How Ethical Hackers Are Your Best Defense Against Cyber Threats
August 12, 2022
As companies race to build online presences and automate business processes, the demand for cybersecurity experts is greater than ever. When looking to employ an ethical hacker, commonly known as a “white hat” hacker, it’s important to find a candidate with strong technical skills, a mindset for detecting vulnerabilities, and a passion for helping organizations strengthen their security.
However, evaluating hacking talent and technical skills can be challenging if you’re not familiar with the field. Asking the right questions during the interview process will help ensure you find a hacker who is not only highly capable but also a strong cultural fit for your organization.
The following questions are designed to probe a hacker’s experience, skills, motivations, and ability to communicate technical concepts to non-technical teams. With the talent shortage in cybersecurity, you’ll want to act fast, but take the time to thoroughly vet candidates to find a hacker who can take your security to the next level.
What Type of Hacker Are You?
To find the right hacker for your needs, you must ask the right questions. Start by determining what type of hacker they are:
- White hat or ethical hacker? These hackers use their skills for legal penetration testing and cybersecurity. They find and report vulnerabilities to help organizations improve their security.
- Black hat or criminal hacker? These hackers illegally access computer systems and networks for malicious purposes like theft, fraud, or vandalism. Avoid hiring these hackers at all costs.
- Gray hat hacker? These hackers operate in a gray area, sometimes acting legally and other times crossing ethical lines. Use extreme caution if considering a gray hat hacker.
Once you determine the hacker practices legally and ethically, ask about their experience and qualifications:
- Do you have professional certifications (e.g. Certified Ethical Hacker, CISSP)? Certifications help verify skills and knowledge.
- How long have you worked as a hacker? More experience means higher skills and a wider range of abilities.
- What types of systems or networks have you hacked into? Relevant experience with similar systems or networks is ideal.
- What hacking techniques do you use? They should use techniques like phishing, social engineering, and vulnerability scanning—not illegal hacking methods.
- Can you provide references from past clients? Past clients can confirm the quality of their work and professionalism.
- What security precautions do you take to prevent illegal hacking or theft of data? Strict security procedures help ensure sensitive data remains protected.
By asking targeted questions about their background, skills, experience, techniques, and professionalism, you can determine if a hacker will meet your needs legally and ethically. Do thorough vetting to avoid the risks of hiring an unscrupulous hacker.
What Are Your Core Competencies and Skills?
To find a hacker with the skills to meet your needs, you must ask the right questions. One of the most important is:
What are your core competencies and skills?
Look for a hacker proficient in areas relevant to your project:
- Penetration testing and cybersecurity: Can uncover vulnerabilities in networks, applications, systems, and physical premises. Skilled in techniques like social engineering.
- Web development: Can build secure web applications and fix vulnerabilities in existing ones. Proficient in languages like PHP, Java, Python, etc. and frameworks like Django or Ruby on Rails.
- Mobile app development: Can develop secure Android and iOS apps and identify weaknesses in current mobile apps. Familiar with tools like Wireshark, Charles Proxy, etc. to analyze mobile traffic.
- IoT and embedded systems: Understands how to secure IoT devices, smart home systems, vehicles, medical devices, and industrial control systems. Able to find and fix issues like default passwords, unencrypted data, lack of authentication, etc.
- Malware analysis: Can analyze malicious software to understand its functionality, origins, and impact. Knows reverse engineering techniques and is familiar with tools like IDA Pro, OllyDbg, etc.
- Digital forensics: Able to preserve, recover, analyze, and present data from computer systems, networks, wireless communications, and storage media in a legal and ethical manner. Proficient with forensic tools like EnCase, FTK, Volatility, the Sleuth Kit, etc.
The ideal hacker will have expertise in multiple areas. Ask about relevant certifications, degrees, publications, conference presentations and client work to determine competency. A hacker’s skills and experience level must match your needs to achieve the best results.
How Long Have You Been Hacking?
As with any profession, experience matters when it comes to hacking. Before hiring a hacker, you’ll want to determine how long they have been actively hacking and building up their skills. Some key questions to ask include:
How did you get into hacking? What got you interested in cybersecurity?
