Some highly respected organizations are starting to help fill the security certification void.
One major reason for the popularity of ex-hackers as network watchdogs is this: How else can a person demonstrate security skills? You can't exactly invite job candidates to an interview and ask them to attack somebody's network while you observe. In other areas, certifications play a key role in establishing bona fides. But security has lagged. "This industry has a long way to go before certifications really help a lot," says Richard Moxley of Blackbird Technologies.
But now some highly respected organizations are trying to fill this void by offering certifications.
ICSA.net (www.icsa.net), based in Reston, Va., recently began offering two certifications for IT professionals: the ICSA.net Certified Network Security Administrator (ICNSA) and the ICSA.net Certified Network Security Engineer (ICNSE). The names are a mouthful, but ICSA.net, with an outstanding reputation in the security field, is well positioned to impose standards on the network security field. ICNSA classes are being offered now worldwide, while ICNSE classes are set to begin in Q3 2000.
The Computer Security Institute (www.gocsi.com), based in San Francisco, offers many vendor-neutral courses and certifications that are highly regarded by experts.
Naturally, almost all major security vendors offer training and certifications in their own products.
It's clear that protecting the corporate network and its data is a top priority for information technology departments. In its most recent Computer Crime and Security Survey, the San Francisco-based Computer Security Institute found over $265 million worth of security breach-related losses at 273 organizations, most of them large corporations or government agencies. And while insiders are still the most likely culprits, more and more breaches are coming from outside the firewall. Blame for this trend, of course, falls squarely on the rising importance of the Internet. Guarding the crown jewels, then, is obviously a vital chore. But how?
Several factors have conspired to make hackers look like prize catches as security consultants. There's an IT worker shortage on (in case you hadn't noticed), and as the network grows in importance and complexity, nearly every organization fears--correctly, in most cases--that it's vulnerable and that the major reason it hasn't been cracked is dumb luck. Stir in recent highly publicized attacks that crippled such sites as eBay and CNN, and the logic seems sound: Why not make allies of the very folks who've demonstrated they know how to do this stuff? The Federal Bureau of Investigation itself has made 21-year-old John Vranesevich, a college dropout and a former hacker, its chief undercover investigator in the fight against criminal hacking.
On the other hand, there's the fox-and-henhouse concern: Many IT managers have legitimate questions about the wisdom of trusting security to those who've built expertise and fame breaching it. And there's an ethical question, too: Even if hiring hackers is the best way to protect yourself, is it right to reward somebody for messing with others? Moreover, experts say that many who seek to cash in on hacker cachet are mere "script kiddies"--unskilled punks who attack sites by running scripts they dig up at Web sites or elsewhere.
Exploring these issues will teach you a lot about the choices involved--whether you ought to hire a hacker and what measures to take if you decide to do so.
Know your terms
The term "hacker" is a broad one. For many, the first image that comes to mind is that of an amoral 16-year-old sitting in his bedroom, listening to death-metal on headphones, and crashing sites for giggles. Unfair though it may be, the image lives on--thanks in no small part to breathless stories in daily newspapers and on television magazine shows.
The truth is more complex. As the Web site of @Stake Inc., a security company, puts it, "To say all hackers are criminals is like saying all locksmiths are felons. Hacking is a skill, just like picking locks. It's how the skill is applied that matters." @Stake has reason to stress this point: The Cambridge, Mass.-based company recently merged with Boston-based L0pht Heavy Industries Inc., a security collective with deep hacker roots.
"When I say 'hacker,' I mean it in the old sense of the word," says Richard Moxley, vice president of technology at Blackbird Technologies Inc., a security consulting firm in Fairfax, Va. "Someone with a genuine technical curiosity, someone who likes to poke around under the hood with the enthusiasm and interest that defined early hackers."