Information Security News mailing list archives

'I Hired a Hacker': A Security Manager's Confession


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 18:20:48 -0600

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58018,00.html

[I have to wonder what kind of message this sends: hack a network, get
a job. Lately this trend is becoming the norm rather than the exception. -WK]


By MATHIAS THURMAN
February 26, 2001

The new security department hire must be good because he's already
broken into the system.

I'm sitting at my desk, having a cup of coffee and a toasted bagel
when I notice this young, blond, pimply-faced kid standing outside my
cube with this smirk on his red, puffy-cheeked face. I ask him what I
can do for him, and he hands me a piece of paper with a Web site
address written on it. It looks like an address that a customer would
use to access the application that we host.

I ask what this is all about and he introduces himself as one of our
company's application developers. He explains that he likes to "kinda
hack a little bit" on the side and how he "discovered this" while
playing around at home. I take the Web address, type it into my
browser, hit Enter and a list of customer names, addresses, phone
numbers and credit card numbers appears on screen.

Uh-oh. This information is normally supposed to be accessible only
through a series of authentications, but the address bypassed the
authentication mechanisms and displayed the data. The kid goes on to
explain to me how the application programming interface (API) isn't
configured properly and how many other pages can be displayed by
bypassing the authentication screens. I thank him for the information,
take a few notes on the details of the authentication API and then
begin to interview him.
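The bypass the developer found is a missing-access-control bug: a data page reachable by typing its address directly because the authentication check lived on the login screens rather than in front of every page. The added example below is not from the column; it models a toy request dispatcher (route names, session tokens and customer records are constructed) and contrasts per-page checks, which miss any page that forgets them, with a deny-by-default check applied before any handler runs.

```python
# Added illustration of the "direct URL skips the login screens" bug.
# Toy dispatcher with no web framework; all data and routes are constructed.
from typing import Callable, Dict, Optional, Tuple

# Constructed sample records standing in for the hosted customer data.
CUSTOMERS = [{"name": "Example Customer", "card": "[constructed placeholder]"}]

# Constructed session store: session token -> logged-in user.
SESSIONS = {"tok-abc": "alice"}

Response = Tuple[int, object]
Handler = Callable[[Optional[str]], Response]

def login_page(_session: Optional[str]) -> Response:
    return 200, "login form"

def customer_list(_session: Optional[str]) -> Response:
    # This page never asks who is calling it.
    return 200, CUSTOMERS

def account_page(session: Optional[str]) -> Response:
    # Per-page check: only this handler remembers to verify the session.
    if session not in SESSIONS:
        return 401, "login required"
    return 200, f"account of {SESSIONS[session]}"

ROUTES: Dict[str, Handler] = {
    "/login": login_page,
    "/account": account_page,
    "/customers": customer_list,  # nobody added a check here
}

def dispatch_vulnerable(path: str, session: Optional[str]) -> Response:
    """Authentication is left to each page; a page that forgets is wide open."""
    handler = ROUTES.get(path)
    return handler(session) if handler else (404, "not found")

# Explicit allowlist of pages that may be served without a session.
PUBLIC_PATHS = {"/login"}

def dispatch_hardened(path: str, session: Optional[str]) -> Response:
    """Deny by default: the dispatcher checks the session before any handler runs."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    if path not in PUBLIC_PATHS and session not in SESSIONS:
        return 401, "login required"
    return handler(session)
```

Moving the check into the dispatcher is what closes the "many other pages" the developer mentioned: a newly added page is protected unless someone deliberately lists it as public.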

He's just 23 years old and has been playing with Linux since he was
14, started programming at 16 (for fun, he says) and has had part-time
and full-time jobs as a Unix and Windows NT administrator and as an
application developer for the past six years. He has no college
education (but has just enrolled), and security is his hobby.

Eureka! I've hit the jackpot. A perfect fit for my plan to conquer the
world. Even better, the application development project he has been
working on was finished and he had been expressing an interest in
security for some time. To make a long story short, I put in a request
to have this kid transferred into my group. He's Unix-savvy, bright,
articulate and, best of all, he knows our business very well. He's
been working as a developer for almost two years and therefore has an
extreme in-depth knowledge of the application we host and sell to
customers.

As many readers probably know, security professionals are extremely
difficult to find. In my experience, there are many of what I call
"articulate incompetents": those who make great managers but can't do
the keystroking if their lives depended on it. They can address a
variety of audiences and wow them with security lingo and
pontifications on security best practices and the ramifications of
weak security. But ask them to install and configure a
firewall-to-firewall virtual private network and they don't have a
clue. In a large or consulting organization, security professionals of
that type will fare well and are often needed. In a start-up
environment, however, even the manager needs to get his hands dirty.

What's difficult is finding a mix of well-rounded individuals with
good communication skills and some business sense, combined with years
of hands-on Unix, Windows NT, programming and, most important, hacking
skills. Yes, that's right, hacking skills. I've been involved in many
hiring processes and in my experience hackers make the best employees
on a security team. They're dedicated, disciplined, savvy and very
technical. Yes, I sometimes have funny feelings about these folks, but
as long as they pass a full background check and they have a reputable
resume, I'm comfortable.

I believe that 98% of the people in this world are genuinely good.
Most hackers, when faced with the opportunity to take advantage of a
weakness and exploit it for some fiduciary gain, will shy away. Take a
look at most of the "hacked" Web pages out there. The verbiage is that
of an adviser: "This Web site hacked by [whomever]," or "Your security
sucks. Your original home page is here [link to page]." Yeah, it's
embarrassing and makes you feel violated, but most hackers will stop
after they've hacked the Web page. Don't get me wrong, I would never
hire anyone who I felt was a criminal. I've got a fairly good sense
about people, and I haven't made a hiring decision I've regretted.
Anyway, that's my 2 cents on today's hackers and why I usually don't
have a problem hiring them.

Shopping Spree Begins

I spent the rest of the day on the phone with vendors, placing my
initial requests for security software. I decided to go with
Atlanta-based Internet Security Systems Inc.'s (ISS) RealSecure
intrusion-detection software (IDS). I've used this tool before, and
the only problem I had was with bandwidth.

When selecting an IDS product, you have to make sure that the tool
will continue to be effective at the upper limits of your network
bandwidth. In our case, the aggregate bandwidth never exceeds 8 Mbit/sec,
even though we're on a 100 Mbit/sec switched architecture.
But there comes a point at which an IDS will start dropping packets.
Some folks call this "sampling mode."

In any case, I don't want my IDS to miss anything, so I'm very picky
about performance. I've done a lot of work testing IDS performance in
a very controlled environment. And, being a start-up, we can't afford
the $10,000-per-month outlay for an outsourced monitoring service.
RealSecure is easily configurable out of the box, and the alerts are
meaningful enough that, with moderate training, I can leverage our
operations center personnel to react appropriately when something goes
bump in the night.

In addition to RealSecure, I went ahead and placed an initial request
for ISS's Internet Scanner and Database Scanner products. Like
RealSecure, I've used them in the past and have been extremely
satisfied. I feel that ISS's scanner, in conjunction with some free
tools like the Nessus security scanning software and the Nmap port
scanner, will be 98% effective in discovering any potential or glaring
holes in our infrastructure.

The biggest problem with scanners is the corrective action necessary
to fix the discovered vulnerabilities. It's always a challenge to get
the system administrators to make changes to live production systems.
As a security manager, you have to put on the hard hat and start
acting as a threat broker and change agent. I usually like to
demonstrate the vulnerability associated with the recommended
corrective action. When I can show the hack, folks are more receptive
and more willing to implement change.

I also started getting quotes for SecurID tokens from RSA Security
Inc. in Bedford, Mass.; the Tripwire file-integrity-checking software
from Tripwire Inc. in Portland, Ore.; and the latest commercially
supported version of the SSH secure session software from F-Secure
Corp. in Espoo, Finland.

Next time, I'll explain in detail my awesome IDS testing experience.
It was actually fun for all of us . . . well . . . except the vendor.

ISN is hosted by SecurityFocus.com