TUCoPS :: Cyber Culture :: dark_s1.htm

The Dark Side of White Hat Hacking: Being "Owned" by White Hat Hackers
Hacker Scene

                  The Dark Side of White Hat Hacking: Being "Owned" By White Hat Hackers
                                                     
                                                     
                                              By: Anonymous
                                                     
    I've attended a number of security conferences and conventions this year, and as I wandered around
      through all of the vendor exhibits, seminars, and training sessions I discovered that a lot of
    companies are offering white hat hacking services. Marketing types have further sanitized the term
     and now the politically correct offering is referred to as "ethical hacking". While I am all for
   people making a buck, doing so by cashing in on the security hype is not necessarily a good thing. I
     have seen dozens of incidents of poor frightened middle management folks scrambling to get their
   sites "fixed" before the inevitable hack attack after listening to the security gurus at the various
     booths and podiums. Of course those fixes are only owned by the security vendors and consulting
                                                  firms.
                                                     
     I consider myself fortunate that I at least know a little bit about security and can see through
   some of the hype. Usually I know what I want technically when looking for security tools, and I just
   start zoning out when the marketing drivel starts. But the average Joe/Mary middle manager in the IT
   department has no idea or clue about what is hype and what is not, and that is where my concern is.
                                                     
   So I've collected my thoughts and am submitting this article to you, the weary middle manager. As I
     am currently involved in heavy contract negotiations with three firms competing with each other
    tooth and nail for my employer's business, I submit it anonymously. Maybe my experiences will give
   you some insight. And as for you hackers out there, take this to your weary boss and demand a raise
                                             and a promotion.
                                                     
                                       The "White Hack" Methodology
                                                     
      The biggest purveyors of what I'd call questionable ethical hacking come in the form of large
     respected accounting or information services consulting firms. While some firms are better than
   others, in fact I've personally dealt with some firms are actually okay, a lot of them are absolute
    cash vampires. These hungry firms will usually offer you a vast array of services from penetration
    testing to security policy development. Most of these firms have hired up slick hackers who "know
    the basics", and can usually gain access to most systems through conventional hacking means. They
                                        usually operate like this:
                                                     
      - You are told that danger is everywhere, and that to properly test your security and see your
      limits, you need to have an outside firm hack your system for you. Your regular administrators
   cannot possibly do this penetration test, because they "know too much" about the system, or they are
                                  not up on the latest "attack methods".
   - The sales pitch for doing the penetration will involve pointing out some of the high profile hacks
     that have recently made the papers. The odds are good that the firm's pitch person will hint at
      "how" the hacks are done, implying they are "in the know" about the latest hacking techniques.
    - You pay for a penetration test. The fee is huge (the bigger firms command six figure fees), and
   they totally get into your company's systems. If your site is protected enough to prevent them from
      gaining access, then you are probably smart enough to not need an outside firm to confirm your
                                            security posture.
   - The report they produce outlines not only how they got it, but illustrates every conceivable hole
   in your systems. The report is usually a gigantically huge document with an "Executive Summary" that
   is in itself a good 50 pages long. It is also a very scary report. Sometimes on a security scale of
   one to five you are lucky if you get a two. Per this report, bad things could happen at any second.
     - You are now faced with the "reality" of a system that is riddled with holes. It is implied you
    have MASSIVE problems and that your current staff, while competent in basic administrative issues,
                     cannot handle the wild and wooly world of information security.
       - You are told the most important thing you need is a comprehensive security policy. While a
              security policy is a good thing to have, it is only a piece of what you need.
   - You will be offered either a rewrite of an existing policy or a completely new security policy by
       the firm. If they are aggressive they will start the pitch to do this during their executive
    briefing after the penetration test. The fee will be another huge amount, and it will be "obvious"
    that the only people smart enough to develop your new policy are the ones that did the penetration
    test. After all, who knows your systems better? Obviously not your own staff, because the outside
                                          firm's hackers got in.
       - It will take weeks of meetings and interviews with your systems people for a policy to be
                                developed. All this time will be billable.
   - The firm will leverage your own people's knowledge with their boilerplate policies to develop your
                                           new security policy.
   - If you thought the report on the penetration test was big and complex, wait until you get the new
   security policy. No single person could ever implement it. It will be huge - most of it tangled with
                           a lethal combination of legalese and techno-jargon.
      - For a fee, the firm will offer to implement it. This is another huge fee, but who better to
     implement it than the people who wrote it? The implementation will take many billable manhours.
    - Once implemented, for it to "work" you need to periodically "re-assess" your posture and perform
     checklist audits to ensure compliance. Guess who will offer up these services (for another huge
   fee)? By this time you've probably given someone from the firm a permanent desk in your company. To
      use the hacker vernacular, you are "owned". The firm by now knows your budgets, your spending
          habits, who the decision makers are, who are their allies, and who are their enemies.
                                                     
   Can you see the pattern? A consulting firm's job is not to protect your company, a consulting firm's
     job is to make money selling protection from demons, real or imagined. A good consultant doesn't
                     sell one job, they sell a relationship that involves many jobs.
                                                     
