[ISN] Does Cybercrime Still Pay?

From: InfoSec News (isnat_private)
Date: Wed Dec 04 2002 - 22:56:41 PST

    Forwarded from: Mike Gauthier <mike@a-and-m.net>
    By Lisa Gill
    NewsFactor Network
    December 4, 2002
    It is the stuff of IT lore -- a hacker is
    caught breaking into a company's systems and is given two options:
    Take a job with the company or face prosecution. But are such tactics
    still in use, or do malicious hackers now face nothing but a career
    dead end?
    "It was a trend at one time, when there weren't a lot of security
    professionals who had experiences
    that didn't include brushes with law enforcement," IDC research
    manager for Internet security software Charles Kolodgy told
    Now, though, Kolodgy explained, companies have begun to work more
    often with sensitive data from financial firms or the government, so
    their staff are forbidden to have criminal backgrounds.

    Education as Legit Path

    In addition, the education available to would-be security gurus has
    expanded greatly in the last 20 years. More professionals are earning
    IT degrees and security certifications or gaining experience working
    for security-focused organizations.
    Kolodgy pointed to the National Security Agency's designated Centers
    of Academic Excellence in Information Assurance Education programs at
    top universities, including Purdue, Carnegie Mellon, George Mason
    University and the University of Idaho, among others. The program's
    aim is to improve IT students' education in security measures, and to
    include higher education in information assurance.

    Certifications Spring Up

    In the realm of certification, the SANS Institute's Global Information
    Assurance Certification (GIAC) and the Certified Information Systems
    Security Professional (CISSP) certification also serve as credentials
    for security professionals.
    "The need to hire someone who has had a run-in with the law is rather
    limited now because you can get much better people who don't have a
    history," said Kolodgy.
    Although certification can be helpful, it is not yet a requirement for
    obtaining a job, said Gartner security analyst Roberta Witty. Prior
    experience as a security professional is still a primary consideration
    -- but experience as a hacker, with a criminal record to prove it, is
    not desirable.
    "How can you trust somebody who has broken the law?" Witty said. "I
    certainly believe that people change stripes, but do you want to risk
    your business on that one hire?"

    Gray, White Hats Employable

    But for those hackers without a checkered past, who spend their free
    time in pursuit of weakened networks or testing out hacking methods,
    there is still a future in the security industry, according to Jeff
    Moss, a.k.a. The Dark Tangent and founder of DefCon, the largest
    annual hacker convention in the United States.
    The most recent change is that young hackers now know a job is waiting
    for them after they finish college, said Moss, whereas several years
    ago, such job offers were more of a surprise than the norm.
    The difference, he added, is that hackers now are less likely to
    reveal their illicit hobby to potential employers, much less their
    "About two years ago, all the older hackers I know stopped using their
    handles. Now they go by their real names," Moss told NewsFactor.
    "Amongst their own group, they still use their own handles, but
    publicly, when anybody asks, they may not say they're a hacker."

    Who Gets Hired?

    In terms of whether companies actually hire hackers, Moss said he has
    hacker friends in several major companies, regardless of whether or
    not such organizations claim to employ such people. In most instances,
    the companies may be unaware they have hired someone who spends his or
    her off-hours striving to understand security in other systems.
    "Many companies will only hire white hats, or at most gray hats who
    don't have anything that looks bad in their history," said IDC's
    Moss agreed that companies no longer hire those with a police record.
    Personally, given two candidates, one with a record and one without,
    he said he would be inclined to choose the candidate sans a
    "Just because they call themselves a hacker doesn't automatically
    disqualify them," Moss said. "You would want to find out if they've
    gotten in trouble for it. It's a broad term."

    Homeland Security Damper

    That broad terminology has concerned security analysts since President
    Bush signed the Homeland Security Bill last week. According to a
    provision of the Cyber Security Enhancement Act, hackers could face
    life in prison if their actions "recklessly" threaten others' lives.
    Ryan Russell, an independent security expert and author, said he is
    concerned that the government and prosecutors may use their new power
    to intimidate accused hackers into agreeing to plea bargains. But it
    is not likely that the new legislation will deter hackers and thus
    reduce the pool of security professionals-to-be, he added.
    "Realize that you've got people who see themselves as very anonymous,"
    he said. "Hackers don't see themselves as vulnerable or as necessarily
    doing something wrong, so changes in punishment tend to have little
    impact on current behavior."

    Career Path Concern

    Moss agreed that new potential punishments probably will not have a
    chilling effect on the behavior of hackers, particularly teenagers --
    though it may increase the number of incidents in which they are
    "It's going to take really smart, rebellious, testosterone-filled
    teenagers and make them federal felons," said Moss. "Before they get
    out of high school, you're going to have a bunch of these smart people
    whose career opportunities [are ruined] -- they'll be flipping burgers
    for the rest of their lives.
    "I'm concerned about the whole new generation," he added, "if they
    make a couple of bad choices and that's it for the rest of their
    Mike Gauthier
    All-purpose lackey
    "Beer is proof that God loves us and wants us to be happy." - Ben Franklin