The Growing Need for Ethical Hacker Training
Hacking is Everywhere

We all read, almost daily, about the latest hack, database exposure or identity theft—and we think we are doing all we can to prevent that from happening to us. Unfortunately, sometimes we couldn’t be further from the truth. For example, every household in the U.S. has a lock on the front door, and we all believe that this will keep most of the “bad guys” out. Fine, except they are ahead of us. Have you ever heard of the “bump-key” technique for opening a pin tumbler lock by using a specially-crafted key? The Master Lock people have. As far back as November, 2007, they have marketed a lock that is resistant to this practice. Did you purchase one of these locks? Do you have one of them now?

Our computer systems are no different. There are many areas that leave us exposed to data or identity theft. Do you have a password on your computer? Is it more than 15 characters long? Most of the world is still using eight- or ten-character passwords which can be cracked in less than 20 minutes with the latest innovations, once physical or network connectivity has been accomplished. Hackers can also boot a computer from a bootable CD, complete with an operating system on it, and recover your password quickly, defeating even encrypted file systems. It is not that these criminals are that much smarter than we are. They are merely more aware of the weaknesses of computers and the people who use them.

The latest threat is “drive-by” hacking, which consists of going to a Web page with the latest browser, and downloading a tiny program to your computer. The purpose of this program is to “phone home,” and then download a larger program to your computer that may contain rootkits, email daemons, or Trojans which are designed to give the criminal your data—or to turn control of your computer over to the criminal so the machine can be used for an Internet attack, or for information needed for identity theft. This is as transparent as a cookie, and will not ask for your permission.

Social hacking activities go on around the clock. While we are focusing on work and other daily priorities, the “bad guys” are devoting all of their time to looking for that one vulnerability to exploit. They no longer need to be master programmers or highly technical engineers. They only have to be able to download the latest hack program and execute it.

If you download music, or buy a music CD from the store and play it on your computer, you could be installing a “rootkit”—a program designed to take fundamental control of your computer. Just ask those people who bought music CDs from a well-known music retailer that were infected with a program that gathered and then emailed information from their computers. There are also other retailers who ask you to install a program on your computer to improve your experience. The program allows the store and its employees to see all of your Internet traffic, including your encrypted bank sessions, stock purchases and even your telephone conversations if you are using VoIP (voice over IP) for your phone system.

Many people I speak with have at least one firewall in place—but in many cases, a single firewall is not sufficient. Using two firewalls is a better approach. Minimally, I recommend one firewall for hardware and a second firewall for software. This should be accompanied by scanning your PC constantly.

Hacking threats are with us every day, and are constantly evolving. This is what makes it so critical to receive the training in ethical hacking that can enable individuals and organizations to fight back.

About The Author

Richard Landrigan is Vice President of Compuceuticals LLC, a subsidiary of Federal Computers LLC, NY and NJ that provides on-site training and consulting services to corporations, schools, government agencies and other organizations. As an experienced network administrator, security consultant, vulnerability assessment and penetration tester, MCT and certified CEH/CHFI Instructor, he consults regularly with executives from a wide variety of fields to help create synergistic solutions to business-impacting problems.

Comments? Questions? Send them to editor@technologytrainingmag.com.