What is it?
Ethical hackers attempt to use the same methods criminal hackers
would use to break into an organisation's systems to expose gaps in
security, which can then be closed.
These methods can be physical as well as internet-based - a team
of IBM security consultants once blagged its way into the computer
centre of a financial services company during working hours and
took over its systems.
The number of training companies offering courses towards
certification in ethical hacking, or penetration testing, has
increased over the past year, with several of the pioneer companies
setting up networks of authorised training partners.
The University of Abertay has introduced the first four-year BSc
in ethical hacking and countermeasures, and the University of
Glamorgan has launched a postgraduate certificate in penetration
testing and information security.
Where did it originate?
The first organisation to target its own systems was the US
Department of Defense. In 1993, two researchers, Dan Farmer and
Wietse Venema, published their findings on the use of hackers'
techniques to test security on Usenet. The move was widely seen as
irresponsible, particularly when the pair made available the tools
they had used as a package called Satan (Security Analysis Tool for
Auditing Networks).
The move to open-sourcing ideas and technology has continued,
and the most widely used source for ethical hacking is the Open
Source Security Testing Methodology Manual (OSSTMM), a
peer-reviewed methodology for performing security tests and
metrics, from the Institute for Security and Open Methodologies
(Isecom), which has headquarters in New York and Barcelona.
What's it for?
As well as testing the security organisations have in place,
ethical hackers examine the assumptions on which security systems
are based and whether they truly reflect vulnerabilities. An
example of the kind of meticulous logic and lateral thinking
required can be found in a deconstruction of the marketing claims
of security product suppliers on the Isecom site.
www.isecom.org
What makes it special?
The work is highly paid and challenging, though far from
glamorous, often requiring days of persistent, repetitive work.
How difficult is it to master?
Perhaps surprisingly, many of the best practitioners do not come
from a security background. According to IBM, they include
"computer users from various disciplines who took it personally
when someone disrupted their work with a hack".
You will however need an exhaustive experience-based knowledge
of operating systems and networks. Most courses require as a
minimum a background in Windows or Unix and TCP/IP.
People who try to show their skills by breaking into systems
uninvited will find themselves blacklisted. IBM and others will not
hire former "criminal" hackers, no matter how talented. One of the
prerequisites for any penetration testing assignment is a "get out
of jail free" contract, authorising you to carry out what would
otherwise be criminal acts.
Training
Two good starting points for those wanting to get into ethical
hacking are the Institute for Security and Open Methodologies,
which provides OSSTMM professional security tester and analyst
certifications, and UK-based 7safe, which offers the certified
security testing associate/professional and certified forensic
investigation analyst qualifications in conjunction with the
University of Glamorgan.
www.isecom.org
www.7safe.com
Rates of pay
Ethical hackers earn between £30,000 and £60,000. Rates are much
higher for the most senior consultants.