As an IT professional having just acquired the skills to administer your assets, and the certifications to prove it, the next stage has to be to ensure they are secure. Security is not just a question of firewalls, anti-virus and permissions. Security is the much wider topic of protecting the entire footprint of your organisation both technically and physically.
The current MCSA and MCSE certifications prove you can administer your systems on a day-to-day basis to provide functionality and reliability, but you now have to go one step further to ensure an adequate level of security. Using the services of a professional penetration tester can help to measure your security status and help you move to a consistent level of security, but why not take the time to progress your knowledge to the next level by training in the area of ethical hacking?
Hackers do not play by the rules, and the attacks are getting progressively more sophisticated, both against networks and against users. Attacks are both remote, launched over the network, and internal, initiated from inside the network, so the ability to spot and mitigate both types of attack is now vital.
Ethical hacking is the process of providing protection by measuring security using the same tools and techniques that hackers use, but within an agreed framework. Understanding networks is one thing, but learning how to scan and probe networks, how to manipulate network packets, and how to launch attacks against your servers and clients: this is the world of the ethical hacker. Understanding how the hackers get in is the key to keeping them out. Understanding the hacking cycle, from reconnaissance to covering tracks, helps a good IT professional to improve the security status of not just the network and systems but of the entire organisation.
You have to remember that vulnerability scanners can check your systems and ensure that they are patched to the correct level, but if you can run a scanner against your own systems, could the bad guys do the same?
By mastering the same techniques as the hackers you are able to stay one step ahead by ensuring that their methods won’t work on your systems. System and network security is dynamic in a world of constantly evolving threats. An IT professional needs to be equally dynamic by mastering the latest techniques involved in cyber-crime. To be an ethical hacker requires a good knowledge of all aspects of IT infrastructure from networks to web to wireless. These are all ways in to your systems and the damage caused, be it reputational or financial, could be irreparable.
Don’t forget physical security either. Think about the following questions:
- Is your server room access as secure as it could be?
- Would it be possible to install a hardware key logger on one of the systems?
- How aware are you of social engineering techniques?
Consider also the well-known system threats against your systems:
- A good MCSA in SQL will want to ensure that the databases that they are responsible for are not being exploited by known SQL injection vulnerabilities.
- A .NET developer will not want to be the guilty party when an application suffers from a buffer overflow attack.
- What happens when a well-crafted DNS poisoning attack is launched?
There are a number of self-study or instructor-led training courses available in all aspects of security from recognised vendors. Ethical Hacker training stretches the mind and becomes self-fulfilling, because it not only improves your security posture but also creates the urge to stay one step ahead of the hackers, thus driving the need to learn more. To cement the knowledge acquired, there are several recognised certifications from the SANS Institute and EC-Council that provide confirmation of the level of expertise. These certifications can give employers a good indication of not only your skill set but also your mindset as a true IT professional.
Are you open to the idea of ethical hacking in your environment? Perhaps 'letting' a hacker loose in your environment sends shivers down your back. Let us know in the comments section below, or via @TechNetUK.