Changing Sides: Hackers Turned Security Gurus
Ethical hacking is a practice that is as old as the security business. How better to find a hole in your security than to try and hack it yourself? The process of ethical hacking seems like it should almost be second nature to a security expert. After all, how can you protect a network if you don’t know every layer that it’s built on?
Thinking about this process would then beg the question, “Would an ex-hacker have an advantage over the strict white-hat techie with classroom experience?”
An ex-hacker security expert would think so. “Being able to understand the hacker mindset is probably the biggest benefit. If I were trying to break into this system, how would I go about that? If I know these people are running a firewall with IDS, how would I evade that?” asked Brad Causey of Zero Day Consulting.
“For a security professional that’s never really been in the ditches with the hackers, it’s pretty difficult for those guys to understand. They throw an Nmap scan at it, and they say, ‘Oh, all the ports are closed, everything must be secure.’ But you have to ask yourself, is a hacker going to give up that easily? Probably not if there is something valuable on the other side of that firewall. It’s a matter of understanding how you would have gotten around that in the field if you were truly attacking that system for some sort of personal or monetary gain. When you’re actually doing this stuff for a monetary gain, you’re going to learn how each piece of new software works and where to exploit it. You’re going to go out and download it and reverse-engineer it. The average white-hat guys who came out of college and got a few security certifications are relying on tools. This is all an automated process to them. Coming from a hacking background, we had to learn to do everything by hand.”
Causey described his past as innocent at the start. “I originally started out hacking game servers during the teenage years. That escalated into credit card accounts and other personal information. We did movies, MP3s and other media stuff as well. Pretty much anything you could imagine any average low-life doing.
“I got out of that years ago when I joined the Air Force in 2000 and decided to straighten up. Then I realized what kind of market there would be for a security guy. If there’s this many of us out here causing this many problems, eventually somebody’s going to be looking for us. That guy is going to be making a salary and I’m not. It just makes good business sense. Now I have a job where I still get to do the fun stuff, but now I look for hackers instead.”
With this information in hand, it sounds like ex-hackers would be the perfect candidates for all the available security jobs out there. There are many long-time white-hat security experts, however, who would be quick to argue against that idea.
“Hackers become ‘security gurus’ because they believe it lends credibility and sanction to their previous lives. They feel they’re best qualified to be security gurus because they have experience breaking in and logically should know how to defend against those sorts of things,” said Bobby Rogers, senior security analyst at DSD Laboratories. “I can’t disagree with this any more strongly than I do, for several reasons. Being able to exploit vulnerability, or socially engineer a less-than-bright person, or run a hacker script doesn’t make you a good security person. Being a good security person sometimes requires those skills, to be sure, but it also requires knowledge of defense in depth, security principles, risk management and the laws that govern our lives. It also requires a dedication to protection of information against evil, a commitment to the ‘good’ side of the force, if you will. Being a good thief or a good murderer doesn’t mean you’ll be a good cop. The attitudes, morals, motivations and even skill sets are different.”
Rogers added, “Most security professionals don’t start out as a security person. They evolve after a few years of getting good experience as computer technicians, then help-desk folks, then system administrators, and finally specialized in security. So, they have the background that is necessary to understand the how’s and why’s of security. They’ve earned their wings as well. ‘Hackers’ don’t always have that background.”
This difference of opinion also extends to how each of these experts stays current with the new tricks and latest trends in hacking circles. To keep his skills sharp, the ex-hacker might stay in touch with his old haunts to get the latest information circulating in hacker circles.
“Three or four times a day, I’m going out to a collection of several hacker sites where I might have membership or where I might have friends that still operate, and I try to get a handle on what they are coming out with,” Causey said. “If I know people are hammering really hard on the new version of Adobe, I’m going to do the exact same thing and look for vulnerabilities and beat them to the punch. Most of those guys get out there on an IRC chat room somewhere and talk about the new program that they’re planning on tearing apart, and if I know what they are looking at, I can prepare myself that much better.”
Returning to old haunts does not mean that the ex-hacker is any less dedicated to security than the next security tech. “If I learn about someone working against a potential exploit in a particular piece of software we might have in our enterprise environment, the first thing I’m going to do is start verifying versioning numbers and contact the vendor. A good example of this was when I learned about a vulnerability in the GFX server. The first thing I did was try to break into it. I found the exploit and immediately reported it to my boss, and we were able to filter that at the host level before it became a problem. We secured the exploit before the vendor even had a patch for it.”
For a straight white-hat techie, keeping tabs on the hacker community is a continual process as well. “I read, read and read,” Rogers said. “Books, articles, blogs, the latest security updates and reports: Read it all. Knowledge is the best tool you can have. The other tools, of course, firewalls, scanners, IDS boxes and so forth are important as well, no matter what brand or version. Even a powerful, great tool is useless in the hands of a fool that doesn’t know how to use it. Training and knowledge are the best tools. If you have those, all the other tools are easy to use.”
Regardless of the process, the most important thing for a security expert is a keen eye for details, a strong moral base and access to a wealth of information daily. Although they might have different means for securing their system and keeping tabs on the enemy, the end goal is still the same for both the ex-hacker and the white-hat techie — the air-tight security of their networks and operating systems.