Marc Maiffret woke up one morning at his mother's home in Southern California, feeling something against his head. It was an FBI agent with his gun drawn, ordering him not to move. The agent yanked the covers off Maiffret as other agents ran outside his window, surrounding the house. Maiffret's hacking exploits in the last two years had finally caught up to him. He was 17 years old.
"It's not like I was going to do any physical harm," said Maiffret, referring to the way he was frisked for weapons and asked to have his hands up as if he were a potentially violent criminal. "But when you're a hacker, it's just like you're a drug dealer or something."
Despite his dramatic capture, Maiffret was released without charges for lack of incriminating evidence. Today, fifteen years later, he is still a hacker -- but an ethical hacker, and the CTO of eEye Digital Security, an Irvine, Calif.-based security technology provider he co-founded in 1998.
"It served as a wake up call," said Maiffret. "But with that hacking experience, I ended up getting a job at an e-biz software company doing security for them. That's where I came up with Retina, my first hacking security tool, that showed companies what their sites looked like to hackers."
As more businesses put sensitive data online, the number of malicious hacks is increasing -- and so is the need for "white-hat" hackers.
Becoming a 'White Hat' Hacker
The International Council of Electronic Commerce Consultants (EC-Council) defines an ethical hacker, also known as a white-hat hacker, as a penetration tester who looks for weaknesses in network systems in order to fix them before they can be exploited by "black hat" hackers. While hacking is a felony in the U.S., it is legal under a contract with an organization for the purposes of reinforcing its target systems against attacks.
Security professionals angling for a career in ethical hacking should cultivate a strong troubleshooting background on network and operating systems, industry professionals say. Employers also note that an increasingly common route to becoming an ethical hacker is to get certified.
Since 2002, the EC-Council has offered a number of certifications for online security professionals, foremost of which is the Certified Ethical Hacker (CEH) certification. While hacker certifications offer a standard measure of baseline hacking knowledge, experts say that they are not necessary in securing a job as an ethical hacker.
The CEH course, which takes about a week and is conducted periodically in Washington, D.C., teaches basic offensive hacking techniques on the classic think-like-the-bad-guy premise of defense.
"It was really intense, 12-hour days," said Terry Cutler, who got his CEH certification in 2005 and is now a premium service engineer at Novell, a Waltham, Ma.-based infrastructure software firm. "And it's a complete orientation for beginners to learn the tools to break into a company."
To keep the real bad guys out of the program, though, the EC-Council requires enrollees to go through rigorous background checks and to have at least two years of security experience at a company. Candidates are also required to sign a legally binding contract vowing not to abuse knowledge gained from the program.
"We don't want to just give away the goods," said Jessica Bair, senior director of curriculum development at Guidance Software, which offers its own ethical hacker certification course in partnership with the EC-Council. "If you break the contract, you're going to be flagged in the industry with a permanent black mark."
Plenty of Opportunity
According to a 2010 survey by the High Technology Crime Investigation Association conducted among cyber crime investigators and analysts, almost 70% of the respondents noted an increase in computer and internet use as a direct tool in a criminal offense.
"Thousands and thousands of attacks happen every day," said Anthony DiBello, product marketing manager at Guidance Software, a Pasadena, Calif.-based digital investigations firm. "And it's not just because of the complexities of network vulnerabilities -- it's also that ten years ago, companies weren't storing as much sensitive information online."
Respondents to a 2009 Computer Security Institute survey also noted "big jumps" in occurrences of malware infections and phishing frauds that year.
"It's really easy to get away with attacks," said Ira Winkler, president and CEO of the Internet Security Advisors Group. "It's a high-payback, low-risk undertaking because most companies are still poor at protecting themselves, so the likelihood of detection is very small. In fact, the likelihood of actually tracking and prosecuting a perpetrator is less than 10%."
Security experts say that while a basic certification is helpful in ensuring a certificant has the baseline knowledge the job requires, keeping up with the rapidly changing landscape of hacking attacks takes a much higher level of engagement. In recent years, for instance, the ease of purchasing botnets has caused an increase in Denial-of-Service (DoS) attacks, which notoriously crippled Twitter and Facebook in August last year. This year, experts say, it's targeted virus attacks called spear-phishing.
"New technologies come out daily, and with it, new cyber crimes," said Dave Marcus, director of security research and communications at McAfee Labs. "Truthfully, with certification courses you're getting only the basic concepts. There are always going to be new applications for which testers will have to know or figure out how to reverse-engineer code, rather than just rely on textbook knowledge."
Staying Ahead of the Curve
Marcus recommends computer security professionals keep their knowledge up to date using online resources such as Offensive Computing, which offers information on malware posted by contributors, including other white-hat hackers.
For ethical hackers, passion and in-depth knowledge are often more valuable than paper qualifications, say employers. "Most white-hat hackers today are self-taught, and the successful ones are those who show that streak of obsession," said Maiffret, who said he often hires professionals who work on personal security projects outside work hours.
"It's just the way true security enthusiasts are," said Maiffret. "With hacking and security, sure there is a vast amount to memorize, but it's much more an art form. You have to have that habit of looking for flaws within systems. It's more than a job -- it's this constant way of thought."
Write to Sindhu Sundar