In the never-ending fight to protect corporate data, security managers find that old enemies are quickly becoming valued employees.
|Some highly respected organizations are starting to help fill the security certification void.|
One major reason for the popularity of ex-hackers as network watchdogs is this: How else can a person demonstrate security skills? You can't exactly invite job candidates to an interview and ask them to attack somebody's network while you observe. In other areas, certifications play a key role in establishing bona fides. But security has lagged. "This industry has a long way to go before certifications really help a lot," says Richard Moxley of Blackbird Technologies.
But now some highly respected organizations are trying to fill this void by offering certifications.
ICSA.net (www.icsa.net), based in Reston, Va., recently began offering two certifications for IT professionals: the ICSA.net Certified Network Security Administrator (ICNSA) and the ICSA.net Certified Network Security Engineer (ICNSE). The names are a mouthful, but ICSA.net, with an outstanding reputation in the security field, is well positioned to impose standards on the network security field. ICNSA classes are being offered now worldwide, while ICNSE classes are set to begin in Q3 2000.
The Computer Security Institute (www.gocsi.com), based in San Francisco, offers many vendor-neutral courses and certifications that are highly regarded by experts.
Naturally, almost all major security vendors offer training and certifications in their own products.
It's clear that protecting the corporate network and data information is a top priority for information technology departments. In its most recent Computer Crime and Security Survey, the San Francisco-based Computer Security Institute found over $265 million worth of security breach-related losses at 273 organizations, most of them large corporations or government agencies. And while insiders are still the most likely culprits, more and more breaches are coming from outside the firewall. Blame for this trend, of course, falls squarely on the rising importance of the Internet. Guarding the crown jewels, then, is obviously a vital chore. But how?
Several factors have conspired to make hackers look like prize catches as security consultants. There's an IT worker shortage on (in case you hadn't noticed), and as the network grows in importance and complexity, nearly every organization fears--correctly, in most cases--that it's vulnerable and that the major reason it hasn't been cracked is dumb luck. Stir in recent highly publicized attacks that crippled such sites as eBay and CNN, and the logic seems sound: Why not make allies of the very folks who've demonstrated they know how to do this stuff? The Federal Bureau of Investigation itself has made 21-year-old John Vranesevich, a college dropout and a former hacker, its chief undercover investigator in the fight against criminal hacking.
On the other hand, there's the fox-and-henhouse concern: Many IT managers have legitimate questions about the wisdom of trusting security to those who've built expertise and fame breaching it. And there's an ethical question, too: Even if hiring hackers is the best way to protect yourself, is it right to reward somebody for messing with others? Moreover, experts say that many who seek to cash in on hacker cachet are mere "script kiddies"--unskilled punks who attack sites by running scripts they dig up at Web sites or elsewhere.
Exploring these issues will teach you a lot about the choices involved--whether you ought to hire a hacker and what measures to take if you decide to do so. Know your terms
The term "hacker" is a broad one. For many, the first image that comes to mind is that of an amoral 16-year-old sitting in his bedroom, listening to death-metal on headphones, and crashing sites for giggles. Unfair though it may be, the image lives on--thanks in no small part to breathless stories in daily newspapers and on television magazine shows.
The truth is more complex. As the Web site of @Stake Inc., a security company, puts it, "To say all hackers are criminals is like saying all locksmiths are felons. Hacking is a skill, just like picking locks. It's how the skill is applied that matters." @Stake has reason to stress this point: The Cambridge, Mass.-based company recently merged with Boston-based L0pht Heavy Industries Inc., a security collective with deep hacker roots.
"When I say 'hacker,' I mean it in the old sense of the word," says Richard Moxley, vice president of technology at Blackbird Technologies Inc., a security consulting firm in Fairfax, Va. "Someone with a genuine technical curiosity, someone who likes to poke around under the hoodwith the enthusiasm and interest that defined early hackers."
|The pros and cons of hiring hackers
ProsDiverse systems skills
Expertise in "social engineering"
Potential lack of discipline
May lie about expertise
Criminal record may preclude hiring or security clearance
So whether you seek to hire hackers or ban them from the premises, your first chore is to decide specifically who you're hiring (or banning). People convicted of computer crimes? People who've not been convicted but brag about committing such crimes? People who don't brag, but rather hint? People who've been members of certain groups or attended certain events?
Welcome to the world of hacking, where very little is black and white. The pros
Many IT organizations and security consulting firms that make use of hackers' services do so because it's a "challenge to establish the technical credentials of their experts," says Moxley. "I guess the hiring thought process is, 'This individual must be capable of breaking into systems because he's been arrested for it.'" While he's "not without sympathy" for organizations that believe they need to go this route, Moxley stresses that Blackbird Technologies, like many other firms, does not hire people with a criminal background. On a practical note, many clients require a security clearance and/or background check. Moreover, "that's not the right way to hire the kind of people we're looking for," Moxley says.
Having very strict security restrictions in place is the reason Paul Raines had problems when he was trying to hire a consulting firm to hack his organization. Raines, vice president of electronic security at the Federal Reserve Bank of New York, has rules about such penetration tests. Rule one: During any such test, Federal Reserve IT workers sit in. Just to make sure. The consultants balked. "They wouldn't allow someone to look over their shoulder," Raines says. Result? "Even though they passed all the background checks, we said no."
