Bootcamp for the Pros; Why Ernst & Young Will Lead Security Auditing Standards
By Laura Taylor
December 7th, 2000
Ernst & Young has put together the quintessential course for security engineers looking to improve their ability to protect their organization's website, systems, and network. Dubbed eXtreme Hacking, and carrying a price tag of $5,000 a slot, this course is for anyone but hacks. With an impressive course book that fills a two-inch thick binder, leading Ernst & Young security engineers take you step-by-step through all the ways that bad guys try to subvert your mission-critical servers and network configurations. Using dual-bootable NT-Linux laptops and an accompanying network set up for practicing subversive attacks and exploits, attendees will leave the course with an entirely new bag of tools and tricks that help them understand how bad guys identify target IP addresses, collect information about the systems they plan on compromising, and exploit weaknesses without being noticed. The idea is to learn how to figure out what the weaknesses are in your organization's network before the bad guys do.
Educational Strategy and Trajectory
Other security consulting companies have tried to put together similar courses, often modeled after the Ernst & Young course. For the sake of this article, "hacking" shall be defined as the art of system and network penetration, regardless of intention. Similar to surgery, hacking is indeed a mixture of art and science. Having the right tools and the technology is just one part of the procedure. You need to know how to use the tools, when, why, and on which occasions. You need to understand not just what hackers do, but how hackers think. eXtreme Hacking is, for all intents and purposes, a course on how to audit the security of an information technology network by not only learning what tools to use, but also taking into consideration hacking strategies and how hackers think.
Ernst & Young LLP, best known for its traditional tax and audit services, has, with eXtreme Hacking, taken auditing to a new level.
Table 1: Ernst & Young Corporate Information
Like those of the other big five accounting firms, Ernst & Young's consulting divisions have in recent years grown much faster than its basic tax and revenue auditing business. Today, under close scrutiny from the SEC, Ernst & Young, as well as the other big accounting firms, is under continuous pressure to separate its consulting business from its basic tax and revenue auditing business. Due to auditing failures that have cost investors billions of dollars in recent years, the SEC has cautioned firms such as Ernst & Young that consulting for the same companies that you audit is a conflict of interest. This may be the biggest reason why Ernst & Young recently spun off a new company known as eSecurityOnline.com, which specializes in information security content, management, and online services.
System and network auditing has not been around long enough to have succumbed to as formal a process as tax and revenue auditing. There is a dearth of experts who understand how to do it, and among the ones who do, there is not always consistent agreement on how the process should move forward. By developing a network audit course, Ernst & Young is sowing the seeds.
Just as the SEC has concluded that consulting and auditing should remain separate entities, this course lays the groundwork for more regulated and formalized system and network audits, which we envision someday becoming a standard part of state and federal laws, much in the same way that tax and revenue auditing has evolved to where it is today.
With revenue and tax audits susceptible to manipulation due to security vulnerabilities, the line where tax and revenue audits end and system and network audits begin is starting to blur. If a corporation's tax and revenue audits are mathematically accurate, but based on incorrect information due to a compromised computer system, is the problem an information security problem or an accounting problem? If a discrepancy is caused by an outsider who has hacked an electronic funds transfer, should the corporation be held liable for SEC and audit violations or for system security violations? With few standards for system security and network audits, there will come a time when it is indiscernible whether a company is at fault for lousy accounting practices or for lousy information and network security practices. Clearly a lawful and standardized information security auditing process needs to emerge. By formalizing the information security process through the development of courses such as eXtreme Hacking, we expect Ernst & Young to lead the industry sector in establishing new information security auditing standards.
With eXtreme Hacking, Ernst & Young has taken the mystery out of computer and network security fraud. With a methodology that explains how hackers decide which computers to attack, how to find out basic exploitable information about the target, and how to intrude upon and take over the system, the Ernst & Young team has fully documented and formalized the process for understanding system and information security fraud. Starting with zero information about the target network and then methodically gathering network and host information, the savvy security engineers at Ernst & Young teach participants how weak links are exploited and what tools are used to penetrate and take over a system and an entire network. From penetrating firewalls to poisoning a DNS cache, the Ernst & Young team clearly understands not just what tools hackers use, but how hackers think.
It's hard to improve upon something that is top-notch already. However, one element that could give eXtreme Hacking some added value is a life-long learning site exclusively for the students who have taken this course. This could be a private site that requires authentication and keeps students updated on new hacking scenarios, tools, and classroom examples. Putting a hacking practice network up on a private site could also be very helpful for students to practice their newly honed skills. Another potential added value would be to offer this course online through a distance-learning scenario. Dedicating a key employee to an entire week of training can be tough for an already strapped IT department or security group. An online distance-learning program would allow employees to take the course at their own pace, whenever they can find the time.
This course is designed for technologists who have at least an intermediate level of understanding of NT or UNIX. It is a hands-on course, and students can expect to have their own dedicated laptop to use for the duration of the course. The course is appropriate for both technical engineers and security management and consulting professionals. Having some knowledge of the TCP/IP protocol beforehand will definitely help in understanding some of the basics. Prospective students who are not currently familiar with TCP/IP might want to do some reading in TCP/IP Illustrated, Vol. 2 by Richard Stevens, or Teach Yourself TCP/IP Network Administration in 21 Days by Brian Komar, prior to taking the course. Whether you want to learn how hackers hack NT, UNIX, or NetWare, the Ernst & Young course is a must for anyone wanting to understand the files, tools, procedures, and methodologies used for subverting even diligent system and network security.
Copyright 1997-2015 Relevant Technologies. All rights reserved.