Hacker Scene
The Dark Side of White Hat Hacking: Being "Owned" By White Hat Hackers
By: Anonymous
I've attended a number of security conferences and conventions this year, and as I wandered around
through all of the vendor exhibits, seminars, and training sessions I discovered that a lot of
companies are offering white hat hacking services. Marketing types have further sanitized the term
and now the politically correct offering is referred to as "ethical hacking". While I am all for
people making a buck, doing so by cashing in on the security hype is not necessarily a good thing. I
have seen dozens of incidents of poor frightened middle management folks scrambling to get their
sites "fixed" before the inevitable hack attack after listening to the security gurus at the various
booths and podiums. Of course, the only fixes on offer are the ones sold by those same security
vendors and consulting firms.
I consider myself fortunate that I at least know a little bit about security and can see through
some of the hype. Usually I know what I want technically when looking for security tools, and I just
start zoning out when the marketing drivel starts. But the average Joe/Mary middle manager in the IT
department has no idea what is hype and what is not, and that is where my concern lies.
So I've collected my thoughts and am submitting this article to you, the weary middle manager. As I
am currently involved in heavy contract negotiations with three firms competing with each other
tooth and nail for my employer's business, I submit it anonymously. Maybe my experiences will give
you some insight. And as for you hackers out there, take this to your weary boss and demand a raise
and a promotion.
The "White Hack" Methodology
The biggest purveyors of what I'd call questionable ethical hacking come in the form of large
respected accounting or information services consulting firms. While some firms are better than
others (I've personally dealt with a few that are actually okay), a lot of them are absolute
cash vampires. These hungry firms will usually offer you a vast array of services from penetration
testing to security policy development. Most of these firms have hired up slick hackers who "know
the basics", and can usually gain access to most systems through conventional hacking means. They
usually operate like this:
- You are told that danger is everywhere, and that to properly test your security and see your
limits, you need to have an outside firm hack your system for you. Your regular administrators
cannot possibly do this penetration test, because they "know too much" about the system, or they are
not up on the latest "attack methods".
- The sales pitch for the penetration test will involve pointing out some of the high-profile hacks
that have recently made the papers. The odds are good that the firm's pitch person will hint at
"how" the hacks are done, implying they are "in the know" about the latest hacking techniques.
- You pay for a penetration test. The fee is huge (the bigger firms command six figure fees), and
they totally get into your company's systems. If your site is protected enough to prevent them from
gaining access, then you are probably smart enough to not need an outside firm to confirm your
security posture.
- The report they produce outlines not only how they got in, but illustrates every conceivable hole
in your systems. The report is usually an enormous document with an "Executive Summary" that
is in itself a good 50 pages long. It is also a very scary report. Sometimes on a security scale of
one to five you are lucky if you get a two. Per this report, bad things could happen at any second.
- You are now faced with the "reality" of a system that is riddled with holes. It is implied you
have MASSIVE problems and that your current staff, while competent in basic administrative issues,
cannot handle the wild and wooly world of information security.
- You are told the most important thing you need is a comprehensive security policy. While a
security policy is a good thing to have, it is only a piece of what you need.
- You will be offered either a rewrite of an existing policy or a completely new security policy by
the firm. If they are aggressive they will start the pitch to do this during their executive
briefing after the penetration test. The fee will be another huge amount, and it will be "obvious"
that the only people smart enough to develop your new policy are the ones that did the penetration
test. After all, who knows your systems better? Obviously not your own staff, because the outside
firm's hackers got in.
- It will take weeks of meetings and interviews with your systems people for a policy to be
developed. All this time will be billable.
- The firm will leverage your own people's knowledge with their boilerplate policies to develop your
new security policy.
- If you thought the report on the penetration test was big and complex, wait until you get the new
security policy. No single person could ever implement it. It will be huge - most of it tangled with
a lethal combination of legalese and techno-jargon.
- For a fee, the firm will offer to implement it. This is another huge fee, but who better to
implement it than the people who wrote it? The implementation will take many billable man-hours.
- Once implemented, for it to "work" you need to periodically "re-assess" your posture and perform
checklist audits to ensure compliance. Guess who will offer up these services (for another huge
fee)? By this time you've probably given someone from the firm a permanent desk in your company. To
use the hacker vernacular, you are "owned". The firm by now knows your budgets, your spending
habits, who the decision makers are, who are their allies, and who are their enemies.
Can you see the pattern? A consulting firm's job is not to protect your company, a consulting firm's
job is to make money selling protection from demons, real or imagined. A good consultant doesn't
sell one job, they sell a relationship that involves many jobs.
