General discussion

  • Creator
    Topic
  • #2286907

    Prepare a manuscript titled “Protecting your network as an ethical hacker”

    Locked

    by aldanatech ·

    I am working on a research project on ethical hacking as part of my requirements to complete my Bachelor of Science degree with a concentration on Network Technology. The purpose of this project is to make a study on two important aspects of Information Technology security. One is ethical and unethical hacking. The other aspect is the methods for counter-hacking. Ethical and unethical hacking will focus on the differences between them, at what point is hacking considered ethical, and what is considered to be an ethical way of protecting yourself, and your network. The counter-hacking methods study will include preventive measures against common hacking methods, but not specific details on how the attack is actually performed. Details on the latest protection features and products from Cisco, Microsoft, Novell, and Symantec will also be featured. I might also include some details on the current laws that support network security.

    This project is expected to be completed in two months. What I would like from you is to review my progress (about once a week or so) and provide with feedback such as corrections, additions, and clarifications. I would also like your opinion on my research topics. Do you believe any of them are irrelevant or unnecessary?

    The URL of my project is:

    http://www.aldanaweb.com/capella/

    Moreover, I will keep track of my notes and progress in:

    http://www.aldanaweb.com/capella/statusreport.htm

    I trust the knowledge and expertise from everyone in Tech Republic and all the help you can provide me will be appreciated. Also, let me know if you would like me to include you in my contributors list.

All Comments

  • Author
    Replies
    • #2669728

      Small correction

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      Just wanted to verify the URL of my status report page:

      http://www.aldanaweb.com/capella/statusreport.htm

    • #2669650

      OK Josh

      by hal 9000 ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      While the second link was dead the first one did give me the front page of the report.

      I’ll keep an eye on how you are proceeding and add any corrections or addenda as I see fit.

      I could say that there is no such thing as “Ethical Hacking” but as I’ve just thrown down a challenge to everyone here at TR to crack a Web Page’s Security I would be a bit of a hypocrite as I see a very important part for what you wish to call “Ethical Hacking” although I prefer to think of it as “Penetration Testing.”

      Perhaps that could be a subtitle to make it a bit more palatable to the “Powers That Be” although it is a college assignment I suppose that was the title you were given to work with.

      Anyway best of luck with your endeavors.

      Col

      • #2669551

        Thanks

        by aldanatech ·

        In reply to OK Josh

        Thank you. Your assistance is appreciated.

    • #2669334

      Which laws are more relevant?

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      On Unit 3 of my research phase:

      http://www.aldanaweb.com/capella/ts4992unit3.htm

      I posted a set of links to sites about laws that could help enhance or assist IT security or privacy. Which ones do you think are the most relevant ones for this purpose?

      Note: If you cannot open the page, go to my home page:

      http://www.aldanaweb.com/capella

      and click on Unit 3 of Weekly Tracking of IAL Project.

      • #2669100

        OK as I’m commenting from Australia

        by hal 9000 ·

        In reply to Which laws are more relevant?

        Things might be a little different but here you first have to look at Federal Laws then State Laws and see which apply to what you are doing as obviously different laws would apply to a bank than to a military developer {Hardware.}

        However the one that is always foremost is the Privacy Laws {both Federal & State} no matter where you are as you allow this to be breached and personal data getting out about customers/clients or co-workers without their permission you are looking at some serious Jail Time.

        While it is a great idea to submit a Universal Thesis these never cover every aspect of what different areas require depending on the outline of what you have been given to work with the best that you can hope for is some form of “General” overview of what is required.

        As I don’t live in America I would suggest you get in contact with some Legal Studies Students to get their take on it or if you have access a practicing Lawyer within the area that you are required to write about ask him/her. Law like this course varies depending on what exactly you are trying to protect and provided you follow some common sense practices while not being “Strictly Legal” they will not cause you any problems. What you really need to know is how much the relevant laws can be bent without breaking them to protect the hypothetical network from unauthorized penetration.

        Generally any testing of network security by the person responsible for administering the network or any authorized person/companies hired to perform these tests are legal it is only when these tests are performed without the knowledge of the Administrator for nefarious means that troubles arise.

        Now the reality of the real world is that you do what is necessary to protect the network from penetration no matter what and then worry about the legal aspects later.

        But you can generally manage this without bending too many laws and unless there is something in place that gives authority to outside agencies to monitor the system there normally is not a problem. However as I’ve already said it all depends on what you are trying to protect.

        Col

    • #2668105

      Josh with the TR site not working properly

      by hal 9000 ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      At the moment it would be better if you e-mail me direct with any questions {that is if you still want my input} so if you do I can be contacted at colinluck@quicknet.com.au if you want to ask any questions about what you are doing or how to approach something.

      Col

    • #2668079

      Protecting your identity on the Internet

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      During the nineties and early years of the twenty-first century, the Internet (also known as the World Wide Web) quickly evolved to be a way to overcome borders and global distances even more remarkably than earlier forms of communication such as the telegraph, the telephone and the fax. Millions of sources of information can be accessed from anywhere there is a connection to the World Wide Web. E-mail allows anyone to send a letter to almost anywhere in the world in only a few seconds without a need for postage. Chat rooms allow groups of two or more users to interact in bi-directional conversations in locations that could range from the same street to a country on the other side of the world. The Internet is particularly beneficial to organizations that take advantage of the opportunities of e-commerce by opening national or international markets for their products. For the consumer, the Web allows him or her to purchase products that are either less expensive than the local retail store or unavailable in town. It also allows consumers to consult account balances, make payments, and register for services - all online.

      Millions of bits of information travel through cables, routers and off antennas. Their final destination is usually in a server’s hard drive. All this convenience makes it extremely tempting for Hackers or other cyber criminals to access information for such destructive purposes as identity theft. This happens when they impersonate a victim for personal or other gains. Cyber criminals usually use the information they gain for committing credit card fraud, requesting loans, or signing up for other services. In 1997, the U.S. Secret Service estimated the cost of identity theft at $745 million (Bidwell, 3). Besides the bills that victims get for services they never requested and charges for credit cards that the victim never even signed up for, the victim’s credit tends to decline drastically.

