[ISN] Can you trust an ethical hacker?

From: InfoSec News (isnat_private)
Date: Tue Apr 16 2002 - 00:26:56 PDT

  • Next message: InfoSec News: "Re: [ISN] Cracks in the Firewall"

    By Madeline Bennett  [12-04-2002]
    Bill Pepper is head of security risk management at consulting firm
    CSC, a role which involves advising clients on security issues and
    managing the company's so-called ethical hackers.
    He has worked in information security for over 35 years, including
    time with the Royal Air Force, and is currently deputy chairman of the
    British Computer Society's Certificate in Information Security
    Management Board.
    IT Week: At your consultancy firm you use ethical hackers for testing
    and security processes. What benefits does this bring?
    Bill Pepper: If companies want to reduce the risk of attack, they need
    to know the real vulnerability, rather than a perceived one. To
    replicate a hostile hack, you need the mindset to put together the
    right tools. A number of hacking tools available in the marketplace
    will only replicate certain easier attacks.
    So it takes skill to replicate a sophisticated hack?
    The tools will help, but the skill is in identifying the hole and then
    knowing what you can do. For example, to identify which sensitive
    parts of the system you can access. You also need somebody to produce
    a meaningful report.
    How do people become ethical hackers?
    Ethical hackers come from three sources: malicious hackers, bright
    computer science graduates, and individuals from a systems or
    administration background.
    How can a firm trust a malicious hacker?
    This is a guy who has been using his skills for malicious intent, then
    grows out of it and wants to earn money. This type of ethical hacker
    is a higher risk. You have to make sure you have done the background
    checks on the individual, and concluded that he will become a
    reasonable citizen.
    The interviewer needs experience and a good interviewing technique.  
    Once employed, the firm should provide them with the intellectual
    challenge they need.
    What experience would a graduate need?
    Anyone who does a computer science degree will have been open to
    hacking. Part of the reason for the Joint Academy Network (an academic
    network) is to educate university students and teach them the skill of
    exploiting weaknesses on networks. There might be bright computer
    science graduates who recognise that the security field is an
    interesting challenge.
    And what type of systems or administration employees would be
    People from a Unix system and support background, as the internet grew
    out of Unix and a lot of technology is derived from the Unix
    environment. Also, those from a systems support or admin role for
    Windows NT, for example. After all, it is much easier to hack
    Microsoft than Unix.
    Which type makes the best ethical hacker?
    All three types have their advantages and disadvantages. A reformed
    hacker is best for simulating a very malicious attack. The ex-Unix or
    NT guys do not always have the mindset of an ex-hacker. They tend to
    use less devious methods.
    Are many companies keen on the idea of ethical hacking?
    With the more staid organisations, there is a culture that it is not
    quite right. But people are being hit because they have not used
    ethical hacking. There is a changing attitude towards it.
    Can companies ever really trust a malicious hacker, reformed or not?
    There is always an element of risk. If an ex-malicious hacker sees a
    chance to defraud the company, would he be tempted? You need to know
    your staff well and keep them interested. This is an area where, if
    you are not employee focused, it could go wrong very badly.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 03:45:25 PDT