Last week, I infiltrated a den of hackers. The air was thick — not with cigarette smoke and Matrix allusions, but with IT acronyms, Starbucks House Blend, and PowerPoint projections. The silence was deafening, and the commando vocabulary was out of control. But these code breakers — working to “target live hosts,” “hijack the GUI,” and “attack the target” — were not holed up in a renegade warehouse under the cover of night. Instead, they were assembled on the 46th floor of Boston’s John Hancock Tower for a five-day hacker boot camp presented by Ernst & Young.
Extreme Hacking: Defending Your Site is an intensive workshop that takes an inside-out approach to network security. Rather than outlining and indexing a hacker’s most common modus operandi, this 45-hour seminar teaches network and system administrators how to hack into their own networks from the Internet, a dial-up connection, and inside the corporate intranet. (According to class leader Steve Smith, most computer crime occurs within organizations as disgruntled employees try to access unauthorized areas of the network.) By becoming their own worst enemies, the hackers in training come to recognize the Achilles’ heels and costly oversights of their own networks, says Rob Dongoski, leader of Ernst & Young’s security and technology solutions practice in New England.
“As Bill Murray says in Caddyshack, ‘To catch a gopher, you must think like a gopher,’ ” Dongoski says. “To protect your network from a hacker, you’ve got to get inside that hacker’s mind. By participating in a class that is incredibly intensive and extremely hands-on, our students are really able to see hacking techniques in action and figure out how to derail them.”
Extreme Hacking, which began as an internal training seminar and now serves Ernst & Young’s clients, aims to help IT professionals recognize and exploit “misconfigurations” and vulnerabilities in their own networks. For example, class instructors warned attendees against using common usernames like “admin,” “dev,” or “test.” When trying to infiltrate an NT network, an intruder’s first move is often to search for those usernames and then try to brute-force authentication by matching them with no-brainer passwords like “admin,” “12345,” or simply “password.” “Weak passwords are the number-one security problem,” says Smith, who recommended instituting seven-digit passwords, which have proven more difficult to crack than either six- or eight-digit alternatives.
After gaining access to a username and password, the Ernst & Young students work to gain domain-administrator access privileges — the hacker’s Holy Grail. “Good hackers, once established as an administrator or equivalent, will avoid detection, cover their tracks, and install various backdoors for future access,” says the Extreme Hacking manual, a 900-page behemoth that guides attendees through the course instruction. After more than four hours of lecture each morning, students break into teams that tackle hands-on hacking assignments. Last Tuesday, they played a virtual version of capture the flag — competing to see which group could infiltrate a simulated payroll server by following a trail of clues.
“If something goes wrong, you’ll be blamed,” warns the Extreme Hacking manual. “Make sure every tool you run is documented and every system you touch is documented.”
Ernst & Young’s students — 16 middle-aged men and one middle-aged woman — are not naive to the dangers lurking beyond their firewalls. But many are attending this seminar at the insistence of their CEOs and presidents, who identified security as a top priority after September 11. The all-too-real threat of external or internal invasion has prompted many Ernst & Young clients to enroll their network administrators in Extreme Hacking, Dongoski says.
“There is a greatly heightened awareness at the executive level,” he says. “I came from the IT-operations world, and I know you only care about three things there: performance, capacity, and reliability. Security is one of those things that, ‘Yeah, I need to do it. But I’ll get to it when I have more time.’ Now people are insisting that companies can no longer delay that work. Security has got to happen now.”
Many attendees already employ outside consultants or security experts who hack into their sites on a quarterly basis to diagnose problems. Though still tremendously useful, those exercises do not necessarily train IT professionals to identify warning signs, educate employees, or quash a hack in progress, Dongoski says.
“The best strategy is to understand your exposures from a business-risk standpoint,” he says. “Minimize those exposures and then, when something does happen, have good procedures in place to react.”
Anni Layne Rodgers (firstname.lastname@example.org) is the Fast Company senior Web editor.