      Even if users usually don’t fill out online forms or perform transactions on the Internet, many still keep files with private information on their hard drives. When these users are online, their information is at the mercy of unscrupulous cyber criminals. This happens most often in extremely vulnerable networks such as cable modem services. All this could easily add up to at least 100 million dollars in damages (Dunsmore, 2). In early 2000, the Computer Security Institute (CSI) with assistance from the San Francisco office of the Federal Bureau of Investigation (FBI) performed the “2000 CSI/FBI Computer Crime and Security Survey”. The survey shows that 90 percent of the participants from large U.S. corporations, financial institutions, medical institutions, universities, and government agencies detected security breaches in 1999. Around 70 percent of the participants experienced more serious breaches than viruses or employee Web abuse; and 42 percent claimed financial losses that totaled over 265 million dollars in damages from cyber attacks (Dunsmore, 2).

      The cyber criminals responsible for these liabilities are identified as Hackers. It is important, however, to keep in mind that a Hacker is not actually someone who breaks into systems for illegal or destructive purposes. A hacker does possess such abilities, but a hacker can also be hired to test a system’s security. The term that we would use for someone that uses his or her skills for malicious purposes is a Cracker. There is even a third type of malicious user called a Script Kiddie. The Script Kiddie is derived from the Cracker, but is far less talented than the Cracker. Instead, they use well-known tricks and tools programmed by true Hackers or Crackers. They are derived from the crackers because they also tend to use their resources at hand for malicious purposes. For convenience purposes, all these groups are referred to as Hackers.

      Truly talented Hackers are extremely proficient in programming languages, how operating systems work, the protocols used in networks, how applications interact with each other, and even the history of networks and its services (Dunsmore, 5). Sometimes it is as easy as doing a simple search on the Internet. With a person’s name or phone number, some search engines can help a malicious hacker find more information about an individual, such as an address. If the hacker is proficient enough, and knows where the individual makes frequent purchases, he or she can break into that site and steal the victim’s information (Bahadur, 16). Now, just because Hackers possess all these abilities, does mean that we should avoid using anything that relates to Information Technology. The fact is that no matter how good their technical skills are, they can only go so far without the necessary information to get started.

      Knowing some of the key sources where malicious users get the information they need, and avoiding common mistakes can help drastically reduce the chances of becoming another identity theft victim. One good place for an identity stealer to begin is in the victim’s trash and mailboxes. One of the biggest mistakes that people make is tossing old banking or credit documents in the trash without shredding them. Pre-approved credit or loan solicitations in the trash can also give the perpetrator something to start with. Using an unlocked mailbox to receive and send mail makes an identity stealer’s job as easy as sneaking in it and going through it (Bidwell, 4). A lost or stolen wallet with a credit card and driver’s license can lead to identity theft, but the situation can particularly get out of hand if the wallet’s owner makes some of the most dangerous mistakes. The social security card should not be carried in a wallet, nor should a social security number be printed in a health insurance card, a driver’s license, or personal checks. Likewise, a social security number should not be used as an online account name, particularly for a bank, health insurance, or stockbroker. Passwords for online bank accounts and ATM personal identification numbers should not be written down anywhere in the wallet. Along with these preventive measures, it is always recommended to monitor your own identity by requesting yearly credit reports, reading website privacy policies before disclosing any kind of private information, and running both firewall and anti-virus software on your computer (Bidwell, 5).

      All these preventive measures do reduce the possibility of becoming a victim of identity theft, but it is not by all means a full warranty of immunity. If a hacker gets lucky, he or she might even find vital information about a potential victim online. Anything that seems suspicious in the latest credit report, bills for unsolicited services, and recurring credit card offers are signs that indicate a possible process of identity theft, and immediate action should be taken. The first step is to file a police report with local law enforcement. If the imposter is suspected to be in another state, a report should be filed in that state as well. Credit reports and any sort of relevant information such as a list of credit card numbers, bank account numbers, and billing cycle information will be useful for investigation purposes. While the investigation takes place, it is important to have a copy of everything that relates to it such as the police reports. They will help close accounts and obtain credit for purchases you didn’t make (Bidwell, 273). The second step is to report fraud and stolen accounts. This will include closing credit card accounts, bank and loan accounts, and any other commercial accounts such as memberships for clubs, grocery or department stores, and video rentals. All sorts of online accounts require attention as well. First, all passwords must be changed immediately, and every online service such as Internet Service Providers, banking institutions, and auction sites must be contacted so they can take necessary steps for protection. If a theft involves a website account or password, then the account should be deleted and not be used again. The final step is to notify the Federal Trade Commission (FTC) toll-free at 1-877-IDTHEFT (1-877-438-4338). If the fraud involves your driver’s license or Social Security Number then those should be reported as well (Bidwell, 276).

      Because identity theft is an increasing issue in the information age, and the recovery process is so tedious, several laws have either been passed or are somewhere in the several stages of development. Two of the earliest of these laws are the Freedom of Information Act (FOIA) and the Privacy Act of 1974. The Privacy Act allows you to obtain and correct your own information as needed to keep it accurate and complete. The FOIA is similar to the Privacy Act, but it only applies to federal agencies and does not give the right to access records held by Congress, the courts, or state or local government agencies (Dunsmore, 59).

      Today, Information Technology offers several benefits to our way of living, but we really shouldn’t avoid it because of its several inconveniences such as identity theft. Even though the Internet and its services are still considered to be at its early stage, they have extended so much that any attempt to stop it or reverse it would be unrealistic. Early developments of other tools such as the automobile were probably seen as menacing as the Internet today. Many of the major issues with the automobile were addressed with proper education. Likewise, proper education on preventive and corrective measures can be taken to protect our identity. It will also help our society evolve and find better ways to take the best out of the Internet, while countering the worst of it.

      References:

      Bahadur, G., Chan, W., & Webber, C. (2002) Privacy Defended: Protecting Yourself Online,
      16-17.

      Bidwell, T., Russell, R., & Cross, M. (2002). Hack Proofing Your Identity In the Information
      Age. Rockland, MA: Syngress Publishing, Inc. 3 – 5, 273, 276.

      Dunsmore, B., Brown, J.W., Cross, M. & Cunningham, S. (2001). Mission Critical! Internet
      Security. Rockland, MA: Syngress Publishing, Inc. 2, 5-6, 59.

      • #2668062

        While the references are great

        by hal 9000 ·

        In reply to Protecting your identity on the Internet

        You are restricting all of your inquiries to the US but if you were to have a look in the UK you would find that there are public records which show just how lax the banking sector actually is.

