To Hack or Not to Hack Ethically? By Sanjay Bavisi Copyrights reserved by EC-Council.

In January of this year, TJX, operator of discount chains including T.J. Maxx and Marshalls, was hacked, putting shoppers at risk of identity fraud. Intruders accessed systems used to process and store customer transaction data and handle credit card, debit card, check and return transactions. Stores affected were T.J. Maxx, Marshalls, and HomeGoods; A.J. Wright stores in the U.S. and Puerto Rico; and the Winners and HomeSense stores in Canada.

The exposed data covers the year 2003, and the period from mid-May through December 2006. The breach of sensitive personal information held by TJX was foreseeable, but there was also a report alleging that the company failed to put in place adequate security safeguards. The company collected too much personal information, kept it too long, and relied on weak encryption technology to protect the information. This put the privacy of millions of its customers at risk.

In another incident that occurred in September 2007, Microsoft apologized for a problem that caused some visitors to its MSN site in Taiwan to be redirected to a non-Microsoft site.

In November 2007, Monster.com was attacked and hacked, with the hackers using the site to feed exploits to visitors. This forced Monster.com to take down a portion of its online job search service.

However, the most serious case of all involved the government of Estonia. Estonia was the target of a synchronous attack. At the peak of the attack, 20,000 networks of compromised computers were being linked, indicating that an organization was behind the barrage of network traffic. Estonian government websites were targeted, and the Internet carried calls to join in the attack and hack Estonia.

In the second phase of the attack, there was a gathering of botnets that was used to launch attacks against the routers of ISPs hosting Estonian government sites. Distributed denial-of-service (DDoS) attacks against the two main banks in Estonia, Hansabank and SEB Eesti Ühispank, were the major focus of the attack. This was critical to Estonia, since it was highly dependent on Internet banking.

Why are all of these attacks happening on major networks, corporations and countries? What happened to all of the security policies and practices, and what can we do to reduce these attacks?

One reason is that some corporations tend to equate the strength of their corporate networks with the amount of their corporate budgetary commitments to security. What they fail to understand is that, even if they invest in the best technology, security is only as good as the weakest link, including the human link. That human link can be an ill-informed administrator, a disgruntled employee or an inept security professional.

It is common, as well, for corporations to invest in “the latest technologies.” These include biometrics, cryptography, firewalls, intrusion detection systems, anti-virus programs, intrusion prevention systems, and more. At the same time that companies invest, they should also be asking: “Who is the person in the company who completely understands all of the configuration and security challenges that our multiple installations raise? Who is monitoring for automated security vulnerabilities caused by these installations?”

Companies rely on patch management software to assist them in updating their operating systems, and in keeping these systems secure. However, what about the executives who were on a flight the day the patches were uploaded? Are their laptops updated? Obviously, they have missed the patches and hence they become a “weak link” in the security of the organization!

Corporations need to recognize that no matter how good their production systems are in terms of functionality, they can be compromised easily if vulnerabilities remain unpatched. How can these organizations empower their network administrators to man their information highways efficiently?

The average network administrator spends significant time managing a slow Internet connection, replacing a damaged mouse, or troubleshooting a cloudy monitor screen. This is not the case with a proactive administrator, who continually monitors the network, analyzes log files and screens for internal and external security intrusions.

An average corporation deploys hundreds of computers, and each knowledge worker has his own machine. These machines are loaded with top-notch security software that includes anti-virus software, firewalls, highly secure passwords, etc. Meanwhile, the aim of the hacker is to get into the system at any cost.

The intrusions can be quite creative, like an after-hours cleaning crew that is part of an espionage team. What if they install a physical key logging device that monitors every keystroke you type? What if the device has the capability to capture every screen shot, too? What if the key logger had a wireless capacity to transmit the data to the “captain” of the espionage team, seated across the road in a fast food chain, eating his favorite burger?

Few in the industry today understand the complexities of the hacking world, or that the most recent hacking tools available for download on the Internet can be used to compromise a network with just a mouse click. One of the reasons we are in this predicament today is that the same companies that manufacture computer equipment and operating systems also train systems administrators in vendor-specific environments.

The focus of security training, therefore, is on equipment and software, and not necessarily on human factors and other potentially threatening elements. Malicious hackers are aware of these vulnerabilities. Given all these technical and human aspects of security, what makes a system administrator stand out from the crowd? The International Council of E-Commerce Consultants (EC-Council) offers a certification course in ethical hacking.

Certified Ethical Hacker (CEH) training gives IT systems professionals a mastery of hacking tools and security systems, as well as knowledge of how to hack via Windows and Linux. Students learn strong security system techniques, including how to deploy countermeasures that will prevent or contain hacker attacks. Information security professionals who carry the CEH certification are qualified to administer non-destructive penetration testing to e-commerce, e-business, IT security and other types of computer networks or systems.

The Certified Ethical Hacker certification also arms systems administrators with critical information to identify, counter and defend the corporate network against harmful agents. It takes administrators into the minds of the attackers, and enables them to assess the security posture of the network from an attacker’s perspective. This differentiated perspective allows agile system administrators to deploy proactive countermeasures, and to stay at the bleeding edge of information security developments.

A Microsoft Certified Systems Engineer (MCSE) equipped with CEH can address his organization’s information security resources in a sharp, focused and adaptable manner. He deals with security initiatives productively, rather than restricting the efficiency of the organization. Functionality is enhanced, and not lost in the process of securing the organization. This is why an MCSE armed with the knowledge of hacking can significantly reduce the number of security breaches.

An MCSE with CEH stands out from the crowd because he is equipped with the critical knowledge that makes him an extraordinary systems administrator. He is sought after by organizations because he brings more value to the table. He improves the organization’s return on security investment, and he reduces external security assessment costs. He is more than the guy who makes sure that cables connect or printers work. He is a vigilant systems administrator, constantly re-assessing and defending the organization’s network, and enabling other employees to improve efficiency in a productive workspace.

About The Author

Sanjay Bavisi is a leading consultant, columnist and speaker for many local and international companies and government organizations. He is a Certified e-Business Professional and the T i.e. the International Council of Electronic Consultants. A distinguished and popular speaker, he has conducted training and presented papers at numerous events. He is a strong believer of Ethical Hacking and Countermeasures.

Comments? Questions? Send them to editor@technologytrainingmag.com.
© Copyright 2008, All Right Reserved