There is an interesting article on the NetworkWorld web site by M. E. Kabay dealing with the recommendation of hiring “hackers” to help better secure your networked environment. For a moment, let’s just ignore that the term “hacker” is ill-defined and that there are all sorts of other words and phrases meant to clarify the issue, like “Black Hat,” “White Hat,” “Gray Hat,” “Cracker,” “Ethical Hacker,” etc. For this blog let’s just agree that a “hacker” is somebody who is not an employee of yours and who can break into computer resources.
On the one side is the idea that hiring hackers is a good thing because, even though they may have done bad things in the past, they actually know how to “do it.” That is, break into resources on a network. The theory is that too many security professionals have been ordained as security experts just because they work in a security IT job function and/or they have attained some number of technology-oriented certifications. The argument is that having the job title and certification doesn’t make you actually good at hacking.
On the other side is the idea that hiring hackers is a bad thing because they can’t be trusted: the reason they are called hackers is that they have done bad things without permission, e.g., broken into systems they don’t own.
The primary authors on either side of the argument are professional and credible enough to see valid points on both sides. Unfortunately, all of that dialogue doesn’t change what I believe is the most important point – a point raised by one of the people who posted a response: restraint.
While it may be true that not every security IT professional has the skills or expertise of a successful hacker – and let’s not forget that most hackers are actually not that successful, and the vast majority of them [aka “script kiddies”] copy the successes of the few truly original and creative ones – one of the behavioral characteristics that most security professionals do have is that they feel constrained to do things in a certain professional and organized way to ensure the stability of their environment: that is, they have restraint over what they do. Most hackers have no restraint in what they do: they feel comfortable doing anything, at any time, to achieve a goal no matter what consequences it has on the environment.
It can be argued that one needs to have exactly that kind of destructive freedom to replicate what a hacker might do. I agree, and the way to achieve that is to have a protected and segregated environment (e.g., a QA environment) where your trusted professionals can try anything they want, not to hire hackers who may steal or corrupt sensitive information, leave systems less secure than when they found them, or infect tested systems with Trojan horse or denial-of-service software that will be used at a later time – when they are doing their hacking for yet another victim.
Hire a hacker? Please don’t!
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.