重点 (Top highlight)
分发到网络安全 (Distributed to Cybersecurity)
本文目的 (Purpose of this article)
In this article, I want to create awareness on ethical hacking, its purpose, use cases, and a brief introduction to the role of ethical hackers in digital transformation initiatives. My aim is to help security executives and managers choose the best ethical hackers for their business. As a by-product, the information in this article can also guide the aspiring ethical hackers to build their skills and plan their experience.
在本文中,我想提高人们对道德黑客,其目的,用例的认识,并简要介绍道德黑客在数字化转型计划中的作用。 我的目的是帮助安全主管和经理为他们的业务选择最佳的道德黑客。 作为副产品,本文中的信息还可以指导有抱负的道德黑客建立技能和计划经验。
语境 (Context)
Ethical hacking is a critical function for security and cybersecurity requirements of digital transformation initiatives. Every sizable digital transformation project requires at least one ethical hacker. Some massive programs may have multiple ethical hackers specializing in critical aspects and various domains of the program.
道德黑客对于数字化转型计划的安全性和网络安全要求至关重要。 每个大型数字化转型项目都至少需要一名道德黑客。 一些大型程序可能会有多个道德黑客专门研究程序的关键方面和各个领域。
背景 (Background)
Security, in a local sense, and cybersecurity in the connected world, touch every domain, solution construct, and building blocks of the solutions in digital transformation initiatives. To this end, there are critical requirements to leverage the skills and experience of ethical hackers in these initiatives.
从本地意义上讲,安全性和连接世界中的网络安全性涉及数字转换计划中的每个领域,解决方案构造以及解决方案的组成部分。 为此,存在在这些计划中利用道德黑客的技能和经验的关键要求。
One may ask what ethical hacking mean, who ethical hackers are, what they do, why they do what they are supposed to do, and how they do them. These questions set the objectives of this article. I want to share my experience in the field. However, some points from my experience may conflict with traditional sources or text books.
有人可能会问道德黑客是什么意思,道德黑客是谁,他们做什么,为什么要做他们应该做的事情,以及他们如何做。 这些问题确定了本文的目标。 我想分享我在该领域的经验。 但是,根据我的经验,有些观点可能与传统资料或教科书相抵触。
In several previous articles, I introduced digital transformation initiatives under different subtopics. Instead of giving additional background on digital transformation, I’d refer you to one of my comprehensive articles. This article can provide you with useful background on digital transformation.
在之前的几篇文章中,我介绍了不同子主题下的数字化转型计划。 除了给您提供有关数字转换的其他背景知识外,我还请您参考我的综合文章之一。 本文可以为您提供有关数字转换的有用背景。
The primary use case for ethical hacking in digital transformation initiatives is to identify vulnerabilities in the systems and the solution building blocks. Identifying these vulnerabilities and addressing them in an agile manner requires deep security and cybersecurity expertise. The best talent to meet the requirements and expectations of the business stakeholders are ethical hackers.
数字化转型计划中道德黑客的主要用例是 识别系统和解决方案构建块中的漏洞 。 识别这些漏洞并以敏捷的方式解决它们需要深入的安全和网络安全专业知识。 符合业务利益相关者要求和期望的最佳人才是道德黑客。
数字化转型计划中的道德黑客和道德黑客 (Ethical hacking and ethical hackers in digital transformation initiatives)
Ethical hackers are qualified technical specialists in the security and cybersecurity domains. These talented professionals have the required expertise and they understand security domains such as authentication, authorization, accounting, and auditing functions in detail.
道德黑客是安全和网络安全领域的合格技术专家。 这些才华横溢的专业人员具有所需的专业知识,并且他们详细了解安全领域,例如身份验证,授权,记帐和审计功能。
These are broad categories with many subcategories underneath. I only want to provide a high-level picture so that we focus on ethical hacking and ethical hackers as the primary objective of this article. While introducing the roles and responsibilities of ethical hackers in following sections, I touch on some subcategories of security domains.
