
Should ethical hacking be taught as a career course?

Srikanth RP/Mumbai

In a society so dependent on computers, breaking into anybody’s system is obviously considered anti-social. What can organisations do when, in spite of having the best security policy in place, a break-in still occurs? While the “best of security” continues to get broken into by determined hackers, what options can a helpless organisation look forward to? The answer could lie in the form of ethical hackers, who, unlike their more notorious cousins (the black hats), get paid to hack into supposedly secure networks and expose flaws. And, unlike mock drills where security consultants carry out specific tests to check for vulnerabilities, hacking done by an ethical hacker is as close as you can get to the real thing. Also, no matter how extensive and layered the security architecture is, the organisation does not know the real potential for external intrusion until its defenses are realistically tested.

Though companies hire specialist security firms to protect their domains, the fact remains that security breaches happen due to a company’s lack of knowledge about its system. What can be the best way to help organisations or even individuals tackle hackers? The solution could be to train companies, or even students, in the art of ethical hacking, which simply means crippling the hacker’s plans by knowing the ways one can hack or break into a system. But a key impediment is the shortage of skill sets. Though you would find thousands of security consultants from various companies, very few of them are actually aware of measures to counter hacker threats.

So, does India Inc need an institution which would train companies or students in the art of defending their own cyberspace? In other words, should ethical hacking be taught as a career course? This question was likely to provoke a tooth-and-nail reaction, and it did when we asked some of India’s best known security consultants for their views on introducing a career course in Ethical Hacking (EH).

Counters Rajat Mohanty, CEO, Palladion Networks, one of India’s best known security consultants, “No, ethical hacking should not be taught as a career course. Teaching ethical hacking will create a horde of skilled hackers, and if they don’t find gainful employment can create havoc. Currently, most of the hackers are script kiddies who hack using powerful tools available on the Net. If we have skilled people using these tools, the damage will be much higher. It should be more like in-house training of security professionals to become ethical hackers.” The same views were echoed by many others who believed that this course, if commercialised, could lead to dangerous consequences instead of providing well-qualified and trained professionals.

Adds Abhay Mehta, co-founder and CTO, Securesoft, “It would be really stupid if it were canned and taught from a book. The purpose of the entire exercise would be lost and you would simply get more coding coolies who do not understand much.” Others like Iqbal Gandham, CTO, Net4India, feel that ethical hacking should not be taught as a career course simply because good system administration is already being taught and a separate course would teach nothing extra. Many security consultants were also of the view that more training means more knowledge on removing traces and erasing audit trails.

The fact remains that though IT security companies have existed for a long time, break-ins still happen, even on systems managed by security companies. This view is best summed up by Srijith K, who manages the site Indiacracked.com (which gives a listing of cracked Indian websites), “I feel that security companies think only from one point of view. They are more concerned about solving existing problems rather than finding new ones. Ethical hackers by simply thinking from a different point of view can visualise and create different situations. When one works with an IT company, one loses touch with some of the underground work going on. It is these underground places that breed attacks. Ethical hackers who keep in touch with various developments can be an effective counter to real attacks.”

Globally, the hiring of ethical hackers is on the rise with most of them working with top consulting firms. In the US, an ethical hacker can make upwards of $1,00,000 per annum and the same figure in India could be upwards of Rs 6 lakh per annum. Freelance ethical hackers can expect to make $10,000 per assignment in the US. In India, freelance ethical hackers are not employed by established companies as most prefer to hire them from known security firms.

While most security companies believe that there are more cons in introducing a career course in ethical hacking, what could possibly be the pros? One, companies could find individuals who are capable of finding holes in their organisation’s network and help them secure it. Also, companies would become more responsible in the kind of software they develop. Surprisingly, there are a few advocates of the idea of teaching ethical hacking as a subject.

Adds Milind Dikshit, head-technology solutions and security, Bangalore Labs, “As a subject, yes, it should be taught as an analytical science. Teaching principles of security is a logical precursor to penetration testing or ethical hacking. One of the greatest demands for such skills is going to be in ‘building secure systems’. Security product companies could use their expertise in designing their systems and finally get them to test the products for security before releasing them for commercial use.” Though it is understandable that security consultants fear a well-trained community getting into unethical hacking, there is also an urgent need for people trained in the art of ethical hacking who don’t go strictly by the book and look for ways to find loopholes in existing systems. The need is therefore to strike a balance between the two and find a solution.

Explains Rajeev Wadhwa, COO, Global e-Secure, “Ethical hacking as a course needs to be taught with a wider vision keeping in view the social, cultural and legal implications. Also strict standards and guidelines need to be adopted as a part of the curriculum. The training should also be restricted and all would-be ethical hackers should first be made aware of the IT laws. Most importantly, an ethical hacker should possess the quality of being honest and trustworthy for the simple reason that while auditing and testing the security of an organisation, he will uncover confidential information which has to be safeguarded from leaking out. The ‘ethical’ factor is the key which separates the good men from the bad, and this has to be embedded in the minds of the students.” While security experts like Dikshit do support the teaching of ethical hacking as a science, they are also careful to add that this should not be commercialised like any other computer course.

Dikshit believes that in order to ensure that the skills do not go into the wrong hands, there should be strict qualification criteria, both for the instructors and the students. In India, players like Global e-Secure already offer training in the field of ethical hacking. While the majority of the players here are still not sure about the merits of introducing a course in ethical hacking, global organisations like SANS, Foundstone, esgulf, jump4it and ISS have been teaching ethical hacking for years. And if strictness is indeed maintained in introducing such a course, it would herald a significant change in the mindset of Indian corporates, who would be better prepared to handle intruder attacks.


© Copyright 2000: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.