Hiring a hacker to assess the security risk of an organisation is something that fewer than 64% of ISOs are willing to consider. That's hardly surprising when the risks are analysed alongside the statistics: viruses and hackers cost businesses worldwide somewhere in the region of $US1.5 trillion. That said, organisations that are unwilling to hire a hacker face one growing problem: hiring a hacker is not always a conscious decision.
So let's begin by setting the scene. The term 'hacker' is, by definition, slang. Adopted feverishly by the media after the release of the movie War Games in the early 1980s, it refers to those who invade, destroy, steal or modify data or programs on someone else's computer. Hackers gain access to computer systems or networks that they are otherwise unauthorised to access. These malicious hackers may be skilled (elite) or unskilled (script kiddies) and have many different motivations.
The skilled elite number a handful; they are able and willing to analyse arbitrary software, systems or technologies to find flaws that may be exploited to gain access to those systems or data, or to destroy them. These are the inventors within the hacking scene, and they have been responsible for tools to access others' systems (be they web, database or other servers) and to conceal their tracks, and for tools to break cryptographic systems such as passwords, Pay TV, DVD encryption, wireless network security, telephony... the list goes on and includes almost all of the elements underlying modern telecommunications and computer systems. These flaws are increasingly being integrated with worm and virus technologies to devastating effect.
The unskilled, the script kiddies, typically 'point and shoot' with the tools produced by the elite. Whether malicious or not, this army of the semi-knowledgeable is responsible for countless incursions into data systems, web-site defacements and system outages.
A hacker's motivations lead to further categorisations, which may apply to the skilled or the unskilled: 'hacktivists' with political, moral or anarchistic drives, cyber terrorists, organised crime groups, those involved in corporate and industrial espionage and even government intelligence agencies. Whilst the flaws may have been discovered and the tools produced out of curiosity, the results of that work are frequently used nefariously, both by the original authors and by others with malicious intent.
Determining the actual cost to business from hacking is difficult, as interpretations of data and definitions vary enormously. However, from the number of surveys conducted, many now believe that the actual cost (worldwide) lies around $US1.5 trillion.
Although the published figures range vastly, the message from all of them is universal: hacking is on the rise and so too is its impact. Regrettably, this increase is unlikely to go away as more and more people gain access to the Internet. With a wealth of information instantly available, users have become technologically savvy and are immediately presented with feasible opportunities to acquire money, power and fame instantaneously. Predictably, for some the temptation proves too much to resist and they begin hacking. Added to this is the fact that organisations are getting better at monitoring their systems for attacks, and consequently are getting better at noticing problems.
Establishing how many users turn to hacking is, again, not easy. According to Dr Peter Tippett, chief technologist at security specialist Trusecure, there are about 1,000,000 'script kiddies' and the elite hacker community numbers around 11,000. Still, many crimes go undetected; a commonly held view in the information security community is that only about 1/10th of all the crimes committed against, and using, corporate computer systems go undetected. And even if they are detected, they may not be reported. In fact, surveys indicate that only about 10% are, as organisations fear that the potential for negative publicity is too great to warrant the risk of diminished business.
Unfortunately, the situation is likely to remain the same, as currently there are no incentives for organisations to report an incident, although both the US and UK governments are trying to encourage more to participate. Exasperated by this, however, some organisations have now decided to take the matter into their own hands. In November 2003, Microsoft created a $5 million fund to provide rewards for information leading to the arrest of those responsible for the viruses and worms that are causing it damage to reputation and revenues. Working with the FBI, the U.S. Secret Service and Interpol, it has offered a bounty of $250,000 to help capture the perpetrators of the SoBig virus and the Blaster worm.
The Solution: Hacker Reformation
Although the situation still appears bleak and very reactionary, there is potentially encouraging news: many hackers do actually reform. Some go on to start their own businesses or are now employed by information security consultancies that provide ethical hacking services, the term used for work that highlights vulnerabilities in an organisation's systems so that preventative action can be taken.
