The pros and cons of hiring hackers

The pros
Having very strict security restrictions in place is the reason Paul Raines had problems when he was trying to hire a consulting firm to hack his organization. Raines, vice president of electronic security at the Federal Reserve Bank of New York, has rules about such penetration tests. Rule one: During any such test, Federal Reserve IT workers sit in. Just to make sure. The consultants balked. "They wouldn't allow someone to look over their shoulder," Raines says. Result? "Even though they passed all the background checks, we said no."
Raines says it's a risk to hire hackers to do penetration tests--but you can minimize those risks by taking some simple, pragmatic steps, and the expertise may prove invaluable. In particular, true hackers are likely to be experts in the ways of "social engineering," convincing employees to do foolish things that compromise security. It's well understood that people are the weak link in corporate security. Skilled social engineers can convince workers to divulge their passwords to a complete stranger over the telephone; boldly walk through cubicles, posing as a new support guy while reading dozens of such passwords that are carelessly written on sticky notes; and engage in a little "Dumpster diving," searching trash for sensitive data. These are the everyday lapses that compromise security, and an experienced hacker is most likely to understand them. Moreover, while the basic skills required to safeguard networks can be taught to any solid IT pro, there's a certain curiosity--an insatiable need to know what's behind a locked door, a fascination with puzzles, an ego that won't rest until it tops the other guy--that hackers and former hackers have in spades. And hackers are likely to have valuable breadth in their experience; they tend to possess at least a nodding familiarity with multiple operating systems, network design, protocols, and encryption tools. Hiring managers will understand how rare such diverse knowledge is.

The cons

"Anybody who hires a hacker is an idiot," says Ira Winkler, never one to mince words. Winkler is founder and president of the Internet Security Advisers' Group, a Severna Park, Md.-based consulting and management business. He wrote Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It. "When you hire a hacker," Winkler says, "what are you hiring? Of the people claiming to be hackers, maybe one-tenth of 1% are really skilled. The rest are script kiddies." Why such fibbing?
First, there's the romanticized image of the fearless, against-the-grain hacker popularized by the media (call this the "War Games" factor). "It's the mystique of the hacker," Winkler says. "All you need is body piercings and a bad haircut, and people think of you as a genius." Second, security is a hot, lucrative field. So any script kiddie who ever cracked a site may be tempted to embellish his deeds in order to land a job. And there's a reason they're called script kiddies. Experts stress that most of today's hacks are made possible not by razor-sharp technical skills, but rather by poorly protected networks that are vulnerable to rote, mechanistic attacks. "What do teenagers have that others don't?" Winkler points out. "Time on their hands."