Topic: Is the end of ethical hacking soooooon ????? (Read 10578 times)

snouto (Newbie, Posts: 7)
Is the end of ethical hacking soooooon ????? « on: February 16, 2008, 05:01:33 PM »
Hello everybody in this forum, I would like to ask a question which irritates me badly, and I need a strict and real answer for it.
The question is: What is the future of ethical hacking in coming years in the presence of the newer secure technology such as Java and .Net applications, where there are no buffer overflow vulnerabilities or the like of those vulnerabilities that exist in C/C++ and CGI scripting?
To explain my point of view more: I find that vulnerabilities are decreasing from time to time in number and incidence due to the new technology of
1 - .Net && Java, where there are no buffer overflows?
2 - ASP.NET is secure, and extracting high-risk vulnerabilities from those technologies is hard and takes more time
3 - Presence of IDS (intrusion detection systems) and IDPS (intrusion detection prevention systems), smart firewalls and the like
Another question I also need an answer for is:
<< What is the future of penetration testing as a career (if I want to take this track as a job) in the presence of those sophisticated security technologies? Will network administrators depend on those machines in protecting their network, or will they need a penetration tester for that? >>
What is the future of vulnerabilities? Do they decrease with the increase in security technologies, or what?
Thanks.
« Last Edit: February 16, 2008, 08:30:08 PM by don »

kabal (Newbie, Posts: 4)
Re: Is the end of ethical hacking soooooon ????? « Reply #1 on: February 17, 2008, 12:40:21 PM »
Hey,
I had the same questions lately, but there are still fun things to consider.
Yes, ASP.NET and Java get more and more secure, but you have to be more of an expert than ever before. You have to not only know ASP.NET (web+app) and Java so you can spot flaws in the framework itself.
The implementation, for instance, of AJAX in ASP.NET was a real security issue and in many cases still is, because the majority of the programmers were poorly trained in implementing the technology.
But I agree with you in that it is more and more difficult, but security issues are still found.
It's hard to keep up with the rapid new technologies that are emerging.
A lot of companies still don't have the time to have someone on full time looking after keeping security up to date, and implementing new updates takes more and more time these days with complying with internal and external compliance guidelines and laws, so it gives you a window of opportunity.

matthiasfan (Newbie, Posts: 25)
Re: Is the end of ethical hacking soooooon ????? « Reply #2 on: February 17, 2008, 05:04:02 PM »
No matter what, there will always be a way to get into a system, so that is why ethical hacking will not go away. There is always the ability to "hack" something, so people are needed to make a solution for the hacks.

Manu Zacharia (-M-) (Sr. Member, Posts: 393)
Re: Is the end of ethical hacking soooooon ????? « Reply #3 on: February 17, 2008, 07:11:08 PM »
To add to what matthiasfan and kabal said, Ethical Hacking also involves Social Engineering. Remember the famous quote:
Quote: "People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems." - Bruce Schneier, Secrets and Lies
As long as we (the people) are building the applications and solutions, we are prone to make errors due to various factors like poor training, lack of security awareness, etc. So in my view, the scope is only going to increase rather than decrease, as the number of vulnerabilities explored on a daily basis is only increasing and not decreasing.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor
There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

jimbob (Guest)
Re: Is the end of ethical hacking soooooon ????? « Reply #4 on: February 18, 2008, 06:32:37 AM »
The absence of buffer overflows is not a panacea in information security. Buffer overflows may become more 'old school' as time passes, but plenty of other vulnerabilities exist. A large number of these are related to improperly handled input, of which buffer overflows are a subset. Consider SQL injection, XSS and format string vulnerabilities.
There are a lot of insecure applications out there written in Java/ASP.Net. Relying solely on edge devices like firewalls and IPS to protect your applications is short-sighted; the need for defence in depth will never go away.
Jimbob

don (Editor-In-Chief, Administrator, Hero Member, Posts: 4165)
Re: Is the end of ethical hacking soooooon ????? « Reply #5 on: February 18, 2008, 09:25:14 AM »
With HIPAA, SOX and many other regulations being handed down by the gov't, both internal and external pen tests/audits/ethical hacking are pretty much being mandated by law. That alone says it's not going anywhere for the foreseeable future. Good news for sites like this one.
As for more secure systems, you are correct. But like any war, the tactics simply change to accommodate a new landscape. This can clearly be seen by many reports from CSI/FBI, Symantec, Microsoft, etc. that cyber criminals simply moved away from attacking the servers and networking infrastructure of large organizations to hitting people. And since there are many more people than servers, they're doing pretty well.
Also, think about this... The servers and networking equipment ARE more secure from the get go. That also means that certain features with more cool factor that some organizations may want to have are not being used. So what do they do? They get 3rd party apps to add on top of that secure infrastructure. Now the attack surface just grew exponentially.
So to give you credit, I think your initial thought is correct. I just think the conclusion is not. Then again, mine is just one man's opinion.
Thanks for contributing,
Don
CISSP, MCSE, CSTA, Security+ SME

