Some organisations are hiring ex-hackers to help solve security woes. Now there are ways to grow your own hackers. After all, better the devil you know . . .
There was a period of time not so long ago when it was fashionable for Fortune 500 companies to pay big bucks to reformed hackers to provide sensitive security consulting services such as "ethical hacking"and vulnerability assessments. Hackers of the 1980s and 90s, once considered at best a nuisance and at worst serious criminals, suddenly took on the mantle of legitimate businessmen and got paid by big business to do what they loved most.
While some companies still rely on ex-hackers for their protection, it's a practice Eric Keser, principal, e-risk solutions at Ernst & Young, is definitely not keen to support or promote. If you want to beat the attackers, you've certainly got to learn to think like a hacker, Keser says. That's the old "set a thief to catch a thief"mentality in action, and it works. "It is only by understanding the mindset of the hacker and by having knowledge of the ever-increasing arsenal of skills and techniques available to them that security processionals can realistically hope to stay one step ahead,"Keser says.
Ernst & Young much prefers training security specialists in the methodology those hackers use, to recruiting people with a dubious past. And to back up its approach the global professional services firm is among a smattering of Australian security companies that have begun teaching security professionals how hacking is done. Keser says rather than looking to hackers to teach organisations the tricks of the trade, Ernst & Young prefers training experienced security professionals or new recruits who majored in security subjects in the methodology, control and supervision techniques that will help them get the job done.
Far better, Keser says, to train your own IT security practitioners to think like hackers, and give them the hacker's armoury of skills than to give hackers a job in your firm. Arm your own people with the necessary techniques and tools and they'll be well enough equipped to defend their systems from increasingly sophisticated attacks from outside.
Apart from anything else, when it comes to hiring ex-hackers there's a question of morality, Keser says. You have to assume you can trust your employees, or you've no business hiring them. But how do you know whether you can trust a hacker? Who knows just how "reformed"such an individual really is?
"Our concern is just the moral background of those who were, if you like, on the darker side of things. We have a little bit of a concern about suddenly deciding that it's good to work with them as a trusted party,"he says. "I think the main reason why organisations are [hiring hackers] is because they view those people as the most experienced and the most knowledgeable people in terms of conducting effective penetration tests. I guess our answer to that is, that when we conduct a penetration test ourselves for an organisation, our own experience is that most of them are relatively easy to break into. It doesn't actually take a rocket scientist to break into most organisations."
To help organisations train staff to better defend their sites, Ernst & Young's internationally acclaimed eXtreme Hacking - Defending Your Site course claims to arm IT security practitioners with the necessary skills and tools to defend their systems from increasingly sophisticated attacks from hackers. To ensure the information doesn't get into the wrong minds all participants are vetted to include only experienced professionals.
There are other companies thinking along the same lines in offering courses to help security practitioners learn the hacker's art, or at least to better defend themselves against attack. For instance, eSign recently began offering Verisign-accredited courses at its secure data centre in Melbourne. Meanwhile eSec and Foundstone are claiming to offer the "ultimate"hacking course, with Foundstone sending a crack team of trainers to Australia for the first time to teach techniques and counter measures in a hands-on lab environment. As much as anything else, the courses aim to help organisations to change their thinking about security.
"The value in thinking like a hacker is that it forces a much-needed change in mindset and attitude towards security,"says eSec senior consultant Jeff Paine.
"Instead of thinking how can I provide a better network for my users?' you ask yourself what do I need to do to protect my users and their data from theft or damage?' And that question has to be asked every single day. Looking for holes and weaknesses becomes a priority,"he says.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.