# Ethical Hacking



## jvarnell (Sep 7, 2012)

With all of the rsearch I have been doing into Masonary I have been thinking is there such a thing as ethical hacking.  A Cyber Security expert has to learn how someone would cause an exploit.  When I was growing up in computers starting in 1977 you learned by doing. (yes the PDP-11/35 and RSX-11 and BSD)


----------



## Brent Heilman (Sep 7, 2012)

Yes there is. There are courses that are offered in a conference type setting all the time. There are some IT Security guys out there that do as a consulting business. Good stuff to know if you are into the security side of the IT house.


----------



## jvarnell (Sep 8, 2012)

The reason I posed this question is that in the college cources that teach these days is just not right.  They just can't teach a way to get the mind set and thought patern down.  Now they teach a cyber security professional a process and how to do forensics.  Cyber security is a thought patern and a psychology not watching for port scans and a buffer flow.  I was thinking about teaching some young gun we have what reality was but I don't know if they will practise to systems I know are safe for this.   They will also have to learn the social part of find info because it takes a lack of knowledge of the system that is the target to get the true feel of knowing whats in a hackers head.  Some of the most successful penatrations start with diging through trash.

So It is my lack of control I am worried about after helping them with the thought paterns.


----------



## Blake Bowden (Sep 9, 2012)

China has no problem using hackers to penetrate our systems, I say we should encourage it. It's the future of warfare imo. I still can't get over the Stuxnet virus Stuxnet - Wikipedia, the free encyclopedia

Back in the day I would war dial looking for vulnerable systems and later on used torjan viruses, mainly for pranks on friends. Not much of a hacker myself though.


----------



## jvarnell (Sep 9, 2012)

Stuxnet was a us /Israeli atack on the irans centrafuges.   It is very hard to contain stuff like that it is like a controled burn .  When i disambled it you see 3 styles of coding in it.


----------



## JTM (Sep 9, 2012)

Just as with everything else, be willing to accept the consequences of whatever you decide.  If you think it's okay but the law doesn't, then decide for yourself whether it's worth it to stand by your platitudes.


----------



## Brent Heilman (Sep 10, 2012)

I have played around with some hacking stuff. I hacked the network at a hotel I was staying at a few years back to just to see how easy it would be. It took 10 minutes. The tools are out there and they are free to get. The penalties though if caught are not. If you want to get a feel for it and play around legally go here: Hack This Site!


----------



## jvarnell (Sep 10, 2012)

I know and my point is if I teach them real world stuff and not just the script kiddy stuff that the colleges are teaching them today should I feel moraly oblageted id they use it wrong.


----------



## apursell (Sep 11, 2012)

I took these courses/certifications years ago...I'm sure much has changed, however they're good classes/certifications.

Network Penetration Testing and Ethical Hacking

Hacker Techniques, Exploits & Incident Handling


----------



## jvarnell (Sep 12, 2012)

apursell said:


> I took these courses/certifications years ago...I'm sure much has changed, however they're good classes/certifications.
> 
> Network Penetration Testing and Ethical Hacking
> 
> Hacker Techniques, Exploits & Incident Handling



But the one thing I you can't get from that that my guy need to know is that those are guidline for a hacker to know what you are looking for and they don't have to spend much time on that line of thought. Back in the late 80's Stephen Nortcutt of SANS when he was DoD told me you don't need to think what data they are after as a target.  But I think you do.


----------



## apursell (Sep 12, 2012)

I guess I agree with that statement from Northcutt. When I apply security aspects to any of the networks I've worked on I am not concerned with what data they're after, I go to protect all data. From my experience in the IS field for 12 years as a Government contractor for DoD and various unnamed organizations, applying the least amount of privilege is key and also your biggest threat is from insiders.


----------



## jvarnell (Sep 12, 2012)

apursell said:


> I guess I agree with that statement from Northcutt. When I apply security aspects to any of the networks I've worked on I am not concerned with what data they're after, I go to protect all data. From my experience in the IS field for 12 years as a Government contractor for DoD and various unnamed organizations, applying the least amount of privilege is key and also your biggest threat is from insiders.



But that is what is wrong with the coledge training to know what to watch with extra zeal you need to know what is valuable.  90% proctect 10% detect it is that 10% after the fact that will kill you. With the NIST 800-53 the hackers know what not to do it is writen right there.  They just do other stuff.


----------



## apursell (Sep 12, 2012)

At my non profit I now work for we deny all on firewall and only open as needed and also I have implemented a full suite of HIDS and NIDS. When I see weird traffic you investigate. Most of it is just seeing what happens, if your feeling frisky you can always put out a honeypot..


----------

