Certify our hackers

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 09 May 2008

Companies that are serious about security should have their own in-house hacker and make sure he is certified, says a security expert.

"Why do you want to train and certify hackers? To narrow the gap between the good and the bad guys," says EC-Council co-founder and president Sanjay Bavisi.

He addressed the ITWeb Security Summit 2008, held in Midrand this week.

The New York-based security professional says good crackers can execute hacks so fast and flawlessly that once a business is compromised, they can steal everything of value and completely erase their tracks within 20 minutes.

The goal of the ethical hacker is to help organisations take pre-emptive measures against malicious attacks by attacking the system himself, all the while staying within legal limits. This philosophy stems from the proven practice of setting a thief to catch a thief.

"If you know someone wants to kill you, you better have a bodyguard. Of course, guns are bad, but if your bodyguard doesn't have a clue what a gun is, then he is not going to be able to defend you against a shooter," says Bavisi.

"If people don't understand how malware works, they can't defend against it. You must know exactly what the trade of a hacker is, how they work, what their tools are and then you reduce the threat.

"We can sit here and be idealistic and say guns are bad and they kill, but we'd rather go train our guys so they know exactly how it works so we can defend ourselves. I think it is time we pick up the guns... a lot of corporations and government agencies are with us and there are now ethical hackers," Bavisi explains.

"That's where we will see the reduction of gaps. So the most obvious security flaws will now not be exploited because the ethical hackers will block them and reduce the quantity of hackers coming after you because only the top breed will be able to get at you and that is a step in the right direction."

Getting certified

The EC-Council Web site argues that if hacking involves creativity and thinking "out-of-the-box", then vulnerability testing and security audits alone will not ensure that an organisation is secure.

"To ensure that organisations have adequately protected their information, they must adopt the approach of 'defence-in-depth'. In other words, they must penetrate their networks and assess the security posture for vulnerabilities and exposure," the site says.

It goes on to say that an ethical hacker is, by definition, similar to a penetration tester: an individual who is usually employed by the organisation and who can be trusted to attempt to penetrate its networks and/or computer systems using the same methods as a cracker.

The EC-Council's Certified Ethical Hacker (CEH) programme certifies individuals in the discipline. "CEH certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the infrastructure."
