Ethical Hacking 

Apr 17, 2009 03:16 AM

A few weeks ago, a couple of my co-workers visited a workshop about a new course: ethical hacking. In short, it teaches system administrators how to try and hack your own system, to check its vulnerabilities and find out whether your security needs working on. The course is also available for pretty much everyone else, but that is a side note.

When I heard about it, the only thing that sprung to my mind was "WTF??". Are we really going to TEACH people to hack, how to do it and what to do with it? Why not just build a program for it then? That would make things a lot easier: Microsoft Hacking 2007 or something, of course licensed, but that would not be a problem, since - well, it is a hacking tool, right?

As I remember, in the good ol' days hacking was staring at black screens, learning, adapting to what you found and working with that information. It was almost completely self-taught by people that wanted to know. That made hackers good system admins, if and when they chose to be. They were used to handy tools, scripted anything they needed and knew a lot about in-depth command lining.

These kinds of people are active, unfortunately more and more in the background, doing either something illegal, creating programs for the nextgen hackers, or, embarrassed by the rest of the community, locking themselves up in cellars and attics, learning. They tend to stay out of the media - either rightfully or unrightfully - fearing their skills and whether or not they would be prosecuted if they shared what they know.

Send in the script kiddies!

The nextgen hackers were script kiddies. Young people, finding a handy program on the net (created by the firstgen hackers) and utilizing it in the ways it was meant to be used, or finding new, innovative ways to utilize their tools. Let me make clear: I do think script kiddies are a step back from the firstgen hackers. But on the other hand, they are creative in other ways, combining powers of one program with other programs, not used in this set before. These nextgen hackers are still an asset to security, but in a different way. They teach us that one vulnerability leads to a second, until your entire system is compromised. The knowledge of these people is limited, though, to using tools and finding them, not to knowing what the tool does and why it does it like this.

And now this?

And now we are going to teach people, without background knowledge, how to hack? But what defines a good hacker? Self teaching, self preservation, self learning. I do not actually know what will be taught in this course. I presume some standard methods, which nullifies the reason for the course, since hacking always tries to find new, innovative ways. The taught material will be obsolete in about one month or so. And who is the teacher? A firstgen, or nextgen hacker?

If he would be the firstgen: where did they find this guy? Doing legal or illegal things? And how could he teach his years of experience and the mindset that comes with his hobby to a bunch of people, most of them "sent" by their employer, in about five working days?

If he would be the nextgen: don't even bother going and go with your browser to www.google.com. That would be just as effective.

Ethical Hacking?

They chose the name Ethical Hacking, because they also teach you not to use your skillzz for the dark side. But who prescreens applicants, or keeps track of them after completing the course? To answer the question myself: no one. They teach a bunch of people skills they should not know and hope for the best. And whether or not the skills are taught by a firstgen or nextgen: they can harm. Especially in the hands of the wrong people, or people that don't know how to utilize their skills.

Would you, for instance, fire your system admin, knowing he can hack your system in return, using skills learned in a course paid for by that same company?

Summarized

Yes, teach people how hackers think and work. But when you choose to teach them the skills, don't be mighty surprised when something goes terribly, terribly wrong.

Comments

Apr 24, 2009 09:22 PM

"To hunt for a prey, you should think like one". EH could turn the security industry from being reactive to pro-active. The "wait and see" mentality on dealing with new viruses could be altered. Big companies have the ways and means to outrun the petty virus makers through countless resources and funds, thus making the cure before the outbreak occurs.

The only dilemma is, "Who is fit to be trained for this?". I agree that this might backfire if given to the wrong person or group.

Let's update the courses in becoming up to date and practical but screen the participants.
It may limit the consequences from the good things that this might give.

Just my thoughts, team.

Regards,

Nel Ramos

Apr 23, 2009 06:12 AM

Very useful information about EH.

Apr 22, 2009 01:44 AM

The thing is, I am all in favour of having this and other courses like that... SANS etc.
Why? Because most of the sysadmins are simple sysadmins; they have no idea what is what and how to make things secure (most of them, not all). If this crash course can open their eyes, then why not? They should be sent for this kind of course... and again, this course is called E + H... not only H.
So I would prefer that people should go for this kind of training to open their minds, because I have seen most people are always busy in operations tasks and they can't think out of the box.
Hackers will be one way ahead of you... but if you know what and how they think then you can be one step ahead of them, and then everything comes to ethics... where to stop.
Never ending story ;)

Apr 21, 2009 02:45 AM

@ Ajitjha:
Ignoring a problem doesn't make it go away, unfortunately. And do get me correct: I don't think EH should just "go away".

I personally believe it is not the best way to move forward on securing a network, by just sending the sysadmin on a crash course "hacking for dummies". On the other hand it is mighty handy to know how a hacker thinks and works.

So I think it's better to emphasize that part of hacking, not the actual ways and skills.

Apr 20, 2009 03:53 AM

We shouldn't support EH.

Apr 20, 2009 12:30 AM

CEH does not always mean hacking. The tools used in CEH are pretty good to safeguard your network from hacking. It's always good to know your security holes and patch them up quickly before an outsider finds them out.
But there are a few not so good tools, like VIRUS CREATION tools, that should not go in the wrong hands at all.

Apr 20, 2009 12:01 AM

Good thoughts

Apr 18, 2009 01:23 PM

Companies giving Ethical Hacking training sounds interesting. The company should know that the employees to whom it is giving training know the most about their own network, which may backfire later if the employee leaves the job and joins the rival company.

Apr 18, 2009 12:41 PM

are hardly smart at all, Erik, once you understand their principle: they already contain the answers you need from them.

There are still some sides of me you don't want to know about ;)

Apr 17, 2009 02:02 PM

Sebastiaan got a good point.
That's why I refused to teach him how to crack smartcards like the one of the Dutch ministry of defense.

:-)

Apr 17, 2009 04:39 AM

Yeah, I agree, the EH program is not a great value add. They use pre-built apps and only the very basics.
