http://www.newsfactor.com/perl/story/17940.html By Jay Lyman NewsFactor Network May 29, 2002 Companies seeking to ensure they are as impervious as possible to the latest computer viruses and to the Internet's most talented hackers often find themselves in need of –- the Internet's most talented hackers. Some of these so-called "white-hat" hackers hold high positions in various enterprises, including security companies, but analysts told NewsFactor that they rarely carry the actual title "chief hacking officer" because companies tend to be a bit skittish about the connotation. Still, some security pros -- such as Aliso Viejo, California-based Eeye Security's Marc Maiffret -- do carry the "CHO" title, and few argue the point that in order to protect themselves from the best hackers and crackers, companies need to hire them. Hidden Hiring SecurityFocus senior threat analyst Ryan Russell told NewsFactor that while only a handful of companies actually refer to their in-house hacker as "chief hacking officer," many companies are hiring hackers and giving them titles that are slightly less indicative of their less socially acceptable skills. "A large number of people who used to do that sort of thing end up working in security," Russell said. "There are some companies out there specifically saying, 'We do not hire hackers, we are against that,' but really they are [hiring them]." Russell said that while there is definitely an increased emphasis on security since last year's disastrous terrorist attacks, deflation of the dot-com bubble has resulted in consolidation among security personnel and a reduction in the number of titles that are obviously associated with hacking. Born To Hack Russell noted that hackers legitimately working in IT are usually involved in penetration testing. While companies are uncomfortable hiring IT security personnel with prior criminal records, there are advantages to hiring an experienced hacker, even if the individual has used an Internet "handle" associated with so-called "black-hat" hackers. Still, Russell said, "I think in very few cases do people with the reputation of a hacker or black-hat [get hired]." One such person who was hired is Cambridge, Massachusetts-based security company @Stake's chief scientist, Peiter "Mudge" Zatko -- a well-known hacker and security expert who has briefed government officials, addressed industry forums and authored an NT password auditing tool. Regular Workers Regardless of whether they wear a white hat or a black one, Russell said it takes more than good hacking skills to land a legitimate job. "You want someone who does [penetrations] for a living," Russell said of penetration testers. "You want them to be good at giving you the information you need." Russell added that while some hackers hold chief technical officer or equivalent positions, the rule of fewer managers and more employees means there are probably more hackers working in regular jobs than in management. Checking References Forrester (Nasdaq: FORR) analyst Laura Koetzle told NewsFactor that companies will not hire anyone convicted of a computer crime, but they will seek out hackers, particularly for penetration testing. "They won't have a title of chief hacking officer, and they haven't necessarily broken any laws, but they're still skilled at this stuff," she said. Koetzle said many companies avoid the issue of checking the backgrounds of former hackers by using services firms, such as PricewaterhouseCoopers or Deloitte & Touche, to hire such personnel. Extortion and Employment But hiring hackers can backfire. Russell said cases of extortion range from blatant attempts at blackmail -- demanding money to prevent disclosure of customer data or security vulnerabilities -- to more subtle efforts, wherein hackers find holes, offer a fix and add a request for a job. According to Koetzle, despite the desire to keep security breaches quiet, companies must resist attempts on the part of potential hacker-hires to extort money or work in computer security. "I would strongly caution against dealing with that type of hacker," Koetzle said. "It absolutely does happen, but it's absolutely the wrong thing to do." Right or wrong, however, it seems that the person best equipped to ferret out a hacker is another hacker. So, as unsavory as it may seem, the better the hacker, the more likely he or she is to join the square working world as chief hacking officer. - ISN is currently hosted by Attrition.org To unsubscribe email email@example.com with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu May 30 2002 - 04:23:54 PDT