More stories

  • Ransomware: 'We won't pay ransom,' says Ireland after attack on health service

    Ireland’s Health Service Executive (HSE) has ruled out giving in to hackers’ demands as the country’s healthcare and social services continue to deal with the disruption caused by a significant ransomware attack that occurred a few days ago.

    The HSE has now confirmed that a ransom has been sought by the attackers, although the exact amount is yet to be clarified. “Following an initial assessment we know this is a variant of the Conti virus that our security providers had not seen before. A ransom has been sought and won’t be paid in line with state policy,” the HSE said.

    Last week, the organization was targeted by a cyber-attack on its IT systems, which was described by government officials as possibly the ‘most significant’ case of cybercrime against the Irish State. Irish Taoiseach (Prime Minister) Micheál Martin also ruled out paying the gang, saying “We’re very clear we will not be paying any ransom or engaging in any of that sort of stuff,” according to broadcaster RTE.

    The attack took the form of ransomware: cyber criminals deploy malware that encrypts files across a victim’s network and then demand payment in exchange for the decryption key. In response, the HSE immediately shut down all of its computer systems, a precautionary measure to stop the malware spreading further through the organization’s networks. This has inevitably affected the delivery of key services across the country.

    In its latest update, the HSE said that patients should expect cancellations of outpatient services, with x-ray appointments and laboratory services, in particular, remaining severely affected. Patients will also see delays in getting their COVID-19 test results, and contact-tracing, while still operating, will take longer than usual.

    COVID-19 vaccination appointments are going ahead as normal, the health service said, encouraging those booked in for a jab to attend their appointment as planned. Emergency departments, sexual assault treatment units and the national ambulance service are still operating. The impact of the attack varies across hospital and community services nationwide, with teams on the ground working to re-deploy staff and re-schedule procedures and appointments as needed, said the HSE.

    The organization has been working with the National Cyber Security Centre (NCSC) and third-party cybersecurity experts such as McAfee to investigate the incident. The attack was identified as a human-operated ransomware variant known as “Conti”, which has been on the rise in recent months. Conti operates on the basis of “double extortion”: besides encrypting systems, the attackers steal data first and threaten to publish it if the victim refuses to pay, so that restoring from backups alone does not remove the pressure to pay.

    “We are dealing with this in accordance with the advice we received from cybersecurity experts and I think we’re very clear we will not be paying any ransom,” Micheál Martin, the prime minister of Ireland, said during a news briefing. “So the work continues by the experts.”

    Instead, the NCSC has recommended a remediation strategy that involves containing the attack by isolating the compromised systems, then wiping, rebuilding and patching all infected devices. The HSE should then ensure that antivirus is up to date on all systems before using offsite backups, checked to be untouched by the attackers, to restore systems safely. The HSE has confirmed that it is in the process of assessing up to 2,000 patient-facing IT systems, each of which includes multiple servers and devices, to enable recovery in a controlled way. There are 80,000 HSE devices to be checked before they can be brought back online.

    Priority is given to key patient care systems, including diagnostic imaging, laboratory systems and radiation oncology, and some systems have already been recovered. “Some progress has been made on getting servers cleaned, restored and back online. This is in line with the pace we had anticipated, and is a stepped, methodical process, to mitigate the risk of re-infection. We are also looking at interim solutions to get some servers back online in a proven safe way,” said the HSE. But while it is clear that data on some servers has been encrypted, the organization conceded that the full extent of the issue is unknown at this point.

    Earlier this year, Conti claimed responsibility for an attack against the Scottish Environment Protection Agency (SEPA), during which 1.2GB of data was stolen. Thousands of stolen files were published after the organization refused to pay the ransom. The latest attack against Ireland’s HSE comes only days after one of the largest pipeline operators in the US paid close to $5 million to a ransomware group that had encrypted key systems, which forced the fuel giant to temporarily close down its IT operations and hugely affected supplies across the country.

  • Google gives predictions for the future of security

    The biggest security challenge in 10 years, according to Google Security VP Royal Hansen, will be “shifting the focus of security from the technical hygiene of code and configuration to self defending data will save time and resources while unlocking rapid and safe innovation.” Hansen is one of a handful of security experts from Google offering insights and predictions about the next decade of security ahead of the annual RSA Conference.

    Hansen elaborated: “Defense in depth and the control design we have learned from engineering methodologies will finally catch up to the dynamic nature of software. The better analogies will become biological – the immune system or the combination of organ systems like circulatory and respiratory. Independent and constantly evolving but stronger operating together in the same superorganism.”

    Taking a step back to look at the bigger picture can be useful, as cybersecurity becomes an increasingly pressing issue. For most security officers, the threat landscape is concerning enough that they’re worried about getting through the next 12 months. Further predictions come from Vint Cerf, Sunil Potti, Jeanette Manfra and others.

  • Cybersecurity: How talking about mistakes can make everyone safer

    The healthiest way to approach keeping people safe from online threats is to talk about misjudgements and errors, and to do so in a way that lets them understand that almost everyone has made a cybersecurity mistake at some point. Encouraging discussion around the threats people have faced can go a long way to helping others become more aware of what to look out for, and to avoid falling victim to cyber criminals themselves.

    Even the most seasoned information security professional will have made mistakes at some point, so it isn’t right that everyone else should be chastised or even punished if they click on a phishing link, whether for real or during a company phishing test.

    “One of my favourite things I like to ask big groups of people in information security is ‘Can anyone in here guarantee that they’ve never clicked the bad link?’ In a room of hundreds of people, no one will raise their hand,” Margaret Cunningham, principal research scientist at Forcepoint, told ZDNet Security Update. “And to me that says no matter what your expertise, no matter how long you’ve been thinking about security, links, phishing, social engineering, whatever – you can still be the person who makes the mistake.”

    It’s not unusual for companies to run cybersecurity awareness campaigns built on shame and fear, punishing or embarrassing employees who fail a phishing test. But according to Cunningham, this attitude doesn’t help people get to grips with what, for many, is a subject that’s still difficult to understand.

    “Helping people understand the risk and also communicating about that risk is difficult, especially if your organisational culture is sort of punitive – like ‘you make a mistake, see you later’ – that’s not actually going to help you very much,” she said.

    If anything, people should be encouraged to talk about the online security mistakes they’ve made, because not only could it help others be more aware of potential cyber threats, it demonstrates how everyone can make mistakes and that there’s nothing for people to be ashamed of if they do fall victim to phishing, social engineering or other forms of attack.

    “There’s a huge organisational value to talking about dumb things that we’ve done – things that we’ve fallen for, the mistakes that we’ve made,” Cunningham explained. “It makes a big difference to talk about it, even if people give you the eye roll and an ‘I know,’ well, let’s just remind ourselves,” she added.

  • Russian-language cybercriminal forum ‘XSS’ bans DarkSide and other ransomware groups

    Cybersecurity researchers with Flashpoint, Digital Shadows’ Photon Research Team and other firms have confirmed that XSS, a popular cybercriminal forum, has outright banned ransomware sales, ransomware rental, and ransomware affiliate programs on its platform, according to an announcement released in Russian. The move comes after global scrutiny of ransomware groups increased following a damaging attack on Colonial Pipeline that left parts of the United States with gas shortages for days.

    Flashpoint reported that on Thursday evening, an administrator of XSS said the decision to outlaw the ransomware activities of active groups like REvil, Babuk, DarkSide, LockBit, Nefilim, and Netwalker was due to “ideological differences” as well as the increased media attention resulting from the latest high-profile attacks. The statement said the “critical mass of nonsense, hype, and noise” was leading to concerns among the forum’s members about law enforcement. They cited a recent comment from Dmitry Peskov, press secretary for Russian President Vladimir Putin, that said the Russian state was not involved in the attack on Colonial Pipeline. “Peskov is forced to make excuses in front of our overseas ‘friends’ – this is a bit too much,” the statement said, according to Flashpoint’s translation. The company noted that by 7 am on Friday, all of DarkSide’s posts in the forum had been removed.

    DarkSide is allegedly feeling the pressure in other ways, according to Flashpoint, with the group sending out a statement on another cybercriminal forum, Exploit, claiming to have had some of its tools disrupted. In a now deleted post, DarkSide representatives wrote that the group had “lost access to the public part of our infrastructure,” which included the group’s blog, its payment server and DOS servers.

    The group claimed that “funds from the payment server (ours and clients’) were withdrawn to an unknown address.” Some security analysts questioned whether the claims were real and wondered whether the message was simply a ruse to reduce government scrutiny of the group’s actions.

    DarkSide’s situation was also having an effect on other ransomware gangs like REvil, which released a new set of “guidelines” urging its members to stay away from healthcare and educational institutions as well as government organizations. The new rules demand that all new targets must be agreed upon by the leaders of the group, according to the message found by Flashpoint. Representatives for the Avaddon ransomware released similar guidelines on Exploit, according to Digital Shadows. In the last week, both the FBI and the Australian Cyber Security Centre have released notices specifically about Avaddon.

    “After the closure of DarkSide, the ransomware landscape is dominated by four major collectives: REvil, LockBit, Avaddon, and Conti. Flashpoint assesses with moderate confidence that well-established ransomware collectives—including REvil, LockBit, Avaddon, and Conti—will continue to operate in private mode,” the Flashpoint report added. “Additionally, ransomware collectives will likely begin to advertise recruitment for new affiliates via their own leak sites since many cybercriminal forums, like XSS, and other similar platforms used for ransomware advertisements will now likely refuse to host their activities.” Digital Shadows noted that DarkSide still has a recruitment thread on Exploit, although it has not been updated since April.

    Roger Grimes, data driven defense evangelist at KnowBe4, said the fear among security researchers is that much of this is window dressing so that the major powers involved can say something was done. He noted that one of the main problems with ransomware, that the people behind it cannot be arrested, is still a major issue that will lead to more attacks.

    “On top of that, many countries are absolutely cybercrime safe havens. Many countries have no problem with cyber criminals originating from their country as long as the criminals don’t attack their own countries and tacitly agree to do favors for the government, if asked,” Grimes explained, adding that some nations use stolen money to help fund government services. “It funds it directly because the perpetrators are paying expensive local and political bribes to stay in business, and indirectly because they spend the money on goods and services in the country. In many countries cybercriminals are almost celebrated by the officials.”

    Due to the unwanted attention brought by attacking a critical pipeline like Colonial’s, Grimes said some of those involved in DarkSide may get punished or arrested, but countries will not stop serving as cybercrime havens because of how lucrative it is. “The only lesson learned in this case is that a new boundary has been set. Don’t do something that causes energy shortages that gets the other nation’s government upset,” Grimes said. “But will it stop them from stealing tens of billions of dollars from tens of thousands of businesses and individuals? No.” He added that drastic action needed to be taken on a global scale to stop countries from protecting ransomware gangs who operate with impunity, noting that the UN has already started an effort to get countries to sign something akin to a “digital Geneva Convention,” although it is unlikely to get very far, Grimes said.

    KnowBe4 security awareness advocate Erich Kron said XSS sent a strong signal by banning these players from its forum, but noted that until countries band together to do something about ransomware, little will change. “Between the pipeline issue, attacks on hospitals that closed trauma centers and emergency departments, and the loss of life suffered when a German hospital was taken down, it is no wonder the heat is on these cyber criminals,” Kron said. “It has become painfully obvious that ransomware poses a serious threat to life and to the welfare of individuals, even outside the organizations that are ransomed. Ultimately, to take a bite out of these gangs, governments across the globe need to band together and shut down the illicit infrastructures and arrest the players. We must make the risk higher than the reward if we want to put an end to this dangerous trend.”

  • Linux and open-source communities rise to Biden's cybersecurity challenge

    Anyone who thought computer security problems were some abstract trouble that had little to do with their daily life was rudely awakened recently. The Colonial Pipeline ransomware attack saw gas and oil deliveries shut down throughout the southeast. Cybersecurity failures had already become a major problem with the SolarWinds software supply chain attack and with the FBI having to step in to remove web shells from compromised Microsoft Exchange servers. So, on May 12th President Joe Biden signed an executive order to boost the federal government’s cyber defenses and to warn all of America that technology security must be job one now. The Linux Foundation and its related organizations are stepping up to improve Linux and open-source security.


    The executive order recognized the vital importance of open-source software. It reads in part: “Within 90 days of publication of the preliminary guidelines … shall issue guidance identifying practices that enhance the security of the software supply chain.” Open-source software is specifically named: the government must ensure, “to the extent practicable, the integrity and provenance of open-source software used within any portion of a product.”

    Specifically, suppliers must provide purchasers with a Software Bill of Materials (SBOM), which the order defines as “a formal record containing the details and supply chain relationships of various components used in building software.” It’s an especially important issue with open-source software because:

    • Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging.
    • An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software.
    • Developers often use available open-source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.
    • Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.
    • Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.
    • A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems.

    So how much code is this anyway? The managed open-source company Tidelift has found that 92% of applications contain open source components.
    Indeed, the average modern software application may be made up of as much as 70% open-source software. Tidelift offers a service for providing open-source SBOMs.

    The open-source community itself has long been addressing this issue. In particular, the Software Package Data Exchange (SPDX) project has been working for the last ten years to enable software transparency and SBOMs. SPDX is in the final stages of review to become ISO/IEC International Standard 5962, is supported by global companies with massive supply chains, and has a large open and closed source tooling ecosystem. SPDX 2.2 already covers the National Telecommunications and Information Administration (NTIA) current guidance on minimum SBOM elements. In short, if your open-source software ships an SPDX SBOM, it already meets the executive order’s SBOM requirement. For examples of SPDX see:

    • An NTIA “plugfest” demonstrated ten different producers generating SPDX. SPDX supports acquiring data from different sources (e.g., source code analysis, executables from producers, and analysis from third parties).
    • A corpus of some LF projects with SPDX source SBOMs is available.
    • Various LF projects are working to generate binary SBOMs as part of their builds, including Yocto and Zephyr.
    • To assist with further SPDX adoption, the Linux Foundation is paying to write SPDX plugins for major package managers.

    Of course, many programs don’t support SPDX… yet. They will. It’s the only way to make certain you know what’s really in your open-source programs, and that’s become a matter of national importance.
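    What an operator or buyer actually does with such a document is easiest to see in code. The following Python is an added example, not SPDX project tooling or anything from the Linux Foundation: it loads a constructed SPDX 2.2 JSON document for a hypothetical application, walks the DEPENDS_ON relationships from the package the document DESCRIBES, and checks every component against a constructed advisory list (placeholder IDs, not real CVEs), reporting the dependency chain through which an affected component is pulled in. That chain is what you need when a new vulnerability drops and the question is “does this reach us, and through what?” The package names, versions, licenses and advisories are all made up for the example.

```python
"""Query a constructed SPDX 2.2 JSON SBOM for affected components and
licenses of concern. Added example code; not SPDX project tooling."""
import json
import re

# Constructed SPDX 2.2 JSON document for a hypothetical application.
# Package names, versions and licenses are made up for this example.
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-1.4.0",
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.4.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0"},
    {"name": "libfoo", "SPDXID": "SPDXRef-libfoo", "versionInfo": "2.3.1",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:generic/libfoo@2.3.1"}]},
    {"name": "libbar", "SPDXID": "SPDXRef-libbar", "versionInfo": "0.9.12",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "GPL-3.0-only"},
    {"name": "libbaz", "SPDXID": "SPDXRef-libbaz", "versionInfo": "5.0.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "BSD-3-Clause"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-libfoo"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-libbar"},
    {"spdxElementId": "SPDXRef-libfoo", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-libbaz"}
  ]
}"""

# Constructed advisory feed. IDs are placeholders, not real CVE numbers.
# Every version below fixed_in is treated as affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "libbaz", "fixed_in": "5.0.1"},
    {"id": "ADV-EXAMPLE-0002", "package": "libbar", "fixed_in": "0.9.12"},  # already at fixed version
    {"id": "ADV-EXAMPLE-0003", "package": "libqux", "fixed_in": "1.0.0"},   # not in this SBOM
]


def parse_version(text):
    """Dotted numeric version as a tuple; non-numeric parts are ignored (a simplification)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def load_sbom(sbom_text):
    """Return (packages by SPDXID, DEPENDS_ON edges, SPDXID of the described root package)."""
    doc = json.loads(sbom_text)
    if not doc.get("spdxVersion", "").startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    packages = {p["SPDXID"]: p for p in doc["packages"]}
    depends, root = {}, None
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON":
            depends.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
        elif rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == "SPDXRef-DOCUMENT":
            root = rel["relatedSpdxElement"]
    if root is None:
        raise ValueError("SBOM has no DESCRIBES relationship for its root package")
    return packages, depends, root


def dependency_paths(packages, depends, root):
    """Map each SPDXID reachable from the root to the chain of package names leading to it."""
    paths = {root: [packages[root]["name"]]}
    stack = [root]
    while stack:
        current = stack.pop()
        for dep in depends.get(current, []):
            if dep not in paths:  # first path found wins; also terminates on cycles
                paths[dep] = paths[current] + [packages[dep]["name"]]
                stack.append(dep)
    return paths


def find_affected(sbom_text, advisories):
    """List (advisory id, package, version, dependency chain) for every affected component."""
    packages, depends, root = load_sbom(sbom_text)
    paths = dependency_paths(packages, depends, root)
    hits = []
    for adv in advisories:
        for spdx_id, pkg in packages.items():
            if pkg["name"] != adv["package"]:
                continue
            if parse_version(pkg["versionInfo"]) < parse_version(adv["fixed_in"]):
                chain = " -> ".join(paths.get(spdx_id, ["<not reachable from root>"]))
                hits.append((adv["id"], pkg["name"], pkg["versionInfo"], chain))
    return hits


def packages_with_licenses(sbom_text, licenses):
    """Names of packages whose concluded license is in the given set (the license-analysis query)."""
    packages, _, _ = load_sbom(sbom_text)
    return sorted(p["name"] for p in packages.values() if p.get("licenseConcluded") in licenses)


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print("AFFECTED %s: %s %s via %s" % hit)
    print("copyleft components:", packages_with_licenses(SBOM_JSON, {"GPL-3.0-only", "GPL-2.0-only"}))
```

    Two points worth noting from the run. libbaz is flagged even though the application does not depend on it directly, which is exactly the transitive case an SBOM exists to expose; and libbar is not flagged because it is already at the fixed version. The version comparison here is deliberately naive (it ignores pre-release tags and ecosystem-specific ordering rules); real scanners match on the purl from externalRefs and apply the version semantics of each package ecosystem.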

    This is not just a problem, of course, with open-source software. With open-source software, you can actually see the code so it’s easier to make an SBOM. Proprietary programs, like the recently and massively exploited Microsoft Exchange, are black boxes. There’s no way to really know what’s in Apple or Microsoft software. Indeed, the biggest supply-chain security disaster so far, SolarWinds’ catastrophic failure to secure its software supply chain, was a failure in a proprietary software chain.

    Besides SPDX, the Linux Foundation recently announced a new open-source software signing service: the sigstore project. Sigstore seeks to improve software supply chain security by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. Developers can sign software artifacts such as release files, container images, and binaries, and the signing records are then kept in a tamper-evident public log: anyone can verify that a record is in the log, and any alteration of an entry after the fact is detectable. The service will be free for all developers and software providers to use. The sigstore code and operation tooling that will make this work is still being developed.

    Before sigstore, the Linux Foundation’s earlier Core Infrastructure Initiative (CII) and its current Open Source Security Foundation (OpenSSF) have been working to secure open-source software, both in general and its components. The OpenSSF, in particular, is a broad industry coalition “collaborating to secure the open-source ecosystem.” To further ensure the integrity of supply chains, the executive order demands that agencies employ “automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code.” The Linux Foundation oversees multiple projects to help with this besides sigstore.
    The LF has many projects that support supply-chain integrity, in particular:

    • in-toto is a framework specifically designed to secure the integrity of software supply chains.
    • The Update Framework (TUF) helps developers maintain the security of software update systems, and is used in production by various tech companies and open source organizations.
    • Uptane is a variant of TUF; it’s an open and secure software update system design that protects software delivered over the air to the computerized units of automobiles.
    • OpenChain (ISO/IEC 5230) is the international standard for open source license compliance. Applying OpenChain requires identifying OSS components. While OpenChain by itself focuses more on licenses, that identification is easily reused to analyze other aspects of those components once they’re identified (for example, to look for known vulnerabilities).

    The executive order also asks that “the Secretary of Commerce [acting through NIST] shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria [including] criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices [and guidelines] for enhancing software supply chain security.”

    To address this, the OpenSSF’s CII Best Practices badge project specifically identifies open-source software best practices, with a focus on security. It includes criteria to evaluate the security practices of developers and suppliers. Today, it has over 3,800 participating projects. The Linux Foundation is also working with Supply-chain Levels for Software Artifacts (SLSA) to further deal with supply chain issues.
    The executive order also requires agencies to adopt “encryption for data at rest and in transit.” Encryption in transit is already widely implemented on the web using the Transport Layer Security (TLS) protocol, and the Internet Security Research Group’s (ISRG) open Let’s Encrypt project is the world’s largest certificate authority for TLS certificates. In addition, the LF Confidential Computing Consortium is dedicated to defining and accelerating the adoption of confidential computing, which covers the remaining gap, data in use, by performing computation inside a hardware-based Trusted Execution Environment (TEE). These secure and isolated environments prevent unauthorized access to, or modification of, applications and data while they are being processed.

    Of course, there always will be bugs. To address these, the CII Best Practices badge passing criteria require that OSS projects specifically identify how to report vulnerabilities to them. More broadly, the OpenSSF Vulnerability Disclosures Working Group is working to help “mature and advocate well-managed vulnerability reporting and communication” for OSS. For example, while most widely used Linux distributions, especially Red Hat, have a robust security response team, not everyone does. The Alpine Linux distribution, which is widely used in container-based systems, until recently didn’t have one. The Linux Foundation and Google funded various improvements to Alpine Linux, including a security response team.

    Biden’s executive order also called on everyone to focus on “critical software.” The Linux Foundation has been doing this for some time. The Linux Foundation and the Laboratory for Innovation Science at Harvard (LISH) recently released Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software. This, as the name says, analyzed critical and vulnerable open-source software. This report is being updated. The CII also identified many important projects and assisted them in becoming more secure.
    These include small but vital projects (aka the all-important program supported by one person working out of their farmhouse in Nebraska), including OpenSSL (after Heartbleed), OpenSSH, GnuPG, Frama-C, and the OWASP Zed Attack Proxy (ZAP). The OpenSSF Securing Critical Projects Working Group has been working to better identify critical OSS projects and to focus resources on those that need help. There is already a first-cut list of such projects, along with efforts to fund such aid.

    Thinking of security jokes, the executive order recognizes that most Internet of Things (IoT) device security bugs are never fixed. As the joke goes, the “S” in IoT is for security. The responsibility for that lies with IoT vendors, who sometimes don’t even provide options to update their software, never mind actually issuing security patches. While the Linux Foundation can’t fix that, Linux Foundation members can and do supply secure software and operating systems. These include:

    • The Linux kernel itself, which is used by many IoT devices.
    • The Yocto project, which creates custom Linux-based systems for IoT and embedded systems. Yocto supports fully reproducible builds.
    • EdgeX Foundry, a flexible open-source software framework that facilitates interoperability between devices and applications at the IoT edge, and has been downloaded millions of times.
    • The Zephyr project, which provides a real-time operating system (RTOS) used by many for resource-constrained IoT devices and is able to generate SBOMs automatically during build. Zephyr is one of the few open-source projects that is a CVE Numbering Authority.
    • The seL4 microkernel, which is the most assured operating system kernel in the world; it’s notable for its comprehensive formal verification.

    Finally, the Linux Foundation is already addressing the call for a consumer software labeling program [that reflects] a baseline level of security practices with several projects.
    Besides the aforementioned OpenSSF’s CII Best Practices badge project, these are:

    Put it all together, and the Linux and open-source community are already well on their way to meeting the demands of this new security order. Much more needs to be done, but at least the framework is in place. This is essential work, and the Linux Foundation would welcome your help with it. As David A. Wheeler, the Linux Foundation’s Director of Open Source Supply Chain Security, said, “We couldn’t do this without the many contributions of time, money, and other resources from numerous companies and individuals; we gratefully thank them all. We are always delighted to work with anyone to improve the development and deployment of open-source software.”

    As the events of recent months have shown, indeed of recent hours, with the ransomware attack on Ireland’s health system, security must become job number one not just for the federal government, but for everyone.

  • Learning from cyber attacks could be the key to stopping them

    Organisations should use major cyber incidents as a way to think through the core of their security strategy in order to prevent, or recover better from, similar attacks.

    “A significant cyber incident is really an opportunity; because it’s an opportunity to focus on the core issues that lead to these cyber incidents,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, speaking at the UK National Cyber Security Centre’s (NCSC) CYBERUK 21 virtual conference.

    Neuberger said that whether it’s something like the SolarWinds sophisticated supply chain attack, or the Colonial Pipeline ransomware incident, “we know that vulnerabilities across software and hardware can bring on larger concerns”, but that looking at the core issues can help everyone improve their security. “As we look at those issues, we look at them in the frame of them – the entities conducting the cyber hacks – and us, what we need to do to build the reliance, to be able to prevent or rapidly recover from these incidents”.

    Cyber criminals and other malicious hackers look for vulnerabilities to exploit to infiltrate networks, so questions need to be asked to ensure that networks are as resilient as possible against attacks. “So we turn to us – which is what we need to do about it. First and above all, shifting our thinking from incident response to how do we prevent, how do we build more reliance, how do we build more secure software?” Neuberger explained.

    “How do we ensure, for example, that the systems that we use to build software have best practices like multi-factor authentication, that we’ve rolled out encryption across our government systems, so that even if an adversary steals significant information, it’s difficult for them to use that information”. What much of it comes down to is to “ensure that technology is both secure and easier to use”, she said. “But also shift our thinking to where it needs to be, which is how do we drive prevention and more security so that we have greater resilience to these hacks,” Neuberger added.

    Neuberger’s comments came shortly before President Joe Biden signed an executive order in an effort to boost the cybersecurity of federal government agencies in the aftermath of the Colonial Pipeline ransomware attack, the SolarWinds attack and the zero-days in Microsoft Exchange that left many organisations vulnerable to cyber attacks. It mandates that agencies have 180 days to implement multi-factor authentication and to encrypt data at rest and in transit, and agencies that can’t meet the deadline will have to explain why in writing.

  • Best ethical hacking certification in 2021: Top pro courses

    Hacking isn’t necessarily about just having an in-depth knowledge of code: it’s about enjoying a challenge and problem-solving. While understanding the bare bones of computing and networking before working your way up is a critical component of a successful career in cybersecurity, the work opportunities vary based on your interests and the path you wish to pursue. One path you can pursue is that of ethical hacking: learning how to think like an attacker in order to find and remediate vulnerabilities before threat actors are able to exploit gaps in enterprise systems for illicit financial gain, cyberespionage, or to cause damage. These courses focus more on offense than defense, and topics covered often include penetration testing, malware analysis, exploit development, and a study of today’s hacking tools. Below, ZDNet has compiled a list of recommended courses to explore in the ethical hacking field.

    Globally recognized

    The first recommendation, and perhaps the most well-known option today, is the EC-Council’s Certified Ethical Hacker (CEH) qualification. CEHv11 teaches students about today’s modern hacking techniques, exploits, emerging cybersecurity trends and attack vectors, and how to use commercial-grade tools to effectively break into systems. Modules also include cyberattack case studies, malware analysis, and hands-on hacking challenges. Learners can also pick up a bolt-on of 24 hacking challenges across 18 attack vectors such as bash exploits, server-side request forgery (SSRF), file tampering, and blind SQL injection. This certification would suit a range of roles including security analysts, pen testers, network engineers, and consultants.

    $1,199 at EC-Council

    Think offense, not defense

    Offensive Security’s Penetration Testing with Kali Linux (PEN-200) is the organization’s foundation course in using the Kali Linux OS for ethical hacking. The vendor’s focus is hands-on learning rather than just lectures and academic study, and it encourages both critical thinking and problem solving with its “Try Harder” slogan. You will need a solid grounding in network principles, and an understanding of Windows, Linux, and Bash/Python will help. If you’re serious about pursuing a career in ethical hacking but are looking for somewhere to start, the OSCP will give you a qualification that is well received in the cybersecurity industry.

    $999 at Offensive Security

    Advanced exploitation

    Another ethical hacking certification you should consider is PEN-300 (OSEP). The course builds upon PEN-200 and offers more in-depth, advanced penetration testing training, field work instruction, and studies in perimeter attack and defense. Topics include antivirus evasion, post-exploitation, how to bypass network defenses and filters, and Microsoft SQL attacks. You are awarded the OSEP once you have passed the 48-hour exam.

    $1,299 at Offensive Security

    Reconnaissance and infiltration

    The SANS Institute also offers courses that are likely to be of interest to anyone pursuing a career in ethical hacking. One such course is SEC560, a journey into how to perform reconnaissance as an attacker and exploit target systems to obtain initial access. SANS teaches learners about typical and less well-known methods of infiltrating systems through hands-on exercises and lab sessions. The course is affiliated with the Penetration Tester (GPEN) certification from SANS partner GIAC and ends with a Capture The Flag exercise to test your new skills.

    $7,270 at SANS

    Exploiting web apps for the enterprise

    Another option to consider from the SANS Institute is SEC542, which focuses on the ethical hacking and testing of enterprise web applications. SEC542 teaches participants how to spot vulnerabilities in web applications, how to exploit them, and what tools and techniques attackers may use to compromise this type of software. The course includes hands-on exercises and instructor guidance based on a four-step process for web application penetration testing.

    $7,270 at SANS

    Defined exam paths to certified status

    CREST is also worth noting as an organization that offers professional development qualifications in information security. CREST’s certifications, accredited globally, are organized into three levels: practitioner, registered, and certified. You can take exams in subjects including cybersecurity analysis, penetration testing, web applications, threat intelligence, and incident response to reach the certified level. Prices vary.

    View Now at CREST

    What roles can an ethical hacking qualification benefit?

    Recruitment paths vary from country to country, but ethical hacking courses can be of use to those who want to become penetration testers, security analysts (an umbrella term common in the field), cyberforensics specialists, consultants, and members of red teams.

    Which is the right certification for you?

    If you’re looking at a certified ethical hacking course, you should consider which course is right for you in terms of career development. Cybersecurity professionals are in high demand and while the career can be a lucrative one, you should research whether or not a specific qualification will benefit you in the future, whether at your current job or in a future role.

    How did we choose these certifications?

    Our recommendations are based on courses that offer learners instruction in different areas of ethical hacking: whether focused on offensive security, pen testing, or the aftermath of incidents and the means to effectively investigate as a member of a cyberforensics team. 

    Toshiba unit struck by DarkSide ransomware group

    A Toshiba unit has become the latest victim of a DarkSide ransomware attack. 

    On Friday, Toshiba Tec Corp said it was struck by a cyberattack that has impacted some regions in Europe. Toshiba Tec Corp manufactures products including barcode scanners, Point-of-Sale (PoS) systems, printers, and other electrical equipment. The unit’s French subsidiary appears to have been targeted. After discovering the attack, Toshiba Tec shut down networks between Japan, Europe, and its subsidiaries to “prevent the spread of damage” while recovery protocols and data backups were implemented. The company says that an investigation has been launched into the extent of the damage and a third-party cyberforensics specialist has been pulled in to assist. “We have not yet confirmed that customer-related information was leaked externally,” Toshiba’s unit says. However, the company did acknowledge that “it is possible that some information and data may have been leaked by [a] criminal gang.”

    This group is DarkSide, cybercriminals that hit the headlines this week following the Colonial Pipeline cyberattack. DarkSide is a ransomware-as-a-service (RaaS) outfit that provides ransomware to affiliates within its network in return for a cut of any profits made by extorting victim organizations. DarkSide affiliates employ a double-extortion tactic, in which companies first receive a demand for payment in return for a decryption key to unlock systems infected with DarkSide ransomware. If they refuse, they are then threatened with the public release, on a leak site, of confidential data and records stolen during initial access. At the time of writing, DarkSide’s leak site is not accessible. The Toshiba subsidiary said that only a “minimal amount of work data had been lost,” reports Reuters. However, a cached version of the leak post, accessed by ZDNet via Kela’s Darkbeast search engine, appears to show stolen passport scans alongside project documents and work presentations. The leak record, posted May 13, claims that over 740GB of data was stolen from Toshiba. The same ransomware operators are responsible for the attack on Colonial Pipeline last Friday. Colonial Pipeline, a company that provides roughly 45% of East Coast fuel supplies, was forced to close down its operations for close to a week following the encryption of its IT systems. The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert and advisory on DarkSide and broader RaaS criminal operations.

    Read on: Colonial Pipeline attack: Everything you need to know

    ZDNet has reached out to Toshiba Tec Corp and we will update when we hear back.