http://www.vnunet.com/Features/1130851
By Madeline Bennett [12-04-2002]

Bill Pepper is head of security risk management at consulting firm CSC, a role which involves advising clients on security issues and managing the company's so-called ethical hackers. He has worked in information security for over 35 years, including time with the Royal Air Force, and is currently deputy chairman of the British Computer Society's Certificate in Information Security Management Board.

IT Week: At your consultancy firm you use ethical hackers for testing and security processes. What benefits does this bring?

Bill Pepper: If companies want to reduce the risk of attack, they need to know the real vulnerability, rather than a perceived one. To replicate a hostile hack, you need the mindset to put together the right tools. A number of hacking tools available in the marketplace will only replicate certain easier attacks.

So it takes skill to replicate a sophisticated hack?

The tools will help, but the skill is in identifying the hole and then knowing what you can do, for example, to identify which sensitive parts of the system you can access. You also need somebody to produce a meaningful report.

How do people become ethical hackers?

Ethical hackers come from three sources: malicious hackers, bright computer science graduates, and individuals from a systems or administration background.

How can a firm trust a malicious hacker?

This is a guy who has been using his skills for malicious intent, then grows out of it and wants to earn money. This type of ethical hacker is a higher risk. You have to make sure you have done the background checks on the individual, and concluded that he will become a reasonable citizen. The interviewer needs experience and a good interviewing technique. Once employed, the firm should provide them with the intellectual challenge they need.

What experience would a graduate need?

Anyone who does a computer science degree will have been open to hacking. Part of the reason for the Joint Academic Network (an academic network) is to educate university students and teach them the skill of exploiting weaknesses on networks. There might be bright computer science graduates who recognise that the security field is an interesting challenge.

And what type of systems or administration employees would be qualified?

People from a Unix system and support background, as the internet grew out of Unix and a lot of technology is derived from the Unix environment. Also, those from a systems support or admin role for Windows NT, for example. After all, it is much easier to hack Microsoft than Unix.

Which type makes the best ethical hacker?

All three types have their advantages and disadvantages. A reformed hacker is best for simulating a very malicious attack. The ex-Unix or NT guys do not always have the mindset of an ex-hacker. They tend to use less devious methods.

Are many companies keen on the idea of ethical hacking?

With the more staid organisations, there is a culture that it is not quite right. But people are being hit because they have not used ethical hacking. There is a changing attitude towards it.

Can companies ever really trust a malicious hacker, reformed or not?

There is always an element of risk. If an ex-malicious hacker sees a chance to defraud the company, would he be tempted? You need to know your staff well and keep them interested. This is an area where, if you are not employee focused, it could go wrong very badly.

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 03:45:25 PDT