Information Security News mailing list archives

Can you trust an ethical hacker?


From: InfoSec News <isn () c4i org>
Date: Tue, 16 Apr 2002 02:26:56 -0500 (CDT)

http://www.vnunet.com/Features/1130851

By Madeline Bennett  [12-04-2002]

Bill Pepper is head of security risk management at consulting firm
CSC, a role which involves advising clients on security issues and
managing the company's so-called ethical hackers.

He has worked in information security for over 35 years, including
time with the Royal Air Force, and is currently deputy chairman of the
British Computer Society's Certificate in Information Security
Management Board.

IT Week: At your consultancy firm you use ethical hackers for testing
and security processes. What benefits does this bring?

Bill Pepper: If companies want to reduce the risk of attack, they need
to know the real vulnerability, rather than a perceived one. To
replicate a hostile hack, you need the mindset to put together the
right tools. A number of hacking tools available in the marketplace
will only replicate certain easier attacks.


So it takes skill to replicate a sophisticated hack?

The tools will help, but the skill is in identifying the hole and then
knowing what you can do. For example, to identify which sensitive
parts of the system you can access. You also need somebody to produce
a meaningful report.


How do people become ethical hackers?

Ethical hackers come from three sources: malicious hackers, bright
computer science graduates, and individuals from a systems or
administration background.


How can a firm trust a malicious hacker?

This is a guy who has been using his skills for malicious intent, then
grows out of it and wants to earn money. This type of ethical hacker
is a higher risk. You have to make sure you have done the background
checks on the individual, and concluded that he will become a
reasonable citizen.

The interviewer needs experience and a good interviewing technique.
Once employed, the firm should provide them with the intellectual
challenge they need.


What experience would a graduate need?

Anyone who does a computer science degree will have been open to
hacking. Part of the reason for the Joint Academic Network (an academic
network) is to educate university students and teach them the skill of
exploiting weaknesses on networks. There might be bright computer
science graduates who recognise that the security field is an
interesting challenge.


And what type of systems or administration employees would be
qualified?

People from a Unix system and support background, as the internet grew
out of Unix and a lot of technology is derived from the Unix
environment. Also, those from a systems support or admin role for
Windows NT, for example. After all, it is much easier to hack
Microsoft than Unix.


Which type makes the best ethical hacker?

All three types have their advantages and disadvantages. A reformed
hacker is best for simulating a very malicious attack. The ex-Unix or
NT guys do not always have the mindset of an ex-hacker. They tend to
use less devious methods.


Are many companies keen on the idea of ethical hacking?

With the more staid organisations, there is a culture that it is not
quite right. But people are being hit because they have not used
ethical hacking. There is a changing attitude towards it.


Can companies ever really trust a malicious hacker, reformed or not?

There is always an element of risk. If an ex-malicious hacker sees a
chance to defraud the company, would he be tempted? You need to know
your staff well and keep them interested. This is an area where, if
you are not employee focused, it could go wrong very badly.


