Pen testing or hacking?
Pen testing or hacking?
When I open the spring semester in our university's live fire network attack and defend class, I am invariably asked to explain why I am not teaching students to become hackers. My answer, equally invariably, is that I am doing exactly that.
I've just completed my first 50 years in information assurance, and when I came up through the ranks hacking was a noble pursuit. A hacker was someone who could put together a fast, small, efficient solution to a serious computing problem – either in programming or later in network environments.
Oh, to be sure, a lot of us honed our skills on other's computers, but there was a sort of understanding among those who did that – and those who tolerated it – and we never hacked for criminal purposes or financial gain. Simply, nobody but large organizations could afford to spend multi-hundreds of thousands of dollars on Unix servers or DEC Vaxen. So, we improvised...and learned. And many of us ended up as system administrators when we grew up…or programmers…or security experts.
Then, along came the microcomputer and we all had our own computers. I built my first PC as did many of my colleagues. I took a microcomputer course from Heathkit while I was supporting crypto systems in the Navy and learned about microprocessors. For me, the cat was well and truly out of the bag. I haven't looked back since.
Somewhere along the way, some computing wizards decided to go to the “dark side” and the press labeled them “hackers,” influenced, no doubt, by the movie of the same name. Talk about cats being out of bags: That was the end of the line for the honorable profession of hacking. Now we are crawling back with our tails between our legs. We are “ethical hackers” or “white hat hackers.” We are penetration testers. Never let us be aligned with the mass media's view of hackers. That would not be politically correct. Horse feathers!
At the end of the day, give me a good, solid, imaginative, skilled hacker who will follow a bug or vulnerability down whatever rat hole it leads. Give me critical thinkers. Ethical thinkers, to be sure, but thinkers nonetheless. Finding the holes that the bad guys might exploit today requires trained critical thinkers of the first order – and, by all accounts, we do not have nearly enough of those.
Even thinkers need good tools though. And good tools are what this month is all about. Most years, with a few new wrinkles, we see pretty much the same old line of penetration testing and vulnerability assessment (VA) tools. The bad guys have sorely tested us of late, though, and the result is that you will see real innovation this month in a group that may have begun to show signs of stodginess in past years. Open source tools, as is the case with some other product groups, have become commercial pen testing and VA products. Additions to these time- and community-tested tools are now beginning to move into the market as third party add-ins. The results are bordering on the spectacular.
Real hackers build their own tools, but there is still room for well-thought-out commercial tools, and this month is a showcase for many of those. One of the most impressive things of late, however, is a slowly emerging trend that supports that build-it-yourself mentality. Pen testing and VA tools increasingly come with ways to add in one's own scripts and code, increasingly in Python, long a favorite, along with Perl, of hackers of all colors of hats. So, hacker or pen tester, it doesn't really matter, I guess. It's all dependent on that most important of all tools – one we won't be reviewing any time soon – the one between your ears.