Offence is the best defence!
Thanks to the rising curve of cyber crime, IT security professionals and ethical hackers are expected to make hay in the near future Vimal Chander Joshi reports.education Updated: Oct 01, 2009 09:59 IST
As a 12-year-old, Ankit Fadia allegedly hacked the website of a magazine. That was when this ‘ethical hacker’ had just learnt to take baby steps in a cyberspace still at its nascent stages. After this ‘intelligent’ intrusion, and afraid of the probable fallout, Fadia went into damage control mode. Within a day, he sent an e-mail to the editor, suggesting preventive measures… and got himself a job.
Bowled over by Fadia’s intelligence, the editor hired him then and there.
Twelve years later, Fadia has made a name for himself in ethical hacking and runs the programme ‘Ankit Fadia Certified Ethical Hacker’.
“We would need many ethical hackers to make the huge Indian IT industry secure,” says Fadia. “Those interested in making a career out of it can study ethical hacking and, with it, do a Master’s or Bachelor’s in computer applications.”
You will then have three career options. As a penetration tester, you will test the feasibility of firewalls (part of the network that blocks unauthorised access while permitting outward communication) created to protect web portals.
As a networking specialist, you will ensure the safety of an organisation’s computer network, which facilitates online links between staff for sharing data and interacting with each other. Even small gaps in this network security can sabotage the system.
The third job option, that of an application security professional, involves preventing intrusions in the application software used by organisations.
“The demand for penetration testers and network specialists is growing,” says Fadia.
“BPOs, finance, banking and IT require ethical hackers. Firms like Reliance hire 100-150 of them.”
However, few institutes offer a course in hacking. This probably relates to fears that the training could be misused. In India, ethical hacking is still a new domain — but thanks to Fadia, at least the beginning has been made.
What’s it about?
An ethical hacker is usually employed by an organisation to protect its computer network.
He has to be trustworthy enough to undertake an attempt to penetrate networks and/or computer systems, using the same methods as a hacker would — but his job is to devise a foolproof system to prevent hacking of the network, too. Hacking is felony, but when it is done on request and under a contract between an ethical hacker and an organisation, it is legal
One has to generally work in networking or the security domain for around two years to understand the dynamics of computers, UNIX (computer operating system) and other IT-related matters. After becoming a penetration tester or ethical hacker, one can make Rs 20,000 to Rs 25,000 and can grow rapidly depending on his/her skills. There are people who have grown by leaps and bounds and reached top technical positions. In the West, one can make around $50,000-$70,000 a year as an ethical hacker
9 am: Leave for office
10 am: Start work, carry out tests and checks
10.30 am: Attend team meeting
Noon: Study current needs and steps required to check them
2 pm: Lunch
2.30 pm: Work on firewalls and sort out network glitches to protect it from hackers
5.30 pm: Leave for home
. The most important prerequisite before one studies to become an ethical hacker is to ace computer networking knowledge
. Expertise in at least one application like Java or C++
. Knowledge of the functioning of UNIX
. One should have an analytical approach and should probe every functioning with a critical bent of mind
How do i get there?
First of all, one should work in a company on networking designs, administration principles, system designs or application software. You can undergo a certificate/ diploma programme in ethical hacking to earn merit over others. These certifications like ‘Ankit Fadia Certified Ethical Hacker’ and ‘Certified Ethical Hacker’ run by EC-Council are not approved by any university but there is no alternate and reliable bet in the market
Institutes & urls
. Reliance Web Worlds (for Ankit Fadia Certified Ethical Hacker
. Koenig Solutions (Indian centres of EC-Council’s Certified Ethical Hacker
www.eccouncil.org/ceh.htm and www.koenig-solutions.com
. Innobuzz Knowledge Solutions
. IMT Ghaziabad
Pros & Cons
. It is challenging and enterprising
. Industry estimates show that there is a scarcity of IT security professionals, which means good job prospects
. Becoming a pro is a little difficult. Few institutes offer training in ethical hacking and some even ask for prior experience
. Professionals must continuously improve and update themselves as technology changes at breakneck speed
‘It’s a balance between security and usability’
The man who kept the White House site secure shares his views
Not many institutes train students in ethical hacking. Where should one learn it?
I don’t think one should waste one’s time learning (only) hacking. You should learn something useful like system administration and networking, programming and general computing principles, because hacking calls for looking for failures in someone else’s process of building a system or application. If you know how to build systems and applications, then the process of thinking about flaws should follow naturally from your own experience.
What do you think about the future of ethical hacking as a full-time profession?
I’m sure it will be a profession for a while, though that’s unfortunate. Ethical hacking is a stop-gap measure that doesn’t do much to improve security.
Many of the penetration testers that I know spend a lot of time teaching clients how to remedy their security, improve their code, do system administration, and work with quality assurance. Those are all worthwhile and I think that we’ll see ethical hacking sort of melt into the role of general security practice.
What led you to become a computer security expert?
I never was particularly interested in security, per se. The way my brain works, I try to understand how systems of problems work. My original interest was in system administration and UNIX system programming. I got into firewalls because I was given the task of improving one of our company’s Internet gateways. This was at a time when no commercial firewalls were available. I found the problem interesting and enjoyed trying to understand the balance between security and usability. More than 20 years later, I’m still trying to understand it.
A computer security expert can abuse that knowledge, which brings into question theappropriateness of producing more experts. What do you say?
I’ve (always) argued that ‘ex-hackers’ are not the best people to use as security practitioners, because they have already shown that they are capable of abusing their knowledge.
Many of my customers perform employee background checks, and are unlikely to hire someone with a criminal past. Generally, for a position of responsibility, what you want is someone who has a history of being dependable and trustworthy.
What did you do in particular to become an ethical hacker?
I haven’t ever taken any training. I still read a tremendous amount of material. I think that attempting to understand a wide range of things helps you learn how to analyse complex things like security problems.
Read and absorb, then ask yourself, ‘How does this apply to what I am doing?’ When you’re ahead of the cutting edge, nobody can teach you. You have to fall back on your understanding of the problem and good design and do what makes sense.
Marcus J Ranum Interviewed by Vimal Chander Joshi