Their origin story can reveal their motivations and passions. Look for hackers driven by a genuine interest in technology and solving complex problems.
How long have you been hacking in an ethical capacity?
Ideally, you want a hacker with at least 3-5 years of experience conducting authorized penetration testing and cybersecurity assessments. They will have a proven track record of responsible, lawful hacking.
What certifications or degrees do you have?
Relevant credentials demonstrate their dedication to the craft and meeting high standards of ethics and professionalism. Look for certifications like the Certified Ethical Hacker (CEH) or degrees in cybersecurity, computer science or a related field.
How do you stay up-to-date with advancements in cybersecurity?
The field is constantly evolving, so ongoing learning and continuing education are must-haves. Look for hackers who actively participate in hacker communities, read industry publications, take additional courses, and practice their skills through CTFs (Capture the Flag) events and bug bounty programs.
What types of systems and technologies are you most familiar with?
An experienced hacker will have a broad range of knowledge covering operating systems, network infrastructure, web applications, mobile devices, and more. They should be comfortable hacking into and defending systems running Windows, Linux, iOS, Android, etc. Familiarity with programming languages like Python, Java, C++, and SQL is also important.
What methodologies and tools do you commonly use?
They should be well-versed in established penetration testing methodologies, such as those published by the Open Web Application Security Project (OWASP), and able to use popular hacking tools such as Kali Linux, Nmap, Wireshark, Metasploit, and John the Ripper.
Using these and follow-up questions, you can determine if a hacker has the experience and skills to handle the sensitive work of penetration testing and risk assessments. An experienced, certified hacker will give you confidence in the results and recommendations from their hacking activities.
Have You Ever Been Caught or Prosecuted for Illegal Hacking?
When interviewing a hacker, it is crucial to ask probing questions to determine their experience and ensure they operate legally and ethically. One important question to ask is:
Have you ever been caught or prosecuted for illegal hacking?
Any candidate with a history of illegal hacking activities should raise major red flags. Illegal hacking violates privacy laws and computer fraud acts, and if caught, the hacker could face legal prosecution and jail time. As an employer, you do not want to be associated with or legally implicated in a hacker’s unlawful actions.
Look for a hacker with a proven track record of working legally and ethically. Some follow-up questions to ask include:
- Have you ever participated in illegal hacking activities like DDoS attacks, malware deployment or identity theft? If so, please explain the circumstances.
- Do you follow a code of ethics when performing hacking activities? If so, please describe your ethical guidelines.
- Have you ever had a hacking job terminated or lost a client due to unlawful behavior? If yes, please provide details on the situation.
- Are you familiar with data protection laws and standards like HIPAA, GDPR, and PCI DSS? Do you keep up with the latest cybersecurity regulations and compliance standards?
- Do you have any certifications or credentials in ethical hacking like the Certified Ethical Hacker (CEH) certification?
While a skilled hacker can be a valuable asset, it is imperative to find one committed to operating legally and ethically. Asking pointed questions about their experience, values and compliance knowledge can help determine if they are the right candidate for your organization. With cybercrimes on the rise, hiring an unethical hacker could put your company’s reputation, customer data and legal standing at serious risk. Do thorough vetting to find a hacker you can trust.
Do You Have Any Certifications or Credentials?
As a company, hiring a hacker can be risky if you don’t know what questions to ask to determine their qualifications and trustworthiness. You’ll want to make sure any hacker you bring on board is ethical and has the proper credentials and experience.
Do you have any certifications or credentials?
Certified hackers, also known as “white hat” hackers, have gone through official training and testing to prove their skills. Some of the top certifications for ethical hackers include:
- Certified Ethical Hacker (CEH): This credential demonstrates knowledge of ethical hacking techniques. To earn the CEH, candidates must pass an exam covering topics like footprinting, scanning, enumeration, and system hacking.