Data_Raid (Full Member, Posts: 165)
Re: Is the end of ethical hacking soooooon ????? « Reply #6 on: February 18, 2008, 03:42:18 PM »
Good post and good questions, something I too have been thinking about lately.
I don't think ethical hacking or the requirement for pen testing will decrease as more secure and "intelligent" code is written. There will always be a requirement for testing IT security. My reasons are that code is written by humans, and as the saying goes humans are not perfect so there will always be some vulnerabilities to explore/exploit. There are methods to evade IDS, and with regards to more secure code, if you can't directly exploit that code then try other methods, for example MITM/session hijacking.
Just my two cents
It's also my first post, been a lurker for a long time, great site Don
All men by nature desire knowledge. - Aristotle

rance (Full Member, Posts: 212)
Re: Is the end of ethical hacking soooooon ????? « Reply #7 on: February 18, 2008, 05:14:57 PM »
I'll just put it simply...
"There's no patch for stupidity."
Poking at security since 1986. +++ATH

LSOChris (Guest)
Re: Is the end of ethical hacking soooooon ????? « Reply #8 on: February 18, 2008, 05:39:57 PM »
It's not that hacking is going away, it's just that the technical ability of testers has to go up.
Yes, stack overflows may be going away, but heap overflows are still running strong, but it's much harder to find and exploit them.
Things are still exploitable, just harder to exploit with DEP, NX execshield, etc.
Passing your CEH won't automatically give you everything you need to go to work doing this; doing internships with people with the advanced skills may come about as the way to get the skills you need.

Kev (Sr. Member, Posts: 428)
Re: Is the end of ethical hacking soooooon ????? « Reply #9 on: February 18, 2008, 08:39:06 PM »
Let me pull out my crystal ball, dust it off and throw in my 2 cents. I believe the need for Ethical Hackers will increase in the near future and then in time get less. It should increase as people are being made more aware of the need. If government regulation gets more and more strict and requires security testing, that will only increase the need. Of course the business world will always see the pentester as a necessary evil. That’s just the way it goes with anything that doesn’t directly create revenue. Anything that is seen as maintenance, etc… is seen as something that sucks away the profits.
At some point, security is going to be so strong and automated that breaking down the front gates is going to be so rare. Companies will hire us more for our internal auditing and social engineering skills. The Ethical hacker as defined by the practice of testing by running a number of “hacker tools” against a network and that’s the limit of their skill, will become less needed in time. However, the current rare group of highly skilled security specialists that have a deep understanding of programming, networking, firewalls, anti-virus, etc… will have a good future for many years to come. If someone feels insecure about the future, then strive to be the best and don't settle for just enough to get by.
« Last Edit: February 18, 2008, 08:42:12 PM by Kev »

rance (Full Member, Posts: 212)
Re: Is the end of ethical hacking soooooon ????? « Reply #10 on: February 20, 2008, 10:10:17 AM »
Quote from: Kev on February 18, 2008, 08:39:06 PM
..snip..
At some point, security is going to be so strong and automated that breaking down the front gates is going to be so rare.
../snip..
As I once heard an auditor say... "You can have the biggest, baddest, thickest steel front door in existence, but it doesn't matter much if it's protecting a tent."
You touched a bit on internal stuff. But I also believe, as long as we have servers in our DMZs, especially with back end connectivity, and as long as humans are allowed to continue programming, there are always going to be "external" issues.
The biggest problem I seem to come across, is that for so long, all the focus has been on firewalls and protecting the perimeter, that the internal network has been forgotten. The mantra I seem to hear a lot is "well, the firewall is good, and our internal network is trusted... so it's all A-OK!" Hate that response.
I think we'll have plenty of work for years to come...