White Hack System Cleansing
Let's look at the first option: building the expertise in-house. The best place to look for that
expertise is within your own company ranks. Of course you cannot simply make one of the system
administrators the security guy; they probably already have enough to do as it is. No, you need to form
a group within your company
to handle security full time. Start by asking around. Ask who the "security" guy is. Did some
pierced and tattooed computer geek bring this article to your attention? Odds are you probably have
some oddball coder or analyst who is a closet hacker, or who knows one. Find out whom the
system engineers hate. If it is someone who keeps forwarding them "tips" on security from Internet
security mailing lists, particularly if they are re-edited to match your company's environment,
you've found your man/woman.
Once you've found your company hacker, hire their friends. Pay them well. And get a team leader over
them that can rein them in, speak their language, and handle the interfacing with the rest of the
company. If you're worried about hiring hackers, go ahead and perform background checks if you wish,
but realize that hackers are no different from anyone else, and probably have as jaded a background
as any other person in your company.
Some companies won't hire hackers to do computer work, but never perform background checks on the
temps working in the Accounts Payable department. In reality the risk of hiring a bad employee is no
greater when hiring a hacker. In fact, if the hacker's job is to find holes in systems full time,
they will probably be too busy loving every second of their job to do bad things to you, so you may
have less risk than you think.
Okay, assume they don't know everything: send them to some of those training classes and teach your
people how to perform penetration tests. Dozens of companies offer courses including a few of those
large firms. Ask for references and try to speak to administrators who took the classes, not their
bosses. Better yet, ask your hackers where they should go to get training. They will know.
Give your hackers the tools they need. Most of what they need will involve fast computers, and they
should be able to download most of the hacker tools required to do their job for free off of the
Internet. But if they need specific commercial tools, such as scanners, intrusion detection systems,
or firewalls, get them what they need.
This solution of building your own team has several advantages - they are employees, not billable
consultants. They will learn and KNOW your systems inside and out. It will cost less money than
those huge fees.
Asking The Devil To Dance
Okay, so if you do NOT want to go that route, then you may need to handle one of the big firms.
Consider promoting an internal employee or hiring a hacker as a consultant just to keep the big firm
in line. It helps to have a level technical head to be able to see through the hype. While it may
seem like an extra expense, it will at least keep them from billing you for every little thing. You
will not be sold on things you can do yourself.
This is not an article against penetration tests, it is against the way they are conducted and used
as entry points into Accounts Payable records by large money-hungry firms. It is also _not_ a
statement against large fees; some smaller firms can and will expect huge fees too.
Penetration tests are good for waking up upper management, and if conducted by sharp hackers they
can be excellent points of reference. So if you are in the market for some type of outside testing,
here are a few things to keep in mind.
- Do you want to test to find ALL holes, or just the common ones that 99% of the typical access
attempts will involve? Unless told, the big firms will document every conceivable hole, including
the theoretical ones or the ones rarely seen in the wild. If that is what you want, fine. Just get
that information up front.
- Where are your threats coming from? If you perceive the scariest threats from ex-employees or
current disgruntled ones, then you probably do NOT need to go outside your own company for a
penetration test.
- Balance risk assessment and threat. If 90% of your data is only valuable for three days, then does
a sustained four week penetration test make sense? Let's put it another way - if your security can
turn away 100% of bad guys that try for 5 minutes to get in, 95% of bad guys that try for 5 hours,
and 90% of bad guys that try for 5 days, is that good enough? Is that what you want tested? You may
be able to simply run ISS' Internet Scanner to get the testing you need. By the same token, do you
want all of the exotic stuff tested for as well? If you are being charged $300K for someone to run a
commercial scanner against your site you are being ripped off.
- Do you simply want to perform a fire drill? Tell the firm if that is the case. Larger firms may
even turn YOU down at that point.
Always ask to be taught self-sufficiency. If a firm states they have to do it themselves to maintain
control, show them the door. It should be no big deal to have a couple of your employees watch and
learn. No single firm "owns" the skills, and they all are capable of teaching security tricks and
techniques.
There are some firms out there who are quite capable of performing penetration tests, and that is
all they do. Find firms who agree with the philosophy that security engagements are not a lifetime
commitment. These firms do exist, and they are worth tracking down. Consider smaller firms. If you
are worried about hiring a rag-tag bunch of misfits, enlist a lawyer to nail down a contract you
feel comfortable with. Ask for references.
Hopefully you have gained some insight into how a few of these large firms operate, and maybe you
can secure your company a little more cost effectively. Better yet, it gives you the opportunity to
take advantage of a very sophisticated and technologically advanced resource - the wily hacker. Who
better to have on your side?