What is it?
Ethical hacking - or, less colourfully, penetration testing -
involves simulating the attacks a malicious or criminal hacker
could carry out on a network, so that security can be tightened to
prevent them. Recent incidents such as the massive loss of customer
data by TK Maxx's US parent have raised awareness among businesses,
and the UK government is tightening data security. Ethical hackers
are in demand.
The work is less glamorous than is portrayed on film and TV, but
the fictional stereotype of the hacker as an unsociable night owl
is not far from the truth. Testing has to be done round the clock
to pinpoint when the network is vulnerable. Although many automated
tools are available, malicious hackers are continually finding ways
to beat them, so much of the work is manual, and is both tediously
repetitive and intellectually demanding.
Films often show hackers being recruited from the "dark side", but
ethical hacking is a grey area involving practices that are
technically illegal (tight contracts need to be drawn up to protect
practitioners from prosecution), and trust is paramount because
ethical hackers will be probing the client's innermost secrets.
Businesses and consultancies will not hire anyone with a background
in illegal hacking.
Where did it originate?
In 1993, Dan Farmer and Wietse Venema posted a paper on Usenet
called Improving the Security of Your Site by Breaking Into It, and
subsequently bundled the tools they had used in their investigations
and put them online as Security Analysis Tool for Auditing Networks
(Satan).
What's it for?
Forget the back bedroom - ethical hacking must be done from
facilities with exceptional logical and physical security.
Techniques you will need to understand include password guessing
and cracking, session hijacking and spoofing, denial-of-service
attacks, exploiting buffer overflow vulnerabilities and SQL
injection.
How difficult is it to master?
According to a paper in the IBM Systems Journal, "Ethical hackers
typically have very strong
programming and computer networking skills. It should be noted that
an additional specialisation in security is not always necessary,
as strong skills in the other areas imply a very good understanding
of how the security on various systems is maintained." There are
courses that claim to introduce the basic skills in as little as
three days, and senior qualifications that involve years of
practice and study. Most practitioners use informal skills they
have taught themselves, however.
Where is it used?
Many IT services companies, such as IBM, offer ethical hacking.
The most demanding institution in the UK is CESG, the Information
Assurance arm of GCHQ, which assesses penetration testing
consultants for their fitness to work on government systems.
Details of CESG's "Check Service Assault Course" can be found on
its website.
Rates of pay
£30-65,000, or up to £550 a day for contractors.
Training
The most widespread international qualification is the Certified
Ethical Hacker devised by the International Council of Electronic
Commerce Consultants (EC-Council), which is offered by a number of
UK specialist security trainers. Within the UK, security consultant
7Safe offers certified security testing at associate and
professional level, with higher qualifications in forensic
investigation.
7Safe's courses are accredited by the universities of Bedford
and Glamorgan, which both offer ethical hacking courses, as do the
universities of Northumbria and Coventry.
See also The Open Source Security Testing Methodology Manual
(OSSTMM).