The phrase "ethical hacker" can seem like an oxymoron. Transform it into a bona fide credential, Certified Ethical Hacker (CEH), and you compound the dissonance. Can a hacker -- a geek who disrupts computer systems -- really be ethical and certified, too?
In fact, the idea isn't as ludicrous as it sounds. Ethical hacking has roots in the corporate world -- specifically, IBM -- so anyone who questions this concept's seriousness should think again.
An ethical hacker works to identify vulnerabilities in computer systems so they can be fixed before criminal hackers exploit them. Working with the system owner's authorization, and without breaking laws or stealing data, ethical hackers uncover weaknesses by attacking IT systems with the same under-the-radar techniques criminal hackers employ.
"It's really like being a bodyguard," says Jay Bavisi, president of the International Council of E-Commerce Consultants, also known as the EC-Council, the organization behind the CEH credential.
Think Like a Hacker
While the first use of the term appears to date from a 1995 Computerworld interview with an IBM technologist, ethical hacking has been around since the early days of computing, according to a 2001 IBM Systems Journal article by Charles C. Palmer.
"Just as in sports or warfare, knowledge of the skills and techniques of your opponent is vital to your success," writes Palmer, who worked with IBM Global Services to start IBM's ethical hacking practice. "Ethical hackers have to know the techniques of the criminal hackers, how their activities might be detected and how to stop them."
Far from being reformed hackers with criminal histories, ethical hackers pledge not to break the law or steal information. "The Certified Ethical Hacker certification is designed to help people to determine who is trustworthy and who is not," says Craig Bogdon, senior network engineer at Sage InfoSec, who earned the CEH credential.
Beat Hackers at Their Own Game
The CEH certification was established as a vendor-neutral credential to train IT professionals in hackers' thinking and techniques. Techies can then use that knowledge to uncover vulnerabilities in their employers' or clients' systems.
Before beginning their training, though, CEH candidates, who are expected to have two years of information security-related experience, must sign an agreement stating they will not use the skills they learn for illegal or malicious attacks.
According to Bavisi, the credential is most appropriate for information technology managers, system administrators, network administrators and other IT workers involved in security.
CEH training is typically an intense, five-day course that emphasizes the creative, ever-changing ways hackers gain access to IT systems. "Labs take students through real-world scenarios, which require them to use creativity and demonstrate the ability to solve unusual problems," says Steven DeFino, a course instructor at New Horizons Computer Learning Centers in Salt Lake City.
CEH courses are offered at EC-Council-authorized training centers around the world. Topics covered include:
- Perimeter defenses.
- Hacking tools.
- Session hijacking.
- Password cracking.
- Firewall evasion.
- Intrusion detection.
The Ethical Edge
Techies have varied reasons for pursuing the CEH certification. For Steven Whittekiend, an IT manager for Washington City, Utah, who took the course at New Horizons, learning about security flaws will help with "peace of mind as we expand our IT services and store more sensitive data for remote access."
Bogdon says he continues to use the tools and techniques he learned during his CEH training when performing security audits of clients' networks. He characterizes the credential as an "in-the-trenches view of information security," with the emphasis on learning how to break into computer systems in the manner of hackers.
With so many commodity certifications in IT, the CEH credential is one that allows techies to stand out.
"The CEH has a certain marketing cachet," Bogdon says. "It tends to get people's attention and prompt them to ask questions." Such interest gives Bogdon an opening to explain to potential clients how ethical hackers and his company's network security audit services can help protect their IT assets.