Increasingly, companies are hiring hackers to test their network firewalls. This may not be such a good idea.
Karen Bannan, eCFO
December 15, 2000
Call it a sign of the times. In September 2000 the Secure Digital Music Initiative, or SDMI (www.sdmi.org), an industry association based in San Diego, California, posted this notice on its Web site: "Here's an invitation to show off your skills, make some money, and help shape the future of the online digital music economy. The [SDMI] is a multi-industry initiative, working to develop a secure framework for the digital distribution of music. SDMI-protected content will be embedded with an inaudible, robust watermark or use other technology that is designed to prevent the unauthorized copying, sharing, and use of digital music.
"We are now in the process of testing the technologies that will allow these protections. ... So here's the invitation: Attack the proposed technologies. Crack them. ... If you can remove the watermark or defeat the other technology on our proposed copyright protection system, you may earn up to $10,000."
As of press time, no one had collected the 10 grand — although in October 2000, a group of researchers from Xerox PARC, Princeton University, and Rice University claimed to have cracked the code. But SDMI's invitation was no publicity stunt. The fact is, paying outsiders to expose holes in encryption technology and network firewalls is fast becoming commonplace in the corporate universe. And on the face of it, such an approach makes sense. After all, who knows more about network vulnerabilities than hackers?
Certainly, traditional approaches to safeguarding computer systems — passwords, encryption algorithms, and the like — don't seem to be working. In early September 2000, Englewood, Colorado-based Western Union Financial Services Inc. reported that crackers (cyber-intruders) had made off with the credit card and debit card numbers of nearly 16,000 online customers — not exactly a ringing endorsement for the safety of online shopping.
According to the San Francisco-based Computer Security Institute's (www.gocsi.com) annual Computer Crime and Security Survey, released in March 2000, more than 90 percent of the study's 643 respondents reported security breaches over the past 12 months. Of this group, 42 percent were able to quantify their losses. Total damage? A tidy $266 million, or almost $1 million per company.
And that's only the tip of the iceberg. Analysts say the actual damage caused by hackers is impossible to calculate because many break-ins are never discovered. And many companies, keen to avoid bad publicity, don't report hack attacks. In 1994 a 29-year-old Russian broke into Citibank's network and made off with $10 million. The incident didn't become public until a year later — although Citibank claimed it knew about the break-in all along and was just playing cat-and-mouse with the hacker who masterminded the caper.
Still, a number of industry-watchers have started to question whether hiring hackers to test network security is such a clever idea. Obviously, rewarding script kiddies, hackers, and other digital pranksters with lucrative consulting contracts doesn't qualify as exemplary corporate citizenship. "Nice people don't do it," insists William Hugh Murray, an executive consultant to professional services firm Deloitte & Touche (www.us.deloitte.com), in Connecticut. "You should be engaging certified information system security professionals who have at least three years' experience, pass a rigorous exam, and are committed to ethical standards."
Beyond moral concerns, giving outsiders a free hand to probe a network can be a risk management nightmare. Hackers may know about Trojan horses and back doors, but they generally know precious little about competitive advantage periods, ROI, or E-commerce strategy. Notes Fred Rica, a partner in the technology risk services unit at PricewaterhouseCoopers (www.pwcglobal.com/us/): "Most ex-hackers don't understand the complex business issues surrounding the integration of security solutions within global enterprises and E-business environments."
What's more, it's nearly impossible to suss out the true intention of hackers-turned-advisers. That sort of uncertainty can leave a network wide open to theft, fraud, or worse — extortion. "It doesn't make sense to hire an ex-hacker," says Dave Safford, manager of the Global Security Analysis Lab at IBM Research (www.research.ibm.com/net_security/gsalpub.html), in Hawthorne, New York. "It's like hiring a convicted arsonist as fire marshal."
To keep from getting burned, many corporations instead hire outside security firms to test their firewall security. Called ethical hacking, the process is intended to help system administrators pinpoint weaknesses in networks. In addition, ethical hacking enables IT managers to gauge response time to an attack — crucial in the fight against cybercrime. According to Bruce Schneier, co-founder of Counterpane Internet Security (www.counterpane.com), a managed security monitoring company in San Jose, California, network operators typically have about 10 minutes to respond to an attack before serious damage can be done.
While this sort of war-gaming can yield dramatic results, ethical hacking comes with its own set of risks. The biggest danger? Security firms often employ hackers. And as industry watchers note, all hackers are not created equal. In fact, there are so many types of hackers in the virtual universe that the code-writing community groups them into three categories.
So-called black-hat hackers commit illegal hacks for personal gain or notoriety. White hats, by contrast, frequent hacker chat boards and conferences and practice breaking into their own or corporate systems — but only with permission. Gray-hat hackers fall into, well ... a gray area. Like black hats, they illegally break into systems or servers, but they notify companies about the break-ins and generally don't interfere with business processes.
If all this seems imprecise, you're on to something. Like most people, hackers don't usually wear hats — and if they do, they're not likely to wear one indicating criminal intent. A self-professed white hat might be a black hat at heart. Legitimate gray hats may come across a challenge so irresistible that they engage in black-hat activity. The scenarios — and color schemes — are endless.
