IT Security, a way of life.
IT Security, a way of life.
IT Security is a choice for some and a lifestyle for others.It brings us satisfaction that we accomplished something, we learned something new, and we see the world in a different light.A war is waged on the internet, twenty-four hours a day, seven days a week. Some attack and some defend.Targets can include: Corporate Networks, Government Networks and even Home Networks.Most often times attacking a network can be seen as wrong and we as humans commonly only see one side of the coin.Humans as a whole most often times we as humans see offensive security as illegal.It brings up so many questions, such as: Is being on the defensive side of computer security the only legal and ethical option? How can being on the offensive side of computer security possibly be legal? Is there a way to do both, ethically and legally?
How can being on the offensive side of computer security be legal? Offensive security, is a privilege, not a right, to be held.Company's and governments alike hire on Information Technology Security Professionals for the purpose of pen-testing their networks, as well as to strengthen their defenses.This option is only given to those who have shown integrity, trust, knowledge and understanding of networks and policies as well as loyalty to protecting a company's or governments assets, confidentiality, and the identity of those envolved within the company, regardless of whether they are an employee or a customer.It is an opportunity to explore the network you were authorized to pen-test, an opportunity to try new attack vectors and an opportunity to become more efficient on the pen-testing side of things.Typical pen-tests consist of the following: Rules and guidelines as to what is allowed and not allowed during the authorized pen-test List of systems the government, company or entity wishes to have tested Methods allowed to pen-test the target network given the amount of resources available(A smaller company for example may not allow a simulated DDoS attack but a larger company might for purposes of network stress testing)
Is there a way to do both, ethically and legally? Yes, while practicing offensive security, you practice writing patches for the security holes that you do find.Some other methods for practicing defensive security, during penetration tests, are all common knowledge, such as: Keeping your computers and servers, up to date Using strong passwords of at least twelve characters, while using uppercase and lowercase letters, number and symbols. Keeping your defenses such as IDS, IPS, firewalls, etc. up-to-date Those are but a few examples.From there, you expand your skills and knowledge further you can even test your own systems, or petition a company to set up computers and servers with there defenses at max, to see if you can get around the heightened security.
Is being on the defensive side of computer security the only legal and ethical option? No, as referenced above, company's, governments and other organizations hire not only defensive security IT professionals, but offensive security IT professionals as well.The more you know and the higher the integrity you have, the higher chances you have of becoming an offensive security professional are.
In closing, I can only hope that this was an insightful, inspiring essay that has shed some light on the offensive security world.An IT professional who specializes in digital forensics known as Allan Brill once said "there is a difference and the difference is this: I think the typical forensics specialist is somebody that has that skill set but their moral compass has rusted on good." This is also true for offensive security.
fungus 12 years ago
Nice article. Would you know what kind of career path someone would have to take to reach this level? Do certifications play an important role in the IT field or would someone have to earn some kind of degree and branch off into security.
Gh0st 11 years ago
You have a few options:Obtain a degree in Network Administration and IT Security, either individually or at the same time.You could obtain, a Comptia Network + Certification and a Comptia Security + Certification, or you could go vendor specific, and go a route such as Cisco Certified Networking Professional(CCNP) and Cisco Certified Networking Professional(CCNP) Security Certifications.You would want at least 3 years hands on experience in network administration, prior to attempting a career in Offensive IT Security though.
ynori7 11 years ago
Not very much content here, and not particularly informative. Also, there should be a space between periods and the first word of the next sentence.
Gh0st 11 years ago
ynori7 It was meant to shed basic light on our field of expertise. It was not designed to be in depth. You are correct that it does not tell very much information and that there is not much content because it was designed to be very basic. It served the purpose for which it was written. Also, thank you very much for the correction in my grammar.