Should you hire a hacker to assess your security risk? CW360.com
examines the pros and cons of using an ethical hacker.
Breakdown services and police authorities use the skills of former
thieves to break into cars for stranded motorists. So surely it is
logical that IT managers should hire hackers to assess the status
of their security systems. What better way to check out how
vulnerable your system is to attack than to employ somebody who
would normally be doing so anyway, but with a darker intent?
The fact that high-profile hacking attacks are on the increase is
evidence that the problem is not going away - and that conventional
means of combating cybercrime are not enough. The hackers and
crackers of this world always seem to be one step ahead. All the
more reason to get them on-side then.
A solution is needed and if it is not forthcoming from within the
system, it must come from outside. In this classic
poacher-turned-gamekeeper scenario, it makes sense to employ
someone like convicted German hacker Kim Schmitz as a security
consultant.
Schmitz, the man who once hacked his way into a German bank to give
chancellor Kohl a negative bank balance, claims Nasa and the
Pentagon among his scalps. On his release from prison, he was
swamped with offers of consultancy work from German companies,
desperate to shore up their IT security systems against outside
attack.
Within a week, Schmitz had crossed the tracks and was advising
Lufthansa on security. Later, he recruited a team of hardcore
hackers and set up his own data protection firm Dataprotect.
Cool response
But it is doubtful whether a hacker would
have received such a warm response from the IT sector in the UK. It
has often been said that, while IT directors in the UK have finally
come round to the importance of security, the decision makers have
yet to follow and are not up to speed on the potential threats
posed by hackers.
Only last month, foreign secretary Robin Cook spoke out on the
threat posed by cybercrime, warning that hackers "could cripple the
nation more quickly than a military strike". And when the
Government starts talking about a problem, then the situation must
be very grave indeed.
One fundamental issue in the hiring of a hacker is ethics. After
all, hackers are criminals. And in the UK, the inclusion of
cybercrime in the Terrorism Act 2000 means that hackers can now be
treated as terrorists.
But even in the hacker world, there are good and bad guys. Ethical
or "white hat" hackers highlight vulnerabilities in a system by
conducting penetration tests and vulnerability assessments. The
difference between them and their less scrupulous "black hat"
colleagues is that they alert the owners to prevent potential
damage.
Some schemes, such as IT Health Check, run by the
Communications-Electronics Security Group and the Defence
Evaluation & Research Agency, teach ethical hacking skills to
arm people in the war against hacking.
In a recent cybercrime survey conducted by Articon-Integralis,
which polled the senior directors of 800 FTSE companies, 64% of
people said that they would not employ a former hacker as a
consultant at their company.
However, in the study, 81% of respondents believed that top hackers
had the same skills as their IT professional counterparts.
Interestingly enough, 43% believed they would earn more as a hacker
than in their current employment.
UK-based security consulting and integration firm Logical sees its
refusal to hire "reformed" hackers as one of the cornerstones of
its ethical hacking services. The company views its stance as an
emerging trend among e-security consultancies and corporate IT
departments.
In an internal summary on ethical hacking, Logical says, "Such a
move is fraught with danger as the level of security flaws they
become exposed to on their clients' behalf can be staggering. With
a hacker on the staff, client confidence must always be in
question."
Besides, as the company points out, ethical hackers need more than
hacking skills in their arsenal. Ethical hackers have to stay
abreast of developments in areas such as software patches and need
a detailed understanding of the systems and business operations
that they have been employed to guard.
Ivor Lloyd, chairman of the BCS' security committee, is also
against employing and recommending hackers, especially those with
criminal records, but supports ethical hacking.
"We would welcome professional ethical hackers onto the BCS
security register," Lloyd says. "Ethical hacking [penetration
testing] is an extremely useful form of testing the defences of
computer systems from unauthorised access."
Lloyd believes that hacking is all pervasive within the industry,
so you might as well make use of ethical hackers, who have inside
knowledge of the system architecture and its configuration. He is
quick to point out that systems need to be brought up to date and
properly configured and that ethical hacking exercises are purely a
method of testing systems and not a replacement for security.
The BCS' security register has a code of conduct which prevents it
from recognising "unethical" hackers. The wording of the code
states that, to be registered, you have to be "a fit and proper
person", which, in the BCS' view, a conventional hacker is not.
Unsurprisingly, some ethical hackers do not have lily-white CVs and
hail from the other side of the tracks. One example is Mathew
Bevan, who went by the name of "Kuji" in his hacking days. When
charges of hacking into US defence sites were dropped, Bevan joined
Tiger Computer Security as a security consultant and has recently
been chosen by Nintendo and TV channel E4 to head up their viral
marketing campaigns.
Peter Sommer, a research fellow at the London School of Economics,
who specialises in computer crime, emphasises the need for caution
when addressing security issues such as hiring hackers.
"It is not simply a question of ethics but more a case of being
prudent and sensible about what it is you're trying to do," Sommer
says.
It is essential to be aware of what results you don't want to get
as well as what you are expecting, says Sommer. You need to work
out formal rules of engagement to ensure that your defences are
probed in an orderly fashion.
