Would you turn to the dark side?

Should you hire a hacker to assess your security risk? CW360.com examines the pros and cons of using an ethical hacker.

Breakdown services and police authorities use the skills of former thieves to break into cars for stranded motorists. So surely it is logical that IT managers should hire hackers to assess the status of their security systems. What better way to check out how vulnerable your system is to attack than to employ somebody who would normally be doing so anyway, but with a darker intent?

The fact that high-profile hacking attacks are on the increase is evidence that the problem is not going away - and that conventional means of combating cybercrime are not enough. The hackers and crackers of this world always seem to be one step ahead. All the more reason to get them on-side then.

A solution is needed and if it is not forthcoming from within the system, it must come from outside. In this classic poacher-turned-gamekeeper scenario, it makes sense to employ someone like convicted German hacker Kim Schmitz as a security consultant.

Schmitz, the man who once hacked his way into a German bank to give chancellor Kohl a negative bank balance, claims Nasa and the Pentagon among his scalps. On his release from prison, he was swamped with offers of consultancy work from German companies, desperate to shore up their IT security systems against outside attack.

Within a week, Schmitz had crossed the tracks and was advising Lufthansa on security. Later, he recruited a team of hardcore hackers and set up his own data protection firm Dataprotect.

Cool response
But it is doubtful whether a hacker would have received such a warm response from the IT sector in the UK. It has often been said that, while IT directors in the UK have finally come round to the importance of security, the decision makers have yet to follow and are not up to speed on the potential threats posed by hackers.

Only last month, foreign secretary Robin Cook spoke out on the threat posed by cybercrime, warning that hackers "could cripple the nation more quickly than a military strike". And when the Government starts talking about a problem, then the situation must be very grave indeed.

One fundamental issue in the hiring of a hacker is ethics. After all, hackers are criminals. And in the UK, the inclusion of cybercrime in the Terrorism Act 2000 means that hackers can now be treated as terrorists.

But even in the hacker world, there are good and bad guys. Ethical or "white hat" hackers highlight vulnerabilities in a system by conducting penetration tests and vulnerability assessments. The difference between them and their less scrupulous "black hat" colleagues is that they alert the owners to prevent potential damage.

Some schemes, such as IT Health Check, run by the Communications-Electronics Security Group and the Defence Evaluation & Research Agency, teach ethical hacking skills to arm people in the war against hacking.

In a recent cybercrime survey conducted by Articon-Integralis, which polled the senior directors of 800 FTSE companies, 64% of people said that they would not employ a former hacker as a consultant at their company.

However, in the study, 81% of respondents believed that top hackers had the same skills as their IT professional counterparts. Interestingly enough, 43% believed they would earn more as a hacker than in their current employment.

UK-based security consulting and integration firm Logical sees its refusal to hire "reformed" hackers as one of the cornerstones of its ethical hacking services. The company views its stance as an emerging trend among e-security consultancies and corporate IT departments.

In an internal summary on ethical hacking, Logical says, "Such a move is fraught with danger as the level of security flaws they become exposed to on their clients' behalf can be staggering. With a hacker on the staff, client confidence must always be in question."

Besides, as the company points out, ethical hackers need more than hacking skills in their arsenal. Ethical hackers have to stay abreast of developments in areas such as software patches and need a detailed understanding of the systems and business operations that they have been employed to guard.

Ivor Lloyd, chairman of the BCS' security committee, is also against employing and recommending hackers, especially those with criminal records, but supports ethical hacking.

"We would welcome professional ethical hackers onto the BCS security register," Lloyd says. "Ethical hacking [penetration testing] is an extremely useful form of testing the defences of computer systems from unauthorised access."

Lloyd believes that hacking is all pervasive within the industry, so you might as well make use of ethical hackers, who have inside knowledge of the system architecture and its configuration. He is quick to point out that systems need to be brought up to date and properly configured and that ethical hacking exercises are purely a method of testing systems and not a replacement for security.

The BCS' security register has a code of conduct which prevents it from recognising "unethical" hackers. The wording of the code states that, to be registered, you have to be "a fit and proper person", which the BCS does not consider a conventional hacker to be.

Unsurprisingly, some ethical hackers do not have lily-white CVs and hail from the other side of the tracks. One example is Mathew Bevan, who went by the name of "Kuji" in his hacking days. When charges of hacking into US defence sites were dropped, Bevan joined Tiger Computer Security as a security consultant and has recently been chosen by Nintendo and TV channel E4 to head up their viral marketing campaigns.

Peter Sommer, a research fellow at the London School of Economics, who specialises in computer crime, emphasises the need for caution when addressing security issues such as hiring hackers.

"It is not simply a question of ethics but more a case of being prudent and sensible about what it is you're trying to do," Sommer says.

It is essential to be aware of what results you don't want to get as well as what you are expecting, says Sommer. You need to work out formal rules of engagement to ensure that your defences are probed in an orderly fashion.

Sommer likens the idea of hiring hackers to that of security firms hiring ex-SAS soldiers. Most people don't need the level of skills that the SAS teaches its soldiers, and chances are they need other skills that those people cannot provide. In both cases, image takes preference over practicalities.

And although a hacker can identify weaknesses in a system, it is doubtful whether he or she will provide a solution to those problems. A further problem that Sommer identifies is that many testing techniques assume that attacks will come from outside the company and not, as is often the case, from inside.

Rob Graham, chief technical officer of security firm Network ICE, questions the whole existence of this "fanciful secret world of elite hackers".

"Hackers, the hacker community and elite secrets are really myths created by the media because they sell," says Graham. "I don't believe in them any more than I believe in the tooth fairy."

This whole issue of hiring hackers is obviously something that grates with him.

"I have to regularly respond to questions as to whether we employ 'hackers'," Graham says. "One answer implies we are stupid, the other implies we are evil. I just smile knowingly and keep quiet."

He also questions the employability of these hackers and reckons that there are probably many people who could hack into the Pentagon or CIA Web site using tools downloaded from the Internet but who could not execute simple coding exercises without a reference manual.

Another man who questions the idea of hiring hackers is Richard Boothroyd, a principal consultant at ICL with responsibility for cybercrime. Like Graham, he also doubts whether the hacking community is significantly large and bemoans the media gloss surrounding their image. Boothroyd also points out the ethical issues behind such a decision.

From a practical standpoint, a convicted hacker would not get security clearance, which is vital for carrying out ICL's projects. He also feels that the company's customers would be nervous about the idea of hiring hackers.

Although Boothroyd admits that finding highly skilled staff for ICL's security practice is a big headache, he doubts whether employing hackers is the answer.

"These people cause a lot of damage," Boothroyd says. "We're romanticising these people out of all proportion. What we should be doing is de-romanticising them - they're cyberpunks."

He also questions whether these people are needed. "There are people out there, who can do equally as good or better," Boothroyd says, the only difference being that they're batting for the good side.

And therein lies the crux of the matter. The skills to combat the hackers and reduce the level and scale of attacks are out there but they are not being used. Many companies still seem to believe that the firewall they installed a few years ago is a panacea and does not need updating or changing.

All too often, security is merely an afterthought and, once a solution is installed, quickly forgotten. But these measures are more out of sight than oversight. A key element in the hacker's mindset is the willingness and necessity to move with the times and embrace new technology. Refusing to follow suit and update your security is like leaving your front door open. And if the Pentagon can get hacked then your run-of-the-mill dotcom, hiding behind a flimsy firewall, had better watch out.

Other methods for combating hackers do exist. One way of protecting yourself from the unwelcome attentions of hackers is by using software such as Vigilante's network security testing product Securescan.

A more elaborate method is the Honeynet project. Unlike conventional honeypots, which also act as lures for hackers, Honeynet places a network behind a firewall and a system within that configuration to act as the bait or "honey". The aim is to create a more realistic environment to attract hackers, to observe them at work and learn their methods. The scheme was set up by a collection of 30 security professionals "to learn the tools, tactics, and motives of the black hat community, and share those lessons learned".
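As an added illustration of the honeynet idea described above (this is not Honeynet project code, and it stands in for the "bait" system only), the listener below presents a fake service banner, records who connects and what they send first, and labels the attempt so the record can be fed to monitoring. The banner text, the classification rules and the two probes fired by run_demo are all constructed for the example; nothing here offers a real service, so every connection it sees is by definition unexpected.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed fake banner: the listener pretends to be a mail server.
FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Rough label for what a connecting client appears to be attempting."""
    head = data[:16].upper()
    if head.startswith((b"EHLO", b"HELO", b"MAIL FROM")):
        return "smtp-probe"
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http-probe"
    if head.startswith(b"SSH-"):
        return "ssh-probe"
    if not data:
        return "connect-only"  # banner grab or port scan, nothing sent
    return "unknown"


class HoneyListener:
    """Accepts TCP connections on a loopback port and logs each one as an event."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]  # real port when 0 was requested
        self.events = []
        self._lock = threading.Lock()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self.sock.close()  # accept() now fails, which ends the serve loop
        self._thread.join(timeout=2)

    def _serve(self) -> None:
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        conn.settimeout(2.0)
        data = b""
        try:
            conn.sendall(FAKE_BANNER)
            data = conn.recv(256)  # only the opening bytes are of interest
        except OSError:
            pass
        finally:
            conn.close()
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": addr[0],
            "src_port": addr[1],
            "dst_port": self.port,
            "first_bytes": data.decode("latin-1"),
            "kind": classify_first_bytes(data),
        }
        with self._lock:
            self.events.append(event)

    def wait_for_events(self, count: int, timeout: float = 5.0) -> list:
        """Block until `count` events are logged (or timeout) and return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def probe(port: int, payload: bytes) -> bytes:
    """Constructed client: read the banner, send payload (if any), disconnect."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


def run_demo() -> list:
    """Start a listener, fire two constructed probes at it, return the event log."""
    hp = HoneyListener()
    hp.start()
    try:
        probe(hp.port, b"EHLO scanner.invalid\r\n")  # looks like an SMTP client
        probe(hp.port, b"")                         # bare connect, like a port scan
        events = hp.wait_for_events(2)
    finally:
        hp.stop()
    return events


if __name__ == "__main__":
    for event in run_demo():
        print(json.dumps(event))
```

The value of such a listener is in the log, not the service: the events are written in a form (JSON here) that a monitoring pipeline can ingest, and because nothing legitimate should ever talk to the bait host, the classification can be coarse and still be useful.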

Disseminating information on hacking can be a major problem. Some companies have been reluctant to report attacks fearing that they will highlight and publicise security weaknesses in their systems. So it is not surprising that they can be reluctant to get together and collaborate in the war against hackers.

However, earlier this year, 19 companies in the US high-tech sector, including Microsoft, Oracle and Intel, joined forces to form an anti-hacking powerhouse. The Information Technology Information Sharing and Analysis Centre, run by Atlanta-based Internet Security Systems, acts as a forum to disseminate ideas and information relating to threats from hackers and viruses.

Hiring a hacker is not always a conscious decision. As many "reformed" hackers are now involved in providing security consultancy services, companies may be hiring hackers without realising it. And as Graham wonders, just how many of those "techies" in the backrooms of your company were at some time, or may still be, part of the hacker community?

But if you do decide to hire an "ex-hacker", you should be aware that you could be helping to create a rise in incidences of hacking, warns Simon Rogerson, director of the Centre for Computing and Social Responsibility at De Montfort University. As he points out, promising a pot of gold for hackers who go legit is a funny way to combat the underlying problem. It could well give off the wrong signals to those considering dabbling in the black hat arts.

Tips when hiring hackers
  • Don't assume that attacks can only come from outside - many come from inside the organisation

  • A hacker might be able to identify the problem but can they provide a solution?

  • Many hackers are just one-hit wonders: they may not be able to offer the additional skills you need

  • Do you really need the level of hacking skills they can bring?

  • Can a leopard change its spots? Putting a hacker in charge of your security is like hiring a burglar to guard a bank.

Things to consider when vulnerability testing
  • Make sure that you set out some formal rules of engagement before embarking on a penetration test

  • Consider what you do not want as well as what you do: set out the limits clearly

  • Penetration tests can cause damage - make sure the ethical hacker is insured and that you are protected through a formal contract

  • Ensure that the security infrastructure is properly set up before the test starts

  • Penetration tests and risk analysis are not a replacement for security, merely a method of checking it.
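The rules of engagement that Sommer and the checklist above call for are usually a signed document, but the parts that decide whether a given test step may go ahead can be written down in a form that is checked mechanically before each step. The following is an added example, not from the article or from any firm it names: every address, action name and time window in it is constructed, and the field names are an assumption about how such a document might be structured.

```python
import ipaddress
from datetime import datetime, time, timezone

# Constructed rules of engagement: what may be tested, what may never be
# touched, which actions were agreed, and when testing is permitted.
RULES_OF_ENGAGEMENT = {
    "in_scope": ["192.0.2.0/24", "198.51.100.10"],
    "excluded": ["192.0.2.250"],                 # e.g. a production database host
    "allowed_actions": {"scan", "enumerate", "exploit-validate"},
    "forbidden_actions": {"denial-of-service", "social-engineering"},
    "window_utc": (time(1, 0), time(5, 0)),      # testing only 01:00-05:00 UTC
    "contract_signed": True,
    "insurance_confirmed": True,
}


def preflight(roe: dict) -> list:
    """Items that must be settled before any test begins (contract, insurance)."""
    missing = []
    if not roe.get("contract_signed"):
        missing.append("no signed contract")
    if not roe.get("insurance_confirmed"):
        missing.append("tester's insurance not confirmed")
    return missing


def _in_any(ip, networks) -> bool:
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def check_action(roe: dict, target: str, action: str, when: datetime) -> tuple:
    """Return (allowed, reason) for one proposed test step against one target."""
    problems = preflight(roe)
    if problems:
        return False, "; ".join(problems)
    ip = ipaddress.ip_address(target)
    if _in_any(ip, roe["excluded"]):           # exclusions win over scope
        return False, f"{target} is explicitly excluded"
    if not _in_any(ip, roe["in_scope"]):
        return False, f"{target} is not in scope"
    if action in roe["forbidden_actions"]:
        return False, f"action '{action}' is forbidden by the rules of engagement"
    if action not in roe["allowed_actions"]:
        return False, f"action '{action}' was never agreed"
    start, end = roe["window_utc"]
    t = when.astimezone(timezone.utc).time()
    if not (start <= t < end):
        return False, f"outside the agreed window ({start:%H:%M}-{end:%H:%M} UTC)"
    return True, "ok"


def review_plan(roe: dict, steps: list, when: datetime) -> list:
    """Return the (target, action, reason) triples that would breach the rules."""
    rejected = []
    for target, action in steps:
        ok, reason = check_action(roe, target, action, when)
        if not ok:
            rejected.append((target, action, reason))
    return rejected


if __name__ == "__main__":
    # Constructed test plan reviewed against the constructed rules.
    plan = [
        ("192.0.2.15", "scan"),
        ("192.0.2.250", "scan"),
        ("203.0.113.5", "enumerate"),
        ("192.0.2.15", "denial-of-service"),
    ]
    for item in review_plan(RULES_OF_ENGAGEMENT, plan, datetime.now(timezone.utc)):
        print("REJECTED:", item)
```

The order of the checks matters: the contract and insurance questions are answered before any target is looked at, and an explicit exclusion is honoured even when the address also sits inside an in-scope range, which is how a tester is kept away from the one machine the client cannot afford to have disturbed.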
