
Is the end of ethical hacking soooooon ?????

<<

snouto

Newbie

Posts: 7

Joined: Sat Feb 16, 2008 5:51 pm

Post Sat Feb 16, 2008 6:01 pm

Is the end of ethical hacking soooooon ?????

Hello everybody in this forum, I would like to ask a question which irritates me badly and I need a strict and real answer for it

the question is :

What is the future of ethical hacking in coming years in the presence
of the newer secure technology as Java and .Net applications ???

Where is there no buffer overflow vulnerabilities or the like ????

of those vulnerabilities exist in C/c++ and CGI scripting ???????

to explain more my point of view


I find that vulnerabilities are decreasing from time to time in number and incidence due to the new technology of

1 - .Net && Java where there is no buffer overflows ?

2 - ASP.NET is secure, and to extract high risk vulnerabilities from those technologies it is hard and takes more time

3 - Presence of IDS (intrusion detection systems) and IDPS (Intrusion detection prevention systems), Smart Firewalls and the like ???


another question also i need to have an answer for

which is


<< what is the future of penetration testing as a career (if I want to take this track as a job) in the presence of those sophisticated security technologies, Will network administrators depend on those machines in protecting their network or will need penetration tester for that ???? >>> what is the future of vulnerabilities ??


do they decrease with increase in security technologies or what ????




Thanks .
Last edited by snouto on Sat Feb 16, 2008 9:30 pm, edited 1 time in total.
<<

kabal

Newbie

Posts: 4

Joined: Sun Feb 17, 2008 1:30 pm

Post Sun Feb 17, 2008 1:40 pm

Re: Is the end of ethical hacking soooooon ?????

hey
I had the same questions lately but still there are fun things to consider.

yes asp.net and java get more and more secure but you have to be more of an expert than ever before. You have to not only know asp.net (web+app) and java so u can spot flaws in the framework itself.

The implementation for instance of AJAX in asp.net was a real security issue and in many cases still is cause the majority of the programmers were poorly trained in implementing the technology.

But I agree with you in that it is more and more difficult but still security issues are still found.

It's hard to keep up with the rapid new technologies that are emerging.

a lot of companies still don't have the time to have someone on full time looking after keeping security up to date and implementing new updates takes more and more time these days with complying to internal and external compliance guidelines and laws so it gives you a window of opportunity.
<<

matthiasfan

Newbie

Posts: 25

Joined: Tue Aug 07, 2007 2:18 pm

Post Sun Feb 17, 2008 6:04 pm

Re: Is the end of ethical hacking soooooon ?????

No matter what, there will always be a way to get into a system, so that is why ethical hacking will not go away.  There is always the ability to "hack" something, so people are needed to make a solution for the hacks. 
<<

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Sun Feb 17, 2008 8:11 pm

Re: Is the end of ethical hacking soooooon ?????

To add to what matthiasfan and kabal said, Ethical Hacking also involves Social Engineering. Remember the famous quote:

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. - Bruce Schneier, Secrets and Lies


As long as we (the people) are building the applications and solutions, we are prone to make errors due to various factors like poor training, lack of security awareness etc. So in my view, the scope is going to increase only rather than decrease as the number of vulnerabilities explored on a daily basis is increasing only and not decreasing.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

jimbob

Post Mon Feb 18, 2008 7:32 am

Re: Is the end of ethical hacking soooooon ?????

The absence of buffer overflows is not a panacea in information security. Buffer overflows may become more 'old school' as time passes, but plenty of other vulnerabilities exist. A large number of these are related to improperly handled input, of which buffer overflows are a subset. Consider SQL injection, XSS and format string vulnerabilities.

There are a lot of insecure applications out there written in Java/ASP.Net. Relying solely on edge devices like firewalls and IPS to protect your applications is short sighted, the need for defence in depth will never go away.

Jimbob
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Feb 18, 2008 10:25 am

Re: Is the end of ethical hacking soooooon ?????

With HIPAA, SOX and many other regulations being handed down by the gov't, both internal and external pen tests/audits/ethical hacking are pretty much being mandated by law. That alone says it's not going anywhere for the foreseeable future. Good news for sites like this one.  ;)

As for more secure systems, you are correct. But like any war, the tactics simply change to accommodate a new landscape. This can clearly be seen by many reports from CSI/FBI, Symantec, Microsoft, etc. that cyber criminals simply moved away from attacking the servers and networking infrastructure of large organizations to hitting people. And since there are many more people than servers, they're doing pretty well.