        It is possible for anyone to obtain a PIN number within 15 attempts if they know what they are doing. This was mentioned in a Court case last year where all the financial institutions tried to get a restraining order on evidence placed before a court and supplied by a “Post Graduate” student from his final Thesis. Even if the courts did suppress this which I’m not sure that they could as it is all public record it would only require some basic research to find it all out again.

        Incidentally you forgot to mention that the very first case of hacking that occurred in the world originated from Melbourne Australia back in the Unix days where the Melbourne Uni was hacked and what now is known as the Internet was used to access other computers to wreak havoc and steal data. At the time that this was going on there were no laws against this activity and it was the Australian Federal Police who succeeded in recording the first data transfers across phone lines where they could be reconstructed and decoded. Laws were only introduced here in Australia after a request from the US Government because all the big companies were being hit and generally vandalized but because it was an “International Event” nothing could be done about it. Eventually some of the people involved were caught and charged with stealing Melbourne Uni Computer time nothing more.

        Now that is something that I bet isn’t in your history books.

        Col

        • #2668038

          I would love to find out more

          by aldanatech ·

          In reply to While the references are great

          Thanks Col. You’re right. I focus too much on the U.S. because I live here but would like to know more about the network security in other parts of the world such as the U.K. and Australia. Do you know where I can get such information on the Internet?

        • #2732965

          Try Cambridge University

          by hal 9000 ·

          In reply to I would love to find out more

          As that was the Uni that the Post Grad student was attending and was helping him before the courts to stop the suppression of his thesis work.

          As far as network security goes it is pretty much the same the world over but it does differ between different networks as different companies have different needs so really there are no hard and fast rules in place about what is required but mainly general outlines. For instance medical and bank records are far better protected than records held by most small business this is really where knowledge of the Law becomes necessary as you need to know exactly under what pieces of Legislation they have to comply with.

          Obviously total protection would be great but in the real world this just doesn’t happen mainly owing to the costs involved. Then there are different protocols used between wired and wireless networks the list just goes on and on.

          But you could try the Australian Broadcasting Commission at http://www.abc.com.au as they ran a program on “Hacking” in the old days sometime last year I’m told unfortunately I was out working at the time so I didn’t get to see it so I really do not know if it was any good but from the trailers it was set from the Hackers side and attempted to explain why they did what they did, apparently they had at least one of the original Hackers involved in making the show {God I wish I could program a VCR at times.} But I had to study all of this when I was at Uni all those years ago sometime around 74 onwards to 82 so everything is a bit vague now as it isn’t something that I use at all.

          Actually Guru of DOS would probably be useful on the UK side as he lives there and may know a lot more about that incident than me as I only heard about it from a work briefing and I’ve never actually seen anymore about the whole mess. But it may have received a lot more coverage in the UK than it did over here I’ll see if I can get a message to him and ask him can he help.

          Col

        • #2733293

          They are still in there.

          by aldanatech ·

          In reply to Try Cambridge University

          Thank you Col I checked the Australian Broadcasting Commission site and they still have some of those reports. I will spend some time this week to check them out.

    • #2733303

      Is she an ethical hacker?

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      The Network Security Breaker Scenario.

      A friend of yours has developed a tool, that can contact corporate sites, scan their networks, and find weaknesses in their security system. She has made the software available to everyone via the Internet, including hackers and cyber-criminals. She says she is providing a useful product, which will help network managers improve their security systems. The companies whose networks were scanned say that she is assisting those people who will abuse them.

      Are her actions ethical? Why or why not? What if she sold her software rather than providing it for no charge?

      • #2727424

        Easy answer NO

        by hal 9000 ·

        In reply to Is she an ethical hacker?

        While she may have developed a tool to scan for weaknesses provided she isn’t using it without authority she is doing nothing wrong.

        Now it really doesn’t matter if she sells it or makes it freely available anywhere the same applies as she isn’t breaking any laws and it could prove a useful tool to any Network Admin.

        Actually I think that this is a hypothetical question as if someone had developed a tool like this they could just about write their own paycheck as they would almost certainly be overnight millionaires.

        But if it is a real program the best parallel would be the gun industry they can make and sell guns without breaking any laws as they are not responsible for what a certain individual may do with their product. The same applies here she isn’t responsible for what it is used for and if it is a real product she isn’t interested in making any money so she is more of a help to the Network Admins than a hindrance. If they knowingly leave their systems vulnerable they deserve the consequences remember “Slammer” Microsoft put out an article informing everyone to update their code and when it hit Microsoft was one of the first taken down, now some could argue that Microsoft was responsible for “Slammer” being written as they made known the weakness that Slammer exploited.

        Get the Idea?

        Incidentally if this tool actually exists e-mail me and let me know where to find it as I would like a copy to play with and test all the networks that I consult for.

        Col

        • #2727379

          Just a scenario

          by aldanatech ·

          In reply to Easy answer NO

          I personally don’t know of such a tool, but posted this scenario in relation to the discussion on Metasploit Framework 2.0. But thanks for your opinion. As always it is valuable for my research.

    • #2727399

      Credit card fraud

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      Because I live on the border between the U.S. and Mexico, I get to be informed about what is going on in both countries. Yesterday, there was a national news report from Mexico City on credit card cloning fraud. I couldn’t find yesterday’s report on their site, but here is a summary of what I found from a report on June 17th, 2002 (http://www.esmas.com/noticierostelevisa/mexico/239733.html):

      According to Miguel Torruco Márquez, national president of the Mexican Association of Hotels and Motels (AMHM), credit card fraud by card cloning rose up to 85 million US dollars. He declared before loan officials in the city of Monterrey, Nuevo León that fraud against foreign tourists alone was up 227,000 dollars between 1999 and 2001. Even in the state of Nuevo León, the fraud is estimated at 25,000 pesos from December 2001 to present (June 17th, 2002). Torruco indicates that this crime significantly affects loaners for tourism services and proposed considering it a serious crime in every Mexican state. He solicited in the name of AMHM, the intervention of lawmakers to declare fraud of credit cards and other payment forms as a serious crime.

      Now yesterday’s report was that the Mexican legislation finally completed changes to make credit card cloning a serious crime. Also, on a report from today, May 1st, 2004 (http://www.esmas.com/noticierostelevisa/mexico/160373.html), that the president of the Banking Association of Mexico will launch a massive recall to change over 8 million credit cards with smart chips starting next January in an effort to deter credit card cloning fraud. This recall is expected to last for about a year. According to the Banking Association of Mexico, losses for credit card fraud rose to 20 million dollars this year.