这些是广泛的类别,下面有许多子类别。 我只想提供一个高层次的视图,以便我们将道德黑客和道德黑客作为本文的主要目标。 在以下各节中介绍道德黑客的角色和职责时,我将介绍安全域的一些子类别。
犯罪和道德黑客之间的区别 (The difference between criminal and ethical hackers)
To understand the role and responsibilities of ethical hackers, it can be useful; first, we know about criminal hackers. Probably you heard a lot about the criminal hackers in the media. They are the scary and bad guys with ill intentions.
要了解道德黑客的角色和责任,它可能会很有用; 首先,我们了解犯罪黑客 。 可能您在媒体上听到了很多有关犯罪黑客的信息。 他们是有恶意的坏人。
Criminal hackers aim to steal data, information, knowledge, assets, and money. They may defame people. They can destroy systems, applications, and data. They can also blackmail people into gaining financial benefits. In short, they are into illegal activities. Criminal hackers are known as black hat hackers in the industry.
犯罪黑客旨在窃取数据,信息,知识,资产和金钱。 他们可能会诽谤他人。 它们会破坏系统,应用程序和数据。 他们还可以勒索人们以获得经济利益。 简而言之,他们从事非法活动。 犯罪黑客在业界被称为黑帽黑客。
Whereas ethical hackers can support people and business, improve conditions, resolve situations, and prevent threats and vulnerabilities. They are known as white hat hackers.
道德黑客可以为人员和企业提供支持,改善条件,解决情况并防止威胁和漏洞。 他们被称为白帽黑客。
In addition to these two types of hackers, there are also grey hat hackers who can be in between these two types. They are not as dangerous as the criminal hackers but not as desirable as ethical hackers. The key difference is that the grey hat hackers may access the systems without permission, but they do not necessarily mean harm. Some grey hat hackers have altruistic purposes.
除了这两种类型的黑客之外,还有灰帽子黑客可以介于这两种类型之间。 它们不像犯罪黑客那样危险,但不如道德黑客那么可取。 关键区别在于,戴着灰色帽子的黑客可能会在未经许可的情况下访问系统,但不一定意味着有害。 一些灰帽子黑客有利他的目的。
After this brief background, let’s focus on ethical hackers.
在这简短的背景之后,让我们集中讨论道德黑客。
道德黑客是犯罪黑客的解药。 (Ethical hackers are an antidote to criminal hacking.)
Ethical hackers are as knowledgeable and skillful as criminal hackers. In fact, some professional ethical hackers are more knowledgeable and skilled than the criminal ones. In the industry, ethical hackers are expected to outsmart criminal hackers. This quality is tested during the interviews using intricate questions, simulations, and using real-life scenarios.
道德黑客与犯罪黑客一样,知识渊博,技术娴熟。 实际上,一些职业道德黑客比犯罪黑客知识和技能更高。 在该行业中, 道德黑客有望胜过犯罪黑客。 在访谈过程中,使用复杂的问题,模拟和真实场景来测试这种质量。
Ethical hackers proactively monitor the systems, identify gaps, inform the stakeholders, create a plan of action, and help execute the plan.
道德黑客会主动监控系统,发现漏洞,通知利益相关者,制定行动计划并帮助执行计划。
Ethical hackers are equipped with various powerful security management tools. The most prominent tool-set is the sniffer, also known as the packet analyzer. A packet analyzer is a software or hardware (appliance) program that can intercept in the network and capture network traffic (as communication packets).
道德黑客配备了各种强大的安全管理工具。 最突出的工具集是嗅探器,也称为数据包分析器。 数据包分析器是一种软件或硬件(设备)程序,可以在网络中进行拦截并捕获网络流量(作为通信数据包)。
In addition to understanding the systems and solutions, ethical hackers also understand regulatory, safety, security and industry compliance requirements. Digital products and services consumption by the public requires rigorous compliance review, auditing, and corrective actions.
