Tuesday, September 16, 2008

CEH Certified Ethical Hacker: Training Without Ethics?

I just received "great news" from an attendee of a local CEH (Certified Ethical Hacker) training held somewhere in Metro Manila. The attendee, who came from a local bank, came right to us to say that he had tried to crack our website's security.

It came as a surprise to me that their instructor in the "certification" training made them nominate a website to hack in order to test their newly acquired skills. The attendee gladly told us he wasn't able to penetrate our website and so congratulated us, including me as the information security officer, for a job well done.

I'm not going to discuss it fully, and I didn't rebut the attendee, but there really is something wrong here.

What the certified ethical hacker instructor did was actually unethical. He ordered his students to attempt to hack websites without the website owners' written approval, something penetration testing professionals and vulnerability assessment consultants obtain prior to the engagement.

CEH-EC should check him out. Gaining the basic skills to conduct security assessments is very easy, even just by browsing the Internet, but who will certify hackers as ethical when the instructor himself is urging his students to let loose their newfound skills?

There is only one thing that separates white hat hackers from black hats, despite their having the same set of skills: permission!

Poking around systems without permission is unethical and downright illegal!
