discussion on the use of white hat hackers within a company
|I've attended a number of security conferences and conventions this year, and as I wandered around through the entire vendor exhibits, seminars, and training sessions I discovered that a lot of companies are offering white hat hacking services. Marketing types have further sanitized the term and now the politically correct offering is referred to as "ethical hacking". While I am all for people making a buck, doing so by cashing in on the security hype is not necessarily a good thing. I have seen dozens of incidents of poor frightened middle management folks scrambling to get their sites "fixed" before the inevitable hack attack after listening to the security gurus at the various booths and podiums. Of course the security vendors and consulting firms own those fixes.
I consider myself fortunate that I know a fair bit about technology security and can see through some of the hype. Usually I know what I want technically when looking for security tools, and I just start zoning out when the marketing drivel starts. But the average Joe/Mary middle manager in the IT department has no idea or clue about what is hype and what is not, and that is where my concern is.
So I've collected my thoughts and am submitting this article to you. Maybe my experiences will give you some insight. And as for you hackers out there, take this to your weary boss and demand a raise and a promotion!
The "White Hack" Methodology
The biggest purveyors of what I'd call questionable ethical hacking come in the form of large respected accounting or information services consulting firms. While some firms are better than others, in fact I've personally dealt with some firms that are actually okay, a lot of them are absolute cash vampires. These hungry firms will usually offer you a vast array of services from penetration testing to security policy development. Most of these firms have hired up slick hackers who "know the basics", and can usually gain access to most systems through conventional hacking means. They usually operate like this:
- You are told that danger is everywhere, and that to properly test your security and see your limits, you need to have an outside firm hack your system for you. Your regular administrators cannot possibly do this penetration test, because they "know too much" about the system, or they are not up on the latest "attack methods".
- The sales pitch for doing the penetration will involve pointing out some of the high profile hacks that have recently made the papers. The odds are good that the firm's pitch person will hint at "how" the hacks are done, implying they are "in the know" about the latest hacking techniques.
- You pay for a penetration test. The fee is huge (the bigger firms command six figure fees), and they totally get into your company's systems. If your site is protected enough to prevent them from gaining access, then you are probably smart enough to not need an outside firm to confirm your security posture.
- The report they produce outlines not only how they got it, but illustrates every conceivable hole in your systems. The report is usually a gigantically huge document with an "Executive Summary" that is in itself a good 50 pages long. It is also a very scary report. Sometimes on a security scale of one to five you are lucky if you get a two. Per this report, bad things could happen at any second.
- You are now faced with the "reality" of a system that is riddled with holes. It is implied you have MASSIVE problems and that your current staff, while competent in basic administrative issues, cannot handle the wild and wooly world of information security.
- You are told the most important thing you need is a comprehensive security policy. While a security policy is a good thing to have, it is only a piece of what you need.
- You will be offered either a rewrite of an existing policy or a completely new security policy by the firm. If they are aggressive they will start the pitch to do this during their executive briefing after the penetration test. The fee will be another huge amount, and it will be "obvious" that the only people smart enough to develop your new policy are the ones that did the penetration test. After all, who knows your systems better? Obviously not your own staff, because the outside firm's hackers broke in.
- It will take weeks of meetings and interviews with your systems people for a policy to be developed. All this time will be billable.
- The firm will leverage your own people's knowledge with their boilerplate policies to develop your new security policy.
- If you thought the report on the penetration test was big and complex, wait until you get the new security policy. No single person could ever implement it. It will be huge - most of it tangled with a lethal combination of legalese and techno-jargon.
- For a fee, the firm will offer to implement it. This is another huge fee, but whom better to implement it than the people who wrote it? The implementation will take many billable man-hours.
- Once implemented, for it to "work" you need to periodically "re-assess" your posture and perform checklist audits to ensure compliance. Guess who will offer up these services (for another huge fee)? By this time you've probably given someone from the firm a permanent desk in your company. To use the hacker vernacular, you are "owned". The firm by now knows your budgets, spending habits, decision makers, their allies, and their enemies.
Can you see the pattern? A consulting firm's job is not to protect your company; a consulting firm's job is to make money, selling protection from demons, real or imagined. A good consultant doesn't sell one job; they sell a relationship that involves many jobs.
