Certified Ethical Hacker – It is not uncommon for people to talk about a website being ‘hacked’, and you might have seen news reports about popular websites being hacked by a group of people or by an individual. In the cyberworld, the people who perform such ‘criminal’ acts are called hackers. They may be intelligent programmers or network administrators who may be doing it for the thrill of it, or to steal information or take control of a website or portal.
In order to find loopholes in a system or a property, the best method is to employ a thief to find them. In information technology, companies find loopholes and weaknesses in a website by employing ethical hackers. They are trained, certified people with years of experience in detecting loopholes, so that companies can plug them quickly and prevent huge losses in case of an unsuspected hacking or virus attack on a site.
The severity of cyber attacks can be gauged from the US White House action plan to spend $19 bn on cyber security initiatives, including educating consumers to use two-factor authentication. This follows recent hacking that compromised personal data of US citizens: in November, Federal authorities charged three men with intruding into the systems of nine financial institutions including JP Morgan, Dow Jones, Scottrade and eTrade, putting the data of 100 mn customers at risk.
A study by Ponemon Institute in 2014 showed that the average cost of a data breach for the affected company is $3.5 mn.
Many industry research and survey reports have indicated rising security breaches in websites and computer networks, thereby increasing the opportunities for trained or licensed ethical hackers.
CEH vs CPT Infographics
How to become a Certified Ethical Hacker?
There are many institutions offering hacker training courses, but ultimately the training should lead you to the Certified Ethical Hacker (CEH) certification offered by the International Council of Electronic Commerce Consultants (popularly called EC-Council).
It is not easy for just anyone to become an ethical hacker or a certified ethical hacker, as previous experience in the IT industry is a requirement for any formal education in this domain. Ideally, an ethical hacker should have a programming background with a bachelor’s degree in computer engineering or information technology (IT). The first step is to get a certification in networking and gain some experience in the area before going for the Cisco CCNA certification (Cisco Certified Network Associate). It is a certificate that validates a professional’s ability to understand, configure, operate and troubleshoot medium-level switched and routed networks, and also includes the verification and implementation of connections to remote sites using WAN.
Thereafter, it is better to earn additional certifications such as Security, CISSP or TICSA. This will enable the person to get a position in information security. At this stage, it will be better to gain experience in penetration testing. A penetration test involves assessing the security of the IT implementation in an organization. It is done with the objective of identifying the vulnerabilities present in the network. The areas that are vulnerable include servers, operating systems, wireless networks, mobile devices, services, configurations and applications. These tests can be done manually or by running automated programs.
After gaining more exposure in the industry, one can try for the international Certified Ethical Hacker (CEH) certification provided by the International Council of Electronic Commerce Consultants (EC-Council). According to EC-Council, the Certified Ethical Hacker program is the pinnacle of the most desired information security training programs for professionals.
Apart from networking lessons, an ethical hacker should have knowledge of Unix/Linux commands and distributions, programming in C, LISP, Perl or Java. Knowledge of databases such as MySQL will also come in handy for ethical hackers.
Apart from technical knowledge, they also need to have problem-solving and people skills, or social engineering. They should get people to disclose their credentials, restart or shut down systems or execute files.
There are five phases in ethical hacking: 1) Reconnaissance, 2) Gaining Access, 3) Enumeration, 4) Maintaining Access and 5) lastly, covering your tracks. Reconnaissance involves gathering information about an intended target of a malicious hack by probing the target system. The ports are scanned to find weaknesses in the system and vulnerabilities around the firewall and routers. Once a weakness is detected, the hacker can work out the means to access the system. There are two types of reconnaissance: active and passive.
Passive reconnaissance may have nothing to do with information security or IT systems; it could be knowledge about company routines, such as the times when employees arrive and leave. Or it could be internet protocol (IP) changes, naming conventions, or hidden servers or networks. The hacker monitors the flow of data to see at what times transactions are taking place and which routes the traffic takes.
Gaining access to the system is the most important phase of the hacker attack. It can happen over a local area network (LAN) or the internet, through local access to a PC or even through offline access. It includes stack-based buffer overflows, denial of service (DoS) and session hijacking.
The enumeration or scanning phase involves examining the network based on information gathered during reconnaissance. The tools used are dialers, port scanners, network mappers, sweepers and vulnerability scanners.
Maintaining access is vital to keep it available for future use. Sometimes hackers maintain exclusive access through backdoors, Trojans and rootkits. The final stage is covering of tracks to avoid detection by security personnel. The Certified Ethical Hacker (CEH) program covers these topics in detail, and candidates are tested on them by EC-Council before certification is awarded, which qualifies the candidate to take up challenging assignments in industry.
The exam tests the knowledge and skills of candidates in the following areas:
- Telecom, networks, cyber media and IT systems.
- Have a broad understanding of security protocols associated with the operating systems: Mac, Linux and Windows.
- Should be able to hack into a computer system of an organization, with due permission, to assess its vulnerabilities and weaknesses.
- Undertake preventive and corrective measures against malicious attacks.
- They should be adept at identifying and cracking different types of passwords, and at thwarting password attacks.
- Understand cryptography and encryption techniques with private/public key infrastructure.
- They should have knowledge of cyber attacks including Trojans, URL obfuscation, identity theft and social engineering.
