To catch a hacker, it pays to think like a hacker
By Abha Bhattarai
After a week-long boot camp, Frank Bentz, chief information security officer at Sandy Spring Bank, emerged with a new title: Certified Ethical Hacker.
It took about 60 hours of training and countless hours spent hacking into fake computer networks, but Bentz said he’s learned “to think like the bad guys.”
The InfoSec Institute, an Elmwood Park, Ill.-based company, has been offering workshops in hacking at its Dulles facility for 14 years. Demand has been up in recent years, as high-profile overseas hackers become more aggressive, said Jack Koziol, director of educational services at the company.
“It’s an arms race,” Koziol said. “The profile of a hacker has really changed through the years, and it’s hard to understand how your system can be attacked if you don’t actually attack it yourself.”
Last year, InfoSec brought in about $25 million in revenue. This year, Koziol says the company is on track to exceed that by 21 percent.
The company offers workshops throughout the country, in cities such as Orlando, Atlanta and Las Vegas, but half of the institute’s business is based in the Washington area, where industry experts train Fortune 500 companies, financial institutions and government agencies on the finer points of hacking into computer networks, breaking through firewalls and stealing encrypted data.
Solomon Eshun, a security specialist for the Justice Department, took the certification course last month and said he is in the process of applying what he learned.
“The government is big and you can’t just make changes suddenly, but I’ve made some recommendations,” Eshun said. “Every day, there are new companies being targeted and you need to understand how to protect everything, inside and out.”
For Bentz of Sandy Spring Bank, attending a course seemed like a good way of protecting not only the bank, but also its customers.
“We’re focused where the bad guys are focused,” Bentz said. “And right now, they’re focused on small businesses.”
The bank has made a broader push to ramp up security in recent years. It has begun meeting with clients to teach them how to protect their accounts, and recently started a service that helps retail clients detect financial malware on their networks.
“Sometimes we’ll get a bank robber who’s also tried to hack us on his computer,” said John D. Sadowski, chief information officer at Sandy Spring Bank. “These guys are smart — they’re not just college students trying to pull a fast one and get 50 bucks anymore.”
InfoSec reassesses its hacking curriculum every quarter, often adding information about new attacks and finding ways to keep up with changing technology. Earlier this year, the company added a section about hacking into iPhones and mobile applications.
“Everything is moving to mobile,” Koziol said. “So are the bad guys.”
The five-day course offered by InfoSec costs about $4,000.
Students learn hacking techniques during the day and spend their evenings practicing their skills on a lab network of 15 to 20 computers set up to emulate a corporate network.
“You learn where the holes are,” Koziol said. “You see what kinds of configurations and setups lead to vulnerabilities.”
Bentz took the ethical hacking course three years ago. Since then, he has spent about 40 hours a year on online training to keep his skills current.
“It’s a cat-and-mouse game,” Bentz said. “You’re always trying to figure out where this is headed next.”