Is this what an ethical hacker is about?

By Aldanatech
I'm working on a college report on ethical hacking. Because members of TechRepublic are so knowledgeable, I figured I should get an opinion and accept any feedback for improvement. Please check it in detail and answer with any correction that you think I should make. This includes inaccuracies, anything you don't agree with, and just about any contribution or insight you can provide. Your help is greatly appreciated. The whole report doesn't fit in the question, so I just posted whatever fits, and you can find the rest on my page (http://www.aldanaweb.com/capella/manuscriptroughdraft.htm).

Here is my report:

Just about any IT professional should devote some attention to security -- whether it is an individual computer or an enterprise WAN network. Today, computers and networks are an essential contribution to the development and success of businesses and organizations, but their benefits are increasingly jeopardized by the speed and sophistication of security breaches and attacks. Common preventive actions include installing the latest patches, updating the Anti-Virus DAT files, configuring the firewall(s), and installing an intrusion-detection system. However, no matter the effort, there is always the concern that not enough was done to protect the system from attacks. When the IT professional encounters this situation, it becomes almost inevitable to stand in the attacker's shoes. He or she must try to figure out what an attacker would attempt in order to hack the system. In other words, the IT professional must learn to actually be a hacker to anticipate other hackers' moves and effectively protect his or her system from unauthorized access. The dilemma is that depending on the location and culture, hacking is legal, illegal, unethical, or both illegal and unethical. The alternative for this issue is to explore the possibility of becoming an Ethical Hacker...

The rest of the report is on my page (http://www.aldanaweb.com/capella/manuscriptroughdraft.htm)

17 total posts (Page 1 of 2)

by Joseph Moore In reply to Is this what an ethical h ...

Boy, you've got a lot to say there! I'll digest it and post something later tonight.

by Joseph Moore

First, I would not call a hacker a "white hat" and a cracker a "black hat". It's not that clear cut. Yes, a "hacker" probes security for weaknesses from an intellectual standpoint, while a cracker does the same in order to steal data and/or cause damage. The "hacker" in this definition does not take this extra step. He wants to see what type of security is in place at his target; he does not want to see what data is beyond the security at the target in an effort for financial gain or anarchy.
The "white hat" uses their hacker/cracker skills for good. There could be a "white hat cracker", someone who uses the skills of a cracker in order to HELP the target system. A company that does penetration testing to see what vulnerabilities can be exploited, with knowledgeable people doing the work, would fall into this category. Crackers using their skills, and stopping just BEFORE they cause destruction or just before they steal the credit card database, are white hat crackers.
"Black hat hackers" would also exist, in the scenario that they find out what vulnerabilities the target has, then they could pass this info off to their cracker friends and/or team mates. Maybe HACKER1 is good at penetration, but doesn't know SQL command syntax. So, HACKER1 penetrates a SQL server at the target company, then passes the penetration info (IP address, passwords, layers of security and how to bypass them) to their SQL DBA -- CRACKER1 --, who would then connect to the SQL server using HACKER1's collected info, to then download the credit card database. Then both HACKER1 and CRACKER1 use the credit card database info to buy things illegally. So, both hacker and cracker in this situation would be "black hat."

by Joseph Moore

I would not say that "what an IT professional is looking is to officially be an Ethical Hacker, then there is probably no better way than obtaining a CEH certification." The CEH, when it first came out, was criticized as being a joke! "Oh, look at me, I'm a certified hacker!!!" Yes, the exam is now being delivered by global testing centers (Prometric now carries the test), but the exam criteria for it are STILL stolen basically verbatim from the Hackers Exposed line of books! The list of what the CEH exam covers WAS the Table of Contents from Hackers Exposed! Maybe the exam is better now; I don't know. But it wasn't anywhere near the level of the respected security certs like the CISSP, the CompTIA Security+, the GIAC certs, SANS certs, or the other one that I can't remember the name of (damn!). Personally, I feel the CEH is a novelty cert, something that would earn you a beer from a fellow IT employee, just due to the sheer audacity of actually getting it AND admitting it!

"that many candidates today only study to pass exams, not to actually master the material." Very true. Microsoft is flooded with "paper MCSE" candidates, folks who take a 2-week bootcamp to pass the MCSE exams, but have never touched a machine in real life. Basically, a certification alone will not get you a job; real-world experience will probably help more, but having certs in addition to experience is the best solution. A lot of employers care about certification. It looks nice on the resume, what with a logo on the top corner of your resume.

by Joseph Moore

My thoughts on Metasploit. I've read a lot about it, and all of the freak-outs people are posting. Come on! There are other rootkits that one can get; this one just happens to be open source and real easy to get. An open source rootkit is not the end of the world here! It just means that it will probably be used more often than other ones (where you have to make friends with the hacking crew to get a copy), and many people will be collaborating to make it better. Therefore, I think that an admin who cares about security ought to be involved with Metasploit. It's our job here to keep secure, and I am of the opinion that you need to know what is out there that could threaten your system security. Stay up-to-date on new vulnerabilities, new tools, new techniques and concepts. Read Bugtraq every day, and other sites with this type of info. CAREFULLY join IRC channels where the discussions cover these topics. Keep your systems up to date. Monitor everything, and study your logs daily.

by Aldanatech

Thank you for your support


by CG IT In reply to Is this what an ethical h ...

