Security: Go Hack Yourself
Author: George Pauwels
March 2008
Whenever it becomes public knowledge that I hold the Certified Ethical Hacker credential offered by EC-Council, the question of pluralism immediately becomes the topic of discussion. How can anyone be ethical and be a hacker? The latter, for most people, denotes someone with notorious intentions. When the term hacker first came into being, it meant someone who liked to tinker with an object to see how it would work. Sometimes it was out of mere curiosity and other times it was in an attempt to make it work better or faster. As Steven Levy explains in his 1984 work Hackers, these were the original computer nerds who had a “philosophy of sharing, openness, decentralization, and getting your hands on machines at any cost – to improve the machines, and to improve the world.” This book goes on to discuss those individuals who liked to tinker and who indeed made life better for those of us in the computer industry. Somehow over the years the definition has changed from benevolent watchman to nefarious evildoer. Hence the reason the faculty of a small business college which employed me to teach their students to be Microsoft Certified Systems Engineers expressed concern when I assigned Hackers to my students as extra credit.
The Certified Ethical Hacker course explores the methodology and associated tools that many criminals use to defeat network security and either perform some mischievous prank or steal information and/or services with the intention of doing harm to the victim. What could be the possible purpose of learning how a hacker operates? What good is this information if you do not intend to use it for your own dirty deeds? This is where ethics comes in. One of the translations of Sun Tze’s sixth century treatise The Art of War says, “If you know both yourself and your enemy, you can come out of hundreds of battles without danger.” What they knew over 1,300 years ago is that it is nearly impossible to protect yourself if you do not know how your adversary intends to attack you.
Our biggest enemy often appears in the form of fear, uncertainty and doubt. One of our best defenses against such a foe is education, available in the IT industry through certification. To that end, it is very interesting when the debate over how an organization could certify an individual as “ethical” presents itself. Certifications in and of themselves are intended to indicate an expert knowledge level concerning a set of standards, or a specific technology. It is assumed that these individuals, these “test takers,” are demonstrating their knowledge by ethical means. Is the test itself then hackable? One of the lessons that is repeated over and over again in any IT security-related course, and especially Certified Ethical Hacker, is that no system, no matter how secure, is unhackable. There are means by which any individual, with regard to any test, could cheat the system and pass the requirements for certification. Does that mean that we should then completely dispense with the whole certification process? I believe not. Just as there are ethical hackers in this world, there are ethical individuals who work diligently, study the lessons, learn the technology and pass the tests honestly. For these individuals certification is a tool, an indication that learning is possible. Is it the be-all-end-all that indicates complete competency? What a silly question. Of course not. Hiring managers must learn the lessons of Sun Tze and employ due diligence when choosing who they trust with the keys to their kingdom.
The threat is out there; attacks are in the headlines nearly every day. Ignoring the unethical hackers won’t make them go away, or stop trying to infiltrate your system. Let us, as Certified Ethical Hackers, attack your network. Let us tinker with what is there and make the process better. Let us do what those early hackers did and apply it to the understanding of how certifications can help our business and give them the proper amount of trust they deserve to “improve the machines and improve the world.”