Blue Fusion. Articles. A selection of articles to provide an insight into technologies and careers.
 
  William Hau - Ethical Hacking

With the massive growth of the Internet as a way for companies to do business, computer security has become a major area of concern for businesses and governments alike. They want to be able to take advantage of the Internet for electronically buying and selling goods, advertising, distributing information, providing access, etc., but they are worried about the possibility of being "hacked". At the same time, the potential customers of Internet services are worried about keeping their personal information private and safe, whether it's a credit card number or a home address.

So what does it mean to be "hacked"? What is a hacker? The definition of hacking is: "To gain access to a computer file or network illegally or without authorisation." As with most technology, there is a dark side, and for the Internet, criminal hackers are the force at large that has companies worried. Hackers try to get through the security of companies' IT systems either just to prove that they can, embarrassing the company in the process, or to steal information. A company whose security has been exposed by hackers as flawed, not only to its customers but also to the public at large, is not in a very good position for business.

In their search for a way to approach this security problem, companies have come to realise that one of the best ways to evaluate intruder threats is to have independent computer security professionals attempt to break into their computer systems. In the case of computer security, these 'tiger teams' or 'ethical hackers' employ the same tools and techniques as the intruders, but they neither damage the target systems nor steal information. Instead, they evaluate the target systems' security and report back to the owners with the vulnerabilities they found and instructions on how to remedy them. By employing ethical hackers, companies have a way of evaluating their security and keeping customer confidence high.

IBM has an ethical hacking team that offers its services to customers all over the world - the UK team is headed up by William Hau who had this to say about his job:

  What do you do at IBM?

I head up the ethical hacking team in the UK. A great aspect of my job is that there is no typical day - every project is different. We offer a variety of services to customers, which include testing the security of IT systems, where we try to hack our way into their network remotely, or a physical test, where we try to get into their building to access their machines.

If we are performing a physical penetration test, such as legally "breaking into" a company's buildings, we will ensure that we have all the necessary paperwork to show personnel if we get caught. We can spend up to a day performing a reconnaissance of the area, buildings and personnel. Then we formulate our plan to breach the physical security and obtain the information to prove we have infiltrated their security barriers.

This is a picture from a live engagement where we broke into a Financial Services company's computer room and took control of their main computers during daylight and whilst other people were in the room as well.

If we are performing a test over the internet, without going into the technical details, it is a lot like the process for performing a physical test. Once we have identified all the possible weaknesses within the systems, we formulate a plan to exploit those weaknesses, giving us complete access to the organisation's systems. What we are looking for is poorly written programming code or poor server configuration so that we can gain access to their contents.

  Why do you think your work is important?

Our work provides organisations with an independent review of their security, and identifies any potential security problems before they occur. The key to the success of the internet as a communication and trading channel is trust. Without trust, businesses will not use the internet for doing business.

  What types of professionals do you work with?

We work with chief information officers, IT directors, managing directors, lawyers and security professionals in our client companies.

  What kind of software and hardware do you use in your line of work?

We work with all kinds of technology depending on the nature of the assignment. Each has their own specific weaknesses and strengths.

  What's the fastest time you've accessed confidential material on a site?

All work we perform for clients is covered by non-disclosure agreements, so unfortunately I can't say!

  How did you get into this field and why do you do it?

I have always been interested in information security and I find this an exciting and challenging role.

  What kind of qualifications do you need?

There are no formal qualifications. You need to be very IT-literate, have an inquisitive mind, a willingness to learn and question how, why and what if scenarios.

  Hacking has been the subject of many films and it always seems very glamorous. What is the reality of it?

Films such as The Matrix Reloaded have glamorised hacking. The reality is that a lot of painstaking, meticulous work needs to be performed before you can even begin to exploit a vulnerability, and it may take many attempts before you succeed.

  Do you enjoy your job?

Oh yes...

  Do you have any advice for young people wanting to get into testing web site security?

Don't be tempted to hack anyone's site without their express permission. It is illegal, and you will get a criminal record, and top companies would not hire you for this job as a result.
