The Dark Side of White Hat Hacking: Being "Owned" By White Hat Hackers
By: Anonymous
I've attended a number of security conferences and conventions this year, and as I wandered around through all of the vendor exhibits, seminars, and training sessions I discovered that a lot of companies are offering white hat hacking services. Marketing types have further sanitized the term and now the politically correct offering is referred to as "ethical hacking".
While I am all for people making a buck, doing so by cashing in on the security hype is not necessarily a good thing. I have seen dozens of incidents of poor frightened middle management folks scrambling to get their sites "fixed" before the inevitable hack attack after listening to the security gurus at the various booths and podiums. Of course those fixes are only owned by the security vendors and consulting firms.
I consider myself fortunate that I at least know a little bit about security and can see through some of the hype. Usually I know what I want technically when looking for security tools, and I just start zoning out when the marketing drivel starts. But the average Joe/Mary middle manager in the IT department has no clue about what is hype and what is not, and that is where my concern is.
So I've collected my thoughts and am submitting this article to you, the weary middle manager. As I am currently involved in heavy contract negotiations with three firms competing with each other tooth and nail for my employer's business, I submit it anonymously. Maybe my experiences will give you some insight. And as for you hackers out there, take this to your weary boss and demand a raise and a promotion.
The "White Hack" Methodology
The biggest purveyors of what I'd call questionable ethical hacking come in the form of large, respected accounting or information services consulting firms. While some firms are better than others (I've personally dealt with some that are actually okay), a lot of them are absolute cash vampires. These hungry firms will usually offer you a vast array of services, from penetration testing to security policy development. Most of these firms have hired up slick hackers who "know the basics" and can usually gain access to most systems through conventional hacking means. They usually operate like this:
- You are told that danger is everywhere, and that to properly test your security and see your limits, you need to have an outside firm hack your system for you. Your regular administrators cannot possibly do this penetration test, because they "know too much" about the system, or they are not up on the latest "attack methods".
- The sales pitch for doing the penetration will involve pointing out some of the high profile hacks that have recently made the papers. The odds are good that the firm's pitch person will hint at "how" the hacks are done, implying they are "in the know" about the latest hacking techniques.
- You pay for a penetration test. The fee is huge (the bigger firms command six figure fees), and they totally get into your company's systems. If your site is protected enough to prevent them from gaining access, then you are probably smart enough to not need an outside firm to confirm your security posture.
- The report they produce outlines not only how they got in, but illustrates every conceivable hole in your systems. The report is usually a gigantically huge document with an "Executive Summary" that is in itself a good 50 pages long. It is also a very scary report. Sometimes on a security scale of one to five you are lucky if you get a two. Per this report, bad things could happen at any second.
- You are now faced with the "reality" of a system that is riddled with holes. It is implied you have MASSIVE problems and that your current staff, while competent in basic administrative issues, cannot handle the wild and wooly world of information security.
- You are told the most important thing you need is a comprehensive security policy. While a security policy is a good thing to have, it is only a piece of what you need.
- You will be offered either a rewrite of an existing policy or a completely new security policy by the firm. If they are aggressive they will start the pitch to do this during their executive briefing after the penetration test. The fee will be another huge amount, and it will be "obvious" that the only people smart enough to develop your new policy are the ones that did the penetration test. After all, who knows your systems better? Obviously not your own staff, because the outside firm's hackers got in.
- It will take weeks of meetings and interviews with your systems people for a policy to be developed. All this time will be billable.
- The firm will leverage your own people's knowledge with their boilerplate policies to develop your new security policy.
- If you thought the report on the penetration test was big and complex, wait until you get the new security policy. No single person could ever implement it. It will be huge - most of it tangled with a lethal combination of legalese and techno-jargon.
- For a fee, the firm will offer to implement it. This is another huge fee, but who better to implement it than the people who wrote it? The implementation will take many billable manhours.
- Once implemented, for it to "work" you need to periodically "re-assess" your posture and perform checklist audits to ensure compliance. Guess who will offer up these services (for another huge fee)? By this time you've probably given someone from the firm a permanent desk in your company. To use the hacker vernacular, you are "owned". The firm by now knows your budgets, your spending habits, who the decision makers are, who are their allies, and who are their enemies.
Can you see the pattern? A consulting firm's job is not to protect your company; a consulting firm's job is to make money selling protection from demons, real or imagined. A good consultant doesn't sell one job, they sell a relationship that involves many jobs.
