Extreme Hacking

[Budke <budke () panix com>]

There are a couple benefits to the "ethical hacking" process.
a) Because of the recent press on hacking, it is somewhat buzzword 
compliant, and it will get the attention of the C*Os
b) it is very cost prohibitive to do security reviews on all systems in a 
network and in most network settings, there is a level of commonality of 
trust amongst the environment. If you break the weak link, the rest often 
fall like dominos.

For B, who's network doesn't have users that have the same password across 
boxes. How many people do you think install all the latest patches as soon 
as they are released. In many cases because of change-control procedures 
they can't.  In most cases, no one pays attention.

To say something in a slightly different way than Marcus was saying it, the 
security problems are ultimately a social problem. If you fix that the 
majority of security problems will go away.  For the people with the right 
funding, they will probably still be able to find a way into your 
systems.  But the easiest way to get info out of a company still remains 
picking up the phone or walking in there. The need for a computer is rarely 
there. It is just more glamorous.