      Do you know how laws in other countries consider this kind of crime, and are they doing anything about it? Do you think smart chips will do the trick?

      • #2732468

        Colin’s reply

        by aldanatech ·

        In reply to Credit card fraud

        This was Col Luck’s reply by e-mail:

        From what you’re describing it’s nothing new and cloning plastic cards is a big business world wide. I honestly think that the figures that have been quoted are very much on the conservative side and even replacing the current crop of credit cards with the so called “Smart Cards” will only mean that the criminals have to change their methods a bit. Recently we had a group here caught with 100,000 blank cards waiting to be stamped and the magnetic strip encoded it was estimated that they had already made well in excess of 20,000 cards and managed to steal several million dollars and we only have around 20 million people over here. It’s a lot bigger in the USA and other large countries about the only place that is currently safe is in the back lots of China as there is no possibility of using plastic there.
        Now what the banks and other companies don’t tell you is that with every transaction not only is the dollar amount sent to the company but exactly what you have bought where and when. So if you walk into your nearest chain store and buy your weekly food on plastic they get to know exactly what you are buying where and what time you prefer to shop. This information is sold on to competitor of the products that you buy so you can be targeted for promotions of their goods.

        Now back to your original question it is a very big problem world wide and will only get worse as I mentioned previously with the standard plastic the average person should be able to gain access to your pin number within 15 attempts if they know what they are doing. Now the proposed “Smart Cards” are only a half way measure as they will only store account details and verify with the banks central computer that this account is in fact active much the same thing happens now with the current crop of plastic so while it is passed off as being far more secure it actually is only a way to increase fees as there is no added security involved but the average person will get a warm fuzzy feeling in their stomach knowing that they are now carrying a microprocessor with them instead of just a bit of plastic with a magnetic strip. It is only when the amounts available are keyed into the Smart Card technology that things will start to become secure but then it will be the banks’ responsibility when money is stolen and not the consumers’ so I honestly can’t see that happening in the short term.

        Just to give you an idea of how easy cloning these things are the AU Federal Government at great expense developed a counterfeit proof form of plastic money {instead of the old paper type} and it was claimed that it was impossible to fake as there was a clear plastic window with a watermark in it that was only possible to make in the Government mint. Unfortunately the average color photocopier could do just as good a job which was brought home to me when I saw a 12 year old in at his father’s work photocopying one side of a $100.00 note off. Now granted he was only playing but the copy was almost perfect and other than the obvious fact that it was only copied onto normal photocopy paper and not double sided it looked real enough until you touched it. Now if you wanted to do the job properly you could line up a whole swag of notes and duplex them onto film instead of paper and they would be very hard to tell from the real thing particularly if you only saw one at a time. This actually happened as one of the places that I consult for has several copies of these fake bank notes in house so that they can educate their tellers to pick the differences to the real thing. These of course were supplied by the Federal Government to all of the banks after they had been passed off as the real thing and it was only much later that they were picked up as being fake.

        Now if it is possible to do this with bank notes just how difficult do you think it will be to do to pieces of plastic that can be bought almost anywhere blank for company security purposes and programmed as required?

        • #2732467

          My reply

          by aldanatech ·

          In reply to Colin’s reply

          I do believe that part where you say banks selling information about my purchasing habits. It seems that every time I buy something with a credit card, a few months later I get catalogs of products related to that purchase.

    • #2692421

      Would you hire a rehabilitated cracker

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      Suppose you need to hire someone with strong network security skills, you find a candidate (a hacker), but he was convicted for using his skills for illegal purposes. Now suppose that was a long time ago, he completed his sentence, claims he is rehabilitated, and was not involved in any illegal activity since. Would you hire him? Why or why not? If you hire him, would you warn him he would work under close surveillance? Would you set any other condition? And if so, to what extent?

      • #2692739

        If it was a long time ago

        by hal 9000 ·

        In reply to Would you hire a rehabilitated cracker

        Most likely not, as by now he is out of touch with what is going on in the Hacker community, but if it was a recent conviction that really showed some flair I’d personally grab him/her as fast as I could and never allow his/her feet to touch the ground.

        I did this many years ago with a 15 year old kid who cracked a Defense Department secure area with a monitored line on of all things a Commodore 64, which was even then a play toy, but he managed to without attracting any notice break into a place over 16.000 times to download one file. When I heard about this I asked could I look up the records and it was expected that I would just pick up the hand out and read the half page spiel. Well I downloaded the whole court transcripts and all the investigation reports and then made immediate arrangements to see this kid with his play toy in a secure office. I got him to attempt to crack my system and find a specific file which was encrypted, download it and open it. Well besides the kid being scared witless it only took him 10 minutes to get in through 5 layers of protection that no one had been able to do previously, then find the file, download it and read it. I had my immediate boss with me at the time and I spirited both the kid and his family out of America to a “Safe Place” where he learned Languages and now I believe works for a much more clandestine organization than what I recruited him for.

        So in answer to your question, if I was offered a so called “Hacker”, depending on exactly what he/she was accused of doing and how they went about it, if they were into breaking in and extracting a copy of data and leaving without any sign of being in, I’d grab them as fast as possible because they understand just how the system works, unlike others who are taught and only half understand what exactly is going on, if even that. It is people like this who have a gift that I would not hesitate for one nanosecond to grab and have work for me, as the best way of preventing intrusions is to hire people who specialize in this type of thing and that by the very nature of the business means “Hackers”, but you really want one that didn’t leave tracks to follow. The particular kid that I grabbed was only found out because he published what he stole in his school newspaper, otherwise no one would have been any the wiser.

        Col

        • #2690772

          I see your point

          by aldanatech ·

          In reply to If it was a long time ago

          You’re right Col. There is no point in hiring a hacker that is outdated. Now how would you make sure this acquisition doesn’t backfire? I once read an article about a cracker that, after he was behind bars more than once, used his second and third chance, and the equipment to do his work, to go back to illegal activity such as hacking into accounts to transfer large amounts of money and stuff like that. How would you prevent something like this from happening? Would you monitor every muscle in his or her body? Would you stand beside him or her and watch his or her every move? Or would you trust your new employee?

