[ISN] Newest IT Job Title: Chief Hacking Officer

From: InfoSec News (isnat_private)
Date: Thu May 30 2002 - 01:36:52 PDT


    By Jay Lyman
    NewsFactor Network
    May 29, 2002

    Companies seeking to ensure they are as impervious as possible to the
    latest computer viruses and to the Internet's most talented hackers
    often find themselves in need of - the Internet's most talented

    Some of these so-called "white-hat" hackers hold high positions in
    various enterprises, including security companies, but analysts told
    NewsFactor that they rarely carry the actual title "chief hacking
    officer" because companies tend to be a bit skittish about the

    Still, some security pros -- such as Aliso Viejo, California-based
    Eeye Security's Marc Maiffret -- do carry the "CHO" title, and few
    argue the point that in order to protect themselves from the best
    hackers and crackers, companies need to hire them.

    Hidden Hiring

    SecurityFocus senior threat analyst Ryan Russell told NewsFactor that
    while only a handful of companies actually refer to their in-house
    hacker as "chief hacking officer," many companies are hiring hackers
    and giving them titles that are slightly less indicative of their less
    socially acceptable skills.

    "A large number of people who used to do that sort of thing end up
    working in security," Russell said. "There are some companies out
    there specifically saying, 'We do not hire hackers, we are against
    that,' but really they are [hiring them]."

    Russell said that while there is definitely an increased emphasis on
    security since last year's disastrous terrorist attacks, deflation of
    the dot-com bubble has resulted in consolidation among security
    personnel and a reduction in the number of titles that are obviously
    associated with hacking.

    Born To Hack

    Russell noted that hackers legitimately working in IT are usually
    involved in penetration testing.

    While companies are uncomfortable hiring IT security personnel with
    prior criminal records, there are advantages to hiring an experienced
    hacker, even if the individual has used an Internet "handle"
    associated with so-called "black-hat" hackers.

    Still, Russell said, "I think in very few cases do people with the
    reputation of a hacker or black-hat [get hired]."

    One such person who was hired is Cambridge, Massachusetts-based
    security company @Stake's chief scientist, Peiter "Mudge" Zatko -- a
    well-known hacker and security expert who has briefed government
    officials, addressed industry forums and authored an NT password
    auditing tool.

    Regular Workers

    Regardless of whether they wear a white hat or a black one, Russell
    said it takes more than good hacking skills to land a legitimate job.

    "You want someone who does [penetrations] for a living," Russell said
    of penetration testers. "You want them to be good at giving you the
    information you need."

    Russell added that while some hackers hold chief technical officer or
    equivalent positions, the rule of fewer managers and more employees
    means there are probably more hackers working in regular jobs than in

    Checking References

    Forrester (Nasdaq: FORR) analyst Laura Koetzle told NewsFactor that
    companies will not hire anyone convicted of a computer crime, but they
    will seek out hackers, particularly for penetration testing.

    "They won't have a title of chief hacking officer, and they haven't
    necessarily broken any laws, but they're still skilled at this stuff,"
    she said.

    Koetzle said many companies avoid the issue of checking the
    backgrounds of former hackers by using services firms, such as
    PricewaterhouseCoopers or Deloitte & Touche, to hire such personnel.

    Extortion and Employment

    But hiring hackers can backfire.

    Russell said cases of extortion range from blatant attempts at
    blackmail -- demanding money to prevent disclosure of customer data or
    security vulnerabilities -- to more subtle efforts, wherein hackers
    find holes, offer a fix and add a request for a job.

    According to Koetzle, despite the desire to keep security breaches
    quiet, companies must resist attempts on the part of potential
    hacker-hires to extort money or work in computer security.

    "I would strongly caution against dealing with that type of hacker,"
    Koetzle said. "It absolutely does happen, but it's absolutely the
    wrong thing to do."

    Right or wrong, however, it seems that the person best equipped to
    ferret out a hacker is another hacker. So, as unsavory as it may seem,
    the better the hacker, the more likely he or she is to join the square
    working world as chief hacking officer.