Also, think about this... The servers and networking equipment ARE more secure from the get go. That also means that certain features with more cool factor that some organizations may want to have are not being used. So what do they do? They get 3rd party apps to add on top of that secure infrastructure. Now the attack surface just grew exponentially.

So to give you credit, I think your initial thought is correct. I just think the conclusion is not. Then again, mine is just one man's opinion.

Thanks for contributing,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Mon Feb 18, 2008 4:42 pm

Re: Is the end of ethical hacking soooooon ?????

Good post and good questions, something I too have been thinking about lately.
I don't think ethical hacking or the requirement for pen testing will decrease as more secure and "intelligent" code is written. There will always be a requirement for testing IT security. My reasons are that code is written by humans, and as the saying goes humans are not perfect so there will always be some vulnerabilities to explore/exploit. There are methods to evade IDS, and with regards to more secure code, if you can't directly exploit that code then try other methods, for example MITM/session hijacking.

Just my two cents
It's also my first post, been a lurker for a long time, great site Don ;)
All men by nature desire knowledge.

Aristotle
<<

rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Mon Feb 18, 2008 6:14 pm

Re: Is the end of ethical hacking soooooon ?????

I'll just put it simply...

"There's no patch for stupidity."

;D
Poking at security since 1986.  +++ATH
<<

LSOChris

Post Mon Feb 18, 2008 6:39 pm

Re: Is the end of ethical hacking soooooon ?????

it's not that hacking is going away, it's just that the technical ability of testers has to go up.

yes stack overflows may be going away but heap overflows are still running strong but it's much harder to find and exploit them.

things are still exploitable just harder to exploit with DEP, NX execshield, etc.

passing your CEH won't automatically give you everything you need to go to work doing this, doing internships with people with the advanced skills may come about as the way to get the skills you need.
<<

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Mon Feb 18, 2008 9:39 pm

Re: Is the end of ethical hacking soooooon ?????

Let me pull out my crystal ball, dust it off and throw in my 2 cents.  I believe the need for Ethical Hackers will increase in the near future and then in time get less. It should increase as people are being made more aware of the need. If government regulation gets more and more strict and requires security testing, that will only increase the need. Of course the business world will always see the pentester as a necessary evil.  That’s just the way it goes with anything that doesn’t directly create revenue.  Anything that is seen as maintenance, etc… is seen as something that sucks away the profits.

At some point, security is going to be so strong and automated that breaking down the front gates is going to be so rare. Companies will hire us more for our internal auditing and social engineering skills.  The Ethical hacker as defined by the practice of testing by running a number of “hacker tools” against a network and that’s the limit of their skill, will become less needed in time. However, the current rare group of highly skilled security specialists that have a deep understanding of programming, networking, firewalls, anti-virus, etc… will have a good future for many years to come.  If someone feels insecure about the future, then strive to be the best and don't settle for just enough to get by.
Last edited by Kev on Mon Feb 18, 2008 9:42 pm, edited 1 time in total.
<<

rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Wed Feb 20, 2008 11:10 am

Re: Is the end of ethical hacking soooooon ?????

Kev wrote:
..snip..

At some point, security is going to be so strong and automated that breaking down the front gates is going to be so rare.

../snip..



As I once heard an auditor say... "You can have the biggest, baddest, thickest steel front door in existence, but it doesn't matter much if it's protecting a tent."

You touched a bit on internal stuff.  But I also believe, as long as we have servers in our DMZs, especially with back end connectivity, and as long as humans are allowed to continue programming, there are always going to be "external" issues.

The biggest problem I seem to come across, is that for so long, all the focus has been on firewalls and protecting the perimeter, that the internal network has been forgotten.  The mantra I seem to hear a lot is "well, the firewall is good, and our internal network is trusted... so it's all A-OK!"  Hate that response.

I think we'll have plenty of work for years to come...
Poking at security since 1986.  +++ATH
<<

Saber123316

Newbie

Posts: 7

Joined: Wed Apr 25, 2007 9:06 pm

Post Sun Mar 02, 2008 6:02 am

Re: Is the end of ethical hacking soooooon ?????

As long as computers are getting more advanced so too will the hacks needed to access those systems. However humans never change, it just takes one person to slip out one piece of info or not properly dispose of information and all of a sudden you have your entire network vulnerable.

