As a regional IT manager for the Weitz Company, a large general building contractor based in Des Moines, Iowa, Jill Davis wanted to boost her infosec knowledge and take a more proactive stance in protecting the firm's cyber assets.
"We're in that day and age where you can't stick your head in the sand and say 'What I don't know won't hurt me'," says Davis, who supports Weitz's Colorado division.
"I felt that we had to gain as much knowledge as possible to be preventative, instead of reactive. It seems like every time a virus comes out, we are running like mad people trying to put out the fires. If you know a little bit more to be preventative, it helps."
A hands-on program
So she decided to take a five-day "Ethical Hacker" course offered by New Horizons Computer Learning Centers. The hands-on program aims to help students secure their organizations by showing them how to attack a system themselves. By knowing how a malicious hacker operates, the theory goes, an IT professional will gain a better understanding of how to secure their systems.
"It's aimed at anybody who is a security professional, anyone who is concerned about the integrity of their network infrastructure," explains John Golden, New Horizons vice-president of products and programs.
He notes that students must sign a legal agreement that they're attending the course for educational purposes and will not use the skills or tools they learn for malicious purposes: "There is a duty of care on behalf of both New Horizons and the organizations to ensure that we're not creating a raft of hackers, but rather a raft of security professionals."
Upgrading privileges
In the course, students use tools that penetration testers and hackers also use to perform a network attack in a controlled environment. They learn how attackers can upgrade their system privileges and how to prevent that.
The program also covers enumeration, Trojans, denial-of-service attacks, buffer overflows, session hijacking, and Novell and Linux hacking, among many other topics.
"It was a lot of information. We went through everything, from social engineering to viruses, to how people can unknowingly open backdoors into systems. Basically, we learned about what to look for and countermeasures for different types of attacks," explains Davis.
She learned to look at log files and IP tables to detect possible attacks, and countermeasures such as ensuring a firewall is secure and that ports are not left open. She also learned how employees can unknowingly introduce viruses and intruders into the network. "Your worst enemy can be your very own users," she notes.
Opening her eyes
Weitz uses a variety of security technologies, including virus protection, password enforcement and firewalls, and is diligent about deploying security patches from Microsoft. But the course opened Davis's eyes to the wide range of cyber risks.
"After the first couple of days, I had a pit in the bottom of my stomach," she recalls.
Armed with what she describes as "an arsenal of knowledge" from the class, Davis says she is trying to put together security policies for her division's 150 employees and then develop a security training program.
"I haven't implemented everything I'd like to yet, but now it's one of those ongoing things," she says. "You have to stay ahead of the game."
Based in Anaheim, California, New Horizons offers its Certified Ethical Hacker course in 21 locations spread around the U.S. For more information, visit www.newhorizons.com