White Hack System Cleansing
Let's look at that first option. The best place to look for that expertise is within your own company ranks. Of course you cannot simply make one of the system administrators the security guy, they probably already have enough to do as it is. No, you need to form a group within your company to handle security full time. Start by asking around. Ask who the "security" guy is. Did some pierced and tattooed computer geek bring this article to your attention? Odds are you probably have some oddball coder or analyst who is a closet hacker, or they know who one is. Find out whom the system engineers hate. If it is someone who keeps forwarding them "tips" on security from Internet security mailing lists, particularly if they are re-edited to match your company's environment, you've found your man/woman.
Once you've found your company hacker, hire their friends. Pay them well. And get a team leader over them that can rein them in, speak their language, and handle the interfacing with the rest of the company. If you're worried about hiring hackers, go ahead and perform background checks if you wish, but realize that hackers are no different from anyone else, and probably have as jaded a background as anyone other person in your company.
Some companies won't hire hackers to do computer work, but never perform background checks on the temps working in the Accounts Payable department. In reality the risk of hiring a bad employee is no greater when hiring a hacker. In fact, if the hacker's job is to find holes in systems full time, they will probably be too busy loving every second of their job to do bad things to you, so you may have less risk than you think.
Okay, assume they don't know everything, send then to some of those training classes and teach your people how to perform penetration tests. Dozens of companies offer courses including a few of those large firms. Ask for references and try to speak to administrators who took the classes, not their bosses. Better yet, ask your hackers where they should go to get training. They will know.
Give your hackers the tools they need. Most of what they need will involve fast computers, and they should be able to download most of the hacker tools required to do their job for free off of the Internet. But if they need specific commercial tools, such as scanners, intrusion detection systems, firewalls, get them what they need.
This solution of building your own team has several advantages - they are employees, not billable consultants. They will learn and KNOW your systems inside and out. It will cost less money than those huge fees.
Asking The Devil To Dance
Okay, so if you do NOT want to go that route, then you may need to handle one of the big firms. Consider promoting an internal employee or hiring a hacker as a consultant just to keep the big firm in line. It helps to have a level technical head to be able to see through the hype. While it may seem like an extra expense, it will at least keep them from billing you for every little thing. You will not be sold on things you can do yourself.
This is not an article against penetration tests, it is against the way they are conducted and used as entry points into Accounts Payable records by large money-hungry firms. It is also _not_ a statement against large fees - huge fees can and will be expected from some smaller organizations. Penetration tests are good for waking up upper management, and if conducted by sharp hackers they can be excellent points of reference. So if you are in the market for some type of outside testing, here are a few things to keep in mind:
- Do you want to test to find ALL holes, or just the common ones that 99% of the typical access attempts will involve? Unless told, the big firms will document every conceivable hole, including the theoretical ones or the ones rarely seen in the wild. If that is what you want, fine. Just get that information up front.
- Where are your threats coming from? If you perceive the scariest threats from ex-employees or current disgruntled ones, then you probably do NOT need to go outside your own company for a penetration test.
- Balance risk assessment and threat. If 90% of your data is only valuable for three days, then does a sustained four-week penetration test make sense? Let's put it another way - if your security can turn away 100% of bad guys that try for 5 minutes to get in, 95% of bad guys that try for 5 hours, and 90% of bad guys that try for 5 days, is that good enough? Is that what you want tested? You may be able to simply run ISS' Internet Scanner to get the testing you need. By the same token, do you want all of the exotic stuff tested for as well? If you are being charged $300K for someone to run a commercial scanner against your site you are being ripped off.
- Do you simply want to perform a fire drill? Tell the firm if that is the case. Larger firms may even turn YOU down at that point.
Always ask to be taught self-sufficiency. If a firm states they have to do it themselves to maintain control, show them the door. It should be no big deal to have a couple of your employees watch and learn. No single firm "owns" the skills, and they all are capable of teaching security tricks and techniques.
There are some firms out there who are quite capable of performing penetration tests, and that is all they do. Find firms who agree with the philosophy that security engagements are not a lifetime commitment. These firms do exist, and they are worth tracking down. Consider smaller firms. If you are worried about hiring a rag-tag bunch of misfits, enlist a lawyer to nail down a contract you feel comfortable with. Ask for references.
Hopefully you have gained some insight into how a few of these large firms operate, and maybe you can secure your company a little more cost effectively. Better yet, it gives you the opportunity to take advantage of a very sophisticated and technologically advanced resource - the wily hacker. Who better to have on your side?