
'I Hired a Hacker': A Security Manager's Confession
2001-02-27 00:20

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58018,00.html

[I have to wonder what kind of message this sends: hack a network, get a job. Lately this trend is becoming the norm over the exception. -WK]

By MATHIAS THURMAN
February 26, 2001

The new security department hire must be good because he's already broken into the system.

I'm sitting at my desk, having a cup of coffee and a toasted bagel, when I notice this young, blond, pimply-faced kid standing outside my cube with this smirk on his red, puffy-cheeked face. I ask him what I can do for him, and he hands me a piece of paper with a Web site address written on it. It looks like an address that a customer would use to access the application that we host. I ask what this is all about, and he introduces himself as one of our company's application developers. He explains that he likes to "kinda hack a little bit" on the side and how he "discovered this" while playing around at home.

I take the Web address, type it into my browser, hit Enter, and a list of customer names, addresses, phone numbers and credit card numbers appears on screen. Uh-oh. This information is normally supposed to be accessible only through a series of authentications, but the address bypassed the authentication mechanisms and displayed the data. The kid goes on to explain to me how the application programming interface (API) isn't configured properly and how many other pages can be displayed by bypassing the authentication screens.

I thank him for the information, take a few notes on the details of the authentication API and then begin to interview him. He's just 23 years old and has been playing with Linux since he was 14, started programming at 16 (for fun, he says) and has had part-time and full-time jobs as a Unix and Windows NT administrator and as an application developer for the past six years. He has no college education (but has just enrolled), and security is his hobby. Eureka! I've hit the jackpot.
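The defect the developer found is a classic one: a data page that is reachable by typing its address directly, because authentication was something the login screens did rather than something every request went through. The following is an added example (not the article's application, which is never shown) using a hypothetical in-memory router with constructed sample records and a constructed session token. It shows the vulnerable dispatch pattern beside a deny-by-default dispatcher that resolves the session once, refuses every non-public path without one, and additionally checks that the authenticated customer may see the record being requested.

```python
"""Direct-URL (forced browsing) authentication bypass: vulnerable vs. hardened dispatch.
Added example with a hypothetical in-memory web app; all data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed sample data: fake customers, and one fake session token that
# authenticates customer 1001. A real app would use a session store and a database.
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "A. Example", "phone": "555-0100", "card": "****4242"},
    "1002": {"name": "B. Example", "phone": "555-0101", "card": "****1111"},
}
SESSIONS: Dict[str, str] = {"sess-abc": "1001"}  # session token -> customer id


@dataclass
class Request:
    path: str
    session: Optional[str] = None  # value of the session cookie, if the client sent one


@dataclass
class Response:
    status: int
    body: str = ""


# A handler receives the request and the customer id the router has authenticated (or None).
Handler = Callable[[Request, Optional[str]], Response]


def customer_page(req: Request, user: Optional[str]) -> Response:
    """Renders one customer record. It trusts whatever the router passed as `user`;
    object-level authorisation (only your own record) is enforced only when a user is known."""
    cid = req.path.rsplit("/", 1)[-1]
    if user is not None and cid != user:
        return Response(403, "not your record")
    rec = CUSTOMERS.get(cid)
    return Response(200, repr(rec)) if rec else Response(404, "no such customer")


def login_page(req: Request, user: Optional[str]) -> Response:
    return Response(200, "login form")


ROUTES: Dict[str, Handler] = {"/login": login_page, "/customer/": customer_page}


def route_for(path: str) -> Optional[Handler]:
    """Exact match for plain paths, prefix match for paths registered with a trailing slash."""
    for prefix, handler in ROUTES.items():
        if path == prefix or (prefix.endswith("/") and path.startswith(prefix)):
            return handler
    return None


def vulnerable_dispatch(req: Request) -> Response:
    """The pattern from the article: the login page 'does' authentication, and a handler
    reached by a direct URL is invoked regardless of session state (user is never resolved)."""
    handler = route_for(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, None)


PUBLIC: Set[str] = {"/login"}  # explicit allow-list of paths that need no session


def hardened_dispatch(req: Request) -> Response:
    """Deny by default: resolve the session centrally and refuse any non-public path
    without one, so no handler can be reached by knowing its URL alone."""
    handler = route_for(req.path)
    if handler is None:
        return Response(404, "not found")
    user = SESSIONS.get(req.session) if req.session else None
    if req.path not in PUBLIC and user is None:
        return Response(401, "authentication required")
    return handler(req, user)


if __name__ == "__main__":
    direct = Request("/customer/1002")  # no session cookie at all
    print("vulnerable:", vulnerable_dispatch(direct))   # 200 and the record leaks
    print("hardened:  ", hardened_dispatch(direct))     # 401
    print("own record:", hardened_dispatch(Request("/customer/1001", "sess-abc")))  # 200
    print("other's:   ", hardened_dispatch(Request("/customer/1002", "sess-abc")))  # 403
```

The point of putting the check in the dispatcher rather than in each handler is that a developer who adds a new page cannot forget it: the only way to expose something without a session is to add its path to `PUBLIC`, which is a visible, reviewable change. The second check in `customer_page` matters too; once authentication is enforced, the next question a tester asks is whether customer 1001 can read customer 1002's record by changing the number in the URL.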
A perfect fit for my plan to conquer the world. Even better, the application development project he had been working on was finished, and he had been expressing an interest in security for some time. To make a long story short, I put in a request to have this kid transferred into my group. He's Unix-savvy, bright, articulate and, best of all, he knows our business very well. He's been working as a developer for almost two years and therefore has extremely in-depth knowledge of the application we host and sell to customers.

As many readers probably know, security professionals are extremely difficult to find. In my experience, there are many of what I call "articulate incompetents": those who make great managers but can't do the keystroking if their lives depended on it. They can address a variety of audiences and wow them with security lingo and pontifications on security best practices and the ramifications of weak security. But ask them to install and configure a firewall-to-firewall virtual private network and they don't have a clue. In a large or consulting organization, security professionals of that type will fare well and are often needed. In a start-up environment, however, even the manager needs to get his hands dirty.

What's difficult is finding a mix of well-rounded individuals with good communication skills and some business sense, combined with years of hands-on Unix, Windows NT, programming and, most important, hacking skills. Yes, that's right, hacking skills. I've been involved in many hiring processes, and in my experience hackers make the best employees on a security team. They're dedicated, disciplined, savvy and very technical. Yes, I sometimes have funny feelings about these folks, but as long as they pass a full background check and they have a reputable resume, I'm comfortable. I believe that 98% of the people in this world are genuinely good.
Most hackers, when faced with the opportunity to take advantage of a weakness and exploit it for some fiduciary gain, will shy away. Take a look at most of the "hacked" Web pages out there. The verbiage is that of an adviser: "This Web site hacked by [whomever]," or "Your security sucks. Your original home page is here [link to page]." Yeah, it's embarrassing and makes you feel violated, but most hackers will stop after they've hacked the Web page. Don't get me wrong, I would never hire anyone who I felt was a criminal. I've got a fairly good sense about people, and I haven't made a hiring decision I've regretted. Anyway, that's my 2 cents on today's hackers and why I usually don't have a problem hiring them.

Shopping Spree Begins

I spent the rest of the day on the phone with vendors, placing my initial requests for security software. I decided to go with Atlanta-based Internet Security Systems Inc.'s (ISS) RealSecure intrusion-detection software (IDS). I've used this tool before, and the only problem I had was with bandwidth. When selecting an IDS product, you have to make sure that the tool will continue to be effective at the upper limits of your network bandwidth. In our case, the aggregate bandwidth never exceeds 8M bit/sec., even though we're on a 100M bit/sec. switched architecture. But there comes a point at which an IDS will start dropping packets. Some folks call this "sampling mode." In any case, I don't want my IDS to miss anything, so I'm very picky about performance. I've done a lot of work testing IDS performance in a very controlled environment. And, being a start-up, we can't afford the $10,000-per-month outlay for an outsourced monitoring service. RealSecure is easily configurable out of the box, and the alerts are meaningful enough that, with moderate training, I can leverage our operations center personnel to react appropriately when something goes bump in the night.
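The "sampling mode" remark is worth making concrete, because a dropped packet is not merely a missed packet: a content signature that straddles two packets is missed entirely if either one is discarded. The following is an added toy model, not RealSecure and not anything from the article, with constructed traffic and constructed capacity figures. A sensor inspects at most `capacity` packets per time slice and buffers at most `buffer_size` while waiting; anything arriving beyond that is tail-dropped. A detector then reassembles each flow and looks for a pattern split across two packets, so you can see when a burst above the sensor's rate makes the signature disappear.

```python
"""Why an IDS that drops packets ("sampling mode") misses things: a toy sensor model.
Added example; the sensor, traffic and numbers are all constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[int, str, str]  # (arrival time slice, flow id, payload)


def run_sensor(packets: List[Packet], capacity: int, buffer_size: int) -> Tuple[List[Packet], int]:
    """Simulate a sensor that inspects up to `capacity` packets per slice and holds at most
    `buffer_size` packets waiting. Arrivals that find the buffer full are tail-dropped.
    Returns (packets actually inspected, in order; number of packets dropped)."""
    by_slice: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        by_slice[p[0]].append(p)
    last = max(by_slice) if by_slice else -1
    queue: List[Packet] = []
    inspected: List[Packet] = []
    dropped = 0
    s = 0
    while s <= last or queue:          # keep draining after the last arrival
        arrivals = by_slice.get(s, [])
        room = max(buffer_size - len(queue), 0)
        accepted = arrivals[:room]
        dropped += len(arrivals) - len(accepted)
        queue.extend(accepted)
        inspected.extend(queue[:capacity])
        del queue[:capacity]
        s += 1
    return inspected, dropped


def detect(inspected: List[Packet], pattern: str) -> List[str]:
    """Reassemble each flow's payload in arrival order and report flows containing `pattern`.
    Reassembly is what lets a signature spanning a packet boundary be matched at all."""
    streams: Dict[str, str] = defaultdict(str)
    for _, flow, payload in inspected:
        streams[flow] += payload
    return sorted(flow for flow, data in streams.items() if pattern in data)


PATTERN = "TEST-SIGNATURE"  # constructed stand-in for a content signature


def make_traffic(per_slice: int, slices: int, sig_slice: int, sig_pos: int) -> List[Packet]:
    """Constructed background traffic plus one flow ('flow-x') whose two consecutive
    packets carry the pattern split across the boundary."""
    pkts: List[Packet] = []
    for s in range(slices):
        for i in range(per_slice):
            if s == sig_slice and i == sig_pos:
                pkts.append((s, "flow-x", "GET /page?q=TEST-"))
            elif s == sig_slice and i == sig_pos + 1:
                pkts.append((s, "flow-x", "SIGNATURE HTTP/1.0"))
            else:
                pkts.append((s, f"flow-{s}-{i}", "filler"))
    return pkts


def scenario(per_slice: int, capacity: int, buffer_size: int) -> Tuple[int, bool]:
    """Offer `per_slice` packets per slice for three slices, with the split signature
    placed at the tail of the first slice. Returns (packets dropped, signature seen?)."""
    traffic = make_traffic(per_slice, slices=3, sig_slice=0, sig_pos=per_slice - 2)
    inspected, dropped = run_sensor(traffic, capacity, buffer_size)
    return dropped, "flow-x" in detect(inspected, PATTERN)


if __name__ == "__main__":
    # Light load well under the sensor's rate: nothing dropped, signature found.
    print("8 pkts/slice vs capacity 100:", scenario(8, 100, 200))      # (0, True)
    # Sustained burst at three times the sensor's rate: drops begin, signature lost.
    print("300 pkts/slice vs capacity 100:", scenario(300, 100, 200))  # (500, False)
```

The model is deliberately crude (fixed-size slices, tail drop, no per-flow fairness), but it reproduces the operational point: once offered load exceeds what the sensor can inspect, loss is not evenly spread over "uninteresting" traffic, and whether a given attack is seen becomes a matter of where in the burst it happened to land. That is why the article's author tests at the upper limit of the network's bandwidth rather than at its typical 8M bit/sec.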
In addition to RealSecure, I went ahead and placed an initial request for ISS's Internet Scanner and Database Scanner products. Like RealSecure, I've used them in the past and have been extremely satisfied. I feel that ISS's scanner, in conjunction with some free tools like the Nessus security scanning software and the Nmap port scanner, will be 98% effective in discovering any potential or glaring holes in our infrastructure.

The biggest problem with scanners is the corrective action necessary to fix the discovered vulnerabilities. It's always a challenge to get the system administrators to make changes to live production systems. As a security manager, you have to put on the hard hat and start acting as a threat broker and change agent. I usually like to demonstrate the vulnerability associated with the recommended corrective action. When I can show the hack, folks are more receptive and more willing to implement change.

I also started getting quotes for SecurID tokens from RSA Security Inc. in Bedford, Mass.; Tripwire file integrity checking software from Tripwire Inc. in Portland, Ore.; and the latest commercially supported version of the SSH secure session software from F-Secure Corp. in Espoo, Finland.

Next time, I'll explain in detail my awesome IDS testing experience. It was actually fun for all of us . . . well . . . except the vendor.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".

