Information Security News mailing list archives

Hire hackers to find loopholes in IT system, firms advised


From: InfoSec News <isn () c4i org>
Date: Thu, 31 Oct 2002 04:20:10 -0600 (CST)

http://biz.thestar.com.my/news/story.asp?file=/2002/10/30/business/yvword&sec=business

By Yvonne Chong 
October 30, 2002

As computer system security becomes an increasingly major concern for
businesses and governments alike, organisations can look to hiring
ethical hackers to uncover their systems' vulnerabilities before the
hackers do.

To prevent the growing legions of hackers from crippling an
organisation's business operations and destroying their profit margin,
local businesses must learn to think and act like hackers, said
Wordware (M) Sdn Bhd managing director Wilson Wong.

"Before companies can understand today's security threats, they need
to know how hackers select and exploit companies' vulnerabilities, how
to eliminate those vulnerabilities, and the counter measures
available," Wong said at a seminar on Ethical hacking and
counter-measures in Kuala Lumpur yesterday.

Known in Malaysia as "penetration testing engineers" as opposed to the
more controversial term "ethical hackers", these professionals who are
skilled in all the hacking tools and counter measures are a relatively
new breed here.

Wong noted that the awareness level of the imminent and actual threats
of hacking was low, particularly among the small- and medium-sized
enterprises (SMEs), which formed the bulk of local companies.

Many organisations are unaware that hacking tools are readily
available on the Internet to be downloaded. These tools can be used to
steal databases, including credit card and other personal details, and
sensitive or confidential company information.

A hacker need not even know any programming language to use the tools
to cause serious damage to a company that is not adequately protected.

Some 3,000 cases of cybercrimes and Internet security breaches were
reported in Malaysia between August 1997 and July 2002.

Wordware sales and marketing vice-president Sanjay Bavisis said the
fear was not so much of having one's website defaced with big bold
"You've been hacked!" or the logo replaced with pornography, because
then the organisation would know it had been hacked and do something
about it.

"It's when everything seems to be just the way they were. But behind
that, your data had been compromised, stolen and altered, some
software implanted in your system that transmit all your secrets out
... and you are not even aware of it," he said.

Wordware and US-based International Council of E-Commerce Consultants
(EC-Council) recently introduced "Ethical hacking and
counter-measures" as an e-business qualification in Malaysia.  
Candidates who pass the programme would be accorded the title
"Certified Ethical Hacker" (CEH).

The seminar was attended by over 300 professionals from the banking
and finance industry, IT and telecommunication sectors, students and
human resource managers.

Topics covered included Hacker ethics: Are there any ethics?, legal
implications of hacking, computer crime and punishment, hacking and
protecting your Windows 2000 OS and hacking and protecting your
dial-up, voicemail and VPN.

Wordware has 26 authorised training centres nationwide to teach and
train students in the course, among other e-business courses. "Each
centre plans to have 10 to 20 CEH trained every month," Wong said.

While the profession was slowly gaining momentum here, the growing
trend in US companies was to groom their own ethical hackers, said
EC-Council technical director Haja Mohideen.

"There's now a new title: chief hacking officer (CHO)," Haja said,
adding that it was only a matter of time before the same trend came to
Malaysia.

CHOs are a breed of ethical hackers that have mastered all the hacking
tools and know all the counter measures. They are not involved in
providing security for the company but their role is to find all the
gaps and loopholes in an organisation's system, somewhat like the
final checkpoint in the system's quality control, according to Haja.