        • #2691252

          Sorry for the delay but this is getting harder to find

          by hal 9000 ·

          In reply to I see your point

          Firstly if it was a repeat offender who was stealing money I probably would never touch them with a barge pole. But at the time in question I was working at a secure installation so there was not a problem as all traffic was monitored. Granted this kid could probably have got around this but I kept the poor little thing so busy that his feet barely touched the floor and between schooling that I chose for him and the work that I had him doing he didn’t have much time left over, so when he was allowed to escape my clutches he hit the bed fairly hard.

          Actually he’s a smart one as I still get correspondence from him whenever I log onto the Net, without opening anything I might add. At my home/work computer this is no big deal but when I spend more than a few days at a client’s business I start getting them there as well.

          Pity that I never want to return to that type of work as he informs me that I have a place there whenever I wish to return, but honestly I just can’t deal with all the paranoia anymore as I’m getting too old for it.

          But back to your question, if I just had to have someone like that working for me I would appear not to worry about things while all the time making sure that everything that was done from his terminal was mirrored onto another unit that I could view at my leisure, then if he/she even so much as looked as if they were about to step out of line I’d be down on them like a ton of bricks. After all if you set the ground rules first and enforce them vigilantly there should be very few problems.

          Col

        • #2737272

          That can work

          by aldanatech ·

          In reply to Sorry for the delay but this is getting harder to find

          I suppose that is the way to “keep them under control”. I have a cousin that told me about how employees in a popular organization he used to work in were monitored for security purposes. Higher levels of management could simply see in their monitors the same images from their employees’ monitors. Now, do you think there is a need to add any extra form of surveillance such as a camera or registering keyboard and mouse movements?

    • #2690767

      A little adjustment

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      There is a little adjustment to my site. The progress of my research will no longer be in the status page. It will be at the Unit pages in the Weekly Tracking of IAL Project section:

      http://www.aldanaweb.com/capella/

      At the time of this posting I am currently working on Unit 6.

      • #2690843

        Starting rough draft

        by aldanatech ·

        In reply to A little adjustment

        Now that my research phase is virtually complete, I’m now beginning to work on my rough draft. Here is the URL where I will be working on it:

        http://www.aldanaweb.com/capella/manuscriptroughdraft.htm

        If the URL doesn’t work, you can go to:

        http://www.aldanaweb.com/capella/

        Then go to Unit 6 and look for the “manuscript rough draft” on the lower half of the page. I might still ask for opinions on issues that come up along the way. Please let me know if there is any correction I should make. Any feedback you can provide me to enhance it will be appreciated.

        • #2737275

          First part of my manuscript

          by aldanatech ·

          In reply to Starting rough draft

          Here is a copy of what I have so far. Feel free to review it and correct any error or inaccuracy:

          Just about any IT professional should devote some attention to security — whether it is an individual computer, or an enterprise WAN network. Today, computers and networks are an essential contribution to the development and success of businesses and organizations, but their benefits are increasingly jeopardized by the speed and sophistication of security breaches and attacks. Common preventive actions include installing the latest patches, updating the Anti-Virus DAT files, configuring the firewall(s), and installing an intrusion-detection system. However, no matter the effort, there is always the concern that not enough was done to protect the system from attacks. When the IT professional encounters this situation, it becomes almost inevitable to stand in the attacker’s shoes. He or she must try to figure out what an attacker would attempt in order to hack the system. In other words, the IT professional must learn to actually be a hacker to anticipate other hackers’ moves and effectively protect his or her system from unauthorized access. The dilemma is that depending on the location and culture, hacking is legal, illegal, unethical, or both illegal and unethical. The alternative for this issue is to explore the possibility of becoming an Ethical Hacker.

          Before even considering becoming an Ethical Hacker, the successful candidate must understand what a hacker actually is and what he or she is up against. Merriam Webster’s Collegiate Dictionary Tenth Edition does define a hacker as a person who illegally gains access to and sometimes tampers with information in a computer system, but also as an expert at programming and solving problems with a computer. Many people identify a Hacker as a criminal that uses his or her skills in high technology for illegal activity such as breaking into people’s bank accounts and withdrawing huge amounts of money. The truth is that a hacker does have an extensive knowledge of technological devices, particularly computers, but that doesn’t necessarily mean that they will use those skills to commit a crime or for unethical purposes. In fact, having a hacker on staff can be a valuable asset to an organization. Because a hacker’s level of expertise in information technology is so high, he or she can provide solutions so creative that other people would not. Their skills can be particularly useful to efficiently secure a network.

          Stephen James, Chief Executive of IT and Audit Consulting in Australia, is a hacker that companies hire to crack their security systems for testing purposes. He explains that a typical attacker would start by obtaining as much information about the target as possible to identify vulnerabilities, such as the network’s topology, their security systems, and configurations. This process will probably include social engineering techniques such as impersonating a member of the IT help desk and asking vulnerable users to give them their user ID and password. The excuse will usually be to resolve a technical issue, and many users will not question it. Others are more cautious in these situations. Carlos O. Estrada, a phone technician from Mexico, says he once got a call from someone who attempted to use social engineering to obtain information about one of his company’s modems. When Carlos insisted on providing proper identification the caller hung up and never called again. After the attack is complete, Stephen says the cracker would try to be discreet and cover the evidence of his activity.

          It doesn’t take long for Stephen to test a company’s network for security. Sometimes he completes this task in no less than fifteen minutes. For a government association or a financial institute it takes him around a week; and his attempts are only detected in about 5% of the cases. Most of the time the actual purpose is to see how far an attacker can go and how much damage can be done with no knowledge of the organization’s network. Stephen says that an attacker’s target is usually sensitive information such as records from a hospital and credit card accounts. Between 90% and 95% of the time, he and his staff obtain sensitive information from the network. He even confirms that he had been able to transfer funds. Of course, all of this is done with proper permission. According to Stephen, high technology should not be the main focus to achieve a more secure network; it should be higher awareness.