Raines says it's a risk to hire hackers to do penetration tests--but you can minimize those risks by taking some simple, pragmatic steps, and the expertise may prove invaluable.
In particular, true hackers are likely to be experts in the ways of "social engineering," convincing employees to do foolish things that compromise security. It's well understood that people are the weak link in corporate security. Skilled social engineers can convince workers to divulge their passwords to a complete stranger over the telephone; boldly walk through cubicles, posing as a new support guy while reading dozens of such passwords that are carelessly written on sticky notes; and engage in a little "Dumpster diving," searching trash for sensitive data. These are the everyday lapses that compromise security, and an experienced hacker is most likely to understand them.
Moreover, while the basic skills required to safeguard networks can be taught to any solid IT pro, there's a certain curiosity--an insatiable need to know what's behind a locked door, a fascination with puzzles, an ego that won't rest until it tops the other guy--that hackers and former hackers have in spades. And hackers are likely to have valuable breadth in their experience; they tend to possess at least a nodding familiarity with multiple operating systems, network design, protocols, and encryption tools. Hiring managers will understand how rare such diverse knowledge is. The cons
"Anybody who hires a hacker is an idiot," says Ira Winkler, never one to mince words. Winkler is founder and president of the Internet Security Advisers' Group, a Severna Park, Md.-based consulting and management business. He wrote Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It
"When you hire a hacker," Winkler says, "What are you hiring? Of the people claiming to be hackers, maybe one-tenth of 1% are really skilled. The rest are script kiddies."
Why such fibbing? First, there's the romanticized image of the fearless, against-the-grain hacker popularized by the media (call this the "War Games" factor). "It's the mystique of the hacker," Winkler says. "All you need is body piercings and a bad haircut, and people think of you as a genius."
Second, security is a hot, lucrative field. So any script kiddy who ever cracked a site may be tempted to embellish his deeds in order to land a job. And there's a reason they're called script kiddies. Experts stress that most of today's hacks are made possible not by razor-sharp technical skills, but rather by poorly protected networks that are vulnerable to rote, mechanistic attacks. "What do teenagers have that others don't?" Winkler points out. "Time on their hands."
|Best practices for hiring hackers
Hire hackers for discrete, well-defined projects
Clear hires and contracts with your legal department
Insist on being present during penetration tests
Don't start with mission-critical sites
Perform tests at noncritical hours, if possible
Don't substitute hackers for systematic auditing
So when somebody boasts of their hacking prowess, they may really be saying they have nothing better to do than sit in their room and bang away at firewalls. "They're relying either on known holes or massive computing power," says Raman Sud, vice president of engineering at Burlington, Mass.-based PurchasingCenter.com, a portal for maintenance and janitorial supplies. Sud does not hire hackers. "That's a shotgun solution," he says. "You need a long-term strategy."
Hiring managers should heed the experts' rule of thumb: The harder a job applicant tries to portray himself as an ultra-hip member of the hacker underground, the more skeptical you should be of his credentials. Action plan
So who do you hire to protect your data? The road forks; you either decide you'll hire hackers or decide you won't. Either way, here are some suggestions: If you hire hackers...
Probe, question, check, and double-check credentials. Set aside stereotypes and think about what type of hacker you want in your organization. Are you willing (or empowered) to hire people convicted of computer crimes, gambling that their expertise offsets their previous mistakes? Or will you ban on the convicted but hire folks whose backgrounds indicate they've done their share of hacking?
Either way, pull in the lawyers. The earlier the better. "When setting up a penetration test, bring the legal people in before contract negotiations," advises Raines of the Federal Reserve Bank of New York. Your legal department may want to kibosh the whole idea, in which case you'll have to do some fancy footwork to gain buy-in. More likely, they'll add helpful clauses to your contract.
|Raman Sud, VP of engineering at PurchasingCenter.com, has a no-hacker policy. "That's a shotgun solution," he says.|
Finally, PurchasingCenter.com's Sud suggests that if you invite a hacker into your organization, "Hire them for a specific task--not as part of a long-term plan." If you ban hackers...
You still need somebody to guard the crown jewels. "The best security people I've ever seen are just smart network administrators who took the time to research security," Winkler says. Easier said than done, because such employees tend to be overworked, with many fires to fight. But when experience is in short supply, training is always an option. "Find highly skilled system and network administrators," Winkler advises. "Give them the time and training they need to become proficient in security."
Moxley of Blackbird Technologies agrees. He says it's best to hire someone who's worked as a systems administrator, a network engineer, or a software developer, "but always had a side interest in security." Skilled, curious IT people can learn the security craft with relative ease, experts say.
Time is always hard to come by, and that situation shows no sign of easing up; skilled IT workers are always in demand all over the organization. In the past, the training was scarce as well. But thanks to an increasing menu of certification programs, that's changing (see sidebar, "Securing certification
Experts agree that paying attention to the basics is your best bet. Perform periodic audits. Stay current with updates issued by the Computer Emergency Response Team. Leverage your vendors' security teams. PurchasingCenter.com's chief vendor is Exodus Communications Inc., a Santa Clara, Calif.-based Internet hosting and services company. "They have a security team that we make use of," Sud says.
In the final analysis, a solid, systematic security program, backed by top management, is the best way to fight security breaches. No matter who you hire for the job, they need time, training, and a clear mission. // Steve Ulfelder is a freelance writer who lives in Southboro, Mass. You can contact him at firstname.lastname@example.org.