If you have the interest and aptitude, [ethical] hacking is one of the jobs in highest demand within IT and Info Sec. If you want to make money hacking, here we go through some simple steps to help you set objectives and get your career off the ground: to move from rookie to the Top Gun school, and to earning over $1M per year.
Over $1M per year? Well, have a look around the Internet: Apple will pay $1M for one [admittedly very hard to find] bug. Google offer $1M for equivalent bugs, as do Microsoft and others.
The real news is not the jackpots but the bounty payouts of $50K for this, $30K for that. The $1M is very rarely paid, but the figures in tens of thousands are paid out all the time; these companies invest tens of millions a year in these programmes to prevent themselves being hacked through vulnerabilities. So how do you do this?
It is all about you…
Got the right mindset? This really comes down to what makes you tick. If you answer yes to several of the following, then this job is probably for you:
- Has someone, a supposed expert in something you don’t know, ever described something to you, and you have called “Bullshit”, because it couldn’t possibly work that way?
- Do you know lots of stuff about lots of stuff? A bit of JavaScript / HTML, a bit of PHP, a bit of Java, a bit of networking, a bit of Linux, a bit of SQL and so on?
- Know what a stack is? The heap? Garbage collection? A buffer overflow?
- When you get something new, do you assume that it must do what it is supposed to, and immediately investigate what its limits are?
OK, you have kept reading, so you have answered “yes” to most of the above. Now what? How do you make money?
Getting skilled up for hacking
This is the hardest part: there is no one course, no one certification that you can go on that will get you there. It is a layer of skills upon layers of skills for hacking.
I can have as many tennis lessons as I want, but I will never win Wimbledon. The big bucks don’t come from a course; yes, it helps, but it is not the answer. I have never talked to a top-class sports person, but if I asked what the secret to success was, they would probably say “raw talent and hard work”. Well, the good news is that to get this far you have the raw talent; now you need practice.
Kali is hard to use, but effective; learn it. Point it at one of the many exploitable images that are out there and see what you can do.
Once you have some skill you need an objective. I like https://www.hackthebox.eu/ (ever wondered about that animation?) A great set of machines to try and exploit. If you get a long way into the hard images then you will make it onto the “leader board”, employers will be interested, and $$ occur.
What media to consume?
Well, this is all very subjective and about what you like. I would suggest starting with the podcast Security Now. They talk about what is going on in the world. In the older episodes they teach you how things like the Internet or a CPU work, which is very well done for an audio-only presentation. They also make reference to many industry luminaries (say Bruce Schneier) who are also worth following. The show is also unashamedly geeky, which is half of its attraction.
So, you’re a top gun… now make money!!
Well, now it is all about making money hacking. You really have 2 different options, depending on where your skills lie.
Platform-specific
If you are really platform-specific (Android, Windows, iOS etc.) then you sign up to that vendor’s program and see what you can find. The vendors often give you pre-release software because they want the issues found before things are released. This is where the really big jackpots lie.
Generic skills
Vendors of applications (including government agencies) often run bug bounty programs where you can get paid for finding issues. My favourite platform for this is https://www.hackerone.com/ but others are available.
These platforms allow vendors to say, “here is a system, see what you can find, and we pay $X for Y security flaw”. My suggestion here is to go for the esoteric stuff. Yes, there is lots of money and glory in finding a gaping hole within Gmail, but a lot of people have looked already, and there probably aren’t any. If some company you have never heard of is offering $5K for security issues in an application that nobody else has ever looked at, you may find 5 in a week (that is $5K per day or over $1M per year).
Closing thoughts
So, there is a lot of money to be had if you are very, very, very, very good (that was 4 x verys) and have a lot of time to spend. If you are 3 x very good or would like a life outside of work, but still want to make money hacking, then you can work offering pen-test services to companies. There may not be glory, or the $1M jackpot, but there is predictable money every month of every year, and good money. If you work offering companies services, you can do this for yourself or for a consulting house; most learn the ropes working for someone else, then start up themselves.
This is a great job, very interesting, pays well, is in great demand, and you don’t have to work 80 hours a week.
Here is where we sell tools that make pen-testing quicker and easier. They won’t win the next Hack The Box challenge, but they will allow you to turn around a pen-test for company X in much less time than before, automate all of the boring things (like generating the reports) and generally ease your life, making that beach 1 step closer.
Next steps
See a pen-test product in action such as Core Impact.