"It should be emphasised that Espion, in no manner whatsoever, encourages the use of these tools for illegitimate purposes. If you are in doubt as to whether or not the application of a given tool is legal or not, you should contact either your company’s legal counsel or relevant public authorities."
This is the disclaimer that greets you as you walk into the course that promises "a practical and legal analysis of the threats your IT systems pose to your business". It’s a hacking course for sysadmins. But because we are only planning to use what we’ll learn to protect our own networks, rather than attack others’, it’s an "ethical" hacking course. The big, bold disclaimer deals with the first hurdle that such a course throws in your path.
Mention hacking and you tend to get one of two reactions: conspiratorial talk or dismissive boredom. With the largely self-perpetuating security industry throwing out dozens of "critical" software holes every week that all threaten company meltdown unless you buy Product X, it is hardly surprising that those who have to actually deal with the problem are pushed to the extremes.
The simple truth though is that hacking is something sysadmins need to understand just as much as the mentality of the end-user or the compatibility problems that new hardware will bring. It’s an important part of the job. The other truth is that few IT professionals understand hacking beyond the application of patches, a few cult movies, and breathless magazine articles about Kevin Mitnick.
This is what the two-day ethical course by Espion hopes to cover, and it does a pretty good job of it. The course is split between coverage of hacking itself (including legal issues) and a hands-on run-through of what someone targeting your system will actually be doing at the other end of a connection. It's eye-opening stuff. You will have heard scare stories about script kiddies downloading a bit of software and, with the click of a button, gaining access to company systems and wreaking havoc. But once you have downloaded the software itself and used it to break into a system, you have a far better handle on things.
Not breaking the law
The advantage of a teaching course is that you don’t have to break the law to do so - a bank of PCs is set up and the bulk of the practical work is done by targeting each other’s computers through individual IP addresses. The peculiar truth you learn is that hacking is easier than you thought but at the same time easier to deal with than you might have assumed.
If you maintain a passing interest in hacking, chances are that you will know a good chunk of the background that is given - who the people are that will target your system, how they will do it and what they do it for. If you have ever delved into the practical aspects of hacking by touring about online, you will know some of the commands, approaches and sites that hackers use to get into systems, many of which you are pointed to. And if you have been in charge of a big IT system, you will probably have had to deal with the problem from the other side - a site defacement or a denial-of-service attack.
But having it all laid out and up for discussion by someone who makes a living testing companies' systems - the course instructor Colm Murphy - is extremely instructive. Digging into what hackers are up to, how basic protocols work and how they are put to nefarious purposes, and then downloading, installing and running hacking tools, while sharing the odd anecdote, is intriguing stuff. And you will learn something you didn’t know before. One knowledgeable sysadmin on the course was excited to find a free software tool that did exactly what he’d been trying to do on his network for months.
The course is not for novices though. A lot of information is packed into a short period of time and the demonstrations are run through swiftly on the assumption you are comfortable with the registry and Unix commands. But at the end of the first day, you will have gained a useful overview of this security problem and an insight into hackers’ minds, and will have broken into a real Web server - albeit one set up by the course.
Why is any of this useful? Because if you have ever been bored enough to view your firewall data, you will find numerous and constant scans of your systems, looking for a hole. Fine, you say, install patches as and when they appear and hacking tools are always going to be one step behind. But while a passive, if constant, approach to securing your system will most likely protect your system, a far better method is to step back and concentrate on hacking your own system. The vast majority of hackers will just be scanning for holes and don’t much care who you are. You have the advantage that you know exactly who you are and where you can find your systems.
If you can then run every tool against your own system and fix any problems, you can be far more confident that a random visitor will not hang around for long. "Ninety-five percent of hackers are just trying doors," said Murphy, "all you want to do is push those people on to someone other than you." What will surprise you is the ease with which you can check your system and the tools that are immediately available for exploiting and fixing any holes you find. Unfortunately, it also works the other way around - someone else could be doing the very same as you right now.
And they may already have been there. One surprising piece of software was able to hide tell-tale registry keys on a system. Even if you know where to look, they won’t appear. Unless of course you run the masking software and know where it hides itself.
Hacking may still be more scaremongering than real threat to your system, but that doesn’t mean you aren’t at risk. Balancing risk with the effort required to deal with it is something that every system administrator will be used to. Whether a two-day course that gives you the foundation to deal with a high-profile security problem is worth your while is something you’ll have to decide. But it will certainly be more interesting than the other courses you go to this year.
The course costs £849 for two days and is held in Manchester. Further courses may be held in London and Birmingham according to demand. Espion will be running its next two-day course in Manchester on 2-3 December. For more details visit http://www.espion.co.uk or e-mail David Chapman at [email protected]