          A cracker on the other hand, is someone who actually uses these skills to bypass a system’s security, access it without permission, and either steal something or cause damage. A minor variation of the cracker is the script kiddie. Script kiddies also do illegal or unethical activities, but they do not actually have as much technical background as a hacker or a cracker. Instead, they use scripts or programs from true crackers. The history of the modern cracker spans at least three decades. In the 1980’s, only individual computers were targets of attacks. One of the most common forms of attack was virus infection through disk sharing. In the 1990’s, attacks were extended to small and medium size networks. Today, the risk extends as far as the entire global infrastructure. In 2003, it is estimated that global losses from viruses alone were around thirteen billion dollars, and the reported global incidents in the first three quarters over the total number in 2000 was over 700%. By the half of 2004, the increase in loss due to denial of service attacks alone was over 2000% since 1999.

    • #2737081

      TR needs security needs feedback!!!!

      by jmottl ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      Hello TR members,
      We need to form a focus group that will review/critique security related content we’re currently developing and are hoping you’re interested in participating. We’ll be sending you a security package — a tool of various documents and downloads that we’re creating to help members use in their jobs, and looking for feedback on whether you believe they have value, suggestions for improvement and what specific security topics we should target first.
      Please email me at judy.mottl@cnet.com by tomorrow (Thursday) and let me know if you’re interested in serving on this focus group; that’d be great.
      I hope to hear from you,
      Sincerely
      Judy Mottl

    • #2736645

      What education for an Ethical Hacker

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      What kind of education do you think would be most appropriate for an Ethical Hacker (someone hired to legally test a system’s security)? Would it be experience itself? Would it be a Masters Degree in Network Security? Would it be a Security+, a CISSP, or a CEH certification? Would it be a combination of each, and if so, in what sequence?

    • #2731286

      So what is an ethical hacker (first look)

      by aldanatech ·

      In reply to Prepare a manuscript titled “Protecting your network as an ethical hacker”

      Here is my first draft about how to protect a network as an ethical hacker. Please check it closely and reply with any correction I should make. This includes inaccuracies, parts I should rephrase, anything you don’t agree with, and any additional contribution or insight you can provide me.

