Print Page      Email Page
Back to Article List

Bootcamp for the Pros; Why Ernst & Young Will Lead Security Auditing Standards
By Laura Taylor
December 7th, 2000

Course Summary
Ernst & Young, has put together the quintessential course for security engineers looking to improve their ability to protect their organization's website, systems, and network. Dubbed eXtreme Hacking, and carrying a price tag of $5,000 a slot, this course is for anyone but hacks. With an impressive course book that fills a two-inch thick binder, leading Ernst & Young security engineers take you step-by-step through all the ways that bad guys try to subvert your mission critical servers and network configurations. Using dual-bootable NT-Linux laptops, and an accompanying network setup for practicing subversive attacks and exploits, attendees will leave the course with an entire new bag of tools and tricks that help them understand how bad guys identify target IP addresses, collect information about the systems they plan on compromising, and exploit weaknesses without being noticed. The idea is to learn how to figure out what the weaknesses are in your organization's network before the bad guys do.

Educational Strategy and Trajectory
Other security consulting companies have tried to put together similar courses, often modeled after the Ernst & Young course. For the sake of this article, "hacking" shall be defined as the art of system and network penetration, regardless of intention. Similar to surgery, hacking is indeed a mixture of art and science. Having the right tools, and the technology, is just one part of the procedure. You need to know how to use the tools, when, why, and on which occasions. You need to understand not just what hackers do, but how hackers think. eXtreme Hacking is for all intent purposes, a course on how to audit the security of an information technology network by not only learning what tools to use, but taking into consideration hacking strategies, and how hackers think.

Company Background
Ernst & Young LLP, best-known for its traditional tax and audit services, has with extreme Hacking, taken auditing to a new level.

Table 1: Ernst & Young Corporate Information
Financials : 1995 Revenues: $6,867 million
1996 Revenues: $7,800 million
1997 revenues: $9,100 million
1998 Revenues:$10,900 million
FY 99 Revenues / Growth: $12,510 million / 14.8%

Company Ownership : Privately held. Ranked #10 in Forbes Private 500.

Employees : 97,000 worldwide

Company Address : 787 7th Avenue, New York, NY 10019
Tel: 212.773.3000

A multi-national professional services firm, Ernst & Young employs over 97,000 people and can be found in more than 130 countries with 660 offices worldwide. The company has a long and eventful history, with its information security consulting practice being one of the newest divisions. Ernst & Young's roots are a multi-century evolution starting with a hatmaker's business back in 1849 in the United Kingdom. A bookkeeper for R. P. Harding's hatmaking business displayed such flawless and detailed ledgers during a 19th century court proceeding, that he was advised to take up accounting. The bookkeeper, Frederick Whinney, went on to nurture an accounting business named Whinney, Smith, & Whinney which eventually merged with an American accounting firm named Ernst & Ernst after World War II. Founded in Cleveland, by Alwin & Theodore Ernst, Ernst & Ernst together with the Whinney firm, went through numerous other rocky mergers, one with a company named Arthur Young, before finally emerging as Ernst & Young in the early 1990s. Having withstood numerous legal battles, many successful and also failed acquisitions, today Ernst & Young has finally gotten its feet planted in a somewhat formidable and stable position.

Like other big five accounting firms, in recent years, Ernst & Young's consulting divisions have grown much faster than their basic tax and revenue auditing business. Today, under close scrutiny from the SEC, Ernst & Young, as well as other big accounting firms, are under continuous pressure to separate their consulting businesses from their basic tax and revenue auditing business. Due to auditing failures that have cost investors billions of dollars in recent years, the SEC has cautioned firms such as Ernst & Young that consulting for the same companies that you audit is a conflict of interest. This may be the biggest reason why Ernst & Young recently spun-off a new company known as which specializes in information security content, management, and online services.

Course Strengths
System and network auditing has not been around long enough to have succumb to as formal a process as tax and revenue auditing. There is a dearth of experts who understand how to do it, and of the ones who do, there is not always consistent agreement on how the process should move forward. By developing a network audit course, Ernst & Young is sowing the seeds.

Right when the SEC thought that consulting and auditing should remain separate entities, with this course we envision the groundwork for more regulated and formalized system and network audits to someday become a standard part of state and federal laws, much in the same way that tax and revenue auditing has evolved to today.

With revenue and tax audits susceptible to manipulation due to security vulnerabilities, the line where tax and revenue audits end and system and network audits begin, is starting to blur. If a corporation's tax and revenue audits are mathematically accurate, but based on incorrect information due to a compromised computer system, is the problem an information security problem or an accounting problem? If a discrepancy is caused by an outsider, who has hacked a financial electronic funds' transfer, should the corporation be held liable for SEC and audit violations or system security violations? With few standards for system security and network audits, there will come a time when whether a company is at fault for lousy accounting practices, or lousy information and network security practices will be indiscernible. Clearly a lawful and standardized information security auditing process needs to emerge. By formalizing the information security process through the development of courses such as eXtreme Hacking, we expect Ernst & Young to lead the industry sector in establishing new information security auditing standards.

With eXtreme Hacking, Ernst & Young has taken the mystery out of computer and network security fraud. With a methodology that explains how hackers decide upon which computers to attack, how to find out basic exploitable information on the target, and how to intrude and take over the system, the Ernst & Young team has fully documented and formalized the process for understanding system and information security fraud. From starting with zero information about the target network, then methodically gathering network and host information, the savvy security engineers at Ernst & Young can teach participants how to exploit weak links, and what tools to use to penetrate and take over a system and entire network. From penetrating firewalls to poisoning a DNS cache, the Ernst & Young team clearly understands not just what tools hackers use, but how hackers think.

Course Recommendations
It's hard to improve upon something that is top-notch already. However, one element that could give extreme Hacking some added value is if they had a life-long learning site exclusively for all the students who have signed up for this course. This could be a private site, that requires authentication, and one that would keep the student updated on new hacking scenarios, tools, and classroom examples. Putting a hacking practice network up on a private site could also be very helpful for students to practice their newly homed hacking skills. Another potential added value would be to offer this course on-line through a distance-learning scenario. Dedicating a key employee to an entire week of training can be tough for an already strapped IT department or security group. An on-line distance learning program would allow employees to take the course at their own pace, whenever they can find the time.

User Recommendations
This course is designed for technologists who have at least an intermediate level of understanding in NT or UNIX. It is a hands-on course, and students can expect to have their own dedicated laptop to use for the duration of the course. The course is appropriate for both technical engineers, and security management and consulting professionals. Having some knowledge of the TCP/IP protocol beforehand will definitely help in understanding some of the basics. Perspective students who are not currently familiar with TCP/IP might want to do some reading in TCP/IP Illustrated, Vol 2 by Richard Stevens, or Teach Yourself TCP/IP Network Administration in 21 days by Brian Komar, prior to taking the course. Whether you want to learn how hackers hack NT, UNIX, or Netware, the Ernst & Young course is a must for anyone wanting to understand the files, tools, procedures, and methodologies used for subverting even diligent system and network security.


DHTML Menu By Milonic JavaScript