As malicious hacking grows, the industry fights back, training future security pros to think like their adversaries
Information technology professionals have been conditioned to think defensively, draping their networks with sensor-studded barbed wire and using firewalls to lock down doors and windows. Another school of thought advocates a more proactive approach to security.
New York IT consulting and job-placement firm Prime View recently held its first "Hacking-Defined Training" course, aimed at retraining laid-off IT workers in relevant and marketable skills, security being top of the list. The 10-day course goes beyond security technologies and principles, teaching students to write exploit code and hack each other's computers.
Security pros and network administrators are learning the hard way that even their security vendors are having difficulty keeping up with today's malicious hackers. Cisco earlier this month issued the latest advisory for a serious Internetwork Operating System, or IOS, "heap-overflow" vulnerability that could let hackers get control of routers and switches running certain versions of the software. The heap-overflow advisory was the third security advisory Cisco issued that same week; others affected certain Cisco Airespace Wireless LAN Controllers and Cisco intrusion-prevention system devices configured by IPS Management Center version 2.1.
Mati Aharoni wants students to be able to think like hackers because he believes technology alone won't stop them.
Photo by Sacha Lecca
Prime View's weapon is Mati Aharoni, lead penetration tester with Israeli IT-security education firm See Security Technologies Ltd. Aharoni has students take a hands-on approach to learning security. "Technology itself will not stop a hacker," says Aharoni, who wears a black T-shirt with white lettering that reads, "Not Even Norton Will Protect You." "Instead," he says, "you have to use induction to understand what it takes to secure a network."
Aharoni describes to his students the components of a basic hack, where an attacker would exploit a user login program written to accept a 64-character name. If the programmer didn't include a command to reject any login greater than 64 characters, an attacker could input a 100-character login and break the program, possibly overwriting memory within it.
Hackers use several tools to search for and exploit victims. They write or borrow other hackers' "fuzzer" code that can be unleashed on programs to look for vulnerabilities in that program's code. They use a reverse shell, which tricks a program into sending the attacker a command prompt for logging in to that program. From there, the attacker can break in and remotely access the program's features and data.
Attackers also use Web sites that offer free shell code. Metasploit, an open-source project for developing, testing, and using exploit code, lets hackers copy this code right into their own scripts. "What should make you really paranoid is that these are the bugs that the hackers tell you about," Aharoni told his class. "For every exploit released, you have two that are not."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.