SPONSORED BY: Dice
SearchNetworking.com Career Center
The Value of "How-to-Hack" Courses
by Eric Berkman
If you're looking to hackproof your systems by getting inside the heads of perpetrators, "how-to-hack" courses might be the thing for you, say IT and security experts.
"I believe that knowing a hacker's mindset would be valuable for anyone in a security-related profession," says Chad Robinson, a senior research analyst who covers information security for the Robert Frances Group in Westport, Conn. "That goes for system administrators, security specialists and anyone else directly or indirectly responsible for security."
But if you're shopping for a course or considering sending an employee or two, experts advise you to consider the following:
- The most valuable courses cover detection and incident-handling in addition to hacker tactics;
- certain IT roles will benefit more from these courses than others;
- sending the wrong employee may be a recipe for disaster; and
- check out a book on the topic before investing in the course.
"How-to-hack" courses are valuable in two ways, says Larry DeCair, the IT director for Triangle Network, a nationwide logistics firm based in Santa Fe Springs, Calif. First, they can help network and systems managers understand when and why attacks happen and how to detect them. Additionally, IT managers with penetration skills can "ethically hack" their own networks in order to justify, say, $200,000 in new firewalls across 20 or 30 locations. "You can tell [a CIO or CSO] they're vulnerable all day, but if you can't prove it, they'll say, 'Why should I be paying?'" says DeCair.
At the same time, courses with a pure "how-to-hack" methodology carry limited value if they don't also cover defensive strategies, like intrusion-detection and response, says Ed Skoudis, a security consultant with International Network and Services in Santa Clara, Calif. That's because knowing how hackers think only gets you so far if you don't also know how to use it to secure your systems. "You have to wrap it up in a package of meaning to help people do their jobs better," says Skoudis, who teaches such a course for SANS Institute, a leading security training and certification provider.
Of course, some IT roles will receive more value from "how-to-hack" courses than others, experts say. Robinson breaks the courses into several categories. His first category contains highly technical courses that focus on software vulnerabilities. These courses are geared more toward developers looking to write secure code as well as heavy hitters on the security front. "Systems and network administrators are unlikely to be working at that high a technical level," says Robinson. "Like high-octane fuel, it does you no harm and can certainly be helpful, but you have to be a very aggressive and focused security guru [to get full value]."
The second category of courses focuses more on "social-engineering attacks," where hackers take advantage of services turned on that shouldn't be, carelessness with passwords, and unprotected networks. These courses put attendees in the mindframe of hackers and are more useful for general security staff and system administrators, says Robinson.
The third category consists of forums like DEFCON, an underground event that features activities like "capture the flag" sessions where everyone tries to hack into everyone else's box, with a monitor showing who's doing what where (Skoudis' course offers a similar activity). "It shows more what hackers are thinking than a class with a teacher trying to teach material to 25 people," says Robinson. These would mostly benefit a tactical-level security professional just below the CSO, he adds.
But if you're sending an employee to any course, you need to be extremely careful of who you pick, Skoudis points out. "Anyone who attends a course will pick up ideas about how bad guys manipulate systems and how to stop them. But if they're malicious themselves, they can use their skills against your organization. So send someone you trust."
Robinson adds that hacking techniques are constantly changing, giving "how-to-hack" courses limited shelf lives. "You'd want to go on a yearly basis to keep up," he says.
Meanwhile, traditional 5-to-10-day "how-to-hack" courses offered by organizations like SANS, Internet Security Systems (ISS), Global Knowledge and others, can be quite expensive, ranging from $500 to $1000 a day. So DeCair advises browsing through third-party books on your own before making the investment. "That's a good first step, depending on the individual," he says. "If you're not a great self-starter, but interact really well in a classroom environment, it probably makes more sense to take the course."
How To Get The Most Out of How-To-Hack Courses
- Look for a course that teaches defense in addition to offense.
- Realize that -- depending on the course -- certain IT pros benefit more than others.
- Keep the fox out of the henhouse; send someone you trust.
- Read up on hacking techniques before investing in the course.