As malicious hacking grows, the industry fights back, training future security pros to think like their adversaries
Information technology professionals have been conditioned to think defensively, draping their networks with sensor-studded barbed wire and using firewalls to lock down doors and windows. Another school of thought advocates a more proactive approach to security.
New York IT consulting and job-placement firm Prime View recently held its first "Hacking-Defined Training" course, aimed at retraining laid-off IT workers in relevant and marketable skills, security being top of the list. The 10-day course goes beyond security technologies and principles, teaching students to write exploit code and hack each other's computers.
Security pros and network administrators are learning the hard way that even their security vendors are having difficulty keeping up with today's malicious hackers. Cisco earlier this month issued the latest advisory for a serious Internetwork Operating System, or IOS, "heap-overflow" vulnerability that could let hackers get control of routers and switches running certain versions of the software. The heap-overflow advisory was the third security advisory Cisco issued that same week; others affected certain Cisco Airespace Wireless LAN Controllers and Cisco intrusion-prevention system devices configured by IPS Management Center version 2.1.
Prime View's weapon is Mati Aharoni, lead penetration tester with Israeli IT-security education firm See Security Technologies Ltd. Aharoni has students take a hands-on approach to learning security. "Technology itself will not stop a hacker," says Aharoni, who wears a black T-shirt with white lettering that reads, "Not Even Norton Will Protect You." "Instead," he says, "you have to use induction to understand what it takes to secure a network."
Aharoni describes to his students the components of a basic hack, in which an attacker exploits a user login program written to accept a 64-character name. If the programmer didn't include a check to reject any login longer than 64 characters, an attacker could input a 100-character login and break the program, possibly overwriting memory within it.
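The missing length check described above, sketched in C as an added example (it is not code from the course or from this article). The struct layout, the function names and the `is_admin` field are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64                /* the 64-character limit from the text */

struct login {                         /* hypothetical layout */
    char name[NAME_MAX_LEN + 1];       /* 64 characters plus the terminating NUL */
    int  is_admin;                     /* neighbouring data an overflow would overwrite */
};

/* Unsafe form: copies whatever arrives. A 100-character name runs past
 * name[] into is_admin and beyond. Shown for contrast only. */
void set_name_unchecked(struct login *l, const char *input) {
    strcpy(l->name, input);
}

/* Hardened form: measure first, reject anything over the limit, then copy.
 * input_cap is the size of the buffer holding input.
 * Returns 0 on success, -1 on rejection; *l is untouched on rejection. */
int set_name_checked(struct login *l, const char *input, size_t input_cap) {
    if (l == NULL || input == NULL)
        return -1;
    /* memchr bounds the scan, so unterminated input is rejected as well */
    const char *nul = memchr(input, '\0', input_cap);
    if (nul == NULL)
        return -1;
    size_t len = (size_t)(nul - input);
    if (len > NAME_MAX_LEN)
        return -1;
    memcpy(l->name, input, len + 1);   /* len + 1 <= sizeof l->name */
    return 0;
}

/* Constructed input: a name of n 'A' characters. Returns the stored
 * length if accepted, -1 if rejected or if is_admin was disturbed. */
int try_name_of_length(size_t n) {
    char input[256] = {0};
    struct login l = { "", 0 };
    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    if (set_name_checked(&l, input, sizeof input) != 0 || l.is_admin != 0)
        return -1;
    return (int)strlen(l.name);
}

int main(void) {
    printf("64 -> %d, 100 -> %d\n", try_name_of_length(64), try_name_of_length(100));
    return 0;
}
```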
Hackers use several tools to search for and exploit victims. They write or borrow other hackers' "fuzzer" code that can be unleashed on programs to look for vulnerabilities in that program's code. They use a reverse shell, which tricks a program into sending the attacker a command prompt for logging in to that program. From there, the attacker can break in and remotely access the program's features and data.
Attackers also use Web sites that offer free shell code. Metasploit, an open-source project for developing, testing, and using exploit code, lets hackers copy this code right into their own scripts. "What should make you really paranoid is that these are the bugs that the hackers tell you about," Aharoni told his class. "For every exploit released, you have two that are not."