Although the practice has been going on for quite some time, the subject of whether or not you should hire reformed hackers as security consultants has been receiving a lot of press lately. This seems to be a very touchy issue, and there are strong opinions on both sides. Being that this issue has been generating so much heat, I wanted to take the opportunity to discuss both sides of the issue.
Before I Begin
Before I get started, I want to get a few things out of the way up front. First of all, every time that I write any type of article on hacking, I always get at least a few E-mails from readers describing my misuse of the word "hacker". In actuality, the term hacker refers to someone who likes to tinker with hardware or software in an effort to enhance its capabilities. The media and popular culture have twisted the word's meaning into someone who breaks into computer systems. For the purposes of this article, I will use the word hacker to refer to someone who breaks into computer systems.
Another thing that I want to get out of the way is a little confession. I myself am a grey hat hacker. For a period of time in the late 1980s and early 1990s, I was involved in numerous illegal hacks. I was an angry teenager at the time, and it just seemed like the thing to do. Around 1992 however, I came to my senses and decided to go legitimate. I have refrained from illegal hacking ever since. Today, I am the half owner of a security research firm. One of the services that this company offers is security penetration testing. Basically, this means that for a fee, we can attempt to hack into a company's network and then present the company with a report detailing the existing security holes and how those holes can be eliminated.
The reason why I am telling you this is because I want to be completely honest and up front with my readers. If you were to read this article and then found out later on that I own a security consulting firm, it would probably appear as though I have a conflict of interest. Being that I value my journalistic integrity, I am going to discuss both sides of the issue even though I would personally benefit from only discussing the positive aspects of hiring grey hat hackers as consultants.
The Positive Aspects of Hiring Grey Hat Hackers
OK, now that I've got that out of the way, it's time to get on with my discussion. First, I want to talk about the positive aspects of hiring former hackers as security consultants. The most obvious advantage to hiring former hackers is that they have real-world hacking experience. There are some things that you just can't learn from a book. Books do a good job of explaining basic hacking techniques. However, I can tell you from firsthand experience that every hack is different because every network is different. It's rare for a hacker to be able to use a single technique to gain full access to a network. Often hackers have to combine multiple techniques or apply techniques in a different way than normal to compensate for various network defenses. Only someone with plenty of real-world hacking experience can efficiently go from using one technique to another as required by the present situation.
Another positive aspect to hiring reformed hackers as security consultants is that staying up with the latest security exploits and countermeasures is a full-time job. In most companies, the IT staff has an acceptable level of security knowledge, but they must focus most of their attention on the day-to-day responsibilities of keeping the network up and running. A good security consultant focuses almost solely on security and consequently has a level of security knowledge that goes far beyond that of most other IT professionals.
The Negative Aspects of Hiring Grey Hat Hackers
Now that I have discussed some of the positive aspects to hiring former hackers as security consultants, I want to take some time and discuss the negatives. By far the biggest negative is the question of trust. Think about it for a moment. The main premise of security is deciding who you trust and then locking out everyone else. When you hire a former hacker as a security consultant, you are basically trusting the sanctity of your network to a former criminal. If you think about it, that's a lot like letting someone who was convicted of burglary stay in your home when you aren't there. If you are concerned with your network's security, it sounds crazy to trust it to a criminal.
As you think about how much you trust a former hacker, you must also consider the impact that a decision to hire the person will have on your customers and shareholders. What would your customers think if they knew that you were using a former criminal to test the security of a database that contains their credit card numbers?
One other negative aspect to using hackers as security consultants has to do with the way that many security consultants operate in general. I would personally never run my consulting business in this way, but I have been around enough security consultants to know how the game is played.
A security consultant's job isn't to secure your network, but rather to make your company completely dependent on them. Security consultants will typically offer you a free evaluation of your network's security. Once the evaluation is complete, they will show you a report documenting thousands of potential vulnerabilities. They try to make it seem as though it is urgent for you to secure your network. However, they make it clear that your IT staff shouldn't be trusted to patch the vulnerabilities since they weren't even aware that the vulnerabilities existed. As a part of the sales pitch, the consultant will discuss some of the more high-profile hacks that have been in the media lately. They will compare those hacks to your network. The consultant will probably even tell you how the company that got hacked is teetering on the edge of bankruptcy because it has lost customers and because the hack did so much internal damage.
Once the consultant has convinced you that you have a huge problem, they will offer to fix the problem for a huge fee. Developing the new security policy typically requires dozens of meetings with the IT staff and all of these meetings are billable. Once the new policy has been designed, it will take the consultant weeks to implement it. Again, all of the consultant's time is billable.
Once the new policy has been implemented, the consultant will probably insist on doing a check-up several times a year. The problem is that by now, the consultant probably has their own desk in your office. They know your budget, your spending habits, and what they can say that will make you spend more money. They also know that the new security policy that they have implemented is so complex that no one understands it but them. This means that you are now completely dependent on the consultant for your security needs. If you need to make a change to the security policy, usually the only way that you will be able to do it is by calling the consultant.
I personally believe that hiring former hackers to evaluate your security is worthwhile (if I didn't believe that, I wouldn't own a security consulting firm). At the same time though, I absolutely believe that if you are going to hire a former hacker (or any security consultant, for that matter) then you need to take some steps to prevent yourself from getting ripped off and to prevent your company's security from being exploited. Here are a few things that you can do to keep from being victimized by a security consultant.
Don't completely outsource your security needs. Completely outsourcing security will cost your company a fortune and is unlikely to make your network any more secure than if you just had your security evaluated by a consultant a few times a year.
Don't give a security consultant anything that you don't have to. For example, never give a security consultant the administrator password. Remember that you are paying the consultant to look for holes in your network. If major security holes exist, the hacker might be able to get administrative access on their own, but you shouldn't just hand it to them.
Use a variety of consulting firms, and let the consultants know that you will not be using them exclusively. Different consultants have different skill sets, and it is likely that one consultant will catch a security problem that another missed. This doesn't mean that the consultant who missed the problem is incompetent. It just means that the two consultants have different skill sets. Another reason for using multiple consulting firms is that it prevents you from being put in a position in which your company is completely dependent on a specific firm.
Finally, decide how much protection your network really needs. No computer system is ever completely secure, and your company can spend an astronomical amount of money pursuing total security. To avoid spending too much money on security consultants, set realistic goals of what you want the consultant to do for you.