Do former black hats make good hires?

By Vivian Yeo, ZDNet Asia
Tuesday, September 26, 2006 03:50 PM

Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but companies still object to hiring former, or even reformed, black hats.

According to Paul Ducklin, chief technical officer at Sophos, a good antivirus researcher or someone who works to weed out malicious code would need "far greater" skills than a black hat--a hacker who exploits IT security flaws for the primary purpose of inflicting damage.

Unlike security professionals, black hats "don't have to support their product [or] be absolutely reliable", Ducklin told ZDNet Asia during a recent visit to Singapore. "They don't have to worry about whether they meet any particular deadlines, and they don't have to worry about everyone else's malicious code."

"I don't know why people think if you can trot out 10 or 20 or 100 viruses, you would be great at actually producing some antivirus technology that can deal with 200,000 different bits of malware," he added.

Ducklin said: "Let's say that you're shot during a mugging [incident]. As you drift into unconsciousness, would you find yourself saying 'Gosh, I hope the surgeon who operates on me used to be a street criminal because he must really understand gunshot wounds well if he actually shot the people?' You wouldn't think that."

He noted that there are currently many former black hats who are "really, really smart" and who, "with a bit of nurturing and guidance", have been able to transform into good security researchers.

"But all other things being equal, I'm not sure if I would hire someone who acquired the knowledge without having acquired it legally," Ducklin said.

Similarly, Mark Bregman, Symantec's senior vice president and chief evangelist, does not believe in hiring former black hat hackers or the equivalent, even if they are or claim to have reformed.


Bregman added that hiring a person with a black hat history or encouraging "criminal-type hacker" behavior would be challenging for companies, particularly because he may not know where to draw the line between what is deemed ethical and unethical behavior.

Aloysius Cheang, regional director for technology practice at IT services provider PIPC, agreed that "being an ex-hacker does provide certain insights into the working of a hacker's mind". However, there are other aspects of a good security consultant, such as his ability to manage risks, added Cheang, who is also the president of the Special Interest Group in Security and Information Integrity (SIG^2) in Singapore.

In addition, the candidate's "integrity and capacity for being discreet with his clients' information" is also important, he told ZDNet Asia in an e-mail interview. If the employee cannot obtain this assurance or trust, even if he does find some critical security issues in the corporate network, a couple of problems could arise, he said. First, it is likely that no one would believe him, Cheang said. Second, he could exploit the security flaw for his own benefit, he added.

No special policies or clauses
Should a company decide to hire reformed black hat hackers as security consultants, it should "slowly ease them" into roles that are not mission-critical, allowing them to gain an adequate level of trust before letting them access critical corporate data, Cheang said.

"There should not be any explicit policies that discriminate against these former black hats, just like there should not be any policies that cater specifically to ex-convicts," he said.

"Rather, the manager in charge of these [employees] should be careful in how he eases them into the jobs, giving [them] time to prove their worth and trustworthiness before allocating sensitive tasks to them," he said. "Unless the clients--internal and external--and the manager himself feel they can trust these former hackers, it will be difficult to work with them."

Talkback 5 comments

Ducklin's argument is flawed. "Ducklin said: "Let's say that you're shot during a mugging [incident]. As you drift into unconsciousness, would you find yourself saying 'Gosh, I hope the surgeon who operates on me used to be a street criminal because he must really understand gunshot wounds well if he actually shot the people?' You wouldn't think that."" The knowledge required to write a virus and the knowledge required to know how to stop a virus are somewhat closely related. Knowing how to heal a body after a gunshot is quite different to knowing how to fire a gun. I can see the point Ducklin was trying to make, but he ought to be more careful in his wording.
Posted by anonymous on Saturday, September 30 2006 08:54 AM

You're about a decade late on this. Former black hats are a driving force, possibly -the- driving force, in the security industry & have been for years. We create the products you use to secure your systems, we deliver the services that find & fix the holes in your networks, we research & publish the tools & papers that show you how we do what we do. We own companies, advise corporations, banks & governments & have senior roles in the intelligence community. The global networked economy depends on our continued goodwill & cooperation. You can no sooner get rid of us than cut off both your arms. Is it too much to ask for you to stop saying stupid things like this?
Posted by anonymous on Saturday, September 30 2006 11:56 AM

Bregman is so full of it. His own company's Symantec Secure Application Services is a rebranding of penetration testing services created by former black-hat hackers at security consulting firm @Stake, acquired by Symantec in 2004. These people love to bloviate but when there's money to be made from us their wallets are always open.
Posted by anonymous on Saturday, September 30 2006 03:46 PM

If you think outside of the box...you will get outside results...If you want to have a product or service that is not out there.. you need a maverick mindset or a little risk employment getting great returns..
Posted by whatever on Sunday, October 01 2006 04:24 PM

Just one more group that cannot get a job and for us to pay for since no-one will hire them.
Posted by anonymous on Tuesday, October 03 2006 05:48 AM