      Just about any IT professional should devote some attention to security — whether it is an individual computer, or an enterprise WAN network. Today, computers and networks are an essential contribution to the development and success of businesses and organizations, but their benefits are increasingly jeopardized by the speed and sophistication of security breaches and attacks. Common preventive actions include installing the latest patches, updating the Anti-Virus DAT files, configuring the firewall(s), and installing an intrusion-detection system. However, no matter the effort, there is always the concern that not enough was done to protect the system from attacks. When the IT professional encounters this situation, it becomes almost inevitable to stand in the attacker’s shoes. He or she must try to figure out what an attacker would attempt in order to hack the system. In other words, the IT professional must learn to actually be a hacker to anticipate other hackers’ moves and effectively protect his or her system from unauthorized access. The dilemma is that depending on the location and culture, hacking is legal, illegal, unethical, or both illegal and unethical. The alternative for this issue is to explore the possibility of becoming an Ethical Hacker.
      Before even considering becoming an Ethical Hacker, the successful candidate must understand what a hacker actually is and what he or she is up against. Merriam Webster’s Collegiate Dictionary Tenth Edition does define a hacker as a person who illegally gains access to and sometimes tampers with information in a computer system, but also as an expert at programming and solving problems with a computer. Many people identify a Hacker as a criminal that uses his or her skills in high technology for illegal activity such as breaking into people’s bank accounts and withdrawing huge amounts of money. The truth is that a hacker does have an extensive knowledge of technological devices, particularly computers, but that doesn’t necessarily mean that they will use those skills to commit a crime or for unethical purposes. In fact, having a hacker on staff can be a valuable asset to an organization. Because a hacker’s level of expertise in information technology is so high, he or she can provide solutions so creative that other people would not. Their skills can be particularly useful to efficiently secure a network. Truly talented Hackers are extremely proficient in programming languages, how operating systems work, the protocols used in networks, how applications interact with each other, and even the history of networks and their services.
      Stephen James, Chief Executive of IT and Audit Consulting in Australia, is a hacker that companies hire to crack their security systems for testing purposes. He explains that a typical attacker would start by obtaining as much information about the target as possible to identify vulnerabilities, such as the network’s topology, their security systems, and configurations. This process will probably include social engineering techniques such as impersonating a member of the IT help desk and asking vulnerable users to give them their user ID and password. The excuse will usually be to resolve a technical issue, and many users will not question it. Others are more cautious in these situations. Carlos O. Estrada, a phone technician from Mexico, says he once got a call from someone who attempted to use social engineering to obtain information about one of his company’s modems. When Carlos insisted on providing proper identification the caller hung up and never called again. After the attack is complete, Stephen says the cracker would try to be discreet and cover the evidence of his activity.
      It doesn’t take long for Stephen to test a company’s network for security. Sometimes he completes this task in no less than fifteen minutes. For a government association or a financial institute it takes him around a week; and his attempts are only detected in about 5% of the cases. Most of the time the actual purpose is to see how far an attacker can go and how much damage can be done with no knowledge of the organization’s network. Stephen says that an attacker’s target is usually sensitive information such as records from a hospital and credit card accounts. Between 90% and 95% of the time, he and his staff obtain sensitive information from the network. He even confirms that he had been able to transfer funds. Of course, all of this is done with proper permission. According to Stephen, high technology should not be the main focus to achieve a more secure network; it should be higher awareness.
      A hacker is then someone who is considered to be a white hat. A cracker on the other hand is considered to be a black hat. It is a lawbreaker. It is someone who actually uses his or her skills to bypass a system’s security, access it without permission, and either steal something or cause damage. A minor variation of the cracker is the script kiddie. Many crackers however, don’t consider themselves to be true black hats because they usually have some sort of justification for their actions. Some of them even consider themselves gray hats because they fall somewhere between the two sides. Script kiddies also do illegal or unethical activities, but they do not actually have as much technical background as a hacker or a cracker. Instead, they use scripts or programs from true hackers or crackers. The history of the modern cracker spans at least three decades. In the 1980’s, only individual computers were targets of attacks. One of the most common forms of attack was virus infection through disk sharing. In the 1990’s, attacks were extended to small and medium size networks. Today, the risk extends as far as the entire global infrastructure. In 2003, it is estimated that global losses from viruses alone were around thirteen billion dollars, and the reported global incidents in the first three quarters over the total number in 2000 was over 700%. By the half of 2004, the increase in loss due to denial of service attacks alone was over 2000% since 1999. The Slammer Worm’s infection rates doubled every 8.5 seconds. It drastically reduced or stopped services and communications for weeks.
      Most of the attacks on networks are thought to be external, but they can be external as well. An employee might download an ostensibly harmless file from either a website or an e-mail attachment. A network can also be vulnerable by improperly configuring a remote access system, a router, or a firewall. According to the CSI/FBI Computer crime and Security Survey of 530 computer security practitioners in 2003, 78% of the attacks in the United States were external. The other 22% of attacks were internal, but they can be up to ten times more damaging and expensive. According to the surveyed companies, the cost of internal attacks rose up to twenty-seven million dollars in 2003. This includes seventy million from proprietary information theft, and twenty-seven million from downtime and viruses. Even when security systems such as firewalls, anti-virus software, and intrusion detection systems are properly configured, it is impossible to download security upgrades and patch every single device on the network fast enough to ensure total protection. The challenge is even greater with the use of wireless access points for public Internet and access to the corporate network by partners, telecommuters, mobile users, and suppliers.
      On the other hand, a network is only as insecure as the awareness of its vulnerabilities. A network is insecure only to those who know its vulnerabilities, and it is secure to everyone else. This could bring the conclusion that publishing vulnerabilities causes networks to be insecure. However, it can actually help increase the possibility of making a network more secure by fixing the known vulnerabilities. Just as an attacker can’t exploit an unknown vulnerability, a defender can’t protect against an unknown vulnerability either. Trying to maintain vulnerabilities secret to increase security is dangerous. Vulnerabilities are secret only as long as it remains secret. Sometimes people discover secrets unintentionally, and virtually nothing can prevent a discovered secret to spread or control how far it can go. This seems to be the major reason why hackers believe all vulnerabilities should be published. Yes, this makes it easier for attackers to learn about them, but eventually they can still learn them from other various sources. More importantly, defenders and maybe even product vendors that learn about vulnerabilities can fix them to prevent future exploits. Not only does this help local networks be more secure, but also the Internet itself. It is believed that the Internet would be far more insecure without disclosing vulnerabilities that were then addressed.
      This brings the question of whether or not an employer should hire a hacker. By now it is clear that a hacker is actually an Ethical Hacker, but there as still many misconceptions about what a hacker actually is and the differences by a hacker and a cracker. This brings a wide range of opinions on the issue. Some people value the worth of having a hacker in staff. Those in favor consider a hacker to be an IT expert that is clever, but not malicious. They might have skills are likely not found in books or magazines, so they can provide the staff with the hands-on training that can’t be taught anywhere else. Some even believe that hacker built UNIX, the Internet, Linux, and many other technologies. Others still mistake a hacker with a cracker, and therefore consider it a risk, even a liability. The most common reason is that the employer simply could not trust him or her for corporate secuirty. If the candidate clams to be a rehabilitated cracker, that is a cracker that was caught by justice, and completed his or her sentence, many employers might still hesitate. Employers don’t see a way to fully determine that a former cracker to use his or her skills and the companie’s equipment criminal activities. Another reason could be the concern that if the employer must lay-off or fire the cracker, he or she could try to get revenge. Even when the hacker or former cracker is still employed, it can become difficult to determine the treatment he or she will get compared to other employees. If the hacker has the same treatment, the staff could have a sense of neglectance towards the employer. If the hackers gets special treatment, such a closely monitoring their activities, either the hacker or other employees could resent the inequality, even if the hacker never did anything that could represent a risk.
      Trying to differentiate between a hacker and cracker can be difficult if there is no criminal background. If this were the case then the employer’s decision would depend highly on his or her criteria. The employer might consider the possibility only if gathering as much information as possible about the candidate, and several interviews, that the risk is minimized compared to gain of potential. Those who are willing to hire a cracker (a hacker that used his or her skills to commit a crime) would do it as long as his or her skills are up-to-date and was not recurrently charged for wrongdoing. Colin Luck from Australia, says that a long time ago he knew a 15-year old kid that used a Commodore 64 game set to access a Defense Department secure area thousands of times to download a single file. He says he recruited him to test his system and it took him only 10 minutes to access an encrypted file inside five layers of protection. Mr. Luck values these kind people because they can identify flaws that can then be corrected, and are not easy to find. He says that the only reason why he found out about him was because the kid himself published what he stole in his school newspaper. Another alternative is to hire a hacker or a former cracker to train the staff on hacking methods and countermeasures. This option can be more viable for employers that still find it risky to hire hackers for their security. Away from the production network, the employer can set up a prototype network to resembles the original one as much as possible. This prototype network can be used for both for training and to test new security measures before implementing them on the actual network. By isolating the hacker on the test network, even the most reluctant employer can benefit from the services he or she can provide.