道德黑客除了了解系统和解决方案外,还了解法规,安全性,安全性和行业合规性要求。 公众消费数字产品和服务需要严格的合规性审查,审核和纠正措施。
I want to share the set of criteria that I developed in engaging ethical hackers in my digital transformation solutions. These criteria can help you understand the roles and responsibilities of ethical hackers in digital transformation solutions.
我想分享我在促使道德黑客参与我的数字转换解决方案时制定的一套标准。 这些标准可以帮助您了解道德黑客在数字转换解决方案中的角色和职责。
Let me point out a caveat here. These criteria may sound broader and more comprehensive than the traditional requirements. The rationale is there appear to be additional focus areas in transformative programs covering emerging technology stacks, extensive virtual platforms, Big Data, innovative and bespoke solutions, and critical non-functional requirements such as intricate interoperability, mobility, scalability, and capacity concerns.
让我指出一个警告。 这些标准听起来比传统要求更广泛,更全面。 从根本上讲,转型计划中似乎还有其他重点领域,包括新兴技术堆栈,广泛的虚拟平台,大数据,创新的定制解决方案以及关键的非功能性要求,例如复杂的互操作性,移动性,可伸缩性和容量问题。
如何成为一名道德黑客? (How to be an ethical hacker?)
In this section I provide the criteria for becoming an ethical hacker in digital transformation programs. To make the criteria easy to read, I categorized the requirements under 6 broad categories: 1. Architecture, Design, & Industry Understanding, 2. Core Security Expertise, 3. Analytical Skills, 4. Technical Skills, 5. Interpersonal Skills 6. Business, Stakeholder, Project, and Organizational Skills
在本节中,我提供了成为数字转换程序中的道德黑客的标准。 为了使标准易于阅读,我将需求分为6大类:1.体系结构,设计和行业理解; 2.核心安全专业知识; 3.分析技能; 4.技术技能; 5.人际交往能力6.商业,利益相关者,项目和组织技能
1.建筑,设计和行业理解 (1. Architecture, Design, & Industry Understanding)
Even though ethical hackers are considered technical specialists, they also need to understand architecture, design, and governance schemes. These skills enable ethical hackers to understand requirements and architectural decisions, understand the architectural and design constraints, and interpret viability assessment work-products.
即使道德黑客被视为技术专家,他们也需要了解体系结构,设计和治理方案。 这些技能使道德的黑客能够了解需求和体系结构决策,了解体系结构和设计约束以及解释可行性评估工作产品。
Some key points are to understand the business process, consumption model, application landscape, data platforms and practices.
一些关键点是了解业务流程,消费模型,应用程序环境,数据平台和实践。
Ethical hackers must know their specific industry details because the rules and regulations may vary in different industries.
道德黑客必须了解其特定的行业详细信息,因为规则和法规在不同的行业可能有所不同。
In architecture phases (e.g. macro design), ethical hackers perform pragmatically. They can conduct quick experiments, proof of concept, and proof of technology in urgent solution delivery cases.
在架构阶段(例如,宏设计),道德黑客会务实地执行。 他们可以在紧急解决方案交付案例中进行快速实验,概念验证和技术验证。
Ethical hackers participate in design authority and architecture review boards as security subject matter experts.
道德黑客以安全主题专家的身份参加设计权威和体系结构审查委员会。
2.安全专长 (2. Security Expertise)
From specialty point of view, ethical hackers must have broad and deep demonstrated security and cybersecurity experience. Their security knowledge must be end-to-end and up-to-date.
从专业的角度来看,道德黑客必须具有广泛而深刻的安全和网络安全经验。 他们的安全知识必须是端到端的和最新的。
They need to follow the security news, development, and trends carefully. Global security awareness is a critical requirement for them. At the highest level, they need to know the theories and mechanisms for an end-to-end security requirements perspective in digital transformation programs.
他们需要仔细跟踪安全新闻,发展和趋势。 全球安全意识是他们的关键要求。 在最高级别,他们需要了解数字转换程序中端对端安全需求观点的理论和机制。
Security architecture is a critical knowledge area for ethical hackers. They must have deep technical knowledge of security systems, security frameworks, security patterns, and integration of security components.