Not surprisingly, managers at security firms that do hire hackers may not go out of their way to broadcast the fact. This can put companies that rely on security consultancies at risk. Mike Higgins, president of Centerville, Virginia-based security firm Para-Protect Inc. (www.para-protect.com), advises corporate managers to ask consultants specifically whether they hire hackers.
But even if executives at a security consultancy say their experts fall into the white-hat category, it's no guarantee. Experts say an employee's definition of white hat may not jibe with an employer's definition. "I know of several cases in which people were black hat and said they went white hat, but really didn't," says IBM's Safford. "They tend to keep [black-hat activity] on the side, so it doesn't affect what they are doing for security firms' customers."
Indeed, the security industry itself seems to be divided over hiring hackers for ethical hacking. Some consultancies refuse to hire programmers with any hacking experience. These specialists argue that during an ethical hack, corporate secrets can be exposed — even for just a second. For a hacker with black-hat experience, that brief access could prove very profitable. Para-Protect, for one, does not hire hackers. The company also keeps tabs on break-in teams during ethical hacks. "We have a zero tolerance policy," says Higgins. "We monitor everything our employees do."
Even companies that hire hackers have widely divergent policies. Some security consultants say they hire only white-hat hackers. Others hire any qualified person who doesn't have a criminal record. Some knowingly hire black hats. Joseph Nowland, Network Security Technologies' (www.netsec.net) vice president of corporate services, says the Herndon, Virginia, firm, funded by E-Trade and Softbank, "never hires convicted criminals" and that all its employees pass thorough background checks before they are hired.
"We also submit personnel for Department of Defense clearance investigations," says Nowland. And while some of NetSec's engineers maintain "sources of vulnerability information" — such as chat rooms — "they all sign strict agreements with the company that outline their obligations for ethical conduct," says Nowland.
Staying involved in the scene can be lucrative. Most consultancies charge a minimum of $10,000 for an ethical hack into a corporate network. Such prices may scare off some potential customers. Corey Schou, a professor and the dean of information systems programs at Idaho State University (http://security.isu.edu), says the decision to conduct an ethical hack often depends on a company's financial wherewithal, as well as its appetite for risk. "It turns out 80 percent of the problems with your system may be found anyway," notes Schou. "The other 20 percent may be found by ethical hacks. The challenge is to constantly balance the risk against the cost."
In the end, even if a security firm performs an ethical hack, it may not plug all the gaps in a network. The problem at Western Union, for instance, was caused by human error, not faulty network safeguards. And determined black-hat hackers have been known to pry passwords out of unsuspecting IT staffers and secretaries — over the phone (see "Once More Into the Breach," below). Despite advances in security technology in recent years, it seems human beings are still the wild cards in the safety dance. "It costs money to finance an ethical hack," explains Schou. "But it can also cost money if the ethical hacker isn't as ethical as you'd hoped."
Karen J. Bannan is a contributor to CFO.
Once More Into the Breach
To crack a client's computer system, a security consultant's break-in team searches for chinks in network armor, such as unpatched openings in software and operating systems. Ethical hackers can also gain network access by guessing default password settings and uncovering open ports. In addition, security specialists seek out unsecured trusted relationship default settings — network tunnels designed for a company's business partners.
If the high-tech approach doesn't work, security consultants say the human touch usually does. Ethical hackers have been known to rummage through trash bins and dumpsters to find useful info. Sometimes, hackers resort to "social engineering" — or, as it's more commonly known, lying. A hacker — often posing as an HR employee — phones a staffer, then tries to pry out information. Remarkably, Network Security Technologies and Internet Security Systems (www.iss.net) report a near 100 percent success rate with such ruses. —KJB
For Everything Else, There's Theft
As corporations beef up network security for the virtual world, hackers say it's getting easier to steal the currency of the realm — credit card numbers. These days, you can't take three steps in cyberspace without coming across illegally obtained credit card numbers, either in chat rooms, newsgroups, or Web sites.
The statistics are alarming. Visa International estimates that online fraud happens three times more frequently than offline fraud. And according to technology research firm Meridien Research Inc. (www.meridien-research.com), 10 percent of online transactions last year were fraudulent.
Such a forecast spells trouble for E-tailers. Since online purchases fall into the Card Not Present category, credit card vendors hold virtual merchants 100 percent liable for fraudulent charges. In addition to loss of revenues, E-tailers often pay transaction fees and penalties for accepting stolen numbers. By contrast, bricks-and-mortar merchants do not eat the loss for fraudulent charges — card vendors do.
This is not to say online credit fraud is inevitable. Companies such as ClearCommerce Corp. (www.clearcommerce.com), in Austin, Texas; CyberSource Inc. (www.cybersource.com), in Mountain View, California; and HNC Software Inc. (www.hnc.com), in San Diego, offer services that compare shoppers' E-mail addresses with their Internet protocol and shipping addresses. "We can see if someone else using the account has made large dollar purchases," says Tracy Wilk, vice president of product management for CyberSource, "or if they're downloading their software purchase to Poland even though their credit card bills go to California."
Despite phony plastic, James Van Dyke, senior analyst at consultancy Jupiter Research (www.jup.com), says it's important for retailers to maintain an online presence. "When PCs came out, people feared they would delete files by pressing the wrong key," he recalls. "But they realized using computers generated income. Online shopping is the same. There's more to lose than to win by not starting an online business." —KJB