Also not to mention how many companies out there still have dial up as a means to a back end? Some of the old school ways of war dialing are still popular in parts of the world.
<<

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Sun Mar 02, 2008 10:53 am

Re: Is the end of ethical hacking soooooon ?????

You guys are all hitting different aspects of what's been called "the evolution of network security."  Basically there are a bunch of research groups that have put together a road map of where they think we've been and where we think we are going.  It generally looks like Device -> Perimeter -> Application -> Data -> Clouds.  (check out whitepapers here http://opengroup.org/jericho/publications.htm) When security first started to become a concern the logical response was to start hardening individual devices.  This is where a lot of us got our start.  This mindset quickly moved to defining your environment and then trying to secure the perimeter.  (and on the 8th day he created firewalls and it was good)  This is where we've been for the last few years, and many companies are still at this level.  The next step is realizing that most access to your environment comes through a variety of applications, so the security mindset is moving towards hardening how applications interact with people and the environment.  This is where some companies are now and where most companies know they need to get to.  Many people predict the next stage is going to be protecting data itself, because at the end of the day the data (how it's used, where it goes) is what really matters.  There are several study groups right now designing new file formats that will make data self destruct after certain time limits or after it moves a specific number of hops.  Others are working in the direction of having all data publicly available, but it can only be read by specific individuals who hold cryptographic keys.  On the horizon is the idea of all data existing in clouds (Google is already close to this).  Basically the information floats around in massive server farms and access to it is controlled by complicated relationship rules.
So if you think about it, at this stage in the game we are somewhere between Perimeter and Application with some reasonable guesses at where we are going to be in the future.  I'd call it job security, but you had better know what the hell you are doing in the next few years 'cause it will get far more technical.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

LSOChris

Post Sun Mar 02, 2008 3:10 pm

Re: Is the end of ethical hacking soooooon ?????

good post man
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sun Mar 02, 2008 4:21 pm

Re: Is the end of ethical hacking soooooon ?????

This may add a little credibility to the side that thinks it's not going away any time soon:


InfoWorld's Roger Grimes weighs in on why security expert Bruce Schneier thinks computer security won't get any better in the next 10 years

As longtime readers already know, I’m a big fan of Bruce Schneier, CTO and founder of BT Counterpane. Besides being a cryptographic and computer security authority, cryptographic algorithm creator, and author of many best-selling books on security, Bruce produces some of the most relevant conversations on computer security. I consider his books, his Cryptogram newsletter, and his blog must-reads for anyone in computer security.

Bruce is a guy who pushes us to rethink our currently held paradigms. He lays bare unsubstantiated dogma. I don’t always agree with Bruce. But many of the potent ideas that I disagreed with when he espoused them a half decade ago, I find myself agreeing with years later, ideas like how two-factor authentication won’t stop malicious hackers from stealing gobs of money from the online banking industry, and how the biggest problem with security, in general, is us and our irrational ranking of threats.

I distinctly remember Bruce telling me a decade ago how computer security, with all of its advances, was more than likely going to get worse in the future. This was in the face of increasingly accurate anti-virus programs, improved patch management, and solid improvements in OS security across all platforms. He said this in the days of Windows 95 with almost no security, and today we’ve got User Access Control and security so tight on a Windows system that vendors are frequently complaining. At the time, Bruce was the only voice saying that computer security was going to get worse. And he was right.

But it’s a decade later now. ISS’ annual report announced that the number of vulnerabilities went down for the first time in a long time, along with the amount of spam. (Interestingly, they also said that 50 percent of reported vulnerabilities could not be fixed by a patch.) The latest evolving security technologies (such as IPv6, IPSec, Network Access Protection/Network Access Control, anti-malware software, and so on) are promising. End-user education is higher than it’s ever been. Many professional entities and governments are requiring baseline security compliance. My friends only send me half the hoax virus warning messages now that I used to receive.

So, I asked Bruce the same question again, “Will computer security get better or worse over the next decade?”

Here’s his response:

"Computer security is not likely to improve in the near future because of two reasons. One, bad guys are getting better at attacking us. And two, we’re not getting better at defending ourselves.



For the full article:
http://www.infoworld.com/article/08/02/ ... ier_1.html

Don
CISSP, MCSE, CSTA, Security+ SME
