Reports of hacking attacks against some of the largest banks in the country this year have been among the latest negative press for hacking.
But the term is not all bad.
Chuck Davis is a Harrisburg University of Science and Technology corporate faculty member who teaches ethical hacking, computer forensics and malware. He is also an adjunct professor teaching computer forensics at Penn State Harrisburg.
Yes, that's correct. Ethical hacking. It is a specialty, and one that's in demand even if it might go by a different name now, Davis said.
Hacker itself was originally a term for tinkerers who like to work with computer code and find out what is possible, he said. It was only later usurped in the popular definition by the actions of certain hackers, Davis said.
Davis recently spoke with the Business Journal about the value of contracted practitioners, as well as how the midstate could benefit from a hack-a-thon.
Q: Ethical hacking? I imagine a lot of people out there might not think of those two things in the same sentence.
A: Right. Typically when I mention the term "ethical hacking," people get a puzzled look on their face, and the first thing they ask is: Isn't that an oxymoron?
So what ethical hacking is: The term was actually created by IBM (where Davis once worked) in the early 2000s. A man named Charles Palmer at IBM ... put together this tiger team of people who were very knowledgeable about technology, the Internet, software, hardware, vulnerabilities, so on and so forth.
And he built this team that was used internally and then used externally, and (it was) sold as a service to customers who wanted a test conducted against their systems to see how "hacker-proof" they were. ...
So in comes the ethical hacker, who is paid to do any number of things, from running simple scanning tools to see if your IP addresses, your systems, are vulnerable to known issues, or sometimes ethical hackers will even go as far as social engineering if they are contracted to do so.
And what social engineering is, is trying to trick people into doing things. You've probably seen in movies where somebody shows up in an air conditioner repairman uniform, goes up to the reception desk and says the CEO called and said his office is getting hot … and the repairman is actually a bad guy trying to break into safes or computers or whatever.
So, that's what an ethical hacker does. Ethical hacking is really the methodology of penetration testing. And that's kind of the buzzword, kind of the industry term now. You don't typically in the business world go around looking for ethical hackers. They call them penetration testers now.
Q: Where in the marketplace is there a demand for these penetration testers?
A: There are actually a couple of certifications out there. There's the certified ethical hacker, CEH, and there's an organization, the EC-Council, and full disclosure, I think I've been on their advisory board for close to 10 years, maybe eight years … so that is one example. I think there are one or two other ethical hacking certifications.
So just to speak to your question, the demand: obviously, if there are certifications out there, and there's a benchmark for whether someone is qualified to be an ethical hacker, there definitely is a demand. Especially when you talk about the small and medium-sized business, the company that doesn't have the very large IT staff, and they don't have the very qualified, very skilled security personnel on staff who can do this type of work.
They'll set something up and then they'll go tell a vendor, "Hey, can you go run a 'pen test' for us?"
Interestingly, it's kind of one of those things where technology starts catching up with us, and so there are companies that create tools that kind of do pen testing in an automated fashion. So it can make an ethical hacker's job a little easier, or some might argue that it might put them out of a job … and a lot of companies buy these so they don't have to have ethical hackers working around the clock all the time, checking to see if there are new vulnerabilities.
Q: So then what is a hack-a-thon?
A: To preface this next conversation, let's take a look at the terminology. Early on, 15, 20 years ago, 30 years ago even, a hacker was considered someone who was curious and was skilled at tinkering with things. So if you're the type of person who gets a toaster and you look at it and you want to take it apart to see how it works, that's kind of the hacker mentality.
So that's what a hacker was, and more so along the lines of creating software, so somebody who would sit down at their computer spending days on end writing code or making software and finding new and interesting ways to do things.
And then when some of this group of hackers wanted to do bad stuff, they became this subset of a hacker … and what we're left with is that when some people think of a hacker, when most people think of a hacker, they think of someone who is a miscreant out to do malice using a computer.
But we still have both definitions: one the good guy creating software, and the other, the bad guy, the miscreant trying to do some bad.
Now, the hack-a-thon is more an event around software development, programming, that sort of a thing. So it's not an event where you set up a Web server and maybe a database server and a bunch of stuff in a room and say, "Look, everybody try to hack into this and whoever is first gets a trophy." Those things do happen, but they usually happen at security conferences and they call them "capture the flag" or something.
Q: What would be the value of having a hack-a-thon, in the first sense of the term, to the area and the business community?
A: So what the hack-a-thon does is allow local people to come together to participate in a very technical event, and it also brings them together in a social environment, and not only just individuals but businesses. So there are businesses in the midstate that need these kinds of skills, the skills that are required for thinking-outside-of-the-box software development.
And I think it is a good thing any time we can set up some sort of technology event in the midstate, because there's a lot of skill here, and I just think there's not a lot of events that we've had historically in the midstate that allow the technical folks around here to communicate and socialize with the companies that need to hire these people. (This kind of thing) has grown quite a bit, and I think Harrisburg University has done a really good job of hosting things like this — they just had (BarCamp Harrisburg) … and I think those are the kinds of things that drive innovation.
(A hack-a-thon is) a very technical kind of meeting place; it is a very technical event. BarCamp is technically minded, but it's more suited around sharing how companies use technology and social media and that kind of thing. This is very specific to programming, and I think you'd get students to come out who'd want to participate, you'd get, hopefully, companies who need to hire programmers to come out, and I think it kind of introduces those two groups of people. And it's fun.