Training hackers to secure information

Wilson Wong (R) and Drew Williams (L) are on a drive to raise awareness about information security and the importance of training and hiring certified experts.

Hackers – the word itself brings to mind people busily tapping on a keyboard with codes running across a screen as they crack the secrets of the universe. This is not the case. Wilson Wong, managing director of the EC-Council Academy, and Drew Williams, chairman of the Hacker Halted APAC 2012 and president of Condition Zebra, are on a drive to raise awareness about information security and the importance of training and hiring certified experts.

Training people to hack

EC-Council, which trains about two to three thousand certified security personnel a year across a variety of information security sectors – including hackers – is adamant that knowledge is imperative for prevention.

Hacking is "like taekwondo," says Wong. "You can use it to defend yourself, but you can also use it to kill someone. The bad guys already know how to penetrate into a network; now what about the good guys? Who’s going to teach them how to defend themselves?"

That’s where events like Hacker Halted APAC 2012 come in. Hacker Halted APAC is a platform for industry leaders from around the world to share their knowledge with the community.

Each event sees about 500 people from various sectors and industries coming together to keep abreast of the latest know-how. While the audience is usually predominantly Malaysian at the Kuala Lumpur events, there are some who travel all the way from countries like Italy and the United States to get as much knowledge as they can from Hacker Halted APAC.

Why do we need information security?

"Many people don’t understand why they need to invest in protecting their data," Wong shares, saying that many companies invest in hardware and software and consider their network safe from any harm.

"But they seriously need to consider the human factor: Who’s going to manage the network? Are you employing the right people to manage it? A lot of times, they don’t."

He explains that EC-Council offers training for information security professionals and also organises awareness events targeted at Human Resources, teaching them the importance of hiring and training the right people.

"Malaysia is probably one of the most influential hubs of business and emerging hubs of tech in South-East Asia," says Hacker Halted APAC's Williams.

"From a security perspective, the more noise you make, the more success you have, and the more attraction you’re going to gain from people who want to exploit those things. So, this is probably the most critical place to have an event like this."

Ethical hacking

What is "ethical hacking"? The taekwondo analogy used by Wong can be applied to ethical hacking - it is the usage of hacking skills to demonstrate a problem in a company’s existing information security (or lack thereof).

Williams gives an example of the fine line between the legal and the illegal in hacking: "I’ve gone into many banks, and accessed accounts using people’s information. But I haven’t broken the law yet. The minute I hit a button that transfers any money anywhere, then I’ve broken the law," emphasising that "the model of ethics is ‘do enough to demonstrate there is a problem, and then stop so people can come in and address the problem’."

Wong opines that similar to any other profession, "Ethics is a personal thing: A doctor can perform legal or illegal things. We do have a non-disclosure clause; when we train hackers, they have to sign an agreement stating that we’re teaching them for a good purpose - to protect. They can’t use their skills to perform illegal tasks."

About the EC-Council

Having been in the information security industry for the last 10 years as a security training provider, EC-Council has many accolades and awards under its belt, from institutions such as CyberSecurity Malaysia.

It offers many different certifications, for all levels, and currently trains two to three thousand people on a yearly basis in all sectors.

"Hacking alone is not enough; we need network security people, among others, so we have the whole training platform for different types of industry requirements. We are tying up very closely with the communities by providing experts to the government sectors as well as other sectors," says Wong, explaining that EC-Council is also the source for getting experts to work in the industry.

Information security as a career

Thinking of going into information security? Williams breaks down the possible career trajectory: After you’re certified and employed, you have the keys to the kingdom. Once you can manoeuvre around the system well, you will become reliable to the senior people and easily climb up the career ladder. Once promoted to information security officer, you would likely be involved in writing security policies for the whole company; and then, it’s just a hop away from chief information officer, manager and even chief operations officer. In another scenario, you could be a consultant or even a data analyst with a federal agency.

“There was a guy who spoke at the largest information security event – he’s the head of the National Security Agency’s cyber security division – and he said ‘I don’t know any certified security professional who is unemployed.’ And frankly, I don’t either,” ends Williams.

This consistently ascending path is why EC-Council has a series of certifications for different levels, adds Wong. “We have awareness programmes, all the way to our licensed penetration programmes, depending on different procedures that require training.”

The 9th Hacker Halted series in Malaysia (and 24th worldwide) will be held Nov 19-22 at Berjaya Times Square Hotel.