‘It’s a balance between security and usability’: Ethical Hacker
The man who kept the White House site secure shares his views
Not many institutes train students in ethical hacking. Where should one learn it?
I don’t think one should waste one’s time learning (only) hacking. You should learn something useful like system administration and networking, programming and general computing principles, because hacking calls for looking for failures in someone else’s process of building a system or application. If you know how to build systems and applications, then the process of thinking about flaws should follow naturally from your own experience.
What do you think about the future of ethical hacking as a full-time profession?
I’m sure it will be a profession for a while, though that’s unfortunate. Ethical hacking is a stop-gap measure that doesn’t do much to improve security.
Many of the penetration testers that I know spend a lot of time teaching clients how to remedy their security, improve their code, do system administration, and work with quality assurance. Those are all worthwhile and I think that we’ll see ethical hacking sort of melt into the role of general security practice.
What led you to become a computer security expert?
I never was particularly interested in security, per se. The way my brain works, I try to understand how systems of problems work. My original interest was in system administration and UNIX system programming. I got into firewalls because I was given the task of improving one of our company’s Internet gateways. This was at a time when no commercial firewalls were available. I found the problem interesting and enjoyed trying to understand the balance between security and usability. More than 20 years later, I’m still trying to understand it.
A computer security expert can abuse that knowledge, which brings into question the appropriateness of producing more experts. What do you say?
I’ve (always) argued that ‘ex-hackers’ are not the best people to use as security practitioners, because they have already shown that they are capable of abusing their knowledge.
Many of my customers perform employee background checks, and are unlikely to hire someone with a criminal past. Generally, for a position of responsibility, what you want is someone who has a history of being dependable and trustworthy.
What did you do in particular to become an ethical hacker?
I haven’t ever taken any training. I still read a tremendous amount of material. I think that attempting to understand a wide range of things helps you learn how to analyse complex things like security problems.
Read and absorb, then ask yourself, ‘How does this apply to what I am doing?’ When you’re ahead of the cutting edge, nobody can teach you. You have to fall back on your understanding of the problem and good design and do what makes sense.