安全体系结构是道德黑客的重要知识领域。 他们必须具有安全系统,安全框架,安全模式以及安全组件集成的深入技术知识。
Since encrypted messages in internetworks are critical in transforming business environments, ethical hackers must have a deep understanding of cryptography.
由于Internetworks中的加密消息对于改变业务环境至关重要,因此道德黑客必须对加密技术有深刻的了解。
Social engineering is one of the most significant risks in business organizations. Social engineering is a widespread and the easiest way to exploit vulnerable users. Users’ lack of knowledge, social fear, confusion, assumptions can create tremendous risks. Ethical hackers know how criminal hackers use social engineering to hack complex systems. They inform all stakeholders and educate the users not to fall into the social engineering traps.
社会工程是商业组织中最重大的风险之一。 社会工程是一种广泛利用和最容易利用脆弱用户的方法。 用户缺乏知识,社交恐惧,困惑和假设会带来巨大的风险。 道德黑客知道犯罪黑客如何利用社会工程技术来入侵复杂的系统。 他们告知所有利益相关者,并教育用户不要陷入社会工程陷阱。
In addition, ethical hackers understand how the dark side of the Internet works. In digital transformation programs, the “darknet” or “darkweb” poses high risks and creates a huge fear for digital assets. To this end, ethical hackers inform the stakeholders and the users to take necessary measures and precautions to protect their assets proactively.
此外,道德黑客也了解Internet的阴暗面是如何工作的。 在数字转换计划中,“暗网”或“暗网”构成了高风险,并给数字资产带来了巨大的恐惧。 为此,道德黑客会通知利益相关者和用户采取必要的措施和预防措施,以主动保护其资产。
3.分析能力 (3. Analytical Skills)
One of the fundamental roles of ethical hackers is to analyze systems, networks, solutions, applications, data, and databases. They can deep dive to analytical matters. They have a sharp eye for detail. They are observant and be able to see intricate and obscure patterns. They can perform the role of a security auditor in incident management teams.
道德黑客的基本角色之一是分析系统,网络,解决方案,应用程序,数据和数据库。 他们可以深入分析问题。 他们非常注重细节。 他们观察力强,能够看到错综复杂的图案。 他们可以在事件管理团队中扮演安全审核员的角色。
4.技术技能 (4. Technical Skills)
Programming (coding) and scripting skills are essential for ethical hackers. Some common languages are Python, C++, and Java. The language requirements may vary based on the program platforms. I used these 3 as an example.
编程(编码)和脚本编写技能对于道德黑客至关重要。 一些常见的语言是Python,C ++和Java。 语言要求可能会因程序平台而异。 我以这三个为例。
Ethical hackers must possess core hacking techniques such as sniffing, scanning (e.g. W3af, Nessus, Burp), reverse engineering, disk/memory forensics, vulnerability analysis, frameworks such as Metasploit, and DoS attack. There are many more specialist hacking techniques, and those details are beyond the scope of this article.
道德的黑客必须拥有核心的黑客技术,例如嗅探,扫描(例如W3af,Nessus,Burp),逆向工程,磁盘/内存取证,漏洞分析以及诸如Metasploit和DoS攻击之类的框架。 还有更多的专业黑客技术 ,这些细节不在本文讨论范围之内。
Operating system knowledge is also essential. Some commonly used operating systems are Linux, Windows, Unix, ZoS, Android, macOS, iOS and other proprietary operating systems.
操作系统知识也很重要。 一些常用的操作系统是Linux,Windows,Unix,ZoS,Android,macOS,iOS和其他专有操作系统。
Networking and internet-working skills are critical. Ethical hackers need to understand network protocols, wireless protocols, architectures, frameworks, patterns, devices, functions, tools, connectivity, mobility, communications, and integration both in local and wide area networks.
联网和互联网工作技能至关重要。 道德黑客需要了解局域网和广域网中的网络协议,无线协议,体系结构,框架,模式,设备,功能,工具,连接性,移动性,通信和集成。
As ethical hackers have to deal with data from many angles, understanding the data platforms, practices, storage, data lakes, data lifecycle management, databases, information, and knowledge systems. They also deal a lot with the Big Data for special forensic investments.
