CHICAGO -- There is no easy method to determine if a company's network or system is secure. Some companies hire "white hat" hackers to penetrate their systems, but security experts warn IT directors to think twice about it.
Some companies are lured by the attraction of having crackers pull out all their tricks against a system to see if security holds up. Yet, can a company trust that any information gleaned from the work would be protected? Also, how can you verify that the white hat has the necessary hacking skills?
For starters, anyone with hacking skills probably won't riddle off the systems they have broken into, said Jeff Posluns, security expert and founder of SecuritySage Consulting, who has done penetration tests for companies.
Posluns divides crackers into three classes. "Black hats" use their skills purely for their benefit. By contrast, "white hats" employ their skills to help organizations defend themselves better. Then there are "gray hats," those in the middle who use their skills to push technology with no regard for the ethics of revealing information.
Companies have a couple of avenues to consider when using someone with hacking skills to run penetration tests on their systems. Hiring a company or consultant to come in for the tests is one option. Then a company can hire someone with the skills to do the tests as an employee.
The latter approach has some disadvantages. For example, what if that employee is fired or laid off? What is to keep that person from using the knowledge they gained to harm the company?
"We actually hired onto our staff a person to hack away," said Neil Jackson, who works for a major online brokerage firm. "The experience is that we don't know what to do with the guy. If we let him go, he'll kill us. If we keep him, what other credible function can he do?"
Companies can contract someone to do penetration tests. Again, one should carefully evaluate the company or consultant who would do the work, Posluns said. Credentials, references and an explanation of their skills are very important. One should also ask what methods of penetrating testing will they be doing.
Another issue to consider is whether the "white hat" will know the footprint of your systems. Such knowledge can prevent potential downtime and allow for the testing to be targeted. For example, will the hired hacker be responsible if their activity causes a system to crash? This will need to be discussed before hand.
On the flipside, companies may not trust the hired hacker to share such sensitive information about systems. Plus a blind test is similar to what a malicious hacker would see.
Many organizations circumvent such questions by doing their own penetration tests. To be effective, one must keep up on the latest techniques. "We continually try to learn new methods and how to guard against those methods of attack," said Martin Bourque, Unix systems administrator for the information technology center at Montana State University.
The university conducts its own penetration test, subscribes to various list serves, explores hacker Web sites and conducts forensic analysis of any incidents. It doesn't see the need to hire people with hacking skills to do such work. "A university is usually more apt to produce hackers as a product of academia rather than hire them," Bourque said.