It Takes A Hacker To Catch One - InformationWeek

As malicious hacking grows, the industry fights back, training future security pros to think like their adversaries

Fear Of The Unseen
In fact, the greatest threats are those no one sees. Some attackers find a vulnerability and develop an exploit without sharing their work. Now they've got a secret that they can use at a particularly inopportune time, Aharoni says. The severity of these unseen threats has led him to incorporate principles from the military treatise "Sun Tzu On The Art of War" into his teachings. One principle reads, "If the enemy leaves a door open, you must rush in." Prime View president and chief technology officer Victor Natanzon agrees with this analogy. There are several ways to enter through a door, he says. "You can use a key, a sledgehammer, or you can remove the hinges."

For one exercise, Aharoni has his students search for bugs in Ability Server, a low-end FTP server made by Code-Crafters Software LLP. Aharoni has let Code-Crafters know he's using its product in his exercises, and the company hasn't asked him to stop. Once students find bugs, they're expected to write working exploits that attack Ability Server. The purpose is to demystify what hackers do and how they operate, Aharoni says. "You cannot defend properly unless you know how people attack," he says. "I try to instill a sense of paranoia in my students."

In another exercise, students use exploit code downloaded from the French Security Incident Response Team Web site to hack into Microsoft Windows 2000 Plug and Play Universal Remote, creep across their local network, and reboot other students' PCs. FrSIRT is a research group that publishes information about networked computer threats.

It's an eye-opening experience that Aharoni's students hope will give them an edge in the security job market. "I'm amazed at how easy it is to gather information on potential targets," says Benjamin Pearlman, who worked as a quality-assurance tester for AT&T and is now in Prime View's retraining program. "In order to be protected properly, you have to think about how a system can be broken into."

Eye Opener
Bessalel Yarjovski, who has more than 20 years of experience in the IT world, is taking the retraining course, too, with the hope of landing a job as a chief information security officer. "The class is opening my eyes not to new technology but to how easy it is to do these exploits and how many there are," says Yarjovski, who has worked as CIO of CareerEngine Inc., a network of career Web sites, and as chief technology officer with iVillage Inc., which runs a multimedia site addressing women's issues.

The class isn't all gloom and doom. Aharoni addresses several ways that application and network security can be improved. One is to write programs that control the type and amount of information that users can input, so hackers can't add too many characters. Another is to improve QA testing after a program is written by applying hacking-defined methods to the code.
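The first of those fixes, bounding both the amount and the type of input before it reaches a fixed-size buffer, as an added C example. This is not code from the article, from Prime View, or from Code-Crafters' Ability Server; the 64-byte buffer, the five-verb allowlist and the sample command lines are assumptions constructed for illustration. The unchecked copy is shown only as the shape of the defect the class hunts for; the checked version rejects over-long arguments before copying and refuses verbs and bytes it was not written to accept.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Room for one command argument, including the terminating NUL.
 * The size, the verb list and the sample lines are assumptions for this
 * example, not values taken from Ability Server or the article. */
#define MAX_ARG_LEN 64

enum cmd_result {
    CMD_OK = 0,
    CMD_TOO_LONG = -1,   /* amount: argument would not fit the buffer */
    CMD_BAD_CHAR = -2,   /* type: control or non-ASCII byte in the argument */
    CMD_UNKNOWN = -3     /* type: verb is not on the allowlist */
};

/* Shape of the defect: the argument is copied into a fixed buffer with no
 * bound on its length, so anything over MAX_ARG_LEN - 1 bytes writes past
 * 'arg'. Kept for contrast only; never fed untrusted input here. */
void store_arg_unchecked(const char *input)
{
    char arg[MAX_ARG_LEN];
    strcpy(arg, input);   /* unbounded copy: the bug */
    (void)arg;
}

/* Verbs this toy server accepts: a subset of standard FTP commands. */
static const char *const allowed_verbs[] = { "USER", "PASS", "CWD", "LIST", "QUIT" };

/* Validate one line of the form "VERB argument". Controls the type of input
 * (verb allowlist, printable ASCII argument) and the amount (length bound
 * checked before any copy). On success the argument is copied to arg_out. */
enum cmd_result validate_command(const char *line, char *arg_out, size_t arg_size)
{
    char verb[8];
    const char *arg;
    size_t i = 0, n, len = 0;
    int known = 0;

    /* Split off the verb without reading or writing past 'verb'. */
    while (line[i] != '\0' && line[i] != ' ' && i < sizeof(verb) - 1) {
        verb[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    verb[i] = '\0';
    if (line[i] != '\0' && line[i] != ' ')
        return CMD_UNKNOWN;   /* longer than any verb we accept */

    for (n = 0; n < sizeof(allowed_verbs) / sizeof(allowed_verbs[0]); n++) {
        if (strcmp(verb, allowed_verbs[n]) == 0) {
            known = 1;
            break;
        }
    }
    if (!known)
        return CMD_UNKNOWN;

    arg = (line[i] == ' ') ? line + i + 1 : line + i;

    /* Measure without trusting the sender: stop at the buffer size. */
    while (len < arg_size && arg[len] != '\0')
        len++;
    if (len >= arg_size)
        return CMD_TOO_LONG;   /* reject rather than silently truncate */

    for (n = 0; n < len; n++) {
        if (!isprint((unsigned char)arg[n]))
            return CMD_BAD_CHAR;   /* rejects CR, LF and other control bytes */
    }

    memcpy(arg_out, arg, len);
    arg_out[len] = '\0';
    return CMD_OK;
}

/* Wrapper around a constructed sample line so the result can be checked. */
enum cmd_result check_line(const char *line)
{
    char arg[MAX_ARG_LEN];
    return validate_command(line, arg, sizeof(arg));
}

/* Constructed over-long input: "LIST " followed by 300 'A' bytes. */
enum cmd_result check_overlong(void)
{
    char line[5 + 300 + 1];
    memset(line, 'A', sizeof(line) - 1);
    memcpy(line, "LIST ", 5);
    line[sizeof(line) - 1] = '\0';
    return check_line(line);
}

int main(void)
{
    printf("USER alice   -> %d\n", check_line("USER alice"));
    printf("DELE x       -> %d\n", check_line("DELE x"));
    printf("CWD pub CRLF -> %d\n", check_line("CWD pub\r\n"));
    printf("300-byte arg -> %d\n", check_overlong());
    return 0;
}
```

The rejection, rather than truncation, of an over-long argument is deliberate: a silently shortened path or user name can still surprise the code that later consumes it, whereas a refused command is something a log line can record and a tester can look for.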

With any luck, the 12 students in Aharoni's class will be just the first in a new generation of IT workers who are up to challenging the malicious hackers who have shown an ability and willingness to endanger anyone the Web touches.