由于道德黑客必须从多个角度处理数据,因此必须了解数据平台,实践,存储,数据湖,数据生命周期管理,数据库,信息和知识系统。 他们还与大数据打交道,以进行特殊的法证投资。
Digital mobility knowledge is critical for ethical hackers. They understand the digital technologies, mobile networks, workflows in these mobile networks, protocols, and device relationships.
数字移动知识对于道德黑客至关重要。 他们了解数字技术,移动网络,这些移动网络中的工作流程,协议和设备关系。
Ethical hackers have a broad understanding of the mechanisms and implications of emerging technology stacks such as IoT (Internet of Things), Cognitive Computing, Cloud Computing, Edge and Fog Computing, Artificial Intelligence, and Big Data Analytics.
道德黑客对物联网(IoT),认知计算,云计算,边缘和雾计算,人工智能和大数据分析等新兴技术栈的机制和含义有广泛的了解。
5.人际交往能力 (5. Interpersonal Skills)
One of the key distinguishing factors of ethical hackers is caring, trustworthy, and reliable nature. Contrary to criminal hackers, ethical hackers, have empathy and compassion for users. They are non-judgemental and can approach people with corrective actions. They are team players and mentors for other security professionals.
道德黑客的主要区别因素之一是关怀,可信赖和可靠的性质。 与犯罪黑客,道德黑客相反,他们对用户具有同理心和同情心。 他们是非判断性的,可以采取纠正措施与人们接触。 他们是其他安全专业人员的团队成员和指导者。
6.业务,涉众,项目和组织技能 (6. Business, Stakeholder, Project, and Organizational Skills)
Ethical hackers need to have excellent stakeholder management skills. Some critical capabilities in this area are communicating at all levels and speaking the business language. They can articulate risks, issues and dependencies both to technical and business stakeholders. While they can see the big picture, they are also capable of delving into details.
道德黑客需要具有出色的涉众管理技能。 该领域的一些关键功能正在各个层面进行交流并说出商务语言。 他们可以向技术和业务涉众明确表达风险,问题和依赖性。 虽然他们可以看到全局,但也可以深入研究细节。
In large business organizations, ethical hackers closely work with project managers. Therefore, they understand the project methods and tools. They have a particular focus on agile methods as security and cybersecurity issues are usually considered emergency issues requiring expedited delivery with priority number one approach.
在大型企业组织中,道德黑客与项目经理紧密合作。 因此,他们了解项目的方法和工具。 他们特别关注敏捷方法,因为安全和网络安全问题通常被认为是紧急事件,需要优先采用第一方法快速交付。
Ethical hackers do not spend too long with root cause analysis during critical situations. They have to deal with incident management processes. During the incident management process, they must identify risks, issues, and dependencies very quickly.
道德的黑客在紧急情况下不会花费太多时间进行根本原因分析。 他们必须处理事件管理流程。 在事件管理过程中,他们必须非常Swift地识别风险,问题和依赖性。
They still need to provide input to the problem management team, but it happens after the priority incidents are resolved. Therefore a reasonable knowledge service management framework such as ITIL is desirable for ethical hackers.
他们仍然需要向问题管理团队提供输入,但是这要在解决优先事件之后发生。 因此,道德黑客需要一个合理的知识服务管理框架,例如ITIL 。
They don’t have to know everything about service management as it is a broad domain. However, ethical hackers need to know how to elicit information and gain tacit knowledge by interacting with architects, specialists, project managers, and power users during the incidents. Event and configuration management are other areas they get involved in the service management domain.
他们不需要了解有关服务管理的所有知识,因为它是一个广泛的领域。 但是,道德黑客需要知道如何通过在事件发生期间与架构师,专家,项目经理和超级用户进行交互来获取信息并获得默认知识 。 事件和配置管理是它们参与服务管理领域的其他领域。
Since the legal departments in digital transformation programs use ethical hackers, they also need to understand the legal issues, hacking implications, and other legal security concerns, and be able to speak effectively with legal professionals.
