The Final Grade

By eweek  |  Posted 2001-04-09

No matter how intriguing, or fun, a hacking course may sound, the question remains: Does it make sense for my business? Tuition for Foundstone's "Ultimate Hacking" class is $3,500 per person, in addition to travel expenses and lost work time. Can that be cost-justified? For most companies, the answer is a resounding "probably."

The educational value of Foundstone's class is undeniable. The extensive use of hands-on practice, culminating with elaborate laboratory exercises, is extremely effective in helping students integrate a wide array of esoteric facts. This is particularly valuable if an employee's duties include security auditing or intrusion testing. "Even if you have a background in security, you really get a much better sense of how easy some stuff is," notes Florindo Gallicchio of consultancy Esavio, a student at Foundstone. "I definitely learned things I didn't already know, and I used to work with the NSA [National Security Agency]."

The intruder's perspective encourages a very different, deeper understanding of how the disparate elements of a network fit together. Systems administrators and developers are primarily concerned with how things work and are generally happy as long as they can head off user complaints. Network intruders, on the other hand, are interested in how things fail, and constantly search for ways to force a system to behave in unexpected, or unintended, ways. As a result, they—and, however briefly, Foundstone's students—develop an extraordinary mastery of the minutiae of network technologies and protocols.

Perhaps even more important, a grasp of the attacker's goals and mind set provides the defender with a tactical advantage. "It's an idea as old as combat itself," says Captain John Yarger, a networking instructor with the U.S. Marine Corps who attended Foundstone's class in February. "It's in Sun Tzu's Art of War—Know your enemy as well as you know yourself."

Some experts, however, question the business value of hacking school. "These classes are a good way to get your feet wet with some of these issues, but they only look at a very small part of the problem," says Chris Klaus, CTO and founder of Internet Security Systems. "The real issue is how to extend defensive solutions across the enterprise."

Marcus Ranum of NFR Security goes even further in criticizing the educational process. "I don't think that teaching people a list of exploits is really the best way to convey the underlying principles of security," he asserts. "What they're really doing is giving these people just enough knowledge to be dangerous; most of them are going to come back from these classes and practice their new skills by hacking their corporate networks."

