The Case for Ethical Hacking: Why the Profession Is in High Demand
"A lot of government agencies, professionals and corporations now understand that if you want to protect a system, you cannot do it by just locking your doors," Bavisi says in an interview with Tom Field of Information Security Media Group [transcript below].
Bavisi, president and co-founder of the International Council of E-Commerce Consultants, created an ethical hacker standard now used by the Pentagon.
Bavisi describes an ethical hacker as someone who is "trying to figure out if they are able to protect your system and if the system has been sufficiently protected." An ethical hacker needs to think and act like a hacker in order to aid an organization in its efforts to protect valuable information assets.
Becoming an ethical hacker is a multi-step process. Interested candidates need to have a networking background, either a vendor certification or experience working in a networking environment. Then they need to go through the EC Council's Certified Ethical Hacker course, which Bavisi says is "five days of sheer hell." Candidates will go through hundreds of hacking tools, methodologies, programs and exploits in a boot-camp-like training facility. After the program, a four-hour exam is administered; completing it successfully warrants the licensed penetration testing standard.
"If you went to Monster.com today, you'll see that there's a serious shortage of ethical hackers in the world," Bavisi says. "And that's why Foote Partners, who do annual research on information security jobs and their salaries, would tell you one of the highest paid and fastest growing segments is certified ethical hacker."
In an exclusive interview, Bavisi discusses:
- The recent Australian incident and what it tells us about ethical hacking;
- Why we need ethical hacking;
- The future of the profession - and career opportunities.
Bavisi is the president and co-founder of the International Council of E-Commerce Consultants, a global organization that certifies professionals in cybersecurity and e-commerce disciplines. He created the "Certified Ethical Hacker" standard now used by the Pentagon. His organization has trained more than 90,000 security professionals and has 450 training centers around the world. Bavisi is a regularly featured speaker at e-commerce and cybersecurity conferences in the U.S., Asia, Europe and the Middle East.
The EC Council
TOM FIELD: Will you tell us a little bit about yourself, the council and the mission of the group, in particular?
JAY BAVISI: EC Council was founded after the September 11 attacks. I was sitting in front of the television set looking at the towers crumbling and I asked myself a question. If any terrorist organization around the world, or cybercriminal group, were to launch an attack against some country - it could be the United States, Japan, Korea, almost anyone - how prepared are those global nations to deal with an attack like that? And I said I don't know the answer, so I went to a search engine to find out. At that point in time, Google didn't exist, so I used Lycos and Excite. I realized that there really wasn't any global certification body that was extensively focusing on raising the standards and awareness of the information security community to deal with what we call today ethical hacking. And I said this is going to be the path of a future attack, and nations are so badly prepared. Someone needs to start a global organization, and I think it's going to be me. I got hold of quite a few information security experts from all across the world, and we started EC Council. And after two years of research, in 2003 we launched Certified Ethical Hacker.
FIELD: Now Jay, your take please on what we saw in Australia a week ago. We had an incident there that was widely reported. I know you've been quoted on it. What does that particular incident tell us about ethical hacking?
BAVISI: It tells us two things. Number one, that was not ethical hacking, because many people misunderstand what ethical hacking is. I remember in my earlier days when I founded EC Council, I was bombarded by the U.S. media for coming up with such a stupid term as ethical hacking. They said it was an oxymoron, and they said ethical hacking doesn't exist, and how can a hacker be ethical. So I think number one is the issue of definition, which I'll get into slightly later. But to point to your question, what happened in Australia was hacking. If somebody gained access to somebody else's data on someone else's system without their permission, that is hacking. According to the news report that I read, this was an impromptu, live hacking scenario of one researcher hacking into the Facebook account of his rival. That was hacking. My thoughts were that in the press report that I saw, they quoted the chief of the Queensland Police Department saying that this is bad. We don't need ethical hackers. I had a letter that I sent out to the editor of ZDNet saying that that was a very, very uninformed statement, because this was not ethical hacking, to begin with. This was hacking. And I think that the entire thing has been blown out of proportion.
What is Ethical Hacking?
FIELD: Take the opportunity now and educate us and our audience. What is ethical hacking and why do we need it?