由于数字转换计划中的法律部门使用道德黑客,因此他们还需要了解法律问题,黑客影响和其他法律安全问题,并能够与法律专业人士进行有效对话。
Sponsoring executives also require their lead ethical hackers to have inventive and innovative mindset to contribute to their innovation agenda in their critical security initiatives such as Cloud security.
赞助高管还要求其主要的道德黑客具有创新的思维方式,以便在其关键安全计划(例如云安全)中为创新议程做出贡献。
道德黑客的认证要求 (Certification Requirements for Ethical Hackers)
I witnessed job applicants going for ethical hacking roles without certification. However, nowadays, it is a prerequisite to have recognized certification for ethical hackers. The certification covers knowledge, skills, competencies, and proven experience in the areas mentioned above.
我目睹了求职者在未经认证的情况下转而从事道德黑客活动。 但是,如今,拥有公认的道德黑客认证是前提。 该认证涵盖了上述领域的知识,技能,能力和经过验证的经验。
The most popular and globally recognized qualification is provided by The International Council of Electronic Commerce Consultants (EC-Council). EC-Council provides a qualification called CEH (Certified Ethical Hacker). CEH is the most fundamental requirement for the certification of ethical hackers.
国际电子商务顾问委员会(EC-Council)提供了最受欢迎和全球认可的资格证书。 EC-Council提供了一个称为CEH( 认证道德黑客 )的资格。 CEH是道德黑客认证的最基本要求。
Other essential qualifications are Advanced Penetration Tester, Certified Network Defender, and Forensic Investigator provided by EC-Council. There are several other education and certification programs on the market, such as OSCP (Offensive Security Certified Professional), FUH (Foundstone Ultimate Hacking).
其他基本资格包括EC-Council提供的Advanced Penetration Tester,认证的网络防御者和法医调查员。 市场上还有其他一些教育和认证计划,例如OSCP (进攻性安全认证专家), FUH (Foundstone Ultimate Hacking)。
There are also many online training programs on ethical hacking technical skills. However, I haven’t come across a training program covering all aspects mentioned in the criteria I introduced in this article. The reason is, the role of ethical hacker is not merely knowledge based but experience and expertise based.
还有许多关于道德黑客技术技能的在线培训计划。 但是,我还没有遇到涵盖我在本文中介绍的标准中提到的所有方面的培训计划。 原因是,道德黑客的角色不仅基于知识,而且基于经验和专业知识。
结论 (Conclusion)
Ethical hackers are critical security specialists and subject matter experts in digital transformation programs. They have an important mission in these programs. They possess unique skills, experience, and expertise.
道德黑客是数字转换计划中的关键安全专家和主题专家。 他们在这些计划中担负着重要的使命。 他们拥有独特的技能,经验和专业知识。
I provided an overview of the knowledge, skills, competencies, and experience requirements of ethical hackers in digital transformation programs. The content in this article can guide security executives and managers to recruit qualified ethical hackers for their business-critical initiatives in their programs.
我概述了数字转换计划中道德黑客的知识,技能,能力和经验要求。 本文中的内容可以指导安全主管和经理为他们的程序中的业务关键计划招募合格的道德黑客。
The aspiring ethical hackers who plan to work in digital transformation programs can create a checklist and plan their path using the criteria. There is a tremendous demand for ethical hackers. The field is rapidly developing, and there are not adequate number of qualified ethical hackers to meet the current market demands. My aim is to create awareness on this topic by reflecting my industry experience in the field.
计划在数字转换计划中工作的有抱负的道德黑客可以创建清单,并使用该标准来计划其路径。 对道德黑客的需求巨大。 该领域正在Swift发展,并且没有足够数量的合格道德黑客来满足当前的市场需求。 我的目的是通过反映我在该领域的行业经验来提高对此主题的认识。
翻译自: https://medium.com/illumination/ethical-hacking-8579d5709f0b
1037
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
