Training Ethical Hackers: Training the Enemy? Author: Tim Greene Published: Thursday, 22 July 2004, 14:07 GMT
Training
information security professionals carries the risk of training ethical
and malicious hackers side-by-side. This paper defines ethical hacking,
differentiates it from malicious hacking, presents some of the ways
that ethical hacking is taught, identifies some of the risks associated
with this training, and concludes with suggestions on how to minimize
these risks.
Introduction
Events that occurred on September 11, 2001 along with the ongoing war
in Iraq have caused a heightened interest in the field of Information
Security. Visiting a computer section in a store such as Barnes and
Nobles reveals an increase in the number of books about Information
Security. The National Security Agency is looking to increase the
number of new hires by 1,500 per year for the next five years.
Searching Internet job databases reveals new security positions that
require professional security certifications. An Internet search using
Google.com revealed 22 such certifications.
There has never been a time when it was easier to learn about hackers
and their methods of operation. Many colleges now offer Information
Security courses and degrees. It is clear that information security and
hacking are “buzz” words at present. The intent of information security
training is to improve information security and to educate information
security professionals, e.g. ethical hackers. However, providing this
“knowledge” in readily available and encapsulated formats presents the
hazard of educating not only ethical security professionals but also
malicious hackers.
Definitions
To begin the discussion on training information security specialists,
more specifically ethical hackers, a working definition of both hackers
and ethics is needed. Webster’s defines ethics as, “The rules or
standards governing the conduct of a person or the members of a
profession.” From this definition an ethical hacker should have a code
of conduct and abide by its principles. For the more elusive term
hacker, Webster’s offers three definitions of which I’ll discuss the
first two: “1. One who is proficient at using or programming a computer
and 2. One who uses programming skills to gain illegal access to a
computer network or file.” These definitions differ in the “hacker’s”
intent. The first definition sounds like a person that is proficient
with computers that your company might like to hire. However, the
second definition is not as positive with its use of the word illegal:
the hacker is up to no good. By combining what we’ve learned from
Webster’s definitions of ethics and hacker, an ethical hacker is
someone proficient with computers and adheres to the code of behavior
for their profession. C.C. Palmer in the IBM Systems Journal offers
this description, “ethical hackers…employ the same tools and techniques
as the intruders, but they…neither damage the target systems nor steal
information. Instead, they…evaluate the target systems' security and
report back to the owners with the vulnerabilities they found and
instructions for how to remedy them.” Jeff Moss, founder of computer
security service DefCon and BlackHat, agrees that, "Hacking and
cyber-ethics need not be in conflict. You can be a hacker and be
ethical at the same time."
There is a long running debate about the proper definition of the word
hacker and its many derivatives. The details of this debate are beyond
the scope of this paper but it is mentioned to forewarn the reader that
in general conversation the term hacker can have varying, even
opposite, meanings. Ed Skoudis, in his book Counter Hack, provides the
following suggestion, “Hackers, crackers, and hats of all colors—let’s
just use “attackers”…to refer to someone who attacks computers…The
attacker may be a hacker, cracker, white hat, black hat, gray hat,
super elite, security researcher, or even a penetration tester.
Whatever their skill level, motivation, and the nomenclature you
prefer, they are attacking computers.” Ethical hackers and malicious
hackers both attack computers, only their intent differs.
How and What Ethical Hackers Are Taught
There is no universal method or skill set for training an ethical
hacker. Much like the difficulty in defining a hacker, some security
professionals don’t agree with what ethical hackers should be taught.
Palmer states that, “The idea of testing the security of a system by
trying to break into it is not new. Whether an automobile company is
crash-testing cars, or an individual is testing his or her skill at
martial arts by sparring with a partner, evaluation by testing under
attack from a real adversary is widely accepted as prudent.” Whereas,
Ira Winkler feels that, “The process of breaking into systems has
minimal use in the security profession. It is infinitely more difficult
to secure computers than it is to break into them. You have to know the
proper procedures for fixing the problems. The students should then be
trained in what NOT to do. This includes warnings about attacks that
can cause denial of service, and how attacks can backfire. There must
then be discussion about how to recover if a disaster does happen, and
the what to do when you detect a real attack…students should then be
educated in the legal and political aspects of ethical hacking.”
