|The pros and cons of hiring hackers
Having very strict security restrictions in place is the reason Paul Raines had problems when he was trying to hire a consulting firm to hack his organization. Raines, vice president of electronic security at the Federal Reserve Bank of New York, has rules about such penetration tests. Rule one: During any such test, Federal Reserve IT workers sit in. Just to make sure. The consultants balked. "They wouldn't allow someone to look over their shoulder," Raines says. Result? "Even though they passed all the background checks, we said no."Raines says it's a risk to hire hackers to do penetration tests--but you can minimize those risks by taking some simple, pragmatic steps, and the expertise may prove invaluable. In particular, true hackers are likely to be experts in the ways of "social engineering," convincing employees to do foolish things that compromise security. It's well understood that people are the weak link in corporate security. Skilled social engineers can convince workers to divulge their passwords to a complete stranger over the telephone; boldly walk through cubicles, posing as a new support guy while reading dozens of such passwords that are carelessly written on sticky notes; and engage in a little "Dumpster diving," searching trash for sensitive data. These are the everyday lapses that compromise security, and an experienced hacker is most likely to understand them. Moreover, while the basic skills required to safeguard networks can be taught to any solid IT pro, there's a certain curiosity--an insatiable need to know what's behind a locked door, a fascination with puzzles, an ego that won't rest until it tops the other guy--that hackers and former hackers have in spades. And hackers are likely to have valuable breadth in their experience; they tend to possess at least a nodding familiarity with multiple operating systems, network design, protocols, and encryption tools. Hiring managers will understand how rare such diverse knowledge is. The cons "Anybody who hires a hacker is an idiot," says Ira Winkler, never one to mince words. Winkler is founder and president of the Internet Security Advisers' Group, a Severna Park, Md.-based consulting and management business. He wrote Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It. "When you hire a hacker," Winkler says, "What are you hiring? Of the people claiming to be hackers, maybe one-tenth of 1% are really skilled. The rest are script kiddies." Why such fibbing? First, there's the romanticized image of the fearless, against-the-grain hacker popularized by the media (call this the "War Games" factor). "It's the mystique of the hacker," Winkler says. "All you need is body piercings and a bad haircut, and people think of you as a genius." Second, security is a hot, lucrative field. So any script kiddy who ever cracked a site may be tempted to embellish his deeds in order to land a job. And there's a reason they're called script kiddies. Experts stress that most of today's hacks are made possible not by razor-sharp technical skills, but rather by poorly protected networks that are vulnerable to rote, mechanistic attacks. "What do teenagers have that others don't?" Winkler points out. "Time on their hands."