Dr. Dobb's is part of the Informa Tech Division of Informa PLC
Dangerous Dealings
Back to School?

Rather than hire reformed hackers or pay big consulting fees to vendors like IBM, some companies are sending their IT employees to hacker school.

Foundstone, a security vendor in Irvine, California, offers a popular four-day course titled "Ultimate Hacking: Hands On." The course teaches students how to use hacking tools like AntiSniff and Big Brother. After each morning session, students apply their newly acquired knowledge by trying to break into computers in the rear of the classroom. Foundstone monitors each classroom system to make sure students aren't attempting to hack outside networks.

David Raikow, a lawyer and IT security expert in San Francisco, completed Foundstone's course a couple of years ago for a technology article he was writing at the time. "The class really opens your eyes to security holes that may exist in your own company," he says. After taking the class, Raikow managed to spot dozens of weak links within his employer's network.

The course, which costs about $7,000, appears to be popular with IT managers from blue-chip companies. Best Buy, Intuit, Symantec, Visa International, and Yahoo, just to name a few, have sent their IT employees to the course.

Still, reformed hackers like Murphy insist that the best education comes from former members of the digital underworld. "Hackers are responsible for much of the testing and workarounds found in today's software," says Murphy. "They have provided real knowledge to IT managers."

But would you trust them with your own systems?


Joseph C. Panettieri ([email protected]) is editorial director at the New York Institute of Technology.



Friendly Fire

Ethical hacking services from HP, IBM, Rent-A-Hacker, and other companies cost from $1,400 (low-end, single server) to $15,000 (complete attack on application server), and in some cases $100,000 (distributed attack across server and network components) or more. Here's what a basic ethical-hacking package typically includes:

A review of your overall network design to determine how effectively it prevents untrusted, outside networks from gaining access to your internal, trusted networks and systems.

A test designed to exercise all components within the scope of the project in an attempt to gain unauthorized access to your internal network from three perspectives: a low-level solitary hacker, a small team of competent hackers, and an expert team of highly motivated hackers.

A report describing the strengths and weaknesses found in the various intrusion test scenarios with recommendations for immediate and long-term improvements.

Sources: HP, IBM, Rent-A-Hacker



Six Tips to Security

Can't afford a hacker service? Clip and save these best practices:

1. Outline security and privacy policies, which should cover data access, applications access, network access, privacy, email use, and related topics.

2. Outline an authentication policy that describes how all passwords are maintained and updated within your company.

3. Deploy a directory service that allows users to access only authorized network services.

4. Track your network security by maintaining user sign-on error reports, policy violation reports, resource activity reports, and user-access reports.

5. Embrace disaster recovery (remote backup, restore, emergency facilities, etc.) and test the plan at least twice annually.

6. Stay abreast of six key technologies: firewalls, anti-virus software, certificate authority services, biometrics, encryption, and privacy compliance technologies.

Source: TechVestCo