There are also establishments like Infosec Institute or SANS who offer courses in ethical hacking with the option to get certified as a CEH (Certified Ethical Hacker) and more. In my honest opinion, information security is not an entry level field and you should certainly spend at least a year or two in a (sysadmin) system administrator role then make the step up.

Here are the essential skills skills for an ethical hacker:

1. OPERATING SYSTEMS: Mastery of an operating system. How can you cover your tracks if you don’t even know where you’ve left tracks? If you don’t know the OS in detail, how can you possibly know everywhere things are logged?
2. NETWORKING/TCP/IP: Good knowledge of networking and network protocols. Being able to list the OSI model DOES NOT qualify as knowing networking and network protocols. You must know TCP in and out. Not just that it stands for Transmission Control Protocol, but actually know that structure of the packet, know what’s in it, know how it works in detail. A good place to start is TCP/IP Illustrated by W. Richard Stevens (either edition works). Know the difference between TCP and UDP. Understand routing, be able to in detail describe how a packet gets from one place to another. Know how DNS works, and know it in detail. Understand ARP, how it’s used, why it’s used. Understand DHCP. What’s the process for getting an automatic IP address? What happens when you plug in? What type of traffic does your NIC generate when it’s plugged in and tries to get an automatically assigned address? Is it layer 2 traffic? Layer 3 traffic? If you don’t understand these things, then you can’t possibly understand how an ARP Spoof or a MiTM attack actually works?
3. SCRIPTING/BASH: Learn some basic scripting. Start with something simple like vbs or Bash. Eventually you’ll want to graduate from scripting and start learning to actually code/program or in short write basic software (hello world DOES NOT count).
5. FIREWALLS: Get yourself a basic firewall, and learn how to configure it to block/allow only what you want. Then practice defeating it. You can find cheap used routers and firewalls on ebay, or maybe ask your company for old ones. Start with simple ACL’s on a router. Learn how to scan past them using basic IP spoofing and other simple techniques. There’s not better way to understand these concepts than to apply them. Once you’re mastered this, you can move to a PIX, or ASA and start the process over again. Start experimenting with trying to push Unicode through it, and other attacks. Spend time on this site and other places to find info on doing these things. Really the point is to learn to do them.
6. DATA-RECOVERY/FORENSICS: Know some forensics! This will only make you better at covering your tracks. The implications should be obvious.
7. BASIC PROGRAMMING: Eventually learn a programming language, then learn a few more
8. CRYPTOGRAPHY: Cryptographic protocols, etc.
9. DATABASES. (such as MySQL,etc.) I’m not saying you need to be a DB expert, but knowing the basic constructs help.
10. Real life "social networking" - interacting, sharing knowledge with similarly minded people. A strong desire to learn more.

Start by picking an operating system and learning it's ins-&outs. Learn the networking stuff! Straight away! Practice scripting. Play with firewalls. Dabble with data recovery. Dabble a bit in crypto. Learning the math doesn't hurt.

These are the practical skills which will help you find work once you learn all the lofty, conceptual, technical stuff studying computer science in school. Sure, it's great to know how a gate works or how to build one of out coconuts or whatever.. but I'm talking about practical skills which you can use every day on the job in information security.