An old cliché says that the enemy of my enemy is my friend. The question is, can the longtime enemies of network security suddenly become allies in the fight to keep our networks secure? Some people think so. A number of hackers have turned the tables on their former cronies and are now employed by organizations to identify network vulnerabilities, allowing IT departments to patch holes and persuade upper management to invest in security.
The case for hiring hackers was addressed in a recent article that looked at how CFOs and other executives are becoming increasingly reluctant to spend money on security until their networks have been attacked. The article noted that many companies are now paying hackers to break into their networks and produce a report assessing the network’s vulnerability.
Your responses to the article indicate that despite a little hesitancy, most of you believe that hiring hackers is a good way to test security and reveal network vulnerabilities.
Hiring hackers works
One of the biggest challenges facing IT pros is making nontechnical executives understand the need for increasing security spending and the consequences of reducing spending or dismissing the issue.
Member Jim Huggy said that when he had trouble convincing his superiors that spending money on security measures was necessary, he hired hackers to break into the company network and report on the vulnerabilities. Once the company’s vulnerability was confirmed by the hackers’ success in breaking in, company officials became convinced of the dangers facing their network.
“The report was well received by the executives, and the dollars were spent,” Huggy said.
Member ahedler compared the hiring of hackers to an inspection before buying insurance.
“[With] many types of insurance, an inspection is required before a policy can be issued.”
Ahedler also pointed out that company officials would not consider doing business without physical security measures such as locks and alarm systems, so network security should be given the same level of attention.
It takes a thief
Why turn to hackers to uncover vulnerabilities? Sometimes it takes a thief to catch a thief. As Gary Anderson pointed out, a system designer is perhaps not the best person to test the system he or she has designed because, “He tests for success, not failure.” It is difficult to see how to break into something from the outside when you have only ever looked at it from the inside, and a designer or builder brings the perspective of creation, not destruction. It stands to reason that people who spend their time breaking into systems are often better judges of what good security looks like in practice.
Huggy agreed that hiring someone from the outside is a prudent way to audit security, comparing it to audits by accounting firms.
“Does your company use auditors … to review their books? What’s the difference in hiring an outside company or person to test [the] security of [your] systems?”
No matter how knowledgeable a security professional or administrator is, another security guru is always going to have a different perspective on issues in the field. Also, there are always new tricks and techniques in the hacker community that have not yet filtered down to security pros. Thus, perspectives from “white-hat” hackers and other security pros can lend valuable insights.
Reader rock.stefano agreed that it’s wise to take advantage of others’ knowledge, no matter where it comes from. “You can’t possibly know everything about security. I’ve been doing it for 10 years, and I’m still learning. Yes, even kids from college can educate me, and there’s nothing wrong with that.”
At some point, you’ll likely have to turn to outside sources to help you improve the security of your networks, and looking to the people who work at breaking in might be the most logical answer.
The practice may have risks
However, not everyone is sold on the idea of hiring hackers. Many members raised legitimate concerns about the dangers this practice could pose and the security risks it entails.
For example, rcartright suggested that using hackers could open a company up to attack. Whether a security company of hackers is reputable or not, rcartright said that you don’t really know how much you can trust that company or its employees. They might not report some important security holes when they submit their audit, enabling them to break into your network later.
Rcartright also raised the issue of disgruntled employees. If a hacker who audited your network left the security company you hired, he or she could potentially use detailed information about your network to attack your company and make their old company look bad.
If you need to test your security measures, who can you trust to do it without opening yourself up to the risk of attack? It is obviously better to place your trust in a reputable security auditing company than to simply hire an independent hacker or two, and the usual safeguards for any outside audit still apply: written authorization, an agreed scope and rules of engagement, a nondisclosure agreement, and a clear statement of how the findings will be delivered and who may keep copies. But even though these are valid concerns, most readers felt that the knowledge gained outweighed the risks of trusting hackers to audit company security measures.
Risks and solutions
When it comes to how companies conduct business and maintain communication, the Internet is no longer the wave of the future; it is the here and now. That makes network security a primary concern. As the frequency and severity of network attacks increase, companies will likely become more open to turning to white-hat hackers to help bolster their defenses.
When security company @stake began operating, it turned heads by making it known that it employed hackers to help test company networks. Its continued success suggests that the feedback of TechRepublic members on the issue reflects a broader willingness among companies to take calculated risks to secure their data.