Why every IT Manager should do CEH

OK, so the title is a bit controversial; I wanted people to read the article. I know that EC-Council's ethical hacking qualification is not popular amongst the security community, and believe me, having gone with high hopes, I know first-hand just why that is.

I had always wanted to take that course, I got the opportunity and it was a huge let down. I didn’t become an ethical hacker. I didn’t become any kind of hacker at all. What I did get from it though was an awareness, an insight, an overview of things I never even dreamed possible.

The first computer that I touched was a Sinclair ZX80 and yes I am that old. I was in the military and “The Computer Club” got one to use alongside the Tandy TRS-80 we had all learned to program on. We were so excited we all chipped in to get the 16Kb RAM pack – yes that is right an additional 16Kb of RAM. Since then I’ve worked in or taught IT, computing and communications at various times in my career. For the past fifteen years I’ve been an IT manager either in education or in industry.

Until June 2018, I had never heard the words Netcat, RAT, Metasploit, Meterpreter, MSFvenom or Mimikatz. Until very recently I had no idea that Microsoft, in their wisdom, keep my password in memory in plain text.

I had on occasion attended a variety of "free" workshops and demonstrations. I'd listened avidly to James Lyne and watched his demonstrations at various Sophos events, and I watched a number of TED Talks by Mikko Hypponen from F-Secure. What these two gents showed me seemed like magic. Surely this was the world of some very special, very technical and very evil groups of geniuses (by the way, I am pretty sure James Lyne is an evil genius). I never for one minute thought it was possible for any young kid to get the software, for free, and start hacking. Like many of my uninformed colleagues, I had a long-held and traditional belief that AV and Malwarebytes would be the combined answer to all my woes: if they didn't find anything then I must be OK.

Things changed after WannaCry. I think the landscape changed immeasurably. For the first time of any note, computer security was making headline news on prime-time TV. CEOs, CFOs and other senior staff were asking: "could this happen to us?"

My answer when asked was an unquestionable yes, it could. I knew enough by this point that one click on an attachment by any member of staff could bring this, or something similar, into us. I still believed that AV and endpoint software was probably the answer, but I was genuinely worried. Not long after that, the events saw a significant increase in our security budget. The security steering group was restructured, was now chaired by the CFO, and business leaders took an active interest.

The extra budget got me the opportunity to go and do CEH. I've never been so excited about any training ever. I took five days out of my busy schedule in the summer and was sent to Dublin to do an ethical hacking course. I was absolutely astounded by what was possible. I hung on every word the instructor said and every lab we worked through. Scanning, enumeration, footprinting, exploiting... all words and steps that had never even entered my conscious thought before.

Using Nmap properly for the first time, understanding what the switches actually meant and seeing what one can do with it was beautiful and informative. Seeing what information Microsoft and Google kindly give away to the world on my behalf was shocking but enlightening.

Working through a single, very simple exploit, using BackTrack 5 and exploiting MS08-067 with Metasploit, was the single most terrifying, eye-opening and pleasurable thing I've ever done in my thirty years in IT... looking at what was possible in the Meterpreter console filled me with a mixture of fear and intrigue.

Maybe I was lucky, maybe I did a good course and had an experienced instructor who gave me a taste of what was possible, I don't know, but I came back from those five days with an appetite for learning not seen for many years and a whole new view of what I need to do to secure the systems I look after.

A few weeks ago, a subsidiary of the company I work for was successfully breached. It was a small acquisition that had been left to "do their own thing". An exposed RDP service and weak passwords invited a very non-technical breach. The IT services company that had supported that business had never tested restores from backups and had never restored more than a few files, certainly not a whole machine. Part of their remediation plan was to run Malwarebytes on every machine; there's that cure-all again.
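The breach above came from password guessing against RDP exposed to the internet. As an added example (not from the original post), the following script shows the kind of check a small IT team could run over Windows Security failed-logon events to spot that activity before it succeeds; the log lines are constructed, in a simplified form of the real event 4625 fields, and the threshold is an assumption.

```python
"""Flag RDP password guessing from Windows Security event 4625 (failed logon).
Added example, not from the original post; the records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, account, source IP.
# Logon type 10 is RemoteInteractive, i.e. an RDP session attempt.
# 4624 is a successful logon and is deliberately not counted as a failure.
SAMPLE_LOG = """\
2018-09-03T02:14:01 4625 10 administrator 203.0.113.10
2018-09-03T02:14:02 4625 10 admin 203.0.113.10
2018-09-03T02:14:02 4625 10 administrator 203.0.113.10
2018-09-03T02:14:03 4625 10 backup 203.0.113.10
2018-09-03T02:14:05 4625 10 sales 203.0.113.10
2018-09-03T02:14:06 4625 10 administrator 203.0.113.10
2018-09-03T09:30:10 4625 10 jsmith 192.168.1.20
2018-09-03T09:30:40 4624 10 jsmith 192.168.1.20
2018-09-03T11:02:00 4625 2 jsmith 192.168.1.20
"""

def parse_events(text):
    """Turn the simplified records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split()
        events.append(dict(time=datetime.fromisoformat(ts), event_id=int(event_id),
                           logon_type=int(logon_type), account=account, src=src))
    return events

def rdp_guessing_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted accounts tried} for every source that produced
    at least `threshold` failed RDP logons inside a sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({e["account"] for e in evs})
                break
    return flagged

if __name__ == "__main__":
    for src, accounts in rdp_guessing_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(accounts)} accounts tried: {', '.join(accounts)}")
```

A single user mistyping a password at 09:30 is not flagged; the burst of attempts across several account names from one external address is.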

CEH does not in any way prepare you to be, or make you, an ethical hacker. I do believe, though, that it has a place in our world, and a place that should be better spoken of. Taken in the right context it can lead the student down a path of enlightened cyber security awareness in which Malwarebytes has no part, in which you can at least look at your estate and see the holes even if you don't yet know how to fix them. It can engage you in a whole new world of possibilities and can change minds on a variety of things, not least of which could be more regular, more timely patching and a much better understanding of the consequences of not doing that simple task. It may bring a more informed risk assessment of not patching "because it breaks stuff" versus not patching and being breached, with a much clearer view of what being breached actually means.

The one thing cyber security people are not good at is getting small businesses and small-business IT managers to believe that what they say is possible is actually possible, and not just possible but very easy to achieve.

So I go back to the article title: maybe all IT managers should do CEH. We, those of us who now know what's possible, should encourage the use of multiple-choice courses like CEH. By all means make clear to those who take them the basic level at which they are pitched, but be positive. Maybe if we encourage the plethora of multi-skilled IT people who look after and care for small businesses to take these courses, we'll see a more informed approach to cyber security from a wider part of the industry, one of the biggest parts of the industry and one that still thinks cyber security is just about a firewall and good anti-virus, and that there is no risk in exposing RDP to the world.
