IT pros sign up to security boot camp

Corporate security and IT professionals got a chance last week to think like hackers so they could learn how to better prevent unauthorised users from gaining access to their networks.

More than a dozen computer specialists from across the US took part in an intensive five-day "boot camp" course offered by Ernst & Young on the defence of enterprise networks. Each paid $5,000 (£3,527) for a place on the course.

Though not always an enterprise's top priority, network security has moved into the spotlight since the September 11 terrorist attacks and the discovery of the Nimda and Code Red worms last year.

Dubbed "Extreme Hacking: Defending Your Site," the 4-year-old course began as a training course for Ernst & Young employees, focusing on network and system security for Windows NT and Unix systems.

Ron Dongoski, a partner in Ernst & Young's security and technology solutions practice, said many of the company's clients already use outside consultants or security experts to do site assessments of their systems on a quarterly basis to determine if there are any vulnerabilities.

But now those companies want their own employees to take corporate security to another level by performing more frequent site assessments. That, Dongoski said, is why they send workers to take the hacking course.

During the 45-hour course, Ernst & Young security professionals take students step-by-step through all the ways hackers try to subvert mission-critical servers and network configurations.

Using dual-bootable NT/Linux laptops and an accompanying network setup for practising subversive attacks, attendees were taught a new bag of tools and tricks to help them understand how hackers identify IP addresses, collect information about the systems they want to compromise and exploit weaknesses without being noticed.

Students spent half their course time conducting hands-on exercises using the techniques they learned from lectures to compromise three self-contained Windows NT boxes.

Among the attendees at last week's class was Jason Buckley, security officer for corporate IT security at CCBN, which builds, manages and hosts the investor relations sections of Web sites for more than 2,500 public companies.

Buckley, who successfully compromised all three machines, said one of the reasons he signed up for the course was to get fresh ideas and better understand what he's up against.

"We wanted to take our security to the next level," he said. "Although we do penetration testing and third-party auditing [of our network], I wanted to look at our site from the outside and try to penetrate it."

Buckley said the class also taught him what to do to defend against an attack.

"This class was invaluable," he said.
