Do poachers always turn gamekeeper? Employing hackers – a look at the risks
News and information from the Advent IM team.
Looking at some survey results recently, it struck me how the trend for employing hackers or ex-hackers has really taken off. Perhaps more so in the US than the UK, but Stateside trends often emerge here. With this in mind, I asked our consultants for opinions on how this works and what problems may arise if a business decides to integrate a hacker into their fold. Del Brazil gives us his thoughts here…
The prospect of employing hackers as part of a strategy for improving information security throughout an organisation is not an uncommon practice in today's IT world. The potential benefits are significant, but they are matched by a high degree of risk. Whether an individual hacker is working alone or as part of a group, the damage that can be inflicted, whether reputational, financial or economic, may force an organisation to close or suspend trading.
A hacker is defined in the dictionary as 'a person who uses computers to gain unauthorised access to data.' There are numerous alternative definitions, some of which also capture the slang term 'script kiddie'; however, each definition makes reference to unauthorised access to data or information. There are of course ethical hackers: individuals trained in known attacker techniques who are employed by organisations primarily providing penetration testing or similar services, and who work only within a written, authorised scope. It is the unknown techniques and tools used by hackers in the wider sense that are of concern.
Throughout history, various organisations and even governments have employed potential enemies to assist in defeating existing or emerging threats, whether by developing new technologies or by reverse engineering existing ones in order to better defend against an attack. A prime example is the end of the Second World War, when German scientists from the German rocket programme were employed by the British and Americans to assist in developing their own rocket programmes for military or commercial purposes.
Organisations are now of the opinion that one potential method of defeating or preventing hacking attacks is to utilise the same skill sets as the hackers themselves to introduce new security measures or to shore up existing ones. The rationale is that if you know how an attack is likely to be carried out, you should, in theory, be able to defeat it by ensuring that the correct level of security countermeasures is in place.
The risks associated with employing a hacker have to be seriously considered, as there is a possibility that he or she has an alternative agenda which is unknown to the employing organisation. The hacker may have been placed by a rival company to acquire sensitive commercial information, to reduce working capacity or even to cause the employing organisation to shut down completely. Whatever the motive, the hacker is likely to ensure that any unauthorised activity takes place unnoticed, for example by planting a time-delayed or event-triggered payload so that the damage occurs while they are away from the organisation and suspicion falls elsewhere. This is a strong argument for giving such a recruit only the access their commissioned work requires, and for logging and reviewing what they do with it.
It is widely recognised that vetting provides a degree of assurance that personnel are suitable for employment within their working environment; however, is vetting the answer to ensuring that a hacker employed by an organisation is suitable? Vetting does provide an element of assurance, but it is a point-in-time check: constant monitoring and reviewing of the hacker's performance, work and vetting status will attract additional administrative work. This, coupled with the burden of employing a suitably trained person who has the ability to recognise mistakes, errors or deliberate misconfigurations introduced by the hacker, only adds to the cost of employing them.
All of the aforementioned administrative work and resources required to ensure that the hacker only undertakes the work they have been commissioned to do has to be balanced against the benefit of defeating a potential hacking attack. For example, would a small enterprise with no history of previous hacking attempts want to employ a known hacker to assist in bolstering its security measures? The answer has to be no. A medium to large enterprise which is regularly targeted by hackers, however, may wish to consider employing a known hacker to assist in defeating future attacks.
There is an additional consideration to take into account: attack vectors and methodologies change daily, so any employed hacker will not be aware of every method of attack. How would an organisation support a hacker's research without compromising itself? It is highly likely that an employed hacker would need to access illegal sources to further their skills and to identify new attack techniques, and the organisation would bear the legal and reputational exposure that follows.
It is the author's opinion that the use of hackers, albeit a very risky practice, may be considered an option by organisations, but only after serious cost benefit analysis and as a last resort. Any introduction of known risks to an organisation needs to be seriously discussed with all relevant parties, which should include outside agencies and/or specialists.
Organisations should ensure that they have a robust set of internal and external network management policies in place, coupled with a programme of IT Health Checks (ITHCs), to ensure that any known vulnerabilities have been addressed before even suggesting that a hacker be employed.