Prepare a manuscript titled "Protecting your network as an ethical hacker"

By Aldanatech
I am working on a research project on ethical hacking as part of my requirements to complete my Bachelor of Science degree with a concentration in Network Technology. The purpose of this project is to make a study of two important aspects of Information Technology security. One is ethical and unethical hacking. The other aspect is the methods for counter-hacking. Ethical and unethical hacking will focus on the differences between them, at what point hacking is considered ethical, and what is considered to be an ethical way of protecting yourself and your network. The counter-hacking methods study will include preventive measures against common hacking methods, but not specific details on how the attack is actually performed. Details on the latest protection features and products from Cisco, Microsoft, Novell, and Symantec will also be featured. I might also include some details on the current laws that support network security.

This project is expected to be completed in two months. What I would like from you is to review my progress (about once a week or so) and provide me with feedback such as corrections, additions, and clarifications. I would also like your opinion on my research topics. Do you believe any of them are irrelevant or unnecessary?

The URL of my project is:

http://www.aldanaweb.com/capella/

Moreover, I will keep track of my notes and progress in:

http://www.aldanaweb.com/capella/statusreport.htm

I trust the knowledge and expertise of everyone on TechRepublic, and all the help you can provide me will be appreciated. Also, let me know if you would like me to include you in my contributors list.

I see your point

by Aldanatech In reply to If it was a long time ago

You're right, Col. There is no point in hiring a hacker who is outdated. Now, how would you make sure this acquisition doesn't backfire? I once read an article about a cracker who, after he had been behind bars more than once, used his second and third chance, and the equipment given to him to do his work, to go back to illegal activity such as hacking into accounts to transfer large amounts of money and things like that. How would you prevent something like this from happening? Would you monitor every muscle in his or her body? Would you stand beside him or her and watch his or her every move? Or would you trust your new employee?

Sorry for the delay but this is getting harder to find

by HAL 9000 Moderator In reply to I see your point

Firstly, if it was a repeat offender who was stealing money, I probably would never touch them with a barge pole. But at the time in question I was working at a secure installation, so there was not a problem, as all traffic was monitored. Granted, this kid could probably have got around this, but I kept the poor little thing so busy that his feet barely touched the floor, and between the schooling that I chose for him and the work that I had him doing, he didn't have much time left over, so when he was allowed to escape my clutches he hit the bed fairly hard.

Actually, he's a smart one, as I still get correspondence from him whenever I log onto the Net, without opening anything, I might add. At my home/work computer this is no big deal, but when I spend more than a few days at a client's business I start getting them there as well.

Pity that I never want to return to that type of work, as he informs me that I have a place there whenever I wish to return, but honestly I just can't deal with all the paranoia anymore, as I'm getting too old for it.

But back to your question: if I just had to have someone like that working for me, I would appear not to worry about things while all the time making sure that everything that was done from his terminal was mirrored onto another unit that I could view at my leisure; then, if he/she even so much as looked as if they were about to step out of line, I'd be down on them like a ton of bricks. After all, if you set the ground rules first and enforce them vigilantly, there should be very few problems.

Col

That can work

by Aldanatech In reply to Sorry for the delay but t ...

I suppose that is the way to "keep them under control". I have a cousin who told me how employees in a popular organization he used to work in were monitored for security purposes. Higher levels of management could simply see on their monitors the same images from their employees' monitors. Now, do you think there is a need to add any extra form of surveillance, such as a camera or registering keyboard and mouse movements?

A little adjustment

by Aldanatech In reply to Prepare a manuscript titl ...

There is a little adjustment to my site. The progress of my research will no longer be on the status page. It will be on the Unit pages, in the Weekly Tracking of IAL Project section:

http://www.aldanaweb.com/capella/

At the time of this posting I am currently working on Unit 6.

Starting rough draft

by Aldanatech In reply to A little adjustment

Now that my research phase is virtually complete, I'm beginning to work on my rough draft. Here is the URL where I will be working on it:

http://www.aldanaweb.com/capella/manuscriptroughdraft.htm

If the URL doesn't work, you can go to:

http://www.aldanaweb.com/capella/

Then go to Unit 6 and look for the "manuscript rough draft" on the lower half of the page. I might still ask for opinions on issues that come up along the way. Please let me know if there is any correction I should make. Any feedback you can provide me to enhance it will be appreciated.

First part of my manuscript

by Aldanatech In reply to Starting rough draft

Here is a copy of what I have so far. Feel free to review it and correct any error or inaccuracy:

Just about any IT professional should devote some attention to security -- whether it is an individual computer or an enterprise WAN network. Today, computers and networks are an essential contribution to the development and success of businesses and organizations, but their benefits are increasingly jeopardized by the speed and sophistication of security breaches and attacks. Common preventive actions include installing the latest patches, updating the anti-virus DAT files, configuring the firewall(s), and installing an intrusion-detection system. However, no matter the effort, there is always the concern that not enough was done to protect the system from attacks. When the IT professional encounters this situation, it becomes almost inevitable to stand in the attacker's shoes. He or she must try to figure out what an attacker would attempt in order to hack the system. In other words, the IT professional must learn to actually be a hacker to anticipate other hackers' moves and effectively protect his or her system from unauthorized access. The dilemma is that depending on the location and culture, hacking is legal, illegal, unethical, or both illegal and unethical. The alternative for this issue is to explore the possibility of becoming an Ethical Hacker.

Before even considering becoming an Ethical Hacker, the successful candidate must understand what a hacker actually is and what he or she is up against. Merriam-Webster's Collegiate Dictionary, Tenth Edition, does define a hacker as a person who illegally gains access to and sometimes tampers with information in a computer system, but also as an expert at programming and solving problems with a computer. Many people identify a hacker as a criminal who uses his or her skills in high technology for illegal activity such as breaking into people's bank accounts and withdrawing huge amounts of money. The truth is that a hacker does have extensive knowledge of technological devices, particularly computers, but that doesn't necessarily mean that they will use those skills to commit a crime or for unethical purposes. In fact, having a hacker on staff can be a valuable asset to an organization. Because a hacker's level of expertise in information technology is so high, he or she can provide solutions more creative than other people would. Their skills can be particularly useful to efficiently secure a network.

Stephen James, Chief Executive of IT and Audit Consulting in Australia, is a hacker whom companies hire to crack their security systems for testing purposes. He explains that a typical attacker would start by obtaining as much information about the target as possible to identify vulnerabilities, such as the network's topology, its security systems, and configurations. This process will probably include social engineering techniques such as impersonating a member of the IT help desk and asking vulnerable users to give them their user ID and password. The excuse will usually be to resolve a technical issue, and many users will not question it. Others are more cautious in these situations. Carlos O. Estrada, a phone technician from Mexico, says he once got a call from someone who attempted to use social engineering to obtain information about one of his company's modems. When Carlos insisted on proper identification being provided, the caller hung up and never called again. After the attack is complete, Stephen says, the cracker would try to be discreet and cover the evidence of his activity.

It doesn't take long for Stephen to test a company's network for security. Sometimes he completes this task in no less than fifteen minutes. For a government association or a financial institution it takes him around a week, and his attempts are detected in only about 5% of cases. Most of the time the actual purpose is to see how far an attacker can go and how much damage can be done with no knowledge of the organization's network. Stephen says that an attacker's target is usually sensitive information such as records from a hospital and credit card accounts. Between 90% and 95% of the time, he and his staff obtain sensitive information from the network. He even confirms that he has been able to transfer funds. Of course, all of this is done with proper permission. According to Stephen, high technology should not be the main focus to achieve a more secure network; it should be higher awareness.

A cracker, on the other hand, is someone who actually uses these skills to bypass a system's security, access it without permission, and either steal something or cause damage. A minor variation of the cracker is the script kiddie. Script kiddies also do illegal or unethical activities, but they do not actually have as much technical background as a hacker or a cracker. Instead, they use scripts or programs from true crackers. The history of the modern cracker spans at least three decades. In the 1980s, only individual computers were targets of attacks. One of the most common forms of attack was virus infection through disk sharing. In the 1990s, attacks were extended to small and medium-sized networks. Today, the risk extends as far as the entire global infrastructure. In 2003, it was estimated that global losses from viruses alone were around thirteen billion dollars, and the number of reported global incidents in the first three quarters was over 700% of the total number in 2000. By the middle of 2004, the increase in loss due to denial of service attacks alone was over 2000% since 1999.

TR needs security needs feedback!!!!

by jmottl In reply to Prepare a manuscript titl ...

Hello TR members,
We need to form a focus group that will review/critique security-related content we're currently developing, and we hope you're interested in participating. We'll be sending you a security package -- a tool of various documents and downloads that we're creating to help members use in their jobs -- and are looking for feedback on whether you believe they have value, suggestions for improvement, and which specific security topics we should target first.
Please email me at judy.mottl@cnet.com by tomorrow (Thursday) and let me know if you're interested in serving on this focus group; that'd be great.
I hope to hear from you,
Sincerely
Judy Mottl

What education for an Ethical Hacker

by Aldanatech In reply to Prepare a manuscript titl ...

What kind of education do you think would be most appropriate for an Ethical Hacker (someone hired to legally test a system's security)? Would it be experience itself? Would it be a Masters Degree in Network Security? Would it be a Security+, a CISSP, or a CEH certification? Would it be a combination of each, and if so, in what sequence?

So what is an ethical hacker (first look)

by Aldanatech In reply to Prepare a manuscript titl ...

Here is my first draft about how to protect a network as an ethical hacker. Please check it closely and reply with any correction I should make. This includes inaccuracies, parts I should rephrase, anything you don't agree with, and any additional contribution or insight you can provide me.

Just about any IT professional should devote some attention to security -- whether it is an individual computer or an enterprise WAN network. Today, computers and networks are an essential contribution to the development and success of businesses and organizations, but their benefits are increasingly jeopardized by the speed and sophistication of security breaches and attacks. Common preventive actions include installing the latest patches, updating the anti-virus DAT files, configuring the firewall(s), and installing an intrusion-detection system. However, no matter the effort, there is always the concern that not enough was done to protect the system from attacks. When the IT professional encounters this situation, it becomes almost inevitable to stand in the attacker's shoes. He or she must try to figure out what an attacker would attempt in order to hack the system. In other words, the IT professional must learn to actually be a hacker to anticipate other hackers' moves and effectively protect his or her system from unauthorized access. The dilemma is that depending on the location and culture, hacking is legal, illegal, unethical, or both illegal and unethical. The alternative for this issue is to explore the possibility of becoming an Ethical Hacker.
Before even considering becoming an Ethical Hacker, the successful candidate must understand what a hacker actually is and what he or she is up against. Merriam-Webster's Collegiate Dictionary, Tenth Edition, does define a hacker as a person who illegally gains access to and sometimes tampers with information in a computer system, but also as an expert at programming and solving problems with a computer. Many people identify a hacker as a criminal who uses his or her skills in high technology for illegal activity such as breaking into people's bank accounts and withdrawing huge amounts of money. The truth is that a hacker does have extensive knowledge of technological devices, particularly computers, but that doesn't necessarily mean that they will use those skills to commit a crime or for unethical purposes. In fact, having a hacker on staff can be a valuable asset to an organization. Because a hacker's level of expertise in information technology is so high, he or she can provide solutions more creative than other people would. Their skills can be particularly useful to efficiently secure a network. Truly talented hackers are extremely proficient in programming languages, how operating systems work, the protocols used in networks, how applications interact with each other, and even the history of networks and their services.
Stephen James, Chief Executive of IT and Audit Consulting in Australia, is a hacker whom companies hire to crack their security systems for testing purposes. He explains that a typical attacker would start by obtaining as much information about the target as possible to identify vulnerabilities, such as the network's topology, its security systems, and configurations. This process will probably include social engineering techniques such as impersonating a member of the IT help desk and asking vulnerable users to give them their user ID and password. The excuse will usually be to resolve a technical issue, and many users will not question it. Others are more cautious in these situations. Carlos O. Estrada, a phone technician from Mexico, says he once got a call from someone who attempted to use social engineering to obtain information about one of his company's modems. When Carlos insisted on proper identification being provided, the caller hung up and never called again. After the attack is complete, Stephen says, the cracker would try to be discreet and cover the evidence of his activity.
It doesn't take long for Stephen to test a company's network for security. Sometimes he completes this task in no less than fifteen minutes. For a government association or a financial institution it takes him around a week, and his attempts are detected in only about 5% of cases. Most of the time the actual purpose is to see how far an attacker can go and how much damage can be done with no knowledge of the organization's network. Stephen says that an attacker's target is usually sensitive information such as records from a hospital and credit card accounts. Between 90% and 95% of the time, he and his staff obtain sensitive information from the network. He even confirms that he has been able to transfer funds. Of course, all of this is done with proper permission. According to Stephen, high technology should not be the main focus to achieve a more secure network; it should be higher awareness.
A hacker is then someone who is considered to be a white hat. A cracker, on the other hand, is considered to be a black hat. A cracker is a lawbreaker: someone who actually uses his or her skills to bypass a system's security, access it without permission, and either steal something or cause damage. A minor variation of the cracker is the script kiddie. Many crackers, however, don't consider themselves to be true black hats because they usually have some sort of justification for their actions. Some of them even consider themselves gray hats because they fall somewhere between the two sides. Script kiddies also do illegal or unethical activities, but they do not actually have as much technical background as a hacker or a cracker. Instead, they use scripts or programs from true hackers or crackers. The history of the modern cracker spans at least three decades. In the 1980s, only individual computers were targets of attacks. One of the most common forms of attack was virus infection through disk sharing. In the 1990s, attacks were extended to small and medium-sized networks. Today, the risk extends as far as the entire global infrastructure. In 2003, it was estimated that global losses from viruses alone were around thirteen billion dollars, and the number of reported global incidents in the first three quarters was over 700% of the total number in 2000. By the middle of 2004, the increase in loss due to denial of service attacks alone was over 2000% since 1999. The Slammer worm's infection rate doubled every 8.5 seconds. It drastically reduced or stopped services and communications for weeks.
Most of the attacks on networks are thought to be external, but they can be external as well. An employee might download an ostensibly harmless file from either a website or an e-mail attachment. A network can also be vulnerable through an improperly configured remote access system, router, or firewall. According to the CSI/FBI Computer Crime and Security Survey of 530 computer security practitioners in 2003, 78% of the attacks in the United States were external. The other 22% of attacks were internal, but they can be up to ten times more damaging and expensive. According to the surveyed companies, the cost of internal attacks rose to twenty-seven million dollars in 2003. This includes seventy million from proprietary information theft and twenty-seven million from downtime and viruses. Even when security systems such as firewalls, anti-virus software, and intrusion detection systems are properly configured, it is impossible to download security upgrades and patch every single device on the network fast enough to ensure total protection. The challenge is even greater with the use of wireless access points for public Internet and access to the corporate network by partners, telecommuters, mobile users, and suppliers.
On the other hand, a network is only as insecure as the awareness of its vulnerabilities. A network is insecure only to those who know its vulnerabilities, and it is secure to everyone else. This could bring the conclusion that publishing vulnerabilities causes networks to be insecure. However, it can actually help increase the possibility of making a network more secure by fixing the known vulnerabilities. Just as an attacker can't exploit an unknown vulnerability, a defender can't protect against an unknown vulnerability either. Trying to keep vulnerabilities secret to increase security is dangerous. A vulnerability is secret only as long as it remains secret. Sometimes people discover secrets unintentionally, and virtually nothing can prevent a discovered secret from spreading or control how far it can go. This seems to be the major reason why hackers believe all vulnerabilities should be published. Yes, this makes it easier for attackers to learn about them, but eventually they can still learn them from various other sources. More importantly, defenders and maybe even product vendors that learn about vulnerabilities can fix them to prevent future exploits. Not only does this help local networks be more secure, but also the Internet itself. It is believed that the Internet would be far more insecure without disclosing vulnerabilities that were then addressed.
This brings the question of whether or not an employer should hire a hacker. By now it is clear that a hacker is actually an Ethical Hacker, but there are still many misconceptions about what a hacker actually is and the differences between a hacker and a cracker. This brings a wide range of opinions on the issue. Some people value the worth of having a hacker on staff. Those in favor consider a hacker to be an IT expert who is clever, but not malicious. They might have skills that are likely not found in books or magazines, so they can provide the staff with hands-on training that can't be taught anywhere else. Some even believe that hackers built UNIX, the Internet, Linux, and many other technologies. Others still mistake a hacker for a cracker, and therefore consider him or her a risk, even a liability. The most common reason is that the employer simply could not trust him or her with corporate security. If the candidate claims to be a rehabilitated cracker, that is, a cracker who was caught by justice and completed his or her sentence, many employers might still hesitate. Employers don't see a way to fully determine that a former cracker will not use his or her skills and the company's equipment for criminal activities. Another reason could be the concern that if the employer must lay off or fire the cracker, he or she could try to get revenge. Even when the hacker or former cracker is still employed, it can become difficult to determine the treatment he or she will get compared to other employees. If the hacker gets the same treatment, the staff could have a sense of neglect towards the employer. If the hacker gets special treatment, such as closely monitoring their activities, either the hacker or other employees could resent the inequality, even if the hacker never did anything that could represent a risk.
Trying to differentiate between a hacker and a cracker can be difficult if there is no criminal background. If this were the case, then the employer's decision would depend highly on his or her criteria. The employer might consider the possibility only if, after gathering as much information as possible about the candidate and several interviews, the risk is minimized compared to the potential gain. Those who are willing to hire a cracker (a hacker who used his or her skills to commit a crime) would do it as long as his or her skills are up-to-date and he or she was not repeatedly charged with wrongdoing. Colin Luck from Australia says that a long time ago he knew a 15-year-old kid who used a Commodore 64 game set to access a Defense Department secure area thousands of times to download a single file. He says he recruited him to test his system, and it took him only 10 minutes to access an encrypted file inside five layers of protection. Mr. Luck values these kinds of people because they can identify flaws that can then be corrected, and they are not easy to find. He says that the only reason he found out about him was because the kid himself published what he stole in his school newspaper. Another alternative is to hire a hacker or a former cracker to train the staff on hacking methods and countermeasures. This option can be more viable for employers that still find it risky to hire hackers for their security. Away from the production network, the employer can set up a prototype network that resembles the original one as much as possible. This prototype network can be used both for training and to test new security measures before implementing them on the actual network. By isolating the hacker on the test network, even the most reluctant employer can benefit from the services he or she can provide.
Script kiddies seem to have less value than hackers and crackers because they carry the stigma of "if they can do it, anyone can." However, because they can also cause damage to a certain extent, they are still considered to be potential attackers. Because script kiddies use tools from true hackers or crackers, there is an ongoing debate about whether or not it is ethical to make port scanners, packet sniffers, and other hacking tools widely available on the Internet and from other sources. One example of such tools is the Metasploit Framework 2.0 software, an advanced open-source platform for developing, testing, and using exploit code. It is said that such a tool could help network managers improve the security of their systems. Many argue that people with malicious purposes could also abuse it. Colin Luck from Australia considers that unless it is used without proper permission, it would not be unethical. It would be a useful tool for any network administrator regardless of how it is provided. In terms of ethics, he believes that such a tool would be similar to the gun industry. The industry is not responsible for the use of the guns, and neither would the software developer be responsible for the misuse of the network scanning tool. Gerardo Machorro from Mexico considers that such a tool would be appropriate for an intelligence agency or department, to access corporate sites and investigate possible administrative or financial fraud. He doesn't see any problem if the tool is used that way because it would be endorsed by the intelligence organization. If it were otherwise, he would consider it to be critically unethical because the IT professional should work for the common good of society. Such an act would not only be unethical for the IT professional, but it could also be against the law of a certain country, state, or city.
Carlos O. Estrada, also from Mexico, compares this debate with Einstein and his theory of relativity. That theory led to the development of the atomic bomb, or A-bomb. Is Einstein the villain for investigating something that rose out of his curiosity? Of course not; curiosity is also what led to vaccination, the computer, and other scientific wonders. Technology by itself is neither good nor bad; rather, it is our use of it that is. So the question is: who is to blame, the companies that develop insecure operating systems, or the people who look for vulnerabilities? Anyone can try to look for vulnerabilities in a system either to fix it to avoid future exploitation, or to actually exploit it. Such a system can be not only an IT system, but also an alarm system, or any kind of machinery. There will always be people with malicious purposes. It is best to look for tools that can help you find weak spots and strengthen them, which is the responsibility of any IT professional. Whether it is commercial or free of charge, any tool will be used whatever way the user wishes. A cyber criminal is not someone who learns to use tools, but someone who uses them to commit crimes; in the same way, an ordinary citizen is a criminal only when he or she commits a crime.
Laws play a major role in the fight against cybercrime. Some of the government regulations in the United States and other countries that can help slow down the momentum of cracking are the Gramm-Leach-Bliley Act (GLBA), the Information Privacy Act, the Children's Internet Protection Act (CIPA), the Homeland Security Act, the PATRIOT Act, the Data Protection Act, the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act, and the Federal Information Processing Standards (FIPS). One of the newest governmental efforts to counter cybercrime is a controversial international treaty signed by the United States and 37 other countries, the Council of Europe's "Convention on Cybercrime". Critics argue that it will facilitate cross-border computer crime probes by cooperating with repressive regimes. Its purpose is to obligate participating countries to ban computer intrusion, child pornography, commercial copyright infringement, and online fraud. It also requires laws to permit government search and seizure of e-mail and computer records, to perform Internet surveillance, and to order Internet Service Providers to preserve logs for crime-related investigation purposes. So far only Albania, Croatia, Estonia, Hungary, and Lithuania have ratified the treaty. Those who favor the treaty say it will facilitate investigations on the Internet. Those who oppose it argue that governments with poor human rights habits could abuse it.
Companies and individuals that create operating systems and software have the greatest responsibility of ensuring that their products are secure, but they seem to find it rather difficult to accomplish this. Even Bill Gates, chairman of Microsoft Corporation, blames the rash of worms and viruses that exploit Microsoft code on what he identifies as the "diabolical ingenuity of the computer underground", and admits the people who attack these systems are getting more and more sophisticated. Still, he is optimistic about Microsoft's improved security record. According to Gates, 300 days after the release of Microsoft Windows Server 2003 it had only eight serious security advisories, compared to 38 for Windows 2000. Microsoft's plans for security enhancement include a technology to disable programs and services that might be vulnerable for users who have not yet installed the latest security patches, and tools to allow programmers to write applications without the need for administrative rights.
Recently, Cisco Systems began to take a different approach. Instead of patching a system for known attacks, it focuses on preventing both known and unknown types of attacks before they start. An example of such technology is the Cisco Security Agent (CSA). CSA is not an intrusion detection system; it is considered to be a Host-based Intrusion Prevention System (HIPS). Intrusion detection systems only identify intrusions. By the time one alerts you, it is usually too late to do anything about it. Prevention systems prevent the intrusions from happening and let you know what they prevented. CSA works by using behavior analysis to detect and stop malicious activities instead of blocking ports or identifying attack signatures as firewalls and anti-virus software do. The problem with firewalls and anti-virus software is that companies must be continuously informed of new types of attacks. Then they must develop defenses and distribute them to every possible user. This could take tremendous amounts of time, considering that worms can propagate across networks and the Internet in a matter of minutes. Prevention systems can actually stop worms from spreading and contain them. They don't eradicate them, however. After the worm is contained, it must be removed either manually or with anti-virus software. Even though an intrusion prevention system is still not the single solution for every security issue, its service can be priceless compared to the loss in damages that viruses and worms produce.
Certifications for a Security Specialists, and even an Ethical Hacker are Security+ from CompTIA, CISSP from ISC2, and CEH (Certified Ethical Hacker) from EC-Council. The Security+ exam can be a good starting point for those interested is specializing in the field of IT Security. It covers includes communication security, infrastructure security, cryptography, access control, authentication, external attack and operational and organization security. The CISSP focuses on Telecommunications, Network & Internet Security. It includes Access Control Systems & Methodology, Applications & Systems Development, Business Continuity Planning, Cryptography, Ethics, Operations Security, Physical Security, Security Architecture & Models, and Security Management Practices. If what an IT professional is looking is to officially be an Ethical Hacker, then there is probably no better way than obtaining a CEH certification. According to the EC-Council, the goal of the ethical hacker is to within legal limits, help an organization take preventive measures against malicious attacks by attacking the system himself. It is an IT Pro that understands the weaknesses and vulnerabilities in target systems and is capable of locating them with the same knowledge and tools as a cracker. Not only can A CEH certification enhance the skills of security professionals, but also of security officers, auditors, site administrators, and anyone with an interest of strengthen the security of a network.
It is unclear however on what the ideal qualifications are for an Ethical Hacker. The choices are a Masters Degree in Network Security, a Security+, CISSP, or CEH certification, experience itself, or a combination of each. Other majors such as Computer Information Systems, or even Computer Science might be accepted in place on Network Security. The idea behind a Degree seems to be that candidate has the fundamental knowledge and skill, and has at least the capability of understanding the job to perform it satisfactory. The only problem that some professionals see is that the network security courses that many universities offer focus only on the foundations, so the professional must still supplement this with either certifications, experience, or both. A candidate with a certification shows that he or she is up-to-date with the knowledge and skills that the certification represents. Before considering a security certification, many professionals begin with a Cisco certification such as CCNA. As the professional acquires more hands-on experience, he or she usually continues either with a more advanced Cisco certifications or go directly with a security certification. The CISSP certification seems to be most popular of all. Critics of certifications however, argue that many candidates today only study to pass exams, not to actually master the material.
Experience seems to effectively help candidates develop relevant skills to be hired as an Ethical Hacker. While a degree or certification shows that the candidate knows how to the job, experience shows the candidate got the job done. This of course requires the endorsement of proper work references. This compliments perfectly with official credentials. Employment history can begin with a part-time entry-level position such as a Computer Technician, and then aim at more advanced positions such a Network Administrator or Network Technician, and test the network's security by hacking it with proper permission. Other alternatives are volunteering to test the security of systems in non-profit organizations or individuals such as doctors and offer them advise on how to correct vulnerabilities. Ideally, the Network Security Specialist (or Ethical Hacker) should have a combination of education, certifications, and experience.
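As an added illustration of the HIPS argument in the Cisco Security Agent paragraph above (example code written here, not code from the post, from Cisco, or from CSA): a signature list only blocks the process names a vendor has already analysed, while a behaviour rule blocks on what a process does, so a previously unseen variant is still contained. The event log, process names and thresholds are all constructed for the example.

```python
"""Toy comparison of signature-based versus behaviour-based blocking.
The event log, process names and rules below are constructed."""
from collections import defaultdict

# Constructed host events: (time_seconds, process, action, target)
EVENTS = [
    (0.0, "knownworm.exe", "connect", "10.0.0.5:135"),
    (0.5, "knownworm.exe", "connect", "10.0.0.6:135"),
    (1.0, "knownworm.exe", "connect", "10.0.0.7:135"),
    (1.2, "mailclient.exe", "connect", "mail.example.com:443"),
    (2.0, "newvariant.exe", "connect", "10.0.0.20:445"),  # not yet in any signature list
    (2.1, "newvariant.exe", "connect", "10.0.0.21:445"),
    (2.2, "newvariant.exe", "connect", "10.0.0.22:445"),
    (2.3, "newvariant.exe", "write", "C:\\Windows\\System32\\drop.dll"),
    (3.0, "setup.exe", "write", "C:\\Windows\\System32\\app.dll"),  # legitimate installer
]

# Signature list as a vendor would ship it: only names already analysed.
KNOWN_BAD = {"knownworm.exe"}


def signature_verdicts(events):
    """Block only processes whose name matches a shipped signature."""
    return {proc for _, proc, _, _ in events if proc in KNOWN_BAD}


def behaviour_verdicts(events, max_hosts=3, window=5.0, installers=("setup.exe",)):
    """Block on behaviour, not on name: fan-out to at least `max_hosts`
    distinct hosts within `window` seconds, or a non-installer process
    writing into the system directory. Neither rule needs a signature."""
    blocked = set()
    conns = defaultdict(list)  # process -> [(time, host)]
    for t, proc, action, target in events:
        if action == "connect":
            host = target.split(":")[0]
            conns[proc].append((t, host))
            recent_hosts = {h for ts, h in conns[proc] if t - ts <= window}
            if len(recent_hosts) >= max_hosts:
                blocked.add(proc)
        elif action == "write" and target.lower().startswith("c:\\windows\\system32"):
            if proc not in installers:
                blocked.add(proc)
    return blocked


if __name__ == "__main__":
    print("signature blocks:", sorted(signature_verdicts(EVENTS)))
    print("behaviour blocks:", sorted(behaviour_verdicts(EVENTS)))
```

As the post notes, the behaviour rule only contains the variant; removing the dropped file is still a clean-up step for an anti-virus tool or an administrator.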