Learn how to protect businesses from the dangers of malicious hacking efforts. Assess security of computer systems, using penetration testing techniques. Develop ethical hacking skills.
Penetration testing has the manifold objective of protecting an organization’s vital IT systems from external attack, and it involves putting the endpoints, applications and networks through stipulated tests. It enables security professionals to ward off possible threats well in advance by initiating remedial action where vulnerabilities are found.
Regular pen testing helps companies know beforehand what security risks the IT system is exposed to. Timely remedial measures prevent hackers from intruding into the network and compromising valuable data. This avoids the cost involved in a security breach, which could run into millions of dollars, and the loss of image regarding protection of customer data and of business-to-business information involving third-party data. Penetration testing helps organizations meet compliance and auditing regulations such as GLBA, HIPAA and Sarbanes-Oxley. With penetration testing, companies can save a significant amount of money in fines related to security non-compliance. They will be able to comply with testing as mandated in federal FISMA, PCI-DSS or NIST.
Licensed Penetration Testing by EC-Council
The EC-Council rates the Licensed Penetration Tester (LPT) as the pinnacle of its information security programs, which also include the Certified Ethical Hacker program and the EC-Council Certified Security Analyst (ECSA) program.
The EC-Council LPT exam is the most challenging practical exam prior to the awarding of certification. The online version of the course has over 39 intense modules and over 2300 slides that foray into complex aspects of penetration testing. The course provides 1100 tools to help candidates dive deep into the science of penetration testing.
The EC-Council says that the LPT exam was developed in collaboration with small and medium enterprises and practitioners across the globe after a thorough job, role, job task and skills-gap analysis. It simulates a complex network of a multi-national organization in real time.
The online version of the course enables information security personnel to learn penetration testing from anywhere in the world and apply for the LPT license. The license is an assurance to your stakeholders that you possess the ‘hands-on’, skills-based competency to perform a thorough security assessment.
Not all IT professionals are eligible to apply for EC-Council licensing, especially for pen testing. The candidate has to be an ECSA member in good standing, have a minimum of two years’ experience in pentesting, and also hold approved industry certifications such as OSCP or GPEN. Applicants can apply directly to EC-Council via an online web form.
The advantages of certification
- The certification allows candidates to practice penetration testing and consulting on a global basis.
- Industry acceptance as a legal and ethical security professional.
- Access to software, templates and testing methodologies of EC-Council.
Although different agencies provide certification, EC-Council certification gives candidates the opportunity to practice their skills so that they are able to function as licensed penetration testers.
Although ethical hacking and penetration testing both fall in the realm of information security, they are subtly different in their roles and functions. The Certified Ethical Hacker is trained in mastering hacking technologies, while the licensed penetration tester program is for professionals who are authorized to conduct penetration testing of corporate networks.
EC-Council certification exam applications are accepted online at https://cert.eccouncil.org/lpt-application-form.html.
Ankit Fadia’s Certified Ethical Hacker is also a program that is recognized the world over. It was devised by a globally famous authority on computer security. It provides the latest tools, techniques and methods used by cyber criminals and terrorists. It also shows how to fight them. Ankit Fadia also shows how he hacks into websites, accounts, mobile phones and passwords right in front of your eyes.
The potential of penetration testing and ethical hacking is huge, with India’s leading service sector portal Naukri.com displaying 115 vacant positions in this area.
The roles of the Certified Ethical Hacker (CEH) and the penetration tester are different, although both fall in the realm of information security. The CEH is responsible for protecting IT systems by performing certain routines that protect the system from external threats. In this domain, experts are employed as security auditors, network security specialists, penetration testers, site administrators and security consultants, depending on knowledge, ability and experience. Experts in these areas with certification from EC-Council are in great demand in the government sector, military and defense. Courses in ethical hacking that align with EC-Council’s syllabi prepare information security personnel to get EC-Council certification. They are offered by private-sector schools and by universities in several countries.
In the industry one may find information security professionals with and without global certification. However, it pays to get certified, as the majority of hiring managers consider certifications a factor in their hiring decisions. Certified professionals get a better start in their career, a better salary and pay raises.
According to the US Bureau of Labor Statistics, demand for information security analysts is expected to grow 18% from 2014 to 2024, which is a much faster rate than for most other occupations. In India there are only 50,000 cyber security professionals, but the nation needs five million professionals by 2020, according to the National Association of Software and Service Companies (NASSCOM).
The country requires 77000 new ethical hackers every year, but at present only 15,000 are trained in this area. Even the best of hackers need to study more and get global certification to gain credibility. In tune with the rising demand for ethical hackers and penetration testers, several institutes have sprung up in the private sector offering various courses.
According to McKinsey, about 70% of Indian companies are susceptible to cyber attacks. In one recent incident, a company had to pay a large sum of money to regain control of its stolen data.
In the USA, regulations are strict with respect to compliance. India doesn’t have the equivalent of the Health Insurance Portability and Accountability Act that was passed by the US Congress in 1996. The Act is meant to protect confidential health information in America and govern how it is handled. It is difficult for companies that are non-compliant with HIPAA to do business in the USA.
Along with ethical hacking and penetration testing, vulnerability assessments are also gaining popularity, but they often get confused with penetration tests, experts said.