Corporate security and IT professionals got a chance last week to think like hackers so they could learn how to better prevent unauthorized users from gaining access to their networks.
More than a dozen computer specialists from across the country took part in an intensive five-day “boot camp” offered by New York-based Ernst & Young LLP on the defense of enterprise networks. They paid US$5,000 apiece for the training in Boston.
Though not always an enterprise’s top priority, network security has quickly moved into the spotlight since the Sept. 11 terrorist attacks and the discovery of the Nimda and Code Red worms last year.
Dubbed Extreme Hacking: Defending Your Site, the four-year-old class originally began as a training course for Ernst & Young employees, focusing on network and system security for Windows NT and Unix systems.
Ron Dongoski, a partner in Ernst & Young’s security and technology solutions practice in New England, said many of the company’s clients already use outside consultants or security experts to do site assessments of their systems on a quarterly basis to determine if there are any vulnerabilities.
But now those companies want their own employees to take corporate security to another level by performing more frequent site assessments. That, Dongoski said, is why they send workers to take the hacking course.
During the 45-hour class, Ernst & Young security professionals take students step-by-step through all the ways hackers try to subvert mission-critical servers and network configurations.
Using dual-bootable NT/Linux laptops and an accompanying network setup for practicing subversive attacks, attendees were taught a new bag of tools and tricks to help them understand how hackers identify IP addresses, collect information about the systems they want to compromise and exploit weaknesses without being noticed.
Students spent half their course time conducting hands-on exercises using the techniques they learned from lectures to compromise three self-contained Windows NT boxes.
Among the attendees at last week’s class was Jason Buckley, security officer for corporate IT security at Boston-based CCBN Inc., which builds, manages and hosts the investor relations sections of Web sites for more than 2,500 public companies.
Buckley, who successfully compromised all three machines, said one of the reasons he signed up for the course was to get fresh ideas and better understand what he’s up against.
“We wanted to take our security to the next level,” he said. “Although we do penetration testing and third-party auditing [of our network], I wanted to look at our site from the outside and try to penetrate it.”
Buckley said the class also taught him what to do to defend against an attack.
“This class was invaluable,” he said.