      Script-kiddies seem to have less value than hackers and crackers because they carry the stigma of “if they can do it, anyone can.” However, because they can also cause damage to a certain extent, they are still considered be potential attackers. Because script-kiddies use tools from true hackers or crackers, there is an ongoing debate about whether or not is ethical to make port scanners, packet sniffers, and other hacking tools widely available on the Internet and other sources. One example of such tools is the Metasploit Framework 2.0 software, an advanced open-source platform for developing, testing, and using exploit code. It is said that such a tool could help network managers improve the security of their system. Many argue that people with malicious purposes could also abuse it. Colin Luck from Australia considers that unless it is used without proper permission, it would not be unethical. It would be a useful tool for any network administrator regardless of how it is provided. In terms of ethics, he believes that such a tool would be similar to the gun industry. The industry is not responsible for the use of the guns, and neither would the software developer be responsible for the misuse of to network scanning tool. Gerardo Machorro from Mexico considers that such a tool would be appropriate for an intelligence agency or department, to access corporate sites and investigate possible administrative or financial fraud. He doesn’t see any problem if the tool is used that way because it would be endorsed by the intelligence organization. If it were otherwise, he would consider it to be a critically unethical because the IT professional should work for the common good of society. Such an act would not only be unethical for the IT professional, but it could also be against the law of a certain country, state, or city.
      Carlos O. Estrada, also from Mexico compares this debate with Einstein and his theory of relativity. Such theory led to the development of the atomic bomb or a-bomb. Is Einstein the villain for investigating something that rose out of his curiosity? Of course not, curiosity is what also lead to vaccination, the computer, and other scientific wonders. Technology by itself is neither good nor bad, but rather it is our use of it. So the question is: Who is to blame, the companies that develop insecure operating system, or people that look for vulnerabilities? Anyone can try to look for vulnerabilities in a system to either fix it to avoid future exploitations of it, or to actually exploit it. Such a system cannot only be an IT system, but also in an alarm system, or any kind of machinery. There will always be people with malicious purposes. It is best to look for tools that can help you find weak spots and strength it up, which is the responsibility of any IT professional. Whether it is commercial or free of charge, any tool will be used whatever way the user wishes. A cyber criminal is not someone who learns to use tools, but someone who uses them to commit crimes; the same as an ordinary citizen is a criminal only when he or she commits a crime.
      Laws play a major role in the fight against cybercrime. Some of the government regulations in the United States and other countries that can help slow down the momentum of cracking are the Gramm-Leach-Bliley Act (GLBA), the Information Privacy Act, the Children?s Internet Protection Act (CIPA), the Homeland Security Act, the PATRIOT Act, the Data Protection Act, the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act, and the Federal Information Processing Standards (FIPS). One of the newest governmental efforts to counter cybercrime is a controversial international treaty signed by the United States and 37 other countries in the Council of Europe’s “Convention on Cybercrime”. Critics argue that it will facilitate cross-border computer crime probes by cooperating with repressive regimes. Its purpose is to obligate participating countries to ban computer intrusion, child pornography, commercial copyright infringement, and online fraud. It also requires laws to permit government search and seize of e-mail and computer records, perform Internet surveillance, and to order Internet Service Providers to preserve logs for crime related investigation purposes. So far only Albania, Croatia, Estonia, Hungary, and Lithuania ratified the treaty. Those who favor the treaty say it will facilitate investigations on the Internet. Those who oppose it argue that governments with poor human rights habits could abuse it.
      Companies and individuals that create Operating Systems and software have the greatest responsibility of ensure that their products are secure, but they seem to a find it rather difficult to accomplish this. Even Bill Gates, chairman of Microsoft Corporation, blames the rash of worms and viruses that exploit Microsoft code on what he identifies as the “diabolical ingenuity of the computer underground”, and admits the people who attack these systems are getting more and more sophisticated. Still, he is optimistic about Microsoft’s improved security record. According to Gates. 300 days after the release of Microsoft Windows Server 2003 it had only eight serious security advisories, compared to 38 for Windows 2000. Among Microsoft’s plans for security enhancement include a technology to disable programs and services that might be vulnerable on users that have not yet installed the latest security patches, and tools to allow programmers to write applications without the need of administrative rights.
      Recently, Cisco Systems began to take a different approach. Instead of patching a system for known attacks, it focuses on preventing both known and unknown types of attacks before they start. An example of such technology is the Cisco Security Agent (CSA). CSA is not an intrusion detection system; it is considered to be a Host-based Intrusion Prevention System (HIPS). Intrusion detection systems only identify intrusions. By the time one alerts you, it is usually too late to do anything about it. Prevention systems prevent the intrusions from happening and let you know what they prevented. CSA works by using behavior analysis to detect and stop malicious activities instead of blocking ports or identifying attack signatures as with firewalls and anti-virus software. The problem with firewalls and anti-virus software is that companies must be continuously informed of new types of attacks. Then they must develop defenses and distribute them to every possible user. This could take tremendous amounts of time considering that worms can propagate across networks and the Internet in a matter of minutes. Prevention systems can actually stop worms from spreading and contain them. They don’t eradicate them, however. After the worm is contained, it must be removed either manually or with anti-virus software. Even though an intrusion prevention system is still not the single solution for every security issue, its service can be priceless compared to the loss in damages that viruses and worms produce.
      Certifications for a Security Specialist, and even an Ethical Hacker, are Security+ from CompTIA, CISSP from ISC2, and CEH (Certified Ethical Hacker) from EC-Council. The Security+ exam can be a good starting point for those interested in specializing in the field of IT Security. It covers communication security, infrastructure security, cryptography, access control, authentication, external attack and operational and organization security. The CISSP focuses on Telecommunications, Network & Internet Security. It includes Access Control Systems & Methodology, Applications & Systems Development, Business Continuity Planning, Cryptography, Ethics, Operations Security, Physical Security, Security Architecture & Models, and Security Management Practices. If what an IT professional is looking for is to officially be an Ethical Hacker, then there is probably no better way than obtaining a CEH certification. According to the EC-Council, the goal of the ethical hacker is to, within legal limits, help an organization take preventive measures against malicious attacks by attacking the system himself. It is an IT Pro that understands the weaknesses and vulnerabilities in target systems and is capable of locating them with the same knowledge and tools as a cracker. Not only can a CEH certification enhance the skills of security professionals, but also of security officers, auditors, site administrators, and anyone with an interest in strengthening the security of a network.
      It is unclear, however, what the ideal qualifications are for an Ethical Hacker. The choices are a Masters Degree in Network Security, a Security+, CISSP, or CEH certification, experience itself, or a combination of each. Other majors such as Computer Information Systems, or even Computer Science, might be accepted in place of Network Security. The idea behind a Degree seems to be that the candidate has the fundamental knowledge and skill, and has at least the capability of understanding the job to perform it satisfactorily. The only problem that some professionals see is that the network security courses that many universities offer focus only on the foundations, so the professional must still supplement this with either certifications, experience, or both. A candidate with a certification shows that he or she is up-to-date with the knowledge and skills that the certification represents. Before considering a security certification, many professionals begin with a Cisco certification such as CCNA. As the professional acquires more hands-on experience, he or she usually continues either with a more advanced Cisco certification or goes directly to a security certification. The CISSP certification seems to be the most popular of all. Critics of certifications, however, argue that many candidates today only study to pass exams, not to actually master the material.
      Experience seems to effectively help candidates develop relevant skills to be hired as an Ethical Hacker. While a degree or certification shows that the candidate knows how to do the job, experience shows the candidate got the job done. This of course requires the endorsement of proper work references. This complements official credentials perfectly. Employment history can begin with a part-time entry-level position such as a Computer Technician, and then aim at more advanced positions such as a Network Administrator or Network Technician, and test the network’s security by hacking it with proper permission. Other alternatives are volunteering to test the security of systems in non-profit organizations or for individuals such as doctors and offering them advice on how to correct vulnerabilities. Ideally, the Network Security Specialist (or Ethical Hacker) should have a combination of education, certifications, and experience.
