As malicious hacking grows, the industry fights back, training future security pros to think like their adversaries
Information technology professionals have been conditioned to think defensively, draping their networks with sensor-studded barbed wire and using firewalls to lock down doors and windows. Another school of thought advocates a more proactive approach to security.
New York IT consulting and job-placement firm Prime View recently held its first "Hacking-Defined Training" course, aimed at retraining laid-off IT workers in relevant and marketable skills, security being top of the list. The 10-day course goes beyond security technologies and principles, teaching students to write exploit code and hack each other's computers.
Security pros and network administrators are learning the hard way that even their security vendors are having difficulty keeping up with today's malicious hackers. Cisco earlier this month issued the latest advisory for a serious Internetwork Operating System, or IOS, "heap-overflow" vulnerability that could let hackers get control of routers and switches running certain versions of the software. The heap-overflow advisory was the third security advisory Cisco issued that same week; others affected certain Cisco Airespace Wireless LAN Controllers and Cisco intrusion-prevention system devices configured by IPS Management Center version 2.1.
Mati Aharoni wants students to be able to think like hackers because he believes technology alone won't stop them.
Photo by Sacha Lecca
Prime View's weapon is Mati Aharoni, lead penetration tester with Israeli IT-security education firm See Security Technologies Ltd. Aharoni has students take a hands-on approach to learning security. "Technology itself will not stop a hacker," says Aharoni, who wears a black T-shirt with white lettering that reads, "Not Even Norton Will Protect You." "Instead," he says, "you have to use induction to understand what it takes to secure a network."
Aharoni describes to his students the components of a basic hack, where an attacker would exploit a user login program written to accept a 64-character name. If the programmer didn't include a command to reject any login greater than 64 characters, an attacker could input a 100-character login and break the program, possibly overwriting memory within it.
Hackers use several tools to search for and exploit victims. They write or borrow other hackers' "fuzzer" code that can be unleashed on programs to look for vulnerabilities in that program's code. They use a reverse shell, which tricks a program into sending the attacker a command prompt for logging in to that program. From there, the attacker can break in and remotely access the program's features and data.
Attackers also use Web sites that offer free shell code. Metasploit, an open-source project for developing, testing, and using exploit code, lets hackers copy this code right into their own scripts. "What should make you really paranoid is that these are the bugs that the hackers tell you about," Aharoni told his class. "For every exploit released, you have two that are not."
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2018 State of the CloudCloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
The Next Generation of IT SupportThe workforce is changing as businesses become global and technology erodes geographical and physical barriers.IT organizations are critical to enabling this transition and can utilize next-generation tools and strategies to provide world-class support regardless of location, platform or device