Ethical hacking is one of the newer and more interesting vocational areas in IT today. Based on the idea of getting inside your opponent’s head, it involves learning all about the skills, techniques and strategies of the black hats. The Training Camp runs an intensive five-day course on this subject, which culminates with an exam for EC-Council’s Certified Ethical Hacker (CEH) credential.
“The basic premise of the CEH is to know your enemy,” said Andrew Whittaker, director of enterprise information security and networking for The Training Camp. “People who routinely have to secure their infrastructure — whether it be government or the private sector — are finding that it’s not enough to just take a class on firewalls or some other piece of technology. What they really need to know is, ‘What is the enemy doing?’ They need to know what the malicious hackers are doing.”
The Training Camp’s InfoSec Academy bootcamp, which was held in the Chicago area last week, sends candidates to an isolated location for a concentrated series of ethical hacking drills. “We cover everything from reconnaissance, how to gather information about a product or company,” Whittaker said. “We cover how to break into online banking systems. There’s actually a simulated online banking system in the classroom. They learn how to steal credit cards, how to create their own Trojan and virus software that will not be detected by any antivirus software. They’ll learn how to launch distributed denial-of-service attacks, and how to do that through proxy so they will not be easily detected. They also learn wireless hacking, how to deface a Web site, how to crack passwords, you name it.”
Although there’s a certain amount of risk in training individuals on these concepts (because of the sensitive subject matter involved, The Training Camp has to check out prospective participants), it’s important for security professionals to understand them, Whittaker explained. “As a security professional, you have to be right 100 percent of the time. A hacker only has to be right 1 percent of the time. You need to know what those techniques are, so you’re trained in how to do the malicious hacking, as well as how to test your organization to see if it’s vulnerable and the countermeasures to protect against the attacks.”