Now that a little is known about what an ethical hacker should be and
do, how and where someone gets their ethical hacker skill set is
important to explore. Information Security and hacking books,
professional and academic courses, various Internet services like
websites and Internet Relay Chat (IRC), friends, and family members all
help train ethical hackers. Michael Roberts, President of Mile2, gives
some idea of what his company teaches, “In a nutshell, we are teaching
them to think like the bad guys by looking from the outside back into
their own enterprise and…all the nasty tools that the bad guys use and
how to use them so that they can effectively do penetration testing on
their own network…all the methods of hacking whether it is active
hacking or Trojan type viruses…just about anything that’s a threat to a
network. But we also cover the soft aspects of hacking such as social
engineering, the art of deception and the way hackers try to identify
personal information that might lead to potential passwords to escalate
their privileges once they get into the network.” The Mile2 courses
aren’t free and can take several days to complete. However, there are
free and portable resources on the Internet as well. Websites such as
IronGeek.com provide free videos that lead the viewer through
step-by-step attacks. Almost anyone who can watch a video can perform
these attacks with the added convenience of rewinding and viewing them
over and over if needed or even downloading them. This format also
allows for easy distribution of this knowledge even if the viewer
speaks a different language, a simple monkey-see, monkey-do situation.
Don’t Overlook the Risks
Two important questions to ask when teaching these potentially harmful
skills are, whether or not they should be taught, and how to teach them
safely. It is possible that the very act of describing an information
system vulnerability or attack method could lead a student with a
malicious bent to attack systems. Also, a channel of communication with
other malicious hackers, e.g. a malicious hackers group website, could
be initiated simply by providing a web address or URL. An important
lesson was learned on September 11 when the passenger jets crashed into
the World Trade Center. Suddenly flight simulation software became a
tool used to train murderers. Prior to this event most American
citizens didn’t see the nefarious use for this software which helped
the pilots learn the cockpit controls and how to fly their weapon. The
dangers present in teaching information security concepts can be as
destructive in the wrong hands and don’t require loss of the attacker’s
life.
Roberts of Mile2 says the following about his company’s most “expert”
hacking class, “if we were to teach it to people that weren’t supposed
to be doing that class – I was told by one of our friends here in the
States that we’d get into almost as much trouble as exporting Stinger
missiles because it is electronic warfare.” He goes on to say that, “We
have hackers always trying to get into our web server” What happens if
one of these hackers breaches Mile2’s defenses and distributes these
“munitions” freely around the Internet?
Minimizing the Risks of Generating Malicious Hackers
Ethical behavior is easier to model than to teach. Brian Harvey of the
University of California at Berkeley compares ethical hacking training
to teaching someone karate, both of which when improperly used can
cause serious problems for both the attacker and target, and offers
four suggestions: provide a “serious” model, provide access to real
power, provide challenging problems and access to expertise (i.e.
apprenticeship), provide a safe arena for moral experimentation
Applying Harvey’s advice directly to ethical hacking courses would mean
to be a good example for students, i.e. the security trainers should be
a near ideal example of a security professional, the student’s goal.
Trainers should be a plum line against which students can measure their
own conduct. Students should use real tools in class. Training students
to use crippled or bogus tools discounts the students their experience
and may lead them to have a limited view of a real malicious attacker’s
power. The instructor should realize that they are responsible for the
moral development of students not only their technical skill and should
steer them in the direction of challenges appropriate to each one's
progress providing personal expertise to help the learner. Students
should have a safe place to perform attacks of any degree to see their
effect. This should not be limited to technical experiments but also
“soft” attacks like social engineering, and malware, e.g. e-mail that
carries a worm or virus.