BAVISI: An ethical hacker is nothing more than a computer bodyguard. Ethical hackers are trying their best to determine if a hacker were to attack your network, how they would do it. They're trying to figure out if they are able to protect your system and if the system has been sufficiently protected. That's what an ethical hacker is. An ethical hacker is not a person that goes out and picks any Tom, Dick or Harry, or any corporation and without their permission launches an attack and then comes back to you and says we attacked your system and you are vulnerable. That's not ethical hacking. There's a lot of confusion between the term hacker, ethical hacker and penetration tester.
Let me set this out clear to the community. A hacker is basically someone who gains access to your system without your permission. Period. Now, a hacker can be classified as someone that's just shoulder-surfing you and figuring out what a password is and then entering a username and password and getting access to your data. That is hacking. A hacker is also someone that calls you, pretends to be a federal agent and makes you hand over your username and password over the phone, what we know as social engineering, and then gains access to your data on the system. That is hacking as well. And a hacker is also a person that uses software, tools and scripts to gain access to your computer, like what we've seen elsewhere. All of these are terms of a hacker.
An ethical hacker is the complete opposite of a hacker. An ethical hacker is an information security professional. This is a good guy. This is a computer bodyguard trained in the exact same skills as the bad guy. They would go to a program like EC Council's Certified Ethical Hacker, where they go through a rigorous five-day training program. They go through all the hacking tools and techniques. They go through a tremendous amount of advanced training, and then they've got to sit for an exam. They have to sign a waiver saying that they'll remain loyal to the ethical standard required of the certification. That's a tremendous amount of work that gets them to that point. And then they go out and get hired by corporations who say, "Please come into my corporation and determine if it's secure from an attack." They'll run tests like a hacker. That is an ethical hacker.
A penetration tester is a step beyond that. The difference between an ethical hacker and a penetration tester is an ethical hacker would try to discover a known vulnerability that exists in your system. A penetration tester would take the known vulnerability, found through vulnerability testing, and then try to exploit that vulnerability to see what kind of damage that corporation or institution will endure. All of this is done within what we call the "rules of engagement" between the penetration tester and the corporation. It's not like the corporation doesn't know what they're doing. They're hiring these professionals to test. That's why I call them computer bodyguards, because they're there to do a job at the behest of the institution that hires them, under their critical scrutiny. And this is why you should not equate them as hackers.
FIELD: That's a nice, neat explanation and description. I appreciate that. But where do the lines between these distinctions start to get blurry, and how does the EC Council help to clear those lines?
BAVISI: Are you talking about the blurry lines between a hacker and an ethical hacker, or a hacker and a penetration tester?
FIELD: All three.
BAVISI: A hacker and an ethical hacker is simple - the word hacker, right? When I started EC Council with Haja, my co-founder, I remember in the early days we would walk into government agencies and they would literally not want to see us. They'd say, "Oh, the hackers are here. We have nothing to do with hackers. We don't want hacking certification. We don't want to make hackers out of our information security professionals." That is what it was like seven, eight years ago.
Today, the Department of Defense has EC Council Certified Ethical Hacker as one of the certifications in its mandate, the DoD 8570. The CEH has attained the National Security Agency's CNSS standard. So times have really changed. And a lot of the government agencies, professionals and corporations now understand that if you want to protect a system, you cannot do it by just locking your doors. You must have someone come in and test to see if all of your security measures actually yield any results. When are you going to check that? The day a hacker really gets in? No, you want to do it way before that, and that's why you hire ethical hackers or penetration testers. And that's why if you went on Monster.com today, you'll see that there's a serious shortage of ethical hackers all across the world. And that's why Foote Partners, who do annual or biannual research on information security jobs and their salaries, would tell you that one of the highest paid and fastest growing segments is certified ethical hacker. The blurring has really been part of the ignorance of the people that have blurred it. It's not intentional.
FIELD: Tell us what one goes through to be certified as an ethical hacker. What is the process?
