Ethical hackers attempt to compromise computer systems or networks at the request of the system or network owner. By using the same methodology and resources available to criminal hackers, ethical hackers help to identify security vulnerabilities that could be exploited. These weaknesses can then be addressed by programmers or others that are assigned to work on that particular vulnerable hardware or software.
An attempt to circumvent system security and compromise a computer system is commonly known as a penetration test. It is a realistic simulation of a malicious computer attack and can be launched from external sources or from a compromised internal source. Ideally, networks and computer systems should be equally secure from both sources. In reality, they often are not.
The International Council of E-Commerce Consultants, which is known in the IT industry as the EC-Council, offers training and professional certification in ethical hacking. Certified Ethical Hackers must attend an accredited training center or combine at least two years of information security work with an approved self-study program. The CEHv8 test consists of 150 multiple-choice questions that must be completed within a 4-hour period with a minimum score of 70 percent. The test costs approximately $500, and a $100 eligibility fee is also required.
After CEH certification, IT security professions seek more advanced Certified Security Analyst/Licensed Penetration Tester credentials. The ECSA/LPT certification (http://www.trainace.com/courses/lpt/) covers advanced information security techniques and is also provided by the EC-Council. ECSA/LPTs focus on the analysis of penetration test outcomes and create risk mitigation measures to protect IT infrastructure. The course emphasizes best practices from experts in many areas of IT security.
The third tier of certification in the ethical hacking credentialing hierarchy is the Cyber War / Advanced Penetration Testing training. This certification, which is offered through Advanced Security by Academy of Computer Education, instructs IT security professionals in advanced, persistent threat tactics for penetration testing of high-security systems and networks. Advanced Security by Academy of Computer Education is a preferred training provider for the U.S. military, DHS, the FBI and other government agencies for this reason.
The course lasts for five days and focuses on the penetration of highly secured data environments. Patched and hardened versions of Vista, Windows 7, Windows Server 2008, and up-to-date Linux servers are used as course targets. The course covers both host-based and network intrusion detection systems and intrusion prevention systems.
In this industry leading advanced hacking training class, students first learn to deal with load balancing, network IDS/IPS, and deep packet inspection while attempting penetration from outside a network. The course then progresses to penetration of web-based applications with typical security measures in place.
The third step in the class is the study of LAN-based attacks, the penetration of locked down workstations, and a study of methods of dealing with host-based IDS/IPS as opposed to networked systems. The final phase of the advanced pen testing class deals with controlling active directories.
Criminal hackers are constantly sharing new ideas and penetration techniques. Many of their approaches can be quite sophisticated. IT security professionals often hear about these approaches only after it is too late to prevent intrusion. CEH, ESCA/LPT, and Cyber War are designed to ensure exposure to cutting-edge penetration and exploitation methodologies, and the courses cover hands-on hacking techniques that simply aren’t taught in routine educational settings. By teaching security professionals to think like hackers, these classes enable IT personnel to anticipate advances that hackers have not yet made.