Saber123316 (Newbie, Posts: 7)
Re: Is the end of ethical hacking soooooon ????? « Reply #11 on: March 02, 2008, 05:02:05 AM »
As long as computers are getting more advanced, so too will the hacks needed to access those systems. However, humans never change; it just takes one person to slip out one piece of info or not properly dispose of information, and all of a sudden you have your entire network vulnerable.
Also, not to mention how many companies out there still have dial-up as a means to a back end? Some of the old school ways of war dialing are still popular in parts of the world.

pseud0 (Recruiters, Full Member, Posts: 208)
Re: Is the end of ethical hacking soooooon ????? « Reply #12 on: March 02, 2008, 09:53:15 AM »
You guys are all hitting different aspects of what's been called "the evolution of network security." Basically there are a bunch of research groups that have put together a road map of where they think we've been and where we think we are going. It generally looks like Device -> Perimeter -> Application -> Data -> Clouds. (Check out whitepapers here: http://opengroup.org/jericho/publications.htm)
When security first started to become a concern, the logical response was to start hardening individual devices. This is where a lot of us got our start. This mindset quickly moved to defining your environment and then trying to secure the perimeter. (And on the 8th day he created firewalls and it was good.) This is where we've been for the last few years, and many companies are still at this level. The next step is realizing that most access to your environment comes through a variety of applications, so the security mindset is moving towards hardening how applications interact with people and the environment. This is where some companies are now and where most companies know they need to get to.
Many people predict the next stage is going to be protecting data itself, because at the end of the day the data (how it's used, where it goes) is what really matters. There are several study groups right now designing new file formats that will make data self destruct after certain time limits or after it moves a specific number of hops. Others are working in the direction of having all data publicly available, but it can only be read by specific individuals who hold cryptographic keys. On the horizon is the idea of all data existing in clouds (Google is already close to this). Basically the information floats around in massive server farms and access to it is controlled by complicated relationship rules.
So if you think about it, at this stage in the game we are somewhere between Perimeter and Application with some reasonable guesses at where we are going to be in the future. I'd call it job security, but you had better know what the hell you are doing in the next few years 'cause it will get far more technical.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

LSOChris (Guest)
Re: Is the end of ethical hacking soooooon ????? « Reply #13 on: March 02, 2008, 02:10:22 PM »
good post man

don (Editor-In-Chief, Administrator, Hero Member, Posts: 4165)
Re: Is the end of ethical hacking soooooon ????? « Reply #14 on: March 02, 2008, 03:21:26 PM »
This may add a little credibility to the side that thinks it's not going away any time soon:
Quote
InfoWorld's Roger Grimes weighs in on why security expert Bruce Schneier thinks computer security won't get any better in the next 10 years
As longtime readers already know, I’m a big fan of Bruce Schneier, CTO and founder of BT Counterpane. Besides being a cryptographic and computer security authority, cryptographic algorithm creator, and author of many best-selling books on security, Bruce produces some of the most relevant conversations on computer security. I consider his books, his Cryptogram newsletter, and his blog must-reads for anyone in computer security.
Bruce is a guy who pushes us to rethink our currently held paradigms. He lays bare unsubstantiated dogma. I don’t always agree with Bruce. But many of the potent ideas that I disagreed with when he espoused them a half decade ago, I find myself agreeing with years later, ideas like how two-factor authentication won’t stop malicious hackers from stealing gobs of money from the online banking industry, and how the biggest problem with security, in general, is us and our irrational ranking of threats.
I distinctly remember Bruce telling me a decade ago how computer security, with all of its advances, was more than likely going to get worse in the future. This was in the face of increasingly accurate anti-virus programs, improved patch management, and solid improvements in OS security across all platforms. He said this in the days of Windows 95 with almost no security, and today we’ve got User Access Control and security so tight on a Windows system that vendors are frequently complaining. At the time, Bruce was the only voice saying that computer security was going to get worse. And he was right.
But it’s a decade later now. ISS’ annual report announced that the number of vulnerabilities went down for the first time in a long time, along with the amount of spam. (Interestingly, they also said that 50 percent of reported vulnerabilities could not be fixed by a patch.) The latest evolving security technologies (such as IPv6, IPSec, Network Access Protection/Network Access Control, anti-malware software, and so on) are promising. End-user education is higher than it’s ever been. Many professional entities and governments are requiring baseline security compliance. My friends only send me half the hoax virus warning messages now that I used to receive.
So, I asked Bruce the same question again, “Will computer security get better or worse over the next decade?”
Here’s his response:
"Computer security is not likely to improve in the near future because of two reasons. One, bad guys are getting better at attacking us. And two, we’re not getting better at defending ourselves.
For the full article:
http://www.infoworld.com/article/08/02/22/08OP-security-schneier_1.html
Don