- Offensive Security Certified Professional (OSCP): This certification requires passing a hands-on exam where candidates demonstrate the ability to hack into target systems. OSCP holders have proven skills in penetration testing and vulnerability assessment.
- GIAC Penetration Tester (GPEN): This certification from the Global Information Assurance Certification organization shows competence in conducting penetration tests and vulnerability assessments. To earn the GPEN, candidates must pass an exam on penetration testing methodologies, tools, and techniques.
While certifications are not always required, they do help to validate a hacker’s skills and knowledge. Be wary of any hacker who claims to have skills but cannot point to any official certifications, credentials, or references. Membership in professional organizations, regular participation in hacker events like DEF CON, and published research papers are also signs of a dedicated, experienced hacker.
The key is to look for hackers with a proven track record of conducting authorized penetration testing and vulnerability assessments. Their experience and credentials should align with the type of work they would be doing for your company. Don’t be afraid to ask for client references or examples of previous work to determine if a hacker would be the right fit. With the proper vetting, you can find ethical hackers who will improve your cyber defenses, not exploit them.
What Are Your Rates and Fees?
When considering hiring an ethical hacker, it is important to understand their rates and fees. As with any service, you want to find someone who is reasonably priced, but also experienced and capable. Some questions to ask about rates and fees include:
What is your hourly rate?
Ethical hackers typically charge between $50 to $200 per hour, depending on their level of experience and credentials. Be wary of rates that seem too low, as that may indicate a lack of expertise. However, higher rates do not always mean better service either. Ask for an estimate of the total hours required to complete your specific testing needs.
Do you charge for an initial consultation?
Many ethical hackers offer a free initial consultation to discuss your needs, scope of work, and their approach. This allows you both to determine if you are a good fit to work together before any fees are paid. If there are charges for the initial call, inquire if that fee will be deducted from the total billing if you move forward with their services.
What is included in your fees?
Fees should include all work related to the hacking exercise, including planning, testing, and reporting. However, additional fees may apply for remediation support to fix identified vulnerabilities. Also ask if travel fees apply if on-site work is required. All inclusions and potential added fees should be clearly laid out in the service agreement.
What payment terms do you offer?
Most ethical hackers require payment in advance of work being performed, either partially or in full. However, some may allow payment upon completion of specific milestones. Be very wary of anyone who requires full payment upfront before doing any work. Standard payment methods include check, wire transfer, and credit card. Understand their cancelation and refund policies before signing a contract.
Do you provide discounts for long-term or repeat clients?
If you anticipate needing ongoing security testing and remediation support, inquire about available discounts for committed long-term or repeat clients. Ethical hackers may offer reduced rates for clients who contract them for multiple jobs over time. Discounts of 10 to 30 percent are not uncommon for long-term client relationships.
Do You Have References I Can Contact?
When interviewing a hacker, it is critical to verify their experience and skills. Asking for client references is an important step in the hiring process. Some key questions to ask include:
Do you have references I can contact?
Any reputable hacker should be willing to provide references from previous clients to vouch for their work. Ask for 2-3 references you can contact, including:
- Names and contact information of previous clients
- Details on the type of work performed for each client
- Dates of service to confirm their experience
Be sure to actually call the references and ask questions such as:
- How did you come to hire this hacker?
- What specific services did they provide for you?
- Were you satisfied with the quality and timeliness of their work?
- Would you recommend this hacker for hire? Why or why not?
Speaking with references is the best way to determine if a hacker’s skills and work ethic match what they have claimed. Listen for enthusiastic recommendations, as well as any hesitance or less-than-stellar reviews. Consider if the references’ needs and projects are similar to your own to determine if this hacker is the right fit for your purposes.
It is also advisable to search for reviews or mentions of the hacker on independent online forums and communities like Reddit, Quora, and various cybersecurity blogs and websites. While a hacker may be able to provide hand-picked references, unsolicited reviews from other clients can provide a more balanced view of their reputation and experience.
Conducting thorough research on a hacker’s references and reputation can help avoid potential legal and security issues down the road. Do not hesitate to ask probing follow-up questions and trust your instincts—if something feels off, it may be best to continue your search. With the right questions and diligence, you can find a hacker with proven skills and a track record of satisfied clients.
