Back to School?
Rather than hire reformed hackers or pay big consulting fees to vendors like IBM, some companies are sending their IT employees to hacker school.
Foundstone, a security vendor in Irvine, California, offers a popular four-day course titled "Ultimate Hacking: Hands On." The course teaches students how to use hacking tools like AntiSniff and Big Brother. After each morning session, students apply their newly acquired knowledge by trying to break into computers in the rear of the classroom. Foundstone monitors each classroom system to make sure students aren't attempting to hack outside networks.
David Raikow, a lawyer and IT security expert in San Francisco, completed Foundstone's course a couple of years ago for a technology article he was writing at the time. "The class really opens your eyes to security holes that may exist in your own company," he says. After taking the class, Raikow managed to spot dozens of weak links within his employer's network.
The course, which costs about $7,000, appears to be popular with IT managers from blue-chip companies. Best Buy, Intuit, Symantec, Visa International, and Yahoo, just to name a few, have sent their IT employees to the course.
Still, reformed hackers like Murphy insist that the best education comes from former members of the digital underworld. "Hackers are responsible for much of the testing and workarounds found in today's software," says Murphy. "They have provided real knowledge to IT managers."
But would you trust them with your own systems?
Joseph C. Panettieri ([email protected]) is editorial director at the New York Institute of Technology.
Friendly Fire
Ethical hacking services from HP, IBM, Rent-A-Hacker, and other companies cost from $1,400 (low-end, single server) to $15,000 (complete attack on application server), and in some cases $100,000 (distributed attack across server and network components) or more. Here's what a basic ethical-hacking package typically includes:
A review of your overall network design to determine how effectively it prevents untrusted, outside networks from gaining access to your internal, trusted networks and systems.
A test designed to exercise all components within the scope of the project in an attempt to gain unauthorized access to your internal network from three perspectives: a low-level solitary hacker, a small team of competent hackers, and an expert team of highly motivated hackers.
A report describing the strengths and weaknesses found in the various intrusion test scenarios with recommendations for immediate and long-term improvements.
Sources: HP, IBM, Rent-A-Hacker
Six Tips to Security
Can't afford a hacker service? Clip and save these best practices:
1. Outline security and privacy policies, which should cover data access, applications access, network access, privacy, email use, and related topics.
2. Outline an authentication policy that describes how all passwords are maintained and updated within your company.
3. Deploy a directory service that allows users to access only authorized network services.
4. Track your network security by maintaining user sign-on error reports, policy violation reports, resource activity reports, and user-access reports.
5. Embrace disaster recovery (remote backup, restore, emergency facilities, etc.) and test the plan at least twice annually.
6. Stay abreast of six key technologies: firewalls, anti-virus software, certificate authority services, biometrics, encryption, and privacy compliance technologies.
Source: TechVestCo
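Tip 4 asks for user sign-on error reports. As an added example that is not part of the article or TechVestCo's material, the Python script below turns a handful of constructed sign-on log lines into such a report: failures per user and per source address, users at or above a failure threshold, and successful sign-ons that immediately follow a run of failures (the pattern a review should look at first). The log format, the field names and the three-failure threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample sign-on log lines for the example; the format is assumed,
# not taken from any real product.
SAMPLE_LOG = """\
2001-03-05 08:01:12 LOGIN FAIL user=alice src=10.0.0.12 reason=bad_password
2001-03-05 08:01:20 LOGIN FAIL user=alice src=10.0.0.12 reason=bad_password
2001-03-05 08:01:31 LOGIN OK   user=alice src=10.0.0.12
2001-03-05 08:02:02 LOGIN FAIL user=bob   src=192.0.2.44 reason=bad_password
2001-03-05 08:02:05 LOGIN FAIL user=bob   src=192.0.2.44 reason=bad_password
2001-03-05 08:02:08 LOGIN FAIL user=bob   src=192.0.2.44 reason=bad_password
2001-03-05 08:02:11 LOGIN FAIL user=bob   src=192.0.2.44 reason=bad_password
2001-03-05 08:02:14 LOGIN FAIL user=bob   src=192.0.2.44 reason=bad_password
2001-03-05 08:02:19 LOGIN OK   user=bob   src=192.0.2.44
2001-03-05 08:03:40 LOGIN FAIL user=carol src=10.0.0.77 reason=unknown_user
2001-03-05 08:15:00 LOGIN OK   user=dave  src=10.0.0.9
"""

# One sign-on event per line: timestamp, result, user, source, optional reason.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGIN (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"(?:\s+reason=(?P<reason>\S+))?$"
)


def parse_log(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # a bad line should not abort the whole report
        events.append(m.groupdict())
    return events


def sign_on_error_report(events, fail_threshold=3):
    """Build the sign-on error report from parsed events.

    fail_threshold (assumed value) is the number of failures at which a user
    is flagged, and the streak length at which a following success is noted.
    """
    fails_by_user = defaultdict(int)
    fails_by_src = defaultdict(int)
    streak = defaultdict(int)  # consecutive failures per user since last success
    success_after_failures = []
    for e in events:
        if e["result"] == "FAIL":
            fails_by_user[e["user"]] += 1
            fails_by_src[e["src"]] += 1
            streak[e["user"]] += 1
        else:
            # A success that ends a long failure streak deserves review:
            # it may be a forgetful user, or a guessed password.
            if streak[e["user"]] >= fail_threshold:
                success_after_failures.append((e["user"], e["src"], streak[e["user"]]))
            streak[e["user"]] = 0
    flagged_users = sorted(u for u, n in fails_by_user.items() if n >= fail_threshold)
    return {
        "fails_by_user": dict(fails_by_user),
        "fails_by_src": dict(fails_by_src),
        "flagged_users": flagged_users,
        "success_after_failures": success_after_failures,
    }


def format_report(report):
    """Render the report as plain text for a daily review."""
    lines = ["Sign-on error report"]
    for user, n in sorted(report["fails_by_user"].items()):
        lines.append(f"  {user}: {n} failed sign-on(s)")
    lines.append("Sources with failures:")
    for src, n in sorted(report["fails_by_src"].items()):
        lines.append(f"  {src}: {n}")
    lines.append("Users at or above threshold: " + ", ".join(report["flagged_users"]))
    for user, src, n in report["success_after_failures"]:
        lines.append(f"  REVIEW: {user} signed on from {src} after {n} failures")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(sign_on_error_report(parse_log(SAMPLE_LOG))))
```

In the constructed input, bob's five failures followed by a success show up both in the flagged-user list and as a "success after failures" line, while alice's two failures stay below the threshold; the same functions run unchanged over a real file once `LINE_RE` is adapted to its format.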