
Fear of the Black Hats

(continued)

While this sort of war-gaming can yield dramatic results, ethical hacking comes with its own set of risks. The biggest danger? Security firms often employ hackers. And as industry watchers note, all hackers are not created equal. In fact, there are so many types of hackers in the virtual universe that the code-writing community groups them into three categories.

So-called black-hat hackers commit illegal hacks for personal gain or notoriety. White hats, by contrast, frequent hacker chat boards and conferences and practice breaking into their own or corporate systems — but only with permission. Gray-hat hackers fall into, well ... a gray area. Like black hats, they illegally break into systems or servers, but they notify companies about the break-ins and generally don't interfere with business processes.

If all this seems imprecise, you're on to something. Like most people, hackers don't usually wear hats — and if they do, they're not likely to wear one indicating criminal intent. A self-professed white hat might be a black hat at heart. Legitimate gray hats may come across a challenge so irresistible that they engage in black-hat activity. The scenarios — and color schemes — are endless.

Not surprisingly, managers at security firms that do hire hackers may not go out of their way to broadcast the fact. This can put companies that rely on security consultancies at risk. Mike Higgins, president of Centerville, Virginia-based security firm Para-Protect Inc. (www.para-protect.com), advises corporate managers to ask consultants specifically whether they hire hackers.

But even if executives at a security consultancy say their experts fall into the white-hat category, it's no guarantee. Experts say an employee's definition of white hat may not jibe with an employer's definition. "I know of several cases in which people were black hat and said they went white hat, but really didn't," says IBM's Safford. "They tend to keep [black-hat activity] on the side, so it doesn't affect what they are doing for security firms' customers."

Indeed, the security industry itself seems to be divided over hiring hackers for ethical hacking. Some consultancies refuse to hire programmers with any hacking experience. These specialists argue that during an ethical hack, corporate secrets can be exposed — even for just a second. For a hacker with black-hat experience, that brief access could prove very profitable. Para-Protect, for one, does not hire hackers. The company also keeps tabs on break-in teams during ethical hacks. "We have a zero tolerance policy," says Higgins. "We monitor everything our employees do."

Safety Dance
Even companies that hire hackers have widely divergent policies. Some security consultants say they hire only white-hat hackers. Others hire any qualified person who doesn't have a criminal record. Some knowingly hire black hats. Joseph Nowland, vice president of corporate services at Network Security Technologies (www.netsec.net), says the Herndon, Virginia-based firm, funded by E-Trade and Softbank, "never hires convicted criminals" and that all its employees pass thorough background checks before they are hired.

"We also submit personnel for Department of Defense clearance investigations," says Nowland. And while some of NetSec's engineers maintain "sources of vulnerability information" — such as chat rooms — "they all sign strict agreements with the company that outline their obligations for ethical conduct," says Nowland.

Staying involved in the scene can be lucrative. Most consultancies charge a minimum of $10,000 for an ethical hack into a corporate network. Such prices may scare off some potential customers. Corey Schou, a professor and the dean of information systems programs at Idaho State University (http://security.isu.edu), says the decision to conduct an ethical hack often depends on a company's financial wherewithal, as well as its appetite for risk. "It turns out 80 percent of the problems with your system may be found anyway," notes Schou. "The other 20 percent may be found by ethical hacks. The challenge is to constantly balance the risk against the cost."

In the end, even if a security firm performs an ethical hack, it may not plug all the gaps in a network. The problem at Western Union, for instance, was caused by human error, not faulty network safeguards. And determined black-hat hackers have been known to pry passwords out of unsuspecting IT staffers and secretaries — over the phone (see "Once More Into the Breach," below). Despite advances in security technology in recent years, it seems human beings are still the wild cards in the safety dance. "It costs money to finance an ethical hack," explains Schou. "But it can also cost money if the ethical hacker isn't as ethical as you'd hoped."

Karen J. Bannan is a contributor to CFO.

Once More Into the Breach
To crack a client's computer system, a security consultant's break-in team searches for chinks in network armor, such as unpatched openings in software and operating systems. Ethical hackers can also gain network access by guessing default password settings and uncovering open ports. In addition, security specialists seek out unsecured trusted relationship default settings — network tunnels designed for a company's business partners.