Sommer likens the idea of hiring hackers to that of security
firms hiring ex-SAS soldiers. Most people don't need the level of
skills that the SAS teaches its soldiers and chances are they need
other skills that those people cannot provide. In both cases, image
takes precedence over practicalities.
And although a hacker can identify weaknesses in a system, it is
doubtful whether he or she will provide a solution to those
problems. A further problem that Sommer identifies is that many
testing techniques assume that attacks will come from outside the
company and not, as is often the case, from inside.
Rob Graham, chief technical officer of security firm Network ICE,
questions the whole existence of this "fanciful secret world of
elite hackers".
"Hackers, the hacker community and elite secrets are really myths
created by the media because they sell," says Graham. "I don't
believe in them any more than I believe in the tooth fairy."
This whole issue of hiring hackers is obviously something that
grates with him.
"I have to regularly respond to questions as to whether we employ
'hackers'," Graham says. "One answer implies we are stupid, the
other implies we are evil. I just smile knowingly and keep
quiet."
He also questions the employability of these hackers and reckons
that there are probably many people who could hack into the
Pentagon or CIA Web site using tools downloaded from the Internet
but who could not execute simple coding exercises without a
reference manual.
Another man who questions the idea of hiring hackers is Richard
Boothroyd, a principal consultant at ICL with responsibility for
cybercrime. Like Graham, he also doubts whether the hacking
community is significantly large and bemoans the media gloss
surrounding their image. Boothroyd also points out the ethical
issues behind such a decision.
From a practical point of view, a convicted hacker would not get security
clearance, which is vital for carrying out ICL's projects. He
also feels that the company's customers would be nervous about the
idea of hiring hackers.
Although Boothroyd admits that finding highly skilled staff for
ICL's security practice is a big headache, he doubts whether
employing hackers is the answer.
"These people cause a lot of damage," Boothroyd says. "We're
romanticising these people out of all proportion. What we should be
doing is de-romanticising them - they're cyberpunks."
He also questions whether these people are needed. "There are
people out there, who can do equally as good or better," Boothroyd
says, the only difference being that they're batting for the good
side.
And therein lies the crux of the matter. The skills to combat the
hackers and reduce the level and scale of attacks are out there but
they are not being used. Many companies still seem to believe that
the firewall they installed a few years ago is a panacea and does
not need updating or changing.
All too often, security is merely an afterthought and, once a
solution is installed, quickly forgotten. But these measures are
more out of sight than oversight. A key element in the hacker's
mindset is the willingness and necessity to move with the times and
embrace new technology. Refusing to follow suit and update your
security is like leaving your front door open. And if the Pentagon
can get hacked then your run-of-the-mill dotcom, hiding behind a
flimsy firewall, had better watch out.
Other methods for combating hackers do exist. One way of protecting
yourself from the unwelcome attentions of hackers is by using
software such as Vigilante's network security testing product
Securescan.
A more elaborate method is the Honeynet project. Unlike
conventional honeypots, which also act as lures for hackers,
Honeynet places a network behind a firewall and a system within
that configuration to act as the bait or "honey". The aim is to
create a more realistic environment to attract hackers, to observe
them at work and learn their methods. The scheme was set up by a
collection of 30 security professionals "to learn the tools,
tactics, and motives of the black hat community, and share those
lessons learned".
Disseminating information on hacking can be a major problem. Some
companies have been reluctant to report attacks fearing that they
will highlight and publicise security weaknesses in their systems.
So it is not surprising that they can be reluctant to get together
and collaborate in the war against hackers.
However, earlier this year, 19 companies in the US high-tech
sector, including Microsoft, Oracle and Intel, joined forces to
form an anti-hacking powerhouse. The Information Technology
Information Sharing and Analysis Centre, run by Atlanta-based
Internet Security Systems, acts as a forum to disseminate ideas and
information relating to threats from hackers and viruses.
Hiring a hacker is not always a conscious decision. As many
"reformed" hackers are now involved in providing security
consultancy services, companies may be hiring hackers without
realising it. And as Graham wonders, just how many of those
"techies" in the backrooms of your company were at some time, or
may still be, part of the hacker community?
But if you do decide to hire an "ex-hacker", you should be aware
that you could be helping to create a rise in the incidence of
hacking, warns Simon Rogerson, director of the Centre for Computing
and Social Responsibility at De Montfort University. As he points
out, promising a pot of gold for hackers who go legit is a funny
way to combat the underlying problem. It could well give off the
wrong signals to those considering dabbling in the black hat
arts.
Tips when hiring hackers
- Don't assume that attacks can only come from outside - many
come from inside the organization
- A hacker might be able to identify the problem but can they
provide a solution?
- Many hackers are just one-hit wonders; they may not be able to
offer the additional skills you need
- Do you really need the level of hacking skills they can
bring?
- Can a leopard change its spots? Putting a hacker in charge of
your security is like hiring a burglar to guard a bank.
Things to consider when vulnerability testing
- Make sure that you set out some formal rules of engagement
before embarking on a penetration test
- Consider what you do not want as well as what you do: set out
the limits clearly
- Penetration tests can cause damage - make sure the ethical
hacker is insured and that you are protected through a formal
contract
- Ensure that the security infrastructure is properly set up
before the test starts
- Penetration tests and risk analysis are not a replacement for
security, merely a method of checking it.