Corporate security and IT professionals got a chance last week to
think like hackers so they could learn how to better prevent
unauthorised users from gaining access to their networks.
More than a dozen computer specialists from across the US took part
in an intensive five-day "boot camp" course offered by Ernst &
Young on the defence of enterprise networks. Each paid $5,000
(£3,527) for a place on the course.
Though not always an enterprise's top priority, network security
has moved into the spotlight since the September 11 terrorist
attacks and the discovery of the Nimda and Code Red worms last
year.
Dubbed "Extreme Hacking: Defending Your Site," the 4-year-old
course began as an internal training course for Ernst & Young
employees, focusing on network and system security for Windows NT
and Unix systems.
Ron Dongoski, a partner in Ernst & Young's security and
technology solutions practice, said many of the company's clients
already use outside consultants or security experts to do site
assessments of their systems on a quarterly basis to determine if
there are any vulnerabilities.
But now those companies want their own employees to take corporate
security to another level by performing more frequent site
assessments. That, Dongoski said, is why they send workers to take
the hacking course.
During the 45-hour course, Ernst & Young security professionals
take students step-by-step through all the ways hackers try to
subvert mission-critical servers and network configurations.
Using dual-bootable NT/Linux laptops and an accompanying network
setup for practising subversive attacks, attendees were taught a
new bag of tools and tricks to help them understand how hackers
identify IP addresses, collect information about the systems they
want to compromise and exploit weaknesses without being noticed.
Students spent half their course time conducting hands-on exercises
using the techniques they learned from lectures to compromise three
self-contained Windows NT boxes.
Among the attendees at last week's class was Jason Buckley,
security officer for corporate IT security at CCBN, which builds,
manages and hosts the investor relations sections of Web sites for
more than 2,500 public companies.
Buckley, who successfully compromised all three machines, said one
of the reasons he signed up for the course was to get fresh ideas
and better understand what he's up against.
"We wanted to take our security to the next level," he said.
"Although we do penetration testing and third-party auditing [of
our network], I wanted to look at our site from the outside and try
to penetrate it."
Buckley said the class also taught him what to do to defend against
an attack.
"This class was invaluable," he said.