                                       White Hack System Cleansing
                                                     
      Let's look at that first option. The best place to look for that expertise is within your own
    company ranks. Of course you cannot simply make one of the system administrators the security guy,
    they probably already have enough to do as it is. No, you need to form a group within your company
      to handle security full time. Start by asking around. Ask who the "security" guy is. Did some
    pierced and tatooed computer geek bring this article to your attention? Odds are you probably have
    some oddball coder or analyst who is a closest hacker, or they know who one is. Find out whom the
    system engineers hate. If it is someone who keeps forwarding them "tips" on security from Internet
     security mailing lists, particularly if they are re-edited to match your company's environment,
                                       you've found your man/woman.
                                                     
   Once you've found your company hacker, hire their friends. Pay them well. And get a team leader over
    them that can rein them in, speak their language, and handle the interfacing with the rest of the
   company. If you're worried about hiring hackers, go ahead and perform background checks if you wish,
   but realize that hackers are no different from anyone else, and probably have as jaded a background
                                 as anyone other person in your company.
                                                     
    Some companies won't hire hackers to do computer work, but never perform background checks on the
   temps working in the Accounts Payable department. In reality the risk of hiring a bad employee is no
    greater when hiring a hacker. In fact, if the hacker's job is to find holes in systems full time,
   they will probably be too busy loving every second of their job to do bad things to you, so you may
                                      have less risk than you think.
                                                     
   Okay, assume they don't know everything, send then to some of those training classes and teach your
   people how to perform penetration tests. Dozens of companies offer courses including a few of those
    large firms. Ask for references and try to speak to administrators who took the classes, not their
        bosses. Better yet, ask your hackers where they should go to get training. They will know.
                                                     
   Give your hackers the tools they need. Most of what they need will involve fast computers, and they
     should be able to download most of the hacker tools required to do their job for free off of the
   Internet. But if they need specific commercial tools, such as scanners, intrusion detection systems,
                                   firewalls, get them what they need.
                                                     
    This solution of building your own team has several advantages - they are employees, not billable
     consultants. They will learn and KNOW your systems inside and out. It will cost less money than
                                             those huge fees.
                                                     
                                        Asking The Devil To Dance
                                                     
     Okay, so if you do NOT want to go that route, then you may need to handle one of the big firms.
   Consider promoting an internal employee or hiring a hacker as a consultant just to keep the big firm
    in line. It helps to have a level technical head to be able to see through the hype. While it may
   seem like an extra expense, it will at least keep them from billing you for every little thing. You
                             will not be sold on things you can do yourself.
                                                     
   This is not an article against penetration tests, it is against the way they are conducted and used
      as entry points into Accounts Payable records by large money-hungry firms. It is also _not_ a
    statement against large fees - huge fees can and will be expected from some smaller organizations.
    Penetration tests are good for waking up upper management, and if conducted by sharp hackers they
   can be excellent points of reference. So if you are in the market for some type of outside testing,
                                  here are a few things to keep in mind.
                                                     
     - Do you want to test to find ALL holes, or just the common ones that 99% of the typical access
    attempts will involve? Unless told, the big firms will document every conceivable hole, including
    the theoretical ones or the ones rarely seen in the wild. If that is what you want, fine. Just get
                                        that information up front.
     - Where are your threats coming from? If you perceive the scariest threats from ex-employees or
       current disgruntled ones, then you probably do NOT need to go outside your own company for a
                                            penetration test.
   - Balance risk assessment and threat. If 90% of your data is only valuable for three days, then does
    a sustained four week penetration test make sense? Let's put it another way - if your security can
    turn away 100% of bad guys that try for 5 minutes to get in, 95% of bad guys that try for 5 hours,
   and 90% of bad guys that try for 5 days, is that good enough? Is that what you want tested? You may
    be able to simply run ISS' Internet Scanner to get the testing you need. By the same token, do you
   want all of the exotic stuff tested for as well? If you are being charged $300K for someone to run a
                      commercial scanner against your site you are being ripped off.
    - Do you simply want to perform a fire drill? Tell the firm if that is the case. Larger firms may
                                    even turn YOU down at that point.
                                                     
   Always ask to be taught self-sufficiency. If a firm states they have to do it themselves to maintain
    control, show them the door. It should be no big deal to have a couple of your employees watch and
    learn. No single firm "owns" the skills, and they all are capable of teaching security tricks and
                                               techniques.
                                                     
    There are some firms out there who are quite capable of performing penetration tests, and that is
    all they do. Find firms who agree with the philosophy that security engagements are not a lifetime
    commitment. These firms do exist, and they are worth tracking down. Consider smaller firms. If you
     are worried about hiring a rag-tag bunch of misfits, enlist a lawyer to nail down a contract you
                                feel comfortable with. Ask for references.
                                                     
    Hopefully you have gained some insight into how a few of these large firms operate, and maybe you
   can secure your company a little more cost effectively. Better yet, it gives you the opportunity to
   take advantage of a very sophisticated and technologically advanced resource - the wily hacker. Who
                                       better to have on your side?
                                                     

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH