InformationWeek: The Business Value of Technology
InformationWeek.com October 23, 2000

Vulnerabilities Beckon Some With A License To Hack

continued...page 2 of 3

More on hacking:

  • sidebar: Hacking For Dollars

  • VARBusiness: Cybercops to the rescue (10/16/00)

  • TechWeb: Is security in the cards? (10/13/00)

  • InternetWeek: Security made simple (10/2/00)

    Rob Clyde, VP of security management for Internet security company Axent Technologies Inc., which is being acquired by Symantec Corp., doesn't think hiring reformed hackers is a good idea. "Hiring someone to hack the corporate network isn't a decision to be taken lightly," he says.

    Clyde recalls a client, a large government agency, that hired a hacker to research potential vulnerabilities within the agency's network. As expected, in a short period of time the consultant did his job and found a large number of vulnerabilities. Only this "consultant" wasn't interested in sealing the agency's network holes so much as he was interested in collecting a steady paycheck. "Unfortunately for the agency, he only reported one or two vulnerabilities a week, stringing the agency along, and increasing his fees," Clyde recalls.

    It gets worse, Clyde says. "He also posted his vulnerability findings on a number of well-known hacker sites, so all of the bad guys knew how to break into the agency, but the agency itself remained unaware of the risks," he says. The agency didn't become aware of the situation until one of its security administrators recognized one of the postings. "Their policy, after that experience, became not to hire reformed hackers," Clyde says.

    While there's debate within the security industry regarding the risks of hiring reformed hackers, few may have thought of the legal ramifications. Intellectual property attorney David Daggett with the firm Preston Gates & Ellis says there are things to consider.

    If a company hires a consultant who performs a vulnerability assessment, and "anything goes wrong, such as they get access to confidential information, or they share information they learn during the assessment, it's very likely the company will have additional legal problems if they've hired someone with a record," says Daggett. The same may hold true for anyone who has access to records that should have been kept confidential. "If it were to come out that this guy was convicted in the past, and there were commercially feasible ways for the employer to find out about the criminal record, it would be difficult for the company not to be held liable," says Daggett.

    Many companies have decided not to employ reformed hackers as consultants. Tom Bartolomeo, VP of the information security division for First Union Corp. in Charlotte, N.C., is one executive who's not willing to take unnecessary chances. When First Union went looking for a security firm to perform its security posture assessment, it chose the WheelGroup Corp., which is now part of Cisco's security services.

    "Almost all of their people are from government, and have information-warfare experience," Bartolomeo says. "I think that's important. It's critical that reputable people are doing this kind of work for you."

    Bartolomeo says Cisco's security posture assessments have become critical to First Union's security program. "It's really an eye-opening process, especially the first time you bring them in. They come in and give you an objective view of where you stand in your information-security program."

    First Union contracts with Cisco to conduct security posture assessments about every six months. Bartolomeo says the semiannual reports are key in keeping First Union secure. "It helps us keep tabs on where we are with security and where we are moving."

    Bartolomeo likens his twice-yearly assessments to a doctor's visit. Just as a doctor helps patients monitor physical health, heart rate, and blood pressure, the reports help companies understand the health of their security programs, he says. "Is what I'm doing improving the security of my organization from a network perspective? Security is a constant process of assess, monitor, and test. Improve again. Then assess, monitor, and test."

    Assessments also help First Union stay secure as it works to integrate the networks from the banks and brokerages the company acquires. "Every time we have an acquisition, they're bound to have different security postures than ours. Whenever you connect two networks, whoever has the lowest security denominator sets the overall security standard." Penetration-testing the acquired systems before the networks are connected lets First Union verify that they meet its security standards rather than inherit the weaker posture.
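    The "lowest security denominator" rule Bartolomeo describes above can be turned into a pre-interconnect gate. The following is an added illustration, not code from the article, from First Union, or from Cisco's assessment practice: it models the joint posture of two networks as the weaker level of each control, parses a constructed scan of the acquired network's edge hosts, and refuses the interconnect while any control falls below the acquiring side's baseline or any forbidden service is exposed. The control names, maturity levels, allowed-service list and scan lines are all hypothetical sample data.

```python
"""Pre-interconnect posture gate.

Added illustration of the rule "whoever has the lowest security denominator
sets the overall security standard": before an acquired network is connected,
compare its posture against our own baseline and block the interconnect until
the acquired side meets every control and exposes no forbidden service.
Everything below (controls, levels, baselines, scan output) is constructed.
"""
from dataclasses import dataclass, field

# Hypothetical ordinal maturity scale per control; higher is stronger.
LEVELS = {"none": 0, "partial": 1, "enforced": 2, "audited": 3}

# Constructed baseline for the acquiring side.
OUR_BASELINE = {
    "patching": "enforced",
    "mfa_remote_access": "enforced",
    "logging": "audited",
    "firewall_default_deny": "enforced",
}

# Constructed list of inbound services an interconnected network may expose.
ALLOWED_SERVICES = {"https", "ssh", "smtp"}


@dataclass
class GateResult:
    effective_posture: dict
    control_gaps: list = field(default_factory=list)
    forbidden_exposures: list = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return not self.control_gaps and not self.forbidden_exposures


def effective_posture(ours: dict, theirs: dict) -> dict:
    """Joint posture after interconnect: per control, the weaker of the two.
    A control the acquired side does not report at all counts as 'none'."""
    joint = {}
    for control, our_level in ours.items():
        their_level = theirs.get(control, "none")
        joint[control] = min(our_level, their_level, key=LEVELS.__getitem__)
    return joint


def parse_scan(lines):
    """Parse constructed scan lines of the form 'host port/proto state service'.
    Returns (host, port, proto, service) for open ports; malformed lines are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        host, portproto, state, service = parts
        if state != "open" or "/" not in portproto:
            continue
        port_s, proto = portproto.split("/", 1)
        if not port_s.isdigit():
            continue
        findings.append((host, int(port_s), proto, service))
    return findings


def gate_interconnect(ours, theirs, scan_lines, allowed=ALLOWED_SERVICES) -> GateResult:
    """Decide whether the acquired network may be connected to ours."""
    result = GateResult(effective_posture=effective_posture(ours, theirs))
    for control, level in result.effective_posture.items():
        if LEVELS[level] < LEVELS[ours[control]]:
            result.control_gaps.append(
                f"{control}: acquired side is '{theirs.get(control, 'none')}', "
                f"baseline requires '{ours[control]}'")
    for host, port, proto, service in parse_scan(scan_lines):
        if service not in allowed:
            result.forbidden_exposures.append(f"{host}:{port}/{proto} ({service})")
    return result


# Constructed: what the acquired bank's own assessment reported.
ACQUIRED_POSTURE = {
    "patching": "partial",
    "mfa_remote_access": "none",
    "logging": "audited",
    "firewall_default_deny": "enforced",
}

# Constructed scan of the acquired network's edge hosts (one junk line included).
ACQUIRED_SCAN = """\
# constructed scan output
10.20.0.5 443/tcp open https
10.20.0.5 22/tcp open ssh
10.20.0.9 23/tcp open telnet
10.20.0.9 135/tcp closed msrpc
10.20.0.12 1433/tcp open mssql
garbage line here
""".splitlines()

if __name__ == "__main__":
    r = gate_interconnect(OUR_BASELINE, ACQUIRED_POSTURE, ACQUIRED_SCAN)
    print("effective joint posture:", r.effective_posture)
    for g in r.control_gaps:
        print("control gap:", g)
    for e in r.forbidden_exposures:
        print("forbidden exposure:", e)
    print("APPROVED" if r.approved else "BLOCKED: remediate before connecting")
```

    The gate reports the joint posture as well as the individual gaps so that the remediation list handed to the acquired side is the same list that will later clear the interconnect; running the check again after remediation with an identical baseline and a clean scan returns an approved result.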

    Lance Haden, manager of CiscoSecure's Consulting Services group, says many customers call hoping to verify problems they know exist. "Almost always we find they have security problems they haven't considered or would have never even looked at," he says.


    Photo of Tom Bartolomeo by Jerry Wolford