What Are Your Ethical Standards for Hacking?
Any reputable hacker should have a strict code of ethics to guide their work. Before hiring a hacker, ask them about their ethical standards to ensure they align with your values. Some key questions to ask include:
What actions do you consider unethical?
Ethical hackers should avoid any illegal activities or actions that could cause harm. Unauthorized access to systems, theft of data, damage to infrastructure, and violation of user privacy should all be strictly off limits.
Do you have a formal code of conduct you follow?
Many professional hacking organizations and certifying bodies have established ethical codes of conduct. Ask if the hacker adheres to standards set by the EC-Council’s Certified Ethical Hacker certification or organizations like the Open Web Application Security Project. These help guide ethical behavior and best practices.
How do you ensure your hacking activities remain within legal boundaries?
Ethical hackers must operate within the confines of the law at all times. Ask how they stay up-to-date with relevant laws and regulations regarding cybersecurity, hacking, and privacy. They should also have strict procedures in place to obtain proper authorization and consent before conducting any hacking activities.
How do you protect any sensitive data you may encounter?
In their work, hackers may come across confidential information. Ask how they ensure data is kept private and secure at all times. Strict encryption, access control, and data minimization policies should be followed to protect sensitive data from unauthorized access.
Do you have a process for disclosing and reporting vulnerabilities?
Responsible disclosure is an important part of ethical hacking. Ask if the hacker has a process for disclosing any vulnerabilities found to the relevant companies or organizations as soon as possible. They should also avoid publicly disclosing vulnerabilities until appropriate patches or fixes have been developed and implemented.
Following these ethical principles helps build trust in the work of hackers and ensures their skills are used to benefit society as a whole. Be wary of any hacker unwilling to discuss or commit to high ethical standards. Their work could end up causing more harm than good.
How Do You Stay Up-to-Date With Technology and Security Advances?
To stay on top of the latest cybersecurity advancements and threats, an ethical hacker must continuously expand their knowledge and skills. Ask the candidate how they stay up-to-date with technology and security advances.
An ethical hacker should pursue ongoing learning to keep their knowledge and skills sharp. Look for candidates who stay up-to-date by:
- Reading industry reports, news, blogs, and publications regularly. Reputable sources include Krebs on Security, Wired, and TechCrunch.
- Taking additional courses or participating in mentorships. Relevant topics include cryptography, networking, programming languages like Python, and new technologies such as blockchain or artificial intelligence.
- Practicing their skills through simulation environments, hacker challenge sites, or by participating in hacker meetups or conferences like DEF CON. These opportunities allow them to encounter new techniques and vulnerabilities in a controlled setting.
- Maintaining professional certifications. Credentials such as the Certified Ethical Hacker (CEH) must be renewed every two years through continuing education. Other respected certifications include Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester.
- Participating in hacker community forums and online groups. For example, Reddit has communities like /r/hacking, /r/AskNetsec, and /r/netsec focused on sharing the latest cybersecurity news and insights. Engaging with peers in the field exposes the candidate to diverse perspectives and areas of expertise.
By continuously expanding their knowledge, skills, and experience through ongoing learning and practice, an ethical hacker can provide the most up-to-date and comprehensive security assessments and advice. The ideal candidate will demonstrate a thirst for constant growth and improving their craft. Regularly ask follow-up questions to verify the candidate is staying up-to-date with trends in both offensive and defensive security measures. An expert hacker is a perpetual student.
As you wrap up the interview process and evaluate the candidates, remember that technical skills alone do not make a great hacker. Look for someone with a growth mindset, a curiosity about cybersecurity, and a passion for their craft. The ideal candidate will see hacking as a way to solve problems and build more secure systems, not just break into them. They should communicate clearly and work well within your team and company culture. By asking the right questions, checking references, and trusting your instincts, you’ll find an ethical hacker who can help strengthen your security posture and give you valuable peace of mind. The time you invest in this process will pay off manifold down the road.