BAVISI: To be an ethical hacker within the EC Council realm, the first thing you need to have is some sort of a network background. You would have either a vendor certification, like a CCNA or CCNB, or you'd be working in a networking environment for at least two years so you understand network topography, the basics of network security and so on. Once you meet those criteria, you will then fit into an EC Council course called the Certified Ethical Hacker. We will put you through five days of sheer hell. In five days, we will take you through hundreds of hacking tools, methodologies, programs and exploits. We will show you methods of cracking some of the most secured and patched environments. All of this is done in five days. Many training centers out there would run a boot camp, so they'd probably start at 8:00 in the morning and end at 9:00 at night, and the students would actually stay at the facility. Some training centers would do an extended course. Some of them do a 9:00 to 5:00, five days a week. It depends on which training partner of EC Council you go to.
Then you sign a waiver that says you waive your right to the Data Protection Act, and that EC Council reserves the right to share your information with law enforcement should there be a request from them for data knowing what kinds of hackers have been trained in that city, certifying that. They then sign an ethical standards agreement to say that they would use all of this only for the purpose of defense and not for the purpose of unethical and illegal offense.
Once they finish all of that, they go through a certification program. They go through a four-hour exam and they need to pass with a score of 70 and above, otherwise they fail. And you pass that exam and become a Certified Ethical Hacker. That's the day your journey as an ethical hacker begins, not the day your journey ends, because from there you need to go through a licensed penetration testing program. At that point, we take you through penetration testing methodologies. We take you through real-life scenarios. We take you through report writing. We want you to provide us with your background check or security clearance requirements. We put you through a lot to make sure you're a good guy, and then if you meet all of those requirements and letters of recommendation, we will award you the licensed penetration testing standard of the EC Council. That's what it takes to be an ethical hacker and a licensed penetration tester.
The Future of the IT Security Profession
FIELD: That's an excellent overview, and you've done a good job in the course of this conversation in telling me about the evolution of ethical hacking. Give me a sense now of what your vision is of the future of this profession.
BAVISI: I think that the future of the security profession is going to evolve just like the medical profession. In the 1950s and earlier, the medical profession had one designation, the M.D., or internationally known as the M.D.B.S. You were a medical doctor and there really wasn't any form of specialization. Information security and information technology is really in its infancy. Among the attacks that have been launched, we are seeing scaled attacks, mobile attacks, attacks against Apple or Macintosh operating systems, attacks against Linux-based operating systems, attacks against Windows-based systems, web-based attacks and physical attacks. There are so many points of attack.
My vision is that in time, this profession is going to evolve and we're going to go through the same specialization that the medical profession went through. You're going to see an ENT specialist. You're going to see an oncologist. You're going to see a cardiologist. In the same way, we're going to see different sub-specializations within information security. The vision of EC Council is to empower these professionals to that form of specialization. This is why last month EC Council launched the EC Council of Advanced Security Training. The point is very simple. You go through a CEH. You go through an LPT. Great, you understand the basics. But what if you want to learn just cryptology, and not just any cryptology but advanced cryptology? What if you want to learn advanced penetration testing in secure environments? Well, what happens then? So for professionals like this, we have already started our specialist school, and we invite only the brightest and the best to join in. They go through a rigorous training program by professionals who have done it themselves. All the instructors are hands-on professionals and consultants who have done some big stuff with a lot of experience. And that's where we are trying to drive this profession to. I hope that helps.
FIELD: What advice would you offer to somebody who wants to enter the profession today?
BAVISI: It's a big profession. It's not an easy profession. My advice would be first to get your basics of networking and computing out there. If you have a degree in computer science or engineering, you definitely want to get your hands dirty with forms of networking and forms of web development, and have the basics that are required. After that, you have to start your rigorous journey through information security, so you probably want to do the basics of CompTIA [indiscernible] Certification Security Plus or EC Council's ENSA course to have the basics. Then you start your journey by going through the Certified Ethical Hacker program. Then you follow with the EC Council's ECSA program, security analyst and penetration tester programs. And then you do the advanced courses. It's a long journey. You'll have to collect the certifications and you need to have the quest and the thirst for knowledge. If you don't have that, then this isn't a profession for you because the profession changes every day. Every day there are new attacks and new vulnerabilities, and information security professionals must brace themselves and be prepared to deal with these changes.