It seems like every other month that a major corporation suffers an epic hack, with millions of customers’ data stolen. In the aftermath of those attacks, many companies are turning to ethical or “white hat” hackers to test their defenses. But is ethical hacking an effective counter to unethical hacking, especially when those who practice the latter can do pretty much whatever they want with a wide variety of tools?
Ethical hacking’s cause isn’t helped by the fact that the EC-Council, the Albuquerque, New Mexico-based organization that offers a certification in ethical hacking, was hacked in February. (It doesn’t get much more meta than that.) Michael Goldner, dean at EC-Council’s University, insisted in an interview that the breach occurred downstream: “Our website was secure, but the hosting company under contract had weaknesses in their systems.”
Whatever the cause of the EC-Council breach, ethical hacking as a concept isn’t undermined—but it isn’t the sole solution to the Web’s chronic vulnerabilities. According to Jeff Williams, CTO at Contrast Security, a Mountain View, California-based interactive application security testing company, a realistic approach to defending an organization’s systems involves threat modeling, security architecture, building strong defenses, security testing, code analysis, and eventually some sort of ethical hacking to test potential vulnerabilities.
Williams argues that unbreakable security is a myth: there will always be unethical hackers, and sometimes they will succeed in breaking into a system. “But if organizations monitor the attacks on their infrastructure and respond appropriately, they can learn and make themselves stronger,” he said.
So is there value in an ethical hacker certification? The hack at the EC-Council isn’t exactly a vote of confidence. But the EC-Council’s ethical-hacking certification isn’t the only one that falls under the umbrella of DoD 8750, the Department of Defense directive that established baseline certification guidance for Information Assurance (IA) positions; other, related certifications include the CISSP, OSCP, and Security+ CE. “Typically, these certifications are offered after a class,” Williams said, while cautioning: “None of the skills that hacking requires is easily measurable in a class and exam format.”
Marc Maiffret, CTO of BeyondTrust, a Phoenix-based privileged account management and vulnerability management software-solutions company, admits that while certifications are a start, an ethical hacker needs real-world experience and on-the-job training. Like Williams, he’s a realist: “There is no match for someone with unlimited time and resources… If someone wants to get into your organization, they will.” To minimize the impact of an attack, he added, organizations have to adopt an approach that focuses on monitoring and regulating user privileges once a breach occurs.
“Certifications are a calling card to say you’re committed to the industry, the profession, and lifelong learning,” said Philip Casesa, director of service operations at (ISC)2, a Clearwater, Florida-based nonprofit organization that specializes in information security education and certification. “To maintain certification with us, you have to do education credits. You have to keep learning new technology, skills, threats and protections.” An organization’s commitment to security, he added, ultimately matters far more than any one certification.
Hiring managers are still on the lookout for certifications, and that’s what ultimately matters with regard to getting a job. Cameron Camp, a malware researcher in the San Diego offices of ESET, an IT security company, believes that certifications continue to offer substantial value and a bit more. “They provide a base level of knowledge, and that’s important,” he said. The onus is on the professional to put in the time on the job. “Core development work isn’t always pretty, but you need to apply your skills in the real world.”