Want to outwit hackers? Hire an ethical one.
A growing number of courses worldwide train 'ethical hackers' to prevent malicious attacks.
ISTANBUL, TURKEY — In a dimly lit room on the outskirts of this bustling city, 11 budding hackers are working intently on breaking into the files of a large corporation, having already hacked into the company's main computer server.
Now in possession of almost unfettered access, they rapidly type commands on their keyboards, preparing to troll through the server's files for passwords, confidential documents, and financial records.
The group's work could bring the company to its knees – if this were a real hack. But the company isfictitious, and the wannabe cyber-thieves are actually all computer security professionals.
They're here to take part in an eight-day course that teaches them the tools and techniques that hackers would use to get into the systems they are trying to protect.
"What is it that the attackers know that we don't know? What is the mind-set of the hackers?" asks Jay Bavisi, president of the New York-based International Council of Electronic Commerce Consultants (EC-Council), which offers the course in cities worldwide. "Nobody in the [computer] defense industry really knew. We realized that the only real way of defense is offense, that we really have to attack ourselves to understand our vulnerabilities."
The EC-Council course is among a growing number of classes that are trying to even the playing field by teaching IT security experts around the globe to think the same way as their adversaries and find the holes in their systems before the hackers do. Along with firewalls and virus scans, companies looking for increased security now have a new weapon at their disposal: the ethical hacker.
"Organizations for whom trust and security are important are going to be consistent users of ethical hacking," says Andrew Briney, publisher of Information Security, a trade magazine. He says that some of the "bigger [corporate] names out there" are already using ethical hackers.
The budding trend suggests a shift from putting up ever-higher walls to stop intruders to using a trusted intruder to find a way to scale those walls.
The first ethical-hacking course was started six years ago. Today, there are some half-dozen organizations offering similar instruction around the world, says Mr. Briney. The EC-Council, for example, says it has trained about 20,000 people in 60 countries over the past three years, with 8,000 of them passing a test that earned them the group's "Certified Ethical Hacker" designation.
"Based on the number of people who are coming to our course, the industry is looking to train people to understand better how security works and how the bad guys work," says Dane Skagen, director of educational services for Foundstone, a division of computer-security softwaremaker McAfee. Foundstone, which has offered a popular series of "Ultimate Hacking" courses since 2000, trains between 800 and 2,000 people every year, he says.
"I think [the industry] has come to realize that it is to their benefit and their advantage to have someone like that," Skagen says.
It's easy to explain why demand for ethical hackers is growing. As companies become more networked and their work increasingly revolves around the Internet, their vulnerability is also growing. In a survey of computer-security professionals conducted last year by the FBI and the Computer Security Institute, a San Francisco-based trade organization, 56 percent reported having at least one unauthorized use of their computer systems during the last year, up from 53 percent the year before. The average loss for a company from these intrusions, according to the survey, was $203,606.
"It's a constant cat-and-mouse game between the good guys and bad guys. Information technology security is no different than any other security: It's about risk, and risk is always changing," says Information Security's Briney.
At the ethical-hacking course in Istanbul, it becomes clear how precarious computer security actually is. During a session, a youthful-looking security consultant, Cumhur Omeroglu, shows students how easy it is to break into a server running on the popular Windows operating system by manipulating things such as DNS zone transfers,SNMP enumerations, and Kerberos authentifications. It may all sound like techno gobbledygook to the layman, but it makes perfect sense to the students.
Going online, Mr. Omeroglu also shows the students how simple it is to download free hacking tools.
"You never know who might attempt to attack you at anytime. With the [hacking] tools that we are seeing in the course, you realize what is possible," says one of the students, a security engineer at a large Turkish bank, who asked that his name not be used for fear an unethical hacker might get a hold of it. "You see that systems have vulnerabilities that you didn't realize exist. In a big organization like mine, you have to spend big resources on your defenses so that a kid sitting at his computer doesn't get access to your system."
The student says that the sheer number of tools easily available to hackers, and the ever-changing nature of the threat, makes him think that perhaps the most valuable lesson he learned is to utilize something that predates the technological age.
"You need to be paranoid," he says. "That's the mind-set you need to have for this."