Companies looking for increased IT security now have a new weapon: the ethical hacker.

In a dimly lit room on the outskirts of Istanbul, Turkey, 11 budding hackers are working intently on breaking into the files of a large corporation, having already hacked into the company's main computer server. Now in possession of almost unfettered access, they rapidly type commands on their keyboards, preparing to troll through the server's files for passwords, confidential documents and financial records.

The group's work could bring the company to its knees - if this were a real hack. But the company is fictitious, and the wannabe cyber-thieves are actually all computer security professionals.

They're here to take part in an eight-day course that teaches them the tools and techniques that hackers would use to get into the systems they are trying to protect.

"What is it that the attackers know that we don't know? What is the mind-set of the hackers?" asks Jay Bavisi, president of the New York-based International Council of Electronic Commerce Consultants (EC-Council), which offers the course in cities worldwide. "Nobody in the [computer] defence industry really knew. We realised that the only real way of defence is offence, that we really have to attack ourselves to understand our vulnerabilities."

The EC-Council course is among a growing number of classes that are trying to even the playing field by teaching IT security experts around the globe to think the same way as their adversaries and find the holes in their systems before the hackers do. Along with firewalls and virus scans, companies looking for increased security now have a new weapon at their disposal: the ethical hacker.

"Organisations for whom trust and security are important are going to be consistent users of ethical hacking," says Andrew Briney, publisher of Information Security, a trade magazine.

The budding trend suggests a shift from putting up ever-higher walls to stop intruders to using a trusted intruder to find a way to scale those walls. The first ethical-hacking course was started six years ago. Today, there are some half-dozen organisations offering similar instruction around the world, says Briney. The EC-Council, for example, says it has trained about 20,000 people in 60 countries over the past three years, with 8,000 of them passing a test that earned them the group's "Certified Ethical Hacker" designation.

Bad guys

"Based on the number of people who are coming to our course, the industry is looking to train people to understand better how security works and how the bad guys work," says Dane Skagen, director of educational services for Foundstone, a division of computer-security software maker McAfee. Foundstone, which has offered a popular series of "Ultimate Hacking" courses since 2000, trains between 800 and 2,000 people every year, he says.

It's easy to explain why demand for ethical hackers is growing. As companies become more networked and their work increasingly revolves around the internet, their vulnerability is also growing. In a survey of computer-security professionals conducted last year by the FBI and the Computer Security Institute, a San Francisco-based trade organisation, 56 per cent reported having at least one unauthorised use of their computer systems during the last year, up from 53 per cent the year before. The average loss for a company from these intrusions, according to the survey, was $203,606.

"It's a constant cat-and-mouse game between the good guys and bad guys. Information technology security is no different than any other security: It's about risk, and risk is always changing," says Information Security's Briney.

At the ethical-hacking course in Istanbul, it becomes clear how precarious computer security actually is. During a session, security consultant Cumhur Omeroglu shows students how easy it is to break into a server running on the popular Windows operating system by manipulating things such as DNS zone transfers, SNMP enumeration and Kerberos authentication. It may all sound like techno gobbledygook to the layman, but it makes perfect sense to the students. Going online, Omeroglu also shows the students how simple it is to download free hacking tools.

"You never know who might attempt to attack you at any time. With the [hacking] tools that we are seeing in the course, you realise what is possible," says one of the students, a security engineer at a large Turkish bank, who asked that his name not be used for fear an unethical hacker might get a hold of it. "You see that systems have vulnerabilities that you didn't realise exist. In a big organisation like mine, you have to spend big resources on your defences."

The student says that the sheer number of tools easily available to hackers, and the ever-changing nature of the threat, makes him think that perhaps the most valuable lesson he learned is to utilise something that predates the technological age.

"You need to be paranoid," he says. "That's the mind-set you need to have for this."