THE INCREASED national dependence on computer-based information systems has amplified the need for safety, security, and resilience of cyber space. However, because the threats and vulnerabilities of cyber space keep evolving, protecting it effectively is a non-trivial task. This is evident from the following facts: (1) according to conservative estimates, online criminal activities are said to cost the global economy anywhere from $114 billion to $338 billion annually, with estimated fraudulent earnings of $80 billion by criminals globally in the year 2007 alone; (2) high-profile cases illustrate that cyber space is now being aggressively used by terrorists for coordination, training, recruiting and dissemination of propaganda, covertly using legitimate computer networks around the world; (3) cyber warfare has now been acknowledged as a real threat after its potential was highlighted in the conflicts between Russia and Estonia, Russia and Georgia, Egypt and Israel, and the recent attacks against Iran through the Stuxnet worm.
Pakistan is no exception. The national threats in the aforementioned domains are evident from an analysis of the scant official data available and the news reports. (1) According to the National Response Centre for Cyber Crimes (NR3C), established under the Federal Investigation Agency (FIA), cyber crimes in Pakistan range from bank ATM frauds, mobile balance transfer frauds, and abusive and threatening messages to illegal access of websites through hacking. (2) News reports illustrate illegitimate use of cyber space by terrorists both for the coordination of criminal activities and for the promotion of a terrorist agenda. (3) The recent attacks on the websites of the government of Pakistan demonstrate the vulnerabilities in the national infrastructure, which may break down under coordinated attacks by independent or enemy-sponsored hacktivists.
Nations around the world are fast becoming aware of the emerging threats in cyber space. Consequently, most advanced nations have developed comprehensive strategies that typically involve reducing the risks within cyber space so that it remains robust enough for its fullest potential to be exploited, while at the same time investing strategically in knowledge, capabilities, and decision making to improve the safety, security and resilience of cyber space.
In the short term, a set of necessary skills has to be identified, and the gaps in them bridged, to keep the strategic national assets secure. In this regard, there is an urgent need in Pakistan to develop a specialized skill set amongst Information Technology professionals, who should be trained to assess vulnerabilities in computer networks and applications with the objective of developing effective countermeasures for evolving threats in cyber space.
Penetration testing is a method for assessing the security of computer networks by simulating attacks to identify ways that malicious users may use to bypass the security controls of a single computer, a computer network or an application. The method involves employing tools and techniques commonly used by real hackers to attack real systems in order to look for a set of vulnerabilities in a computer system. The objective of penetration testing is to determine: (a) the tolerance of a system; (b) the complexity required to compromise the system; (c) the additional countermeasures required for security; and (d) the system's detection and response ability.
The Licensed Penetration Tester (LPT) training and certification, offered by EC-Council, prepares a professional to conduct penetration testing of computer networks. The qualification comprises two independent modules: (1) Certified Ethical Hacker (CEH), and (2) EC-Council Certified Security Analyst (ECSA). After completing the two modules, a professional qualifies for obtaining the LPT. The CEH module prepares professionals to learn hacking skills by exposing them to cutting-edge tools and technologies, whereas the ECSA training provides the necessary skills to analyze the outcome of these attacks by following the required protocols of planning, discovering, analyzing and reporting the testing results.
Riphah International University (RIU) is the first academic and professional partner of the EC-Council, a leading information security certification body. EC-Council offers training in over 60 countries and has trained over 80,000 professionals. Its certifications are recognized by US governmental agencies such as the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Committee on National Security Systems (CNSS), to name only a few.
RIU has developed a Professional Development Centre (PDC) at the Faculty of Computing with the aim of building the capacity of students, teachers, and professionals in the field of Information Technology. The centre offers training in cutting-edge technologies to develop the skill set required in industry and academia in Pakistan. The centre also provides consultations to the industry.
The PDC offers one of the most sought-after information security training opportunities: EC-Council's Certified Ethical Hacker (C|EH) training. In partnership with the EC-Council, PDC has trained over 40 professionals from the Ministry of Defence, banks, educational institutions, and other public and private organizations. RIU is the first organization in Pakistan to offer the Licensed Penetration Tester certification in collaboration with EC-Council. Other trainings include EC-Council Certified Security Analyst and EC-Council Network Security Administrator (ENSA). In addition, PDC also offers Certified Information System Auditor and Certified Information Security Manager training programs.
The writer is Dean, Faculty of Computing, Riphah International University, Islamabad, Pakistan, and can be reached at firstname.lastname@example.org