“Ethical Hacking”….that term is a worry….

August 7th, 2007 Drazen Drazic Posted in Applications, Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, Vulnerability Management, WTF, Web Application Security, cyber crime, governance |

Courses that teach under-skilled individuals the basics of “hacking” are a worry to me. Companies that teach “ethical hacking” courses are a worry too…….most I know I would not hire to review a static one-page site. What is it that they are trying to achieve? I read the course objectives for pretty much all of these courses and they worry me.

So….a big company that can afford to send a netadmin to one of these courses now thinks the netadmin can do network and web app pen tests…..saving bucks by not hiring a third party?!?! Akin to me reading the “Idiot’s Guide to Accounting” and professing to be able to manage the financial books of News Limited.

Come on….WTF….give the professionals some credit!

15 Responses to ““Ethical Hacking”….that term is a worry….”

  1. As someone who has written and run many of these I agree and disagree.

    First and foremost you can not teach “ethical hacking” in a week. Period. You can teach people to perform recon and run exploits as well as the discovery of basic vulnerabilities, sure.. but ethics? Not a chance.

    I regularly changed the course material and deliberately omitted information when I wasn’t sure that the students were ethically on the right page. Did good students miss out because of this ? Yep, but I make no apologies for it.

    Technical security training is an excellent feather in any (sys|net)admin’s cap and I unquestionably recommend it. Having your admins aware of what the vulnerabilities are and able to find and fix them will make an instant improvement in an organization’s security posture.

    However - this isn’t a replacement for regular “Technical Security Reviews/Penetration Test” (I too, hate the term ethical hacking, but I’ll get to that soon) performed by professionals who have spent years perfecting their technical skills AND who are able to align the results to business risk.

    Which brings me to the terminology... What is the difference between an “Ethical Hack” and a “Technical Security Review/Penetration Test”? Well, when someone hacks into one of your systems and tells you about it, you know that you have a vulnerability. That’s a good start but somewhat meaningless to a business as there are umpteen thousand exploitable vulnerabilities in any system.

    So what matters is this: that someone can find the vulnerabilities in your technical systems AND align them to business risk AND work with the business to provide reasonable and realistic mitigations. While I’m a self-confessed security zealot there is no room here for security nerd fundamentalism either - but I digress.

    IMHO the more people that know about the basics of software vulnerability the better - but they will never replace highly skilled professionals who have lived and breathed it for most of their lives.

    I blame the people in marketing ;-)

  2. We all want to get off the ‘Hamster Wheel of Pain’ http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_061005_1

    Maybe point 3) here http://www.ranum.com/security/computer_security/editorials/master-tzu/ could be construed as ‘security review, QA or something else’, but I’d personally prefer to spend less time maintaining, trying to clean up other people’s messes, and more time innovating.

    When spec’ing a new service or product what are your expectations, deliverables - who defined them, and what is actually measurable? In a war zone, how does one ensure the armored car designers learn from their mistakes and don’t field the same crap again and again?

    Note: Especially when the battlefield, protagonists, definitions of risk/value and technology seem to constantly change. Complex systems need to be more modularly built. More loosely coupled. More easily replaced and expected to fail and lose integrity over time. City planners and bridge builders don’t necessarily design to mitigate terrorist attacks, however we need to, but are we certified or qualified to predict the future? Intelligent attackers out-innovate the security industry. Fundamental paradigm shifts are needed at the atomic level to ‘Escape the Hamster Wheel of Pain’ http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_040505_1

  3. Yes, yes …. I know there are exceptions and my blanket rant is probably selling short some of the good guys out there. D2 and Dec, I can’t argue with. But, like with many of the rants in here, I am trying to get thought and debate going on our industry and things within it….in particular, the “wrong” things. Even MIS and AFR picked up on my rant to run a piece on this topic so I suppose that is a good thing.

    Flame me please when you disagree…I can be opinionated.

  4. http://taosecurity.blogspot.com/2007/05/thoughts-on-rear-guard-security-podcast.html

    QUOTE

    Rather than spending resources measuring risk, I would prefer to see measurements like the following:

    1. Time for a pen testing team of [low/high] skill with [external/internal] access to obtain unauthorized [stealthy/unstealthy] control of a specified asset using [public/custom] tools and [zero/complete] target knowledge. Note this measurement contains variables affecting the time to successfully compromise the asset.

    2. Time for a target’s intrusion detection team to identify said intruder (pen tester), and escalate incident details to the incident response team.

    3. Time for a target’s incident response team to contain and remove said intruder, and reconstitute the asset.

    QUOTE
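The three measurements quoted above are durations between milestones on an engagement timeline. As an added illustration (this is not from the quoted podcast post or from anyone on this thread), the script below reads a constructed event log for one exercise, records the five variables the first measurement parameterises, and computes time-to-control, time-to-escalation and time-to-reconstitution in seconds. The milestone names (`engagement_start`, `asset_control`, `ids_alert`, `ir_escalation`, `intruder_removed`, `asset_reconstituted`) and the timestamps are assumptions made for the example; when the defending side never reaches a milestone the corresponding measurement is reported as `None` rather than as a misleading number.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed exercise log, not real data: "<ISO timestamp> <milestone>".
# Milestone names are an assumption for this example.
EVENTS = """\
2007-08-07T09:00:00 engagement_start
2007-08-07T09:42:00 initial_access
2007-08-07T11:15:00 asset_control
2007-08-07T13:05:00 ids_alert
2007-08-07T13:50:00 ir_escalation
2007-08-07T16:30:00 intruder_removed
2007-08-07T18:00:00 asset_reconstituted
"""

# Same exercise, but the detection team never notices the tester (constructed).
EVENTS_UNDETECTED = """\
2007-08-07T09:00:00 engagement_start
2007-08-07T09:42:00 initial_access
2007-08-07T11:15:00 asset_control
2007-08-07T17:00:00 engagement_end
"""


@dataclass(frozen=True)
class Scenario:
    """The variables the first measurement is parameterised by."""
    skill: str       # "low" or "high"
    access: str      # "external" or "internal"
    stealth: str     # "stealthy" or "unstealthy"
    tools: str       # "public" or "custom"
    knowledge: str   # "zero" or "complete"


def parse_events(text: str) -> dict[str, datetime]:
    """Map each milestone to the first time it was recorded.

    Blank lines are skipped; a repeated milestone keeps its first timestamp,
    so a second 'ids_alert' does not shorten the detection measurement.
    """
    events: dict[str, datetime] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, name = line.split(maxsplit=1)
        events.setdefault(name, datetime.fromisoformat(stamp))
    return events


def compute_metrics(events: dict[str, datetime]) -> dict[str, Optional[float]]:
    """Return the three durations in seconds, or None if a milestone is missing."""
    def gap(start: str, end: str) -> Optional[float]:
        if start not in events or end not in events:
            return None
        return (events[end] - events[start]).total_seconds()

    return {
        # 1. start of the exercise until the tester controls the asset
        "time_to_control": gap("engagement_start", "asset_control"),
        # 2. control until the detection team escalates to IR
        "time_to_escalate": gap("asset_control", "ir_escalation"),
        # 3. escalation until the asset is back in a known-good state
        "time_to_reconstitute": gap("ir_escalation", "asset_reconstituted"),
    }


def report(scenario: Scenario, events: dict[str, datetime]) -> str:
    """One line per measurement, stating the scenario variables explicitly."""
    m = compute_metrics(events)
    header = (f"skill={scenario.skill} access={scenario.access} "
              f"stealth={scenario.stealth} tools={scenario.tools} "
              f"knowledge={scenario.knowledge}")
    lines = [header]
    for name, seconds in m.items():
        value = "not reached" if seconds is None else f"{seconds / 3600:.2f} h"
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    s = Scenario("high", "external", "stealthy", "public", "zero")
    print(report(s, parse_events(EVENTS)))
    print()
    print(report(s, parse_events(EVENTS_UNDETECTED)))
```

Keeping the scenario variables next to the numbers matters: a two-hour time-to-control by a high-skill, zero-knowledge external team says something very different from the same figure for an insider with complete knowledge, and the `None` results in the undetected run are the finding, not a gap in the data.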

  5. @Drazen,

    The agenda of the entity offering the training is to exploit the lack of experience of their student[s] in order to secure additional revenue by referral.

    Furthermore, the reference to ethics is based on the argument, while deliberately withholding the counter-argument, of “White Hats” versus “Black Hats”.

    Cost and the resulting “quality” are independent of each other. Furthermore, the “good” is ultimately pushed out by the “bad”, allowing the latter to dominate the market.

    The earnings of News Limited are filed as part of News Corporation – I previously provided technical support for the direct connection to News Corporation at News Limited.

    Can you please clarify why you are specifically referring to News Limited?

  6. @Drazen,

    Are you referring to the “Ethical hackers doubt ethical hacking” article?

  7. Yes.

    That is the article.

  8. Why News? Don’t be paranoid. :-) Just an example of a large company. Could have been anyone - just came to mind first.

  9. I think “Ethical Hacking” and “Penetration Testing” are two different roles. Let me explain my feelings towards the titles.

    “Hacking” (or “cracking”, depending on how your terminology goes) is an attacking role. If you find a hole you’re in, job’s done. It’s not actually very hard finding a single vulnerability in most sites. One mistake on the other side and you’re in.

    “Hacking” also isn’t aligned to any business need or business requirements. Hackers just go in and do what they want.

    “Penetration Testing” is a defensive role. A penetration tester finds a hole, notes it down and continues testing every single part of the site no matter how minor because, as a defender, a penetration tester needs to find everything. Instead of one mistake on the other side being game won, it’s one mistake on the tester’s side being game lost.

    “Penetration Testing” is also a business role. A penetration tester is a professional and must act like one. We don’t need the word “ethical”, we’re simply assumed to act with ethics. We are also fully capable of talking to both management and technical staff.

    Just my two cents.

  10. Are white hat hackers black hats in disguise?

    At least that’s got your attention. ;-)

    Of course, I don’t think for a minute that this is the case, but I’ve often wondered about the percentage of white hats that are really black hats pretending to be white.

    How many of the IT Security ‘professionals’ out there are doing some really down & dirty (illegal) stuff, for whatever reason, say, self-gratification or financial reward?

    When you really think about it, what better (paid) full-time profession than ‘IT Security’ could a black hat be in?

    -Big Galoot.

  11. @Big Galoot

    Two examples that come to mind are:
    1. Max Butler aka Max Vision of whitehats.com
    2. ISS - e.g. search Google for “what’s the hat got to do with it” or their disclosure of the Apache vulnerability back in 2002

  12. [...] This link at Beast or Buddha is an interesting thread that starts with commentary about the teaching of ethical hacking. The writer says that he is concerned about courses that quickly teach the basics of hacking. He says that companies that think graduates of such courses are qualified to perform network and web app tests are misguided. A respondent said that he has written and taught many such classes, and admits that he left out material “when I wasn’t sure the students were ethically on the right page.” The implication is that he suspected that some of the students may have had less than pure motives. [...]

  13. @Big Galoot,

    The media is reporting that Max Butler has been arrested again today.

  14. [...] How many white hats are actually black hats in disguise ? http://beastorbuddha.com/2007/08/07/ethical-hackingthat-term-is-a-worry/#comments [...]
