Thinking Like the Enemy David and Barry Kaufman, the founders of the Intense School, recently added several security courses, including the five-day "Professional Hacking Boot Camp" and "Social Engineering in Two Days." Information technology departments must know how to protect organizational information. Therefore, organizations must teach their IT personnel how to protect their systems, especially in light of the many new government regulations, such as the Health Insurance Portability and Accountability Act (HIPPA), that demand secure systems. The concept of sending IT professionals to a hacking school seems counterintuitive; it is somewhat similar to sending accountants to an Embezzling 101 course.
The Intense School does not strive to breed the next generation of hackers, however, but to teach its students how to be "ethical" hackers: to use their skills to build better locks, and to understand the minds of those who would attempt to crack them. The main philosophy of the security courses at the Intense School is simply "To know thy enemy." In fact, one of the teachers at the Intense School is none other than Kevin Mitnick, the famous hacker who was imprisoned from 1995 to 2000. Teaching security from the hacker's perspective, as Mitnick does, is more difficult than teaching hacking itself.
A hacker just needs to know one way into a system, David Kaufman noted, but a security professional needs to know all of the system's vulnerabilities. The two courses analyze those vulnerabilities from different perspectives. The hacking course, which costs $3,500, teaches ways to protect against the mischief typically associated with hackers: worming through computer systems through vulnerabilities that are susceptible to technical, or computer-based, attacks. Mitnick's $1,950 social engineering course, by contrast, teaches the more frightening art of worming through the vulnerabilities of the people using and maintaining systems-getting passwords and access through duplicity, not technology.
People that take this class, or read Mitnick's book, The Art of Deception, never again think of passwords or the trash bin the same way. So how does the Intense School teach hacking? With sessions on dumpster diving (the unsavory practice of looking for passwords and other bits of information on discarded papers), with field trips to case target systems, and with practice runs at the company's in-house "target range," a network of computers set up to thwart and educate students.
One feature of the Intense School that raises a few questions is that the school does not check on morals at the door: Anyone paying the tuition can attend the school. Given the potential danger that an unchecked graduate of a hacking school could represent, it is surprising that the FBI does not collect the names of the graduates. But perhaps it gets them anyhow-several governmental agencies have sent students to the school.
Questions
1. How could an organization benefit from attending one of the courses offered at the Intense School?
2. What are the two primary lines of security defense and how can organizational employees use the information taught by the Intense School when drafting an information security plan?
3. Determine the differences between the two primary courses offered at the Intense School, "Professional Hacking Boot Camp" and "Social Engineering in Two Days." Which course is more important for organizational employees to attend?
4. If your employer sent you to take a course at the Intense School, which one would you choose and why?
5. What are the ethical dilemmas involved with having such a course offered by a private company?