Saturday 26 January 2008

Why have Ethical Hacker Training companies got it so wrong?

Brand Killer Robots reveal::
We ask, just who are the people that you are sending on Ethical hacker training courses and why are you sending them?

Firstly, let's look at what Ethical hacking is all about.

First and foremost, Ethical Hacking is about the good guys outsmarting the bad guys, in order to protect your company's computing assets from taking a hit. In other words, the white hats outthinking the black hats, in order to foresee and/or repel attacks by criminals.

So let's first look at the white hats.
Profile: Computer Science graduate working in corporate IT for about 5 years, say, or a network engineer or manager who has been treading the boards for about 10 years.

Ok, now let's look at the black hats.
Profile: Yuan Lopez, 33, from Paraiba, Brazil (convicted 3 times for perjury, forgery and counterfeiting). Ex-bank worker and trader. 2 ex-wives, 10 kids and likes a little bit of the white snorty, snorty stuff every now and again.

Ok now, let's look at the Ethical Hacker trainer.
Profile: Ex Network Guru, Programmer, with an armload of IT security certificates, from here to Amsterdam. Tony also worked for the BBC, where he is used to working in high security IT environments (lol). His forte is social engineering, where he tells loads of cool stories about intrusion and deception attacks (as presumably made up by Kevin Mitnick), how they are commonplace, and how through analogy you will learn many of the most frequent attack patterns. Of course this analogy is based on limited content, so it is not particularly creative.

Ok, get the setting?
What we have here are a bunch of IT guys who are going to protect your company from a corporate desperado, who would just as soon shoot his mother in the head as go back to prison. This guy has no concept of IT departments, CISSP certificates or brightly coloured ethical hacking training manuals. Once he has a motive and a target, there is absolutely no stopping him, and he has a spectrum of villainous alternatives to choose from in order to carry out his attack.

Do you really think that Tony the IT engineer has a cat in hell's chance of repelling an attack from a sophisticated, finance-savvy bandit like Mr Juan Lopez? Just how many angles are there to an attack vector anyway? Can you really cover them all?

As we have said in the past, the only reason why your company has never sustained a really serious attack is because you have never really become a target.

Until business leaders realise that security is a brand-level, multi-disciplinary, multi-faceted, multi-functional issue of intelligence that needs to be integrated effectively, ethical hacking (as it is called) will remain in the Dark Ages.

What is required are executive-level 'ethical hackers' who have IT, business and real-life experience and who can properly watch the backs of the CEO and the company of the day.

We ask - Why have Ethical Hacker Training companies got it so wrong?
