The Washington Times - Tuesday, August 8, 2006

In a world that relies increasingly upon the integrity of computer networks, the power of a hacker is growing exponentially. Because of the Internet’s growth, many companies are buying into the idea that it takes a hacker to stop a hacker. In short, companies are hiring ethical “white hat” hackers to find system vulnerabilities before their criminal counterparts can exploit them.

“What a lot of our customers pay us to do is essentially hack. They want us to find the holes,” said Mark Curphey, the vice president of Foundstone Professional Services Inc., a Mission Viejo, Calif.-based division of security giant McAfee Inc. “Since the dawn of the dot-com era, security became a huge issue for people.”

With information such as Social Security numbers, credit-card numbers and bank records making the move online, Mr. Curphey added, ethical hacking has thrived.

“We’re seeing a lag between the skill sets,” Mr. Curphey explained. “If we look back to the year 2000, nine times out of 10 we were able to successfully break into our clients’ servers. They’ve understood to secure their networks, [but] today we’re able to break into about nine out of 10 Web sites.”

“Virtually every major corporation has that sort of testing done these days,” he said. “It’s certainly the norm in corporate America.”

Indeed, Mr. Curphey added, it’s a business so lucrative that it is being outsourced abroad.

Adding to the trend’s popularity — besides rates running up to and above $350 an hour — is Scotland’s University of Abertay Dundee, which announced in June its new three-year degree course in ethical hacking and countermeasures.

For trainees in the Washington area, four-day courses are offered by the InfoSec Institute in Laurel and five-day courses are offered by the District-based New Horizons Computer Learning Center. Furthermore, online courses are available throughout the year from InfoSec.

Gus Fritschie, the director of security assessments and engineering at SeNet International in Fairfax, described ethical hacking as a reaction to the cyber-crime that has become more pervasive.

“A lot of times, especially in management, they view security as something of an afterthought,” he said.

Drawing on his experiences after three years at SeNet, Mr. Fritschie briefly described the process of ethical hacking: “We’re going to go in, run a large amount of scans … to figure out all the vulnerabilities that a server might have.”

He mentioned two different approaches to white-hat hacking: penetration testing and vulnerability assessments. Penetration testing, he said, is “where you see hacking skills” applied to individual holes in the system.

Still, it is far from all-encompassing: “It won’t identify all the potential vulnerabilities that a company might have,” Mr. Fritschie said. “There might be five different vulnerabilities that a hacker might exploit … a vulnerability assessment is needed to assess all the possible vulnerabilities.”

These assessments, he explained, are done by automated programs, which can yield false positives. “That’s where white-hat hackers come in,” he said. “It takes a lot of real-world practice … to interpret the results correctly and to manually attempt these exploits.”

The testing, Mr. Fritschie explained, is either external or internal.

“External tests are performed from the Internet, without access to a client’s network,” he said. “It gives you a true picture of what a hacker from outside the organization could do.”

“Internally, you have a greater level of access, like that of an inside user,” he added, saying his team spends most of their time with internal tests. “Seventy to 80 percent of all computer intrusion comes from inside users. They could be disgruntled; they could have a lot more time on their hands; they could just be curious.”

Some of the weapons in a white-hat hacker’s arsenal include war-dialing, which locates forgotten or unauthorized dial-up modems, reviews of firewalls and routers, assessments of Web applications and even “social engineering,” testing the company’s vulnerability to real-world insertions before a cyberspace invasion.

“You try to see how much information can be gained. You call up the help desk, pretending to be an employee, trying to see if you can get their password,” explained Mr. Fritschie. “You try to get physical access into the building … you sometimes have to use disguises — dress up as a janitor.”

However, these questionable techniques are far from revealing any sort of criminal predisposition. Both Mr. Curphey and Mr. Fritschie stressed the role of background checks in both of their respective organizations’ hiring. “We ensure everyone has a perfectly clean record,” Mr. Curphey added. “They need to eat, sleep and breathe security. These are the people you want on your side against the bad guys.”

“A lot of times the media uses the term ‘hacking’ in a bad way, and it can be if you train the wrong people … [who] can do a lot of bad stuff with the things you teach them,” added Mr. Fritschie. “It counts a lot about the people you hire … [and] we go through a great pain to make sure we perform a background investigation.”

With rules such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Act, entities ranging from Fortune 500 firms to government organizations are being held liable to protect their servers’ integrity, allowing ethical hacking to grow even further.

“It’s a widely held considered best practice that a third party perform this kind of work at least once a year,” said Mr. Fritschie. “I’ve seen it in certain cases done on a quarterly basis.”

“There’s a lot of automated tools that are out there that are marketed to help people find these problems,” Mr. Curphey added. “But you can’t automate everything. The human brain is still the best tool for anyone to work with.”