Great, but the question that begs to be asked is: can these reformed hackers now be trusted to act ethically? Well, the answer is possibly, simply because for the majority of hackers that have been caught, their change of heart usually derives from the realisation that they can now enjoy many of the same benefits they enjoyed as hackers, namely fame, power and financial reward, but this time legally. A reformed hacker himself, Lex Luthor, founder of the hacking group Legion of Doom, now believes that older hackers have adopted this philosophy out of necessity, for "the risks of exploring and learning about telephone and computer networks in a less than legitimate fashion outweigh the benefits."
This may certainly be true of convicted German hacker Kim Schmitz. Schmitz, the man who once hacked his way into a German bank to give Chancellor Kohl a negative bank balance, has NASA and the Pentagon amongst his clients. On release from prison, he was swamped with offers of consultancy work from German companies desperate to protect their IT security systems against outside attack. Within a week, Schmitz was labelled "poacher turned gamekeeper" and was advising Lufthansa on security. He later recruited a team of hardcore hackers and set up his own data protection firm, Dataprotect.
But Schmitz is not alone; the US in particular has seen dozens of start-up security consultancies founded by hackers. For example, members of L0pht Heavy Industries, a renowned group of Boston-area hackers, merged with the consultancy @stake; Chris Wysopal (adopted handle "Weld Pond") remains their VP of research and development. Kevin Mitnick (adopted handle "The Condor"), one of the world's most infamous hackers and computer felons, spent five years in prison yet went on to join the Advisory Board of ClearBit Systems and co-founded Defensive Thinking. Then there's Mathew Bevan (adopted handle "Kuji") who, although he avoided conviction, followed suit by joining Tiger Computer Security and was recently chosen by Nintendo and TV channel E4 to head up their viral marketing campaigns. Marc Maiffret, who founded eEye Digital Security, is another, and the list goes on.
Remarkably for many, especially here in the UK, these consultancies have been extremely successful despite their hacking backgrounds. In a recent cybercrime survey conducted by Articon-Integralis, which polled the senior directors of 800 FTSE companies, 64% said that they would not employ a former hacker as a consultant at their company.
The main reason for this reaction may be the recent changes in the UK's Terrorism Act 2000: with cybercrime incorporated, hackers are now treated as terrorists. Could it also be that UK organisations are less trusting that long-term reformation has actually taken place? Or is it simply that we don't need to take the risk, as the majority of UK consultancies can vouch that they have not dabbled in the dark art?
Who knows? But one thing is certain: the UK is most definitely less tolerant of those who have spent former years hacking. UK organisations not only want assurance that their systems will be protected but, increasingly, the assurance that those who are assessing them are trustworthy. In fact, the DTI revealed this two years ago in its Information Security Breaches Survey when it cited integrity as a major influencing factor when choosing a security supplier. Interestingly, schemes such as CLAS and CHECK, run by CESG (the UK Government's arm for Information Assurance), are increasingly becoming mandatory requirements for many organisations commissioning ethical hacking services.
The IT Health CHECK scheme offers training in ethical or 'white-hat' hacking, the terms usually used to describe the services that highlight vulnerabilities in an organisation's systems. Through penetration testing and vulnerability assessments, suppliers of ethical hacking services are able to differentiate themselves from the 'black-hat' hackers, as they alert their clients in order to prevent potential damage. CHECK is unusual: its admissions policy is restricted to UK nationals, and all entrants have to be security cleared in preparation for performing IT Health Checks for the UK government. As a result, by conducting thorough investigations into an applicant's past, it ensures that only the most upright citizens are admitted into the scheme. CLAS, a partnership linking the unique Information Assurance knowledge of CESG with the expertise and resources of the private sector, is similar in its admissions policy.
Yet, while both schemes have obvious merits for those hiring, there is one fatal flaw: those that have never been caught hacking can and do get through. It's hardly surprising really when some of the hacker profiles are re-examined. Remember the 'script kiddies' and those that integrate seamlessly into society without suspicion, and consider how many security consultants performing ethical hacking services were at some time, or still are, a part of the hacker community.