White Hack System Cleansing
Let's look at the first option. The best place to look for security expertise is within your own company ranks. Of course you cannot simply make one of the system administrators the security guy; they probably already have enough to do as it is. No, you need to form a group within your company to handle security full time. Start by asking around. Ask who the "security" guy is. Did some pierced and tattooed computer geek bring this article to your attention? Odds are you probably have some oddball coder or analyst who is a closet hacker, or they know who one is. Find out whom the system engineers hate. If it is someone who keeps forwarding them "tips" on security from Internet security mailing lists, particularly if they are re-edited to match your company's environment, you've found your man/woman.
Once you've found your company hacker, hire their friends. Pay them well. And get a team leader over them that can rein them in, speak their language, and handle the interfacing with the rest of the company. If you're worried about hiring hackers, go ahead and perform background checks if you wish, but realize that hackers are no different from anyone else, and probably have as jaded a background as any other person in your company.
Some companies won't hire hackers to do computer work, but never perform background checks on the temps working in the Accounts Payable department.
In reality the risk of hiring a bad employee is no greater when hiring a hacker. In fact, if the hacker's job is to find holes in systems full time, they will probably be too busy loving every second of their job to do bad things to you, so you may have less risk than you think.
Okay, assume they don't know everything; send them to some of those training classes and teach your people how to perform penetration tests. Dozens of companies offer courses, including a few of those large firms. Ask for references and try to speak to administrators who took the classes, not their bosses. Better yet, ask your hackers where they should go to get training. They will know.
Give your hackers the tools they need. Most of what they need will involve fast computers, and they should be able to download most of the hacker tools required to do their job for free off of the Internet. But if they need specific commercial tools, such as scanners, intrusion detection systems, or firewalls, get them what they need.
This solution of building your own team has several advantages - they are employees, not billable consultants. They will learn and KNOW your systems inside and out. It will cost less money than those huge fees.
Asking The Devil To Dance
Okay, so if you do NOT want to go that route, then you may need to handle one of the big firms. Consider promoting an internal employee or hiring a hacker as a consultant just to keep the big firm in line. It helps to have a level technical head to be able to see through the hype. While it may seem like an extra expense, it will at least keep them from billing you for every little thing. You will not be sold on things you can do yourself.
This is not an article against penetration tests; it is against the way they are conducted and used as entry points into Accounts Payable records by large money-hungry firms. It is also _not_ a statement against large fees - huge fees can and will be expected from some smaller organizations.
Penetration tests are good for waking up upper management, and if conducted by sharp hackers they can be excellent points of reference. So if you are in the market for some type of outside testing, here are a few things to keep in mind.
- Do you want to test to find ALL holes, or just the common ones that 99% of the typical access attempts will involve? Unless told, the big firms will document every conceivable hole, including the theoretical ones or the ones rarely seen in the wild. If that is what you want, fine. Just get that information up front.
- Where are your threats coming from? If you perceive the scariest threats from ex-employees or current disgruntled ones, then you probably do NOT need to go outside your own company for a penetration test.
- Balance risk assessment and threat. If 90% of your data is only valuable for three days, then does a sustained four week penetration test make sense? Let's put it another way - if your security can turn away 100% of bad guys that try for 5 minutes to get in, 95% of bad guys that try for 5 hours, and 90% of bad guys that try for 5 days, is that good enough? Is that what you want tested? You may be able to simply run ISS' Internet Scanner to get the testing you need. By the same token, do you want all of the exotic stuff tested for as well? If you are being charged $300K for someone to run a commercial scanner against your site you are being ripped off.
- Do you simply want to perform a fire drill? Tell the firm if that is the case. Larger firms may even turn YOU down at that point.
Always ask to be taught self-sufficiency. If a firm states they have to do it themselves to maintain control, show them the door. It should be no big deal to have a couple of your employees watch and learn. No single firm "owns" the skills, and they all are capable of teaching security tricks and techniques.
There are some firms out there who are quite capable of performing penetration tests, and that is all they do. Find firms who agree with the philosophy that security engagements are not a lifetime commitment. These firms do exist, and they are worth tracking down. Consider smaller firms. If you are worried about hiring a rag-tag bunch of misfits, enlist a lawyer to nail down a contract you feel comfortable with. Ask for references.
Hopefully you have gained some insight into how a few of these large firms operate, and maybe you can secure your company a little more cost effectively. Better yet, it gives you the opportunity to take advantage of a very sophisticated and technologically advanced resource - the wily hacker. Who better to have on your side?