According to Shane MacDougall, there are pros and cons to hiring a hacker. MacDougall is a partner at Canadian security consultancy Tactical Intelligence, a hacker at the DEFCON Hacking Conference, and last year's winner of Social-Engineer.org's The Schmooze Strikes Back hacking contest.
More Insights
Webcasts
- 5 Ways Decision Management Leads to Greater Customer Value
- Does America's Next "Road to Prosperity" lie in Rural Sourcing?
White Papers
More >>Reports
More >>"Every IT department needs to hire an ethical hacker," says MacDougall. But his advice comes with a warning: "You really do need to check the background on who these people are, who they've been hanging with, and who their crews are." MacDougall offers these tips for hiring a hacker that's right for your IT shop:
Ensure a good fit. No two hackers' skill sets are exactly the same. For this reason, MacDougall recommends that you carefully consider why you need to hire someone in the first place.
For example, if your company is focused on programming, MacDougall says, "Somebody who has a lot of background in breaking applications is a desired skill." On the other hand, a network operations center might look for a network ninja who is handy with lots of network sniffing tools. Finally, if your company needs a systems administrator, a hacker who has broken into systems and who knows how to find the holes within various servers and where vulnerabilities exist might be the best bet. "They're all very unique jobs and they all take very unique skill sets," says MacDougall.
[ Read more about the government's use of malware for security purposes. See Was U.S. Government's Stuxnet Brag A Mistake? ]
Be prepared to embrace open source. Most hackers are open source enthusiasts--a plus for companies who need to stretch IT resources. "It's advantageous to have someone who is familiar with open source tools because they're a lot easier to deploy in a lot of organizations, and it can make a company a lot more agile in terms of software development and network administration," says MacDougall.
Still, for hackers to put their open source skills to good use, MacDougall says, "It's critical that senior management has bought into open source or that you have a visionary CTO or CIO who says open source is the way we want to go." Without this leap of faith on the part of an IT leader, according to MacDougall, a hacker's open source prowess will simply go to waste.
Limit time spent underground. One of the most impressive things a hacker can bring to the table is access to an elite--and often underground--network of IT whiz kids. But while this brain trust can prove useful, MacDougall warns, "If the hacker is involved in the underground scene and frequents a lot of forums and IRC chats, you still need to be very cautious. You can get a lot of blowback."
For example, MacDougall points to the hacker who spends hours plumbing forums for tidbits on "zero-day" attacks. "I have to seriously question the value of spending all that time underground," he says. Rather, simply paying for services that track traffic and monitor data logs frees up a hacker for more important tasks.
Revel in the D.I.Y. spirit. Years spent breaking down systems and cracking passwords teach hackers a thing or two about being resourceful. This is just the type of scrappiness that cost-conscious IT shops will appreciate. After all, says MacDougall, "A lot of freeware and open source programs can let small IT teams do a lot on a fairly small budget."
Test for authenticity. Checking references isn't always an option when it comes to hiring a hacker. "It's a judgement call," warns MacDougall. "You have to tread very carefully, especially if that someone professes to be a hacker--a good hacker is never going to tell you that they're a hacker. How many bank robbers introduce themselves as a bank robber?" Instead, MacDougall advises using online hacker challenges to test a prospect's breaking and cracking skills.
Black Hat USA Las Vegas, the premiere conference on information security, features four days of deep technical training followed by two days of presentations from speakers discussing their latest research around a broad range of security topics. At Caesars Palace in Las Vegas, July 21-26. Register today.