The Differences in Approach: Using Hackers
Although many security consultancies have strict policies against hiring former lawbreakers, they acknowledge the fine line between the law-abiding and the so-called 'curious' security specialist. As a result, finding a security supplier without a few 'curious' types on the payroll is becoming difficult as many are either prepared to turn a blind eye or are controversially liberal in their attitude.
One such company is the £11.4bn computer services firm Computer Sciences Corp. (CSC). Bill Pepper is their UK Director of Security Risk Management and recruits IT employees at universities. He is happy to openly publicise his view, "If they haven't done any hacking, they haven't done a decent IT course."
He adds, "Anecdotes indicate that they try to get into exam marking systems and then some say, 'let's see what I could do in the wider world'." But Pepper considers that these are usually the actions of the curious rather than the destructive.
Yet harnessing the skills of hackers is a challenge and can be extremely risky. Some will argue that breakdown services and the police may use the skills of former thieves to break into cars for stranded motorists, yet they are never given free rein to do so unsupervised.
Others may cite the old Dutch proverb "it takes a thief to catch a thief", or in this case, "a hacker to catch a hacker". However, the old adage actually means that, in order to trace the steps of a thief and find the clues and evidence needed to catch and convict one, an individual needs to be able to think like a thief. The more they know about the tools and tricks used by thieves, and exactly how they work, the better they will be at catching a thief. Indeed, it's easier to teach someone with ethics to think like a thief than to have a thief act ethically!
Internationally based security consultancy Corsaire believes that suppliers of ethical hacking services play a dangerous game in recruiting those with unethical pasts and that the emerging acceptance of this is irresponsible. Glyn Geoghegan, Principal Consultant at Corsaire, comments, "What really matters to clients is that when you're analysing a company for its dirty and dangerous secrets, that information will remain undisclosed. Hacking is a temptation and a vice to some; with a hacker (or ex-hacker) on board, client confidentiality and integrity would always be in question."
Peter Sommer, a research fellow at the London School of Economics, who specialises in computer crime, emphasises the need for caution when addressing security issues such as hiring hackers. He says, "It is not simply a question of ethics but more a case of being prudent and sensible about what it is you're trying to do."
Geoghegan agrees, "If you want quick access to underground techniques and potentially unreleased exploit code, then there is a possible win, but there's a high risk associated. If they have access to such information then they may be engaged in illegal activities and playing the information trading game. Placing them in front of client data would be a very foolish thing to do."
He continues, "If they truly are 'ex' hackers then you may gain access to an innate level of knowledge or ability, or legacy code and techniques. But 99% of the hacking population just use the same information we have access to, plus a little more from their own group. Furthermore, although hacking is intellectually challenging and for some can lead to the odd accidental foray or curiosity driven incident, for the most part, the skills required for our job are not the skills required for a hacker. You must understand how to violate security, but you must also be able to provide real solutions and mitigations to those risks."
To conclude, the niche for security suppliers that provide 'real' hackers is an odd one, and unreliable. Hackers are only looking for one way in; security consultants are trying to find them all, and to provide solutions. Even if hackers do find a way in, it's rare that they have the knowledge of the system architecture and its configuration needed to recommend a solution to the problem. Security consultants, on the other hand, have much broader knowledge. They understand the multiple layers of security and how to integrate them effectively into an organisation's business to mitigate risk. So rather than dabbling in a game of Russian roulette, the best advice would appear to be to take the stance that hackers are not employed, for as Geoghegan puts it, "people pay us to reduce their risk, not to add to it".
When it comes to using ex-hackers, it appears there will always be a grey area in which exceptions will be made. If the person is skilled, reliable and provably trustworthy, then some impropriety in the past will probably be overlooked, but that will usually be assessed on an individual basis. As for the policy on using ex-hackers, most would agree it should always be an internal one, for broadcasting that information, "the unspoken dirty little secret", would almost certainly guarantee commercial suicide.
Jane Frankland is Commercial Director, Corsaire