Although the practice has been going on for quite some time, the subject of whether or not you should hire reformed hackers as security consultants has been receiving alotta press. This seems to be a very touchy issue, and there are strong opinions on both sides. Being that this issue has been generating so much heat, I wanted to take the opportunity to contribute to both sides of the issue from my point of view.
Before I get started, I want to get a few things out of the way.
My honest opinion on hacking, I always get at least a few opinions from assosiates describing my misuse of the word 'hacker'.
In actuality, the term hacker refers to someone who likes to tinker with hardware or software in an effort to enhance its capabilities including reverse engineering. The media and popular culture have twisted the words' meaning into someone who breaks into computer systems. For the purposes of this blog, I will use the word hacker to refer to someone who breaks into computer systems.
Another thing that I want to get out of the way is a little confession. I myself was a grey hat hacker. For a period of time in the late 1980s and early 1990s, when a coupler was the rage of necessity, I was involved in numerous co-operative hacks. Because I could, at the time, and it just seemed like the riskiest safe thing to do. I have long refrained from the practice. Today, I have a small concern in a U.K. based security research firm. One of the major services that is offered is security penetration testing which is my specialty and allows me the priviledge to work from anywhere.
Basically, this means that for a fee, we can attempt to hack into a company’s network and then present the company with a report detailing the existing security holes and how those holes can be eliminated.
The reason why I am telling you this is because I want to be completely honest and up front. It would probably appear as though there may be a conflict of interest.
Being that I value my integrity, I am going to discuss both sides of the issue even though I would personally benefit from only discussing the positive aspects of hiring consultants.
The positive aspects of hiring security consultants, now that I’ve got that out of the way, its time to get on with my points.
First, I want to refer to the positive aspects of hiring former hackers as security consultants. The most obvious advantage is that they have real world experience. There are some things that you just can’t learn from a book. Books do a good job of explaining basic theoretical techniques. However, I can tell you from firsthand experience that every breach seek is different because every network is different. It’s rare for to be able to use a single technique to gain full access to a network. Often one has to combine multiple techniques or apply techniques in a different way than normal to compensate for various network defenses. Only someone with real world experience can efficiently go from using one technique to another as required by the present situation.
Another positive aspect to hiring data security consultants is that staying up with the latest security exploits and countermeasures is a full time job. In most companies, the IT staff has an acceptable level of security knowledge, but they must focus most of their attention on the day to day responsibilities of keeping the network up and running. A good security consultant focuses almost solely on security and consequently has a level of security knowledge that goes far beyond that of most other IT professionals.
The Negative Aspects of Hiring Hackers
Now that I have brought up some of the positive aspects to hiring data security consultants, I want to take some time to skim the negatives. By far the biggest negative is the question of trust. Think about it for a moment. The main premise of security is deciding who you trust and then locking out everyone else. When you hire a former hacker as a security consultant, you are basically trusting the sanctity of your network to a former potential criminal. If you think about it, that’s a lot like letting someone who was convicted of burglary stay in your home when you aren’t there. If you are concerned with your network’s security, it sounds crazy to trust it to such.
As you think about how much you trust a former hacker, you must also consider the impact that a decision to hire the person will have on your customers and shareholders. What would your customers think if they knew that you were using a former hacker to test the security of a database that contains their credit card numbers.
One other negative aspect to using hackers as security consultants has to do with the way that many security consultants operate in general. I would personally never run my consulting business in this way, but I have been around enough security consultants to know how the game is played.
A security consultant’s job isn’t to secure your network, but rather to make your company completely dependant on them. Security consultants will typically offer you a free evaluation of your network’s security. Once the evaluation is complete, they will show you a report documenting thousands of potential vulnerabilities. They try to make it seem as though it is urgent for you to secure your network. However, they make it clear that your IT staff shouldn’t be trusted to patch the vulnerabilities since they weren’t even aware that the vulnerabilities existed. As a part of the sales pitch, the consultant will discuss some of the more high profile hacks that have been in the media lately. They will compare those hacks to your network. The consultant will probably even tell you how the company that got hacked is teetering on the edge of bankruptcy because they have lost customers and because the hack did so much internal damage.
Once the consultant has convinced you that you have a huge problem, they will offer to fix the problem for a huge fee. Developing the new security policy typically requires dozens of meetings with the IT staff and all of these meetings are billable. Once the new policy has been designed, it will take the consultant weeks to implement it. Again, all of the consultant’s time is billable.
Once the new policy has been implemented, the consultant will probably insist on doing a check up several times a year. The problem is that by now, the consultant probably has their own desk in your office. They know your budget, your spending habits, and what they can say that will make you spend more money. They also know that the new security policy that they have implemented is so complex that no one understands it but them. This means that you are now completely dependant on the consultant for your security needs. If you need to make a change to the security policy, the only way that you will be able to do it is usually by calling the consultant.
I personally believe that hiring former hackers to evaluate your security is worthwhile (if I didn’t believe that I wouldn’t play with a security consultation firm). At the same time, I absolutely believe that if you are going to hire a former hacker (or any security consultant for that matter) then you need to take some steps to prevent yourself from getting ripped off and to prevent your company’s security from being exploited. Here are a few things that you can do to keep from being victimized by a security consultant.
Don’t completely outsource your security needs. Completely outsourcing security will cost your company a fortune and is unlikely to make your network any more secure than if you just had your security evaluated by a consultant a few times a year.
Don’t give a security consultant anything that you don’t have to. For example, never give a security consultant the Administrative password. Remember that you are paying the consultant to look for holes in your network. If major security holes exist, the hacker might be able to get administrative access on their own, but you shouldn’t just hand it to them.
Use a variety of consulting firms, and let the consultants know that you will not be using them exclusively. Different consultants have different skill sets and it is likely that one consultant will catch a security problem that another missed. This doesn’t mean that the consultant who missed the problem is incompetent. It just means that the two consultants have different skill sets. Another reason for using multiple consulting firms is that it prevents you from being put in a position in which your company is completely dependant on a specific firm.
Finally, decide how much protection your network really needs. No computer system is ever completely secure, and your company can spend an astronomical amount of money pursuing total security. To avoid spending too much money on security consultants, set realistic goals of what you want the consultant to do for you.