Re: Question. (Was re:hacker's intro)

Peter Stephenson (pstephen@versalink.com)
Thu, 15 Feb 1996 12:44:34 -0500

At 09:42 PM 2/13/96 +0000, you wrote:
>I was just wondering who you thought found any of the holes in the first
>place? It sure as hell isn't down to all you so-called security consultants!
>We use hackers in tiger teams because they use unconventional methods. How
>many of you would go trashing or try some social engineering to gain access
>to a system? 
>I'd guess close to none..

In any tiger team assignment our consultants use *all* those techniques
including trashing, social engineering, physical intrusion, etc.  There are,
however, fewer tiger team assignments for us than analysis assignments.  The
punishment, so to speak, should fit the crime.  It is not appropriate to use
those techniques if the assignments don't justify or include the requirements.

>How many hackers......more like *all*
>System security is much more than applying patches.....it requires a
>pro-active approach...passwords are a good example.
>How do you know your passwords are uncrackable? Answer, try and crack them
>yourself! There is a lot to be learnt from hackers because however secure
>you think your system is they *will* find a way in!

I can't imagine any security professional *not* recommending that passwords
be cracked periodically to ensure that users are employing strong passwords.
This is not the hacker's sole prerogative.

There is an interesting point emerging here that may possibly be far more on
topic for this list than the childish carping about the morality of this
"reformed hacker".  What, exactly, is the consultant's role in helping the
client: A) respond to an intrusion, B) prevent an intrusion and (most on
topic) C) detect an intrusion in process and respond?  

As a consultant for over 15 years, I confront that constantly.  Even though
none of my staff includes convicted crackers, there isn't one of my senior
consultants, myself included, who isn't a "hacker" in the traditional
(pre-media hype) sense.  In fact, I wouldn't dream of hiring a senior
consultant who didn't fit that profile.  The ability to perform a good hack
is a job requirement for serious security consultants.  Otherwise, the
consultant isn't good for much beyond writing sterile policies and resetting
forgotten passwords.  Clients expect that a security consultant can
understand and manage the same technologies that the bad guys use against
them as well as the more mundane issues of security architectures, policies,
standards, risk assessment, etc.

A year ago we did relatively few intrusion tests.  Today we do them
regularly. We also have formalized structured test procedures that we also
use.  It all depends upon what the client wants.  But, if called upon to do
so, we can mount a "hacker attack" with vigor, skill and effectiveness.  I
don't think I would trust a convicted criminal on such a team, but, given
appropriate supervision and controls, I'm not sure I wouldn't.  I've never
faced the question in a real situation.

--P
       Peter Stephenson, Division President, InfoSEC Technologies
                    division of Sanda International Corp.

Headquarters                                    Operations Center
401 Pinehurst Drive                             590 Lipoa Parkway Ste 208
Rochester Hills, MI 48309                       Kihei, Maui, HI 96753
(810) 650-2699 phone                            World Wide Web: http://www.versalink.com

                         pstephen@versalink.com