Not bad; actually, I thought the whole paper was pretty good.

A paragraph outlining the sociology [or pathology would be a better term] of hackers would go well in your article. I'll quote from Network Professional's Library Windows 2000 Security Handbook, Osborne/McGraw-Hill 2001, by Tom Sheldon and Philip Cox, pages 15-16. Page 16, first paragraph: "Attackers learn about hacking by sharing information with their fellow attackers. The sociology of the cracking community is unlike the sociology of many other malicious subcultures. As an example, car thieves don't share new techniques with hundreds or thousands of other car thieves, while the cracking community readily shares their discoveries with others" ... "E.B. White said that, quote, 'the most time consuming thing is to have an enemy'." ... To go on further, the book relates this story on page 15, "Attackers: Who are they and why are they here", second paragraph: ..."description of one attacker's idea of an exciting Friday night [from a conversation we had with him] [sic, the authors' conversation]: '...We gather our tools: my laptop with extra batteries and a spool of phone wire. My friend is good with phones, so we drive around until we find a building that we can get to the phone box on. He will connect the spool to their phone system, so we can dial out on their bill, and then run the wire back to some bushes that we can sit in. I have some dial-up usernames and passwords that I got off the attacker's lists, so I use them to get access. We just hack around until the batteries run dry, then we'll pack up and maybe come back tomorrow.'"

Given that premise, and the fact that businesses may hire these very computer-knowledgeable attackers to gain business advantage, hiring an "Ethical hacker" to guard against those attackers weighs in favor of it.

by CG IT

I'll add that the term "hacker" may not well define the breed, whereas the term "attacker" might well distinguish between those that try to break codes and those that use those tools to perform malicious attacks!

by CG IT

I need to add some thoughts. First is that your paper is pretty good. You've got the grab line [premise] right up front to interest the reader to continue. You've got a dearth of information to back up or "justify" your premise. Second is that to "sell" the need for hiring an ethical hacker (or a better term would be a security specialist [who just happens to be an expert hacker]) to businesses, businesses have to have a need. Need can be real or imagined need. I would venture to say that the imagined need, e.g. the "possibility" of being broken into, rather than an actual need [being broken into], is the driving force in companies looking to hire a security expert. Third point: Today, many of the security holes that are found in the Windows operating system are found by consultants employed to find the holes. That is something that the general public or not tech savvy company executives actually "get". An imagined threat works to a business advantage. People rush out to buy antivirus software, firewalls, Intrusion Detection Systems, routers with firewalls, etc., new products that are supposed to make stuff secure. It's good for business.

Fourth point: Evolution! You've got some good material references on the evolution of hacking from the beginning of the computer age, where early programmers also happened to be avid pranksters, to modern day criminals who have access to thousands of hacking/cracking/intrusion methods to electronically enter and compromise the data of companies like banks, credit card companies, check clearing companies and even individuals for the purposes of defrauding or stealing $$.

by CG IT

I need to interject this. I wrote this sentence: "That is something that the general public or not tech savvy company executives actually 'get'." What I meant was: "...the general public or not tech savvy company executives DON'T actually 'get'."

by CG IT

To continue: the early prankster-prone programmers loved to put up-and-comers in their place via pranks or "viruses". Ha ha on the guy who didn't know and loaded it up. Or they used it as a way to "get even" with someone who pissed them off. Early geeks weren't football players or boxers, or weightlifters, and tended to stay locked in with their computers. Didn't get out much. So viruses tended to be a way to get even. It was also a way geeks made a challenge. The early programmers [and they all happened to love being pranksters] happened to also love a challenge. One would put up a block as a challenge to others and voila! Hacking became a game programmers used to play with each other. Break in, e.g. meet and beat the challenge, then you're afforded recognition [with the added benefit of learning]. Create a challenge in return. Those challenges are made readily available on the internet. How else would other programmers know of the challenge?

On the other hand, criminals could give a s..t about a challenge. They care only about $$ and a fast and easy way to get it.

Mix the two, e.g. programmers publishing their tools so they are made available to other programmers, and criminals having easy access to the programmers' tools and how to use them, and you've got a real problem on your hands.

And those last 2 paragraphs, I would say, are the whole premise of hiring an Ethical Hacker [Security specialist].