In the event that every possible effort has been made to instill values
into students but still fail, safeguards must be in place to account
for such occasions. As Joseph Malee suggests, “Ethics do not replace
good policies…More and more these days, companies are confronted with
employees engaged in unethical behavior in the workplace…Promoting
ethical principles can instill positive behavior… but policies …provide
clear and mandatory guidelines for acceptable conduct…Even with the
greatest efforts of a trainer to instill an ethical mindset into
students, simply trusting that students will behave in an ethic manner
isn’t enough. Acceptable Use Policies must be enforced to ensure proper
conduct.” A policy should be in place to dissuade students with weak
ethics. Information security policies should clearly present the
improper forms of hacking as illegal or unethical. All activities
should be represented as strictly right or wrong so as not to be too
"ethically neutral". Exposing students to the ease with which hackers
are caught and the laws that they are subject to can help reduce their
potential to do wrong. Fear, or rather respect, is a useful tool in
this battle. The CISSP (Certified Information Systems Security
Professional) exam, one of the 20+ certification exams mentioned
earlier, identifies three reasons that contribute to deterrence of
crime: the fear of penalty, the probability of being caught, and the
probability of the penalty being administered. Schwartau, a self
professed hacker and hacking book author says, “The fear of being
caught can be a powerful deterrent to malicious behavior. My son
somehow discovered that hacking is a people issue, and that is how he
gathered up the neighbor's passwords, by 'shoulder surfing'-- looking
over their shoulders as they typed in their passwords, a classic social
engineering trick. [I] pretended to call the FBI when [I] found out
what [my] son was doing and [he] was terrified. So I said 'Well, I
guess I could help you fix it if you promise never to do this again.' I
made him go to the neighbors, tell them what he had done and also what
they needed to do to make themselves more secure.”
It is imperative that all trainers teach the countermeasures to each
attack strategy. New laws are continually being written and old ones
are being brought up to date to deal with people that have weak morals.
After completing a hacking course, a student should be aware of how
difficult it is to successfully remain invisible online in post
September 11 America. Unfortunately, policies are often where we drop
the ball. Policies that aren’t up-to-date often miss the threat that
new technologies, like USB flash drives, present. Leon Erlanger states
that, “Most organizations have no policy in place for detecting USB
drives or regulating their use…most of them [USB drives] are tiny,
[and] very easy to hide.” Some of these “memory sticks” even look like
an ink pen which lessens the ability of visually detecting who has
them. After completing “hacker” training, a student may have the mind
set and abilities to use a device like this to readily steal
information or execute security tools in order to attack a resource,
possibly undetected. Every effort should be made to properly draft and
police good security policies. If a student’s conscience fails, fear
often will provide guidance.
Conclusion
The benefits of training ethical hackers far out weigh the risks
associated with it. Skoudis explains why he wrote a book on hacking:
“Let’s face it – the malicious attackers have all the information they
need to do all kinds of nasty things. If they don’t have the
information now, they can get it easily enough on the Internet though a
variety of Web sites, mailing lists, and newsgroups devoted to hacking.
Experienced hackers often selectively share information with new
attackers to get them started. Indeed, the communication channels in
the computer underground among attackers are often far better than the
communication among computer professionals. This book is one way to
help make things more even.”
As quickly as the field of Information Security is changing, the “good
guys” need all the information and help that they can get. “Keeping up
with the ever-changing world of computer and network security requires
continuous education and review. Just as in sports or warfare,
knowledge of the skills and techniques of your opponent is vital to
your success. In the computer security realm, the ethical hacker's task
is the harder one. With traditional crime anyone can become a
shoplifter, graffiti artist, or a mugger.” Proper security training
should instill students with a strong ethical sense of what they should
and shouldn’t do as security professionals. Policies should help guide
students for sections of the training which are ineffective. Properly
enforced Laws should be in place to reinforce a student’s healthy fear
of getting caught performing unethical attacks.
To conclude and answer the question of whether Ethical Hacker training
is actually training the enemy, the bad guys are way ahead of the good
guys in the information security arms race. Any and every tool and
useful piece of knowledge should be taught to budding security
professionals. Safeguards should be in place to help deter students but
by no means should ethical hacker training be crippled or halted. Long
live the ethical hackers.
|
Resources
- Home
- Articles
- Reviews
- News Archive
- Security Software
- Wi-Fi Software
- Press Releases
InfoSec Training
Computer Forensics Training
- Learn how to perform digital forensics. Combat
computer crime and IT system abuse as a certified computer examiner at InfoSec
Institute.
Featured Product
GFI LANguard Network Security Scanner - Network-wide security vulnerability
scanning & fixing - Free version available.
Wi-Fi Software Updates
Linux-IrDA 0.9.16 WiFiFoFum 0.3.2 StreetHawk 0.1 Ministumbler 0.4 Mognet 1.16
Featured Sites
|