Deb Shinder looks at the practice of hiring former hackers to work as security professionals. When is it a good idea? Is it ever? Here are the risks.
Hack into the Department of Defense, go to prison, come out and get a high-paid job as a security analyst. For a while there, it seemed this was a hot career path for geeky, rebellious teenagers who might have viewed spending four years sitting in college classrooms as not that different from being behind bars, anyway. From the point of view of the ex-con kids, it was a dream come true: they got paid - often very well - to do what they were doing anyway, for free, and didn't have to worry that the FBI would come knocking at the door (or bust it down) late some night.
From the point of view of the companies doing the hiring, who better to do penetration testing than people whose skill levels have been proven in a court of law? It seems to make sense, but the trend appears to have leveled off as many organizations have tightened their general hiring criteria in a less robust economy. However, even if your HR department isn't bringing them on staff, a close look at the employees (and owners/founders!) of that security consulting firm you're contracting with might reveal a few folks whose backgrounds include more than a few illegal activities. What are the arguments for and against allowing such people access to your network, and what are the ramifications if it goes wrong?
The obvious argument for hiring reformed black hat hackers to provide advice on network security is that, when it comes to the network intrusion game, they have real world experience in playing offense. The typical IT pro only knows about playing defense. There is a very big difference in mindset between being someone whose primary training is in protecting the network and someone who has learned, usually mostly through trial and error, all the little "tricks of the trade" for breaking into networks. A good hacker really loves the challenge and spends many, many hours perfecting his craft.
There's also the possibility that you can get the hacker to work cheap - or at least, at a lower salary than the computer science Ph.D. who's paying off $100K in student loans - and who doesn't have a felony conviction on his/her record. It's not just the lack of conventional credentials that can lower the ex-hacker's compensation expectations, though. Finding vulnerabilities in networks and systems is something that those with hacking in the blood would happily do for no compensation at all.
Even if the hacker you're considering hiring as an employee or contractor is completely reformed, having a criminal onboard may not sit well with your clients. If your company has or hopes to bid on government contracts that require a security clearance, having a known hacker associated with the company could count against you.
Then there's the question of whether the hacker really is completely reformed. Maybe he's sworn off cracking DoD passwords and writing viruses, but will he be tempted to dip into your company's confidential files and take a look around, just because he can? Can you trust him not to illegally download copy protected music and movies or install warez on computers on your network in his spare time? If he gets bored, might he decide to peruse the personnel files just for fun, or whip up a "harmless" little practical joke script to turn everyone's desktop wallpaper into a graphic of the blue screen of death?
It all comes down to a question of trust. Giving a person access to your network - especially the kind of access that's required to analyze your security - is akin to giving someone access to your bank accounts. It's a position that carries a great deal of responsibility. Would you hire a former embezzler to oversee your money? Probably not, because that person has been shown to misuse that type of access in the past.
Those in favor of hiring hackers (and the hackers hoping to be hired) will argue that "it takes one to catch one." However, you don't see law enforcement agencies hiring former murderers to help them catch violent criminals or former burglars to help thwart other breakers-and-enterers. Oh, they might make use of those people as confidential informants but they would never put them into positions of trust where they would have the opportunity to commit the same crimes again.
What if your hacker hasn't reformed at all, but has merely learned to play the game in a more sophisticated way? Social engineering is the art of manipulating people, rather than or in addition to code, to gain entry into a network or system. I've always found it interesting when supposedly reformed hackers, who themselves go around preaching the dangers of social engineering, are then hired by companies in spite of the fact that they're basically telling you that what they're doing now could easily be another big social engineering ploy. Posing as a reformed hacker/consultant is a great way to gain access to networks - much better than pretending to be a phone company employee or someone from "headquarters" that you're not. Not only do you get a legitimate pass to get into the network, you also get a paycheck from your target for doing it.
The possible ramifications of having a covert hacker on the "inside" of your network range from serious to devastating. He could use your network to launch a botnet attack. He could send out malware from your location. He could even access files with your company's confidential financial data or trade secrets and sell the information to one of your competitors.
If you're in a regulated industry such as healthcare or financial services, such an insider security breach could put you in a precarious position. It would be difficult to argue that you practiced due diligence to protect your data if you knowingly and voluntarily put it in the hands of a known hacker.
You also need to consider whether the self-proclaimed hacker really has the level of skill he claims to have. After all, if he's been convicted, that means he got caught - and if he were really good, wouldn't he have been able to cover his tracks? Perhaps he's just a "script kiddie" who ripped off hacks constructed by others and used them clumsily. On the other hand, if he hasn't ever been arrested or convicted, what proof do you have that he's really a hacker at all? Maybe he's only a wannabe who talks the talk but doesn't have the programming chops to walk the walk.
The bottom line is that someone who would illegally access someone else's network may not have a strong sense of right and wrong and/or might have a problem with authority. If he had no compunction about breaking the law, why would you think he would be willing to abide by your company's policies and the rules and boundaries that you lay down for him as an employee or consultant?
It's also important to remember that "birds of a feather flock together." Hackers tend to be friends with other hackers. They learn from each other, and it's also a culture in which members get a lot of gratification out of impressing each other. Even if "your" hacker doesn't attempt to harm your network or its assets, can you be sure that he won't inadvertently let slip information about it when bragging to his hacker friends, information that they might use to get in and wreak havoc?
Remember: All hackers are not created equal
In last month's Cybercrime column, Profiling and Categorizing Cybercriminals, I discussed how different cybercriminals have different motivations for committing criminal acts. If you're considering hiring a former hacker, it's a good idea to delve deeply into his background and record and try to discern exactly what category he fits into. That can give you a clue into how much of a risk you would be taking on by hiring him.
A former teenage hacker who stumbled into a federally protected network with no real intent to do harm might very well have been "scared straight" by getting caught. (On the other hand, he may also have been embittered by his experience behind bars, and he might have had his criminal tendencies reinforced in an environment where "being bad" is not looked down on but is rewarded with admiration). A more mature white collar criminal who was deliberately moving money into his own account from another or committing corporate espionage as a "hacker for hire" is likely to have a more deeply ingrained criminal mindset and attitude that's not so easily changed.
There is always some element of risk in hiring a person to do a job you don't know how to do yourself, because it makes it easy for that person to put one over on you. There is a greater risk in hiring someone who has committed illegal acts in the past - but some hackers are more of a risk than others.
Protecting your company from your own "hired gun"
If you do make the decision to hire a former hacker, take steps to protect your company from the possible consequences:
- Do a thorough background check. Don't assume that what the hacker tells you is true. Believe it or not, some people will claim to be criminals when they really aren't, if they think it will get them a high paying job that makes them look "cool" to their friends.
- Have the hacker sign an employment contract (or independent contractor agreement) that very explicitly sets boundaries and prohibits any access not specifically authorized, prohibits any use or sharing with others of information gathered in penetration testing or other parts of the job, and specifies the penalties for violation.
- Consider having the hacker covered by an employee dishonesty/fidelity bond, or if the hacker is a contractor, require that he provide proof of insurance that will reimburse you if he steals from you, defrauds you or otherwise deliberately causes a loss to your business.
- Don't give the hacker access to any more than he needs to do the job for which you've hired him. Never give him administrative passwords. If he can obtain those credentials on his own, you know you have a security problem, but you should not provide him with them.
- If the hacker leaves or when his contract work is over, change passwords (even if you think he didn't have them) and make sure strong intrusion detection/prevention controls are in place.
- Monitor network access while and after the hacker works for you and be on the lookout for any suspicious activity. Remember that the hacker may use some other user's account, not necessarily one that you've given him for his own use.
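As an added example (not part of the column), here is a small Python audit over constructed login records that implements the last two steps above: it flags the contractor's account being used after the engagement ended (credentials not disabled or rotated) and any other user's account being used from the contractor's assigned workstation. The log format, the account names and the host address are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines in a simplified sshd-style format (not real data).
# "pentester" is the contractor's account; 10.0.5.20 is the workstation assigned to him.
SAMPLE_LOG = """\
2024-03-01T09:12:44 sshd: Accepted password for pentester from 10.0.5.20
2024-03-01T11:40:02 sshd: Accepted password for pentester from 10.0.5.20
2024-03-02T14:05:31 sshd: Accepted password for alice from 10.0.5.20
2024-03-02T15:22:10 sshd: Accepted password for alice from 10.0.7.14
2024-03-10T02:17:55 sshd: Accepted password for pentester from 10.0.5.20
2024-03-11T23:48:09 sshd: Accepted publickey for bob from 10.0.5.20
"""

# Matches only successful logins; everything else is ignored by the audit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def audit_contractor_logins(log_text, contractor_user, contractor_host, contract_end):
    """Return a list of (rule, line) findings for one contractor engagement.

    stale-account  : the contractor's account logged in after contract_end,
                     so its credentials were not disabled or rotated.
    shared-account : a different account logged in from the contractor's
                     assigned host, i.e. someone else's credentials in use there.
    """
    end = datetime.fromisoformat(contract_end)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        if user == contractor_user and ts > end:
            findings.append(("stale-account", line))
        if src == contractor_host and user != contractor_user:
            findings.append(("shared-account", line))
    return findings


if __name__ == "__main__":
    # Engagement ended 2024-03-05; anything after that on the contractor account is a finding.
    for rule, line in audit_contractor_logins(SAMPLE_LOG, "pentester", "10.0.5.20", "2024-03-05T00:00:00"):
        print(f"[{rule}] {line}")
```

Run against real systems this would read the authentication log (or an identity provider's sign-in export) rather than the embedded sample, and the source address would be the contractor's assigned host or VPN assignment.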
The practical reasons aside, those who set the tone for a company must examine whether hiring a hacker fits in with their own codes of ethics. Do you want to encourage the practice of profiting from one's criminal background?
On a final note, I've used the masculine pronoun throughout this column, not only because I hate the grammatically incorrect use of "they" and "them" as a singular, but also because the vast majority of black hat hackers - and especially convicted ones - are male.