No room for excessive trust

By on
No room for excessive trust

Would you let a convicted fraudster look after your financial affairs? Leave your wallet in a room with a known former thief? Give matches to an ex-arsonist? Perhaps feel comfortable knowing that an ex-terrorist hijacker just boarded an aeroplane with you?<

If the answer is yes to any of these questions, you might well want to give an ex-hacker the opportunity to get to know your IT network. I think it shows quite a bit of front to advertise yourself as an ex-hacker, using phrases such as "when I was hacking" and "before I was caught." But the point is that when you take on someone like that, you are taking on risk.

In our profession we have a duty of care to employ people who will do the right thing. In our company, we make sure staff are properly vetted and security cleared for good measure. Penetration testers tend to be intelligent people with an intricate knowledge of IT systems, and during a security assessment a degree of trust is imparted to them. In reality, this trust could easily be abused.

These days, the profession is mature enough that there are plenty of well-qualified, talented pentesters with sound ethics. Indeed, there are now excellent training courses available in the subject, some accredited by universities.

One well-known former hacker who spent time in prison was asked why he did it. He said that back in the days when computers were expensive to get hold of, people like him used to find out about network security by examining the live systems of companies, but with the current comparative affordability of computers, it is possible to set up a testing lab on a shoestring budget. Hopefully, he is going to go straight now, but will we ever really know?

I'd never allow an ex-hacker to work for our company on principle alone. Nor should you.

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?