David Jacquet is a hacker. He's highly skilled at breaking into networks, and often targets Maine's community banks, probing their firewalls for vulnerabilities he can exploit to gain access to their systems. If he succeeds, he could deface the bank's website, try to access customers' bank accounts, or simply use a company computer to play an online role-playing game.
But while Jacquet is a hacker, he's not a criminal. In fact, companies enlist Jacquet, owner of Red Cell Security in Scarborough, to hack into their networks as a test of the security measures they have in place. It's called penetration testing. Once he's tried all the tricks of the hacker trade, Jacquet reports back to the company — say, a bank — and outlines any vulnerabilities he found in the security or its software. Then, he'll provide information to help the company patch its security system before a malicious hacker has the chance to exploit the same holes.
Jacquet is an ethical hacker, or what in hacker culture is called a "white hat," like the good guys in old western movies. Malicious hackers, who use their skills for nefarious deeds, are known as "black hats." And though breaking into a computer system without authorization is a federal crime in the United States, it's legal if a hacker does it under contract and stays within the "rules of engagement," as Jacquet calls them.
Once feared by businesses, hackers — ethical ones, at least — are now on the front lines in the war on cyber crime. Highly publicized cases like the TJX Cos. fiasco, when black hats between 2005 and December 2006 stole more than 45 million credit card numbers of customers of department stores such as T.J. Maxx and Marshalls, have boosted demand for experts who can pinpoint problems before they're exploited.
Businesses are uploading increasing amounts of sensitive data to networks and databases within reach of malicious hackers. Customer credit card numbers. Bank records. Social Security numbers. All of these are juicy targets for hackers. Because the spoils have increased, hackers have become more and more sophisticated. In 2005, the proceeds from cyber crime for the first time exceeded the proceeds from the sale of illegal drugs, according to a U.S. Treasury spokesperson quoted by Business Week in November 2006. At the same time, it's become easier for novice hackers to give it a go, as the techniques and programs used to crack a system's security are readily available for download on the Internet.
In the face of such threats, many businesses have realized the best way to fight malicious hackers and prevent potential security breaches is to hire someone who will think like a hacker, but will be on their side. Ethical hackers performing penetration tests have become a recognized cost of doing business for many companies, especially ones in regulated industries such as financial and insurance companies.
Brave new world
The development of the Internet has created a raft of opportunities for businesses, but also has presented them with an entirely new set of challenges — namely, how to keep confidential information secure. Before, few companies worried about how to protect such information. "The risk was very small," says Andrew Robinson, who in 1990 founded NMI InfoSecurity Solutions in Portland, which he says was the first information security firm in Maine and one of the first in the country.
But now, most businesses are connected to the Internet, and the risks of losing confidential information have increased exponentially. "When connected to the Internet, [businesses] expand their network to the rest of the world," Robinson says.
Robinson can remember talking about the idea of an ethical hacker as early as 1992 or 1993, but he says the profession didn't come into its own until the late 1990s. But rather than businesses becoming enlightened to the risks hackers posed and adopting measures to protect themselves, much of the demand for ethical hackers has been driven by regulatory compliance, says John Pironti, a computer security expert and chief intelligence risk strategist at Getronics, an IT services firm in Billerica, Mass.
The first to feel the tightening regulations were financial institutions. The federal Gramm-Leach-Bliley Act, passed in 1999, required them to adopt tighter data security measures, such as employing a monitoring system to detect any attack on a system, to ensure the safekeeping of customer information. The Sarbanes-Oxley Act, passed in 2002, pushed publicly traded companies to tighten controls over the systems behind their financial reporting. And in 2004, the major credit card companies created the Payment Card Industry Data Security Standard, called PCI DSS, to help companies that process credit cards prevent fraud and hacking. Companies that don't comply with the PCI DSS risk losing the ability to process credit card payments.
Many of these mandates address large corporations, but Jacquet says even small businesses should think about information security as a legitimate business function, and one that's as important as finances and customer service, rather than an IT afterthought. (Jacquet says that there's no set price for hiring an ethical hacker, but costs can run $175 or more an hour for some services.)
The argument he often hears from business owners is that because they are a small business in Maine they don't think they're any kind of target for malicious hackers. "Every time I hear that I have to stop them right there," he says. "[Black hats] do not care where you live or what you do — you are a target."
One step ahead
The tools and techniques for security and hacking are constantly changing: When a hacker finds a way past a company's defenses, a patch or a new firewall rule is created to close that hole. But the next day, another hacker may find another way into a company's system. As a result, network security is a constant struggle and requires vigilance on the part of businesses, especially those with sensitive information, says Jeff Vachon, senior vice president of bank administration at Saco & Biddeford Savings Institution, which began using ethical hackers seven years ago. "You try to at least stay a half step ahead of the bad guys," he says.
To stay in the lead, ethical hackers will trawl hacker websites, looking for the most recent tools and techniques black hats are employing to crack a system. If an ethical hacker knows how a malicious hacker may try to crack your system, he can help an organization take preemptive measures to prevent a security breach.
But businesses also have to look inward to protect their systems. Jacquet says as many as 80% of attempted security breaches occur from the inside, whether by a disgruntled or a dishonest employee. As a result, he'll get set up inside a company's network, as an employee would be, and see what kind of confidential or sensitive files or databases he's able to access. He also steps away from a computer and hacks people and places. (For more on this, see "Hacking reality," this page.)
When Jacquet successfully hacks into a system — he says he's posted a 90% success rate in the last three months — he often jokes with his clients: "I have good news and I have bad news," he will say. "The bad news is I hacked you. The good news is I hacked you."
Business networks are being probed by hackers constantly. While more sophisticated teams of hackers go after the large banks and major corporations, wannabe hackers can download programs and set them to automatically probe IP addresses looking for vulnerabilities.
Kevin Heatley, head of IT at Gorham Savings Bank, says his bank's firewall is getting probed thousands of times a week by these sorts of attempts. Some may be innocent, but the majority are not, he says. About five times a week he says there are major attempts. But, so far, the firewall has not been compromised, he says. "You're seeing more attempts," he says. "They increase year over year because there's more people trying it. And that makes it more important to stay up on patches and make sure you have no holes out there."
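The automated probing described in the two paragraphs above leaves a trail in firewall logs, and the practical problem Heatley raises is telling the "major attempts" apart from background noise. The following is an added example, not code from the original article or from any of the banks or firms named in it: it parses constructed netfilter/iptables-style DROP lines (the log lines, source addresses and destination host are made up for this example) and classifies each source as a port scan (many distinct destination ports in a short window), a repeated probe of one port (the pattern a password-guessing tool leaves on SSH), or background. The window and thresholds are assumptions to be tuned to a real network.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Netfilter/iptables-style DROP line. The DPT group is optional because ICMP
# drops carry no destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for a DROP line that has a destination port, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("dpt") is None:
        return None  # not a DROP line, or ICMP (nothing to count per port)
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for comparing events within one log file but not across a year boundary.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def classify_sources(lines, window=timedelta(minutes=5), scan_ports=10, repeat_hits=20):
    """Map each source IP to 'port_scan', 'repeated_probe' or 'background'.

    A sliding window of `window` length is moved over each source's drops;
    `scan_ports` distinct ports inside one window means a scan, `repeat_hits`
    drops on a single port inside one window means a repeated probe.
    Thresholds are assumptions for this example, not measured values.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        verdict = "background"
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            in_window = evs[start:end + 1]
            if len({e["dpt"] for e in in_window}) >= scan_ports:
                verdict = "port_scan"  # scan outranks everything else
                break
            if max(Counter(e["dpt"] for e in in_window).values()) >= repeat_hits:
                verdict = "repeated_probe"
        verdicts[src] = verdict
    return verdicts


def _drop(ts, src, proto, dpt):
    """Build one constructed DROP line (hypothetical firewall 'fw', host 198.51.100.10)."""
    return (f"{ts} fw kernel: DROP IN=eth0 OUT= SRC={src} DST=198.51.100.10 "
            f"LEN=60 TTL=52 PROTO={proto} SPT=40000 DPT={dpt}")


# Constructed sample log (documentation address ranges, invented timestamps).
SAMPLE_LOG = []
# 1) one source sweeping twelve well-known ports within a single minute
for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]):
    SAMPLE_LOG.append(_drop(f"Mar  3 02:14:{i:02d}", "203.0.113.7", "TCP", port))
# 2) one source hitting SSH (22) every ten seconds for four minutes
for i in range(24):
    SAMPLE_LOG.append(_drop(f"Mar  3 03:{i // 6:02d}:{(i % 6) * 10:02d}",
                            "198.51.100.77", "TCP", 22))
# 3) background: a single stray hit, and an ICMP echo that carries no port
SAMPLE_LOG.append(_drop("Mar  3 04:00:00", "192.0.2.5", "TCP", 443))
SAMPLE_LOG.append("Mar  3 04:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 "
                  "DST=198.51.100.10 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0")

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

Run against the sample, the sweep from 203.0.113.7 is reported as a port scan, the SSH hammering from 198.51.100.77 as a repeated probe, and 192.0.2.5 as background; the ICMP line is skipped. On a real firewall the same logic would run over `journalctl -k` or the syslog file, and the two "major" verdicts are the ones worth alerting on, while the background count is the "thousands a week" figure.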
The way Vachon views it, hackers aren't going away. So, he says, it's Saco & Biddeford Savings' job to make it as difficult for "the bad guys" as possible, and hopefully make the bank a more challenging target than its peers. "They're going after the easiest targets they can get their hands on," he says. "As opposed to staying ahead of hackers, you're staying ahead of your peers. The ones who let their guard down are more likely to get hit. [Malicious hackers] will go for the lowest lying fruit."
But Jacquet says no system is ever 100% secure. "The only secure network is one you turn off," he says. "Our job is not to eradicate risk or eliminate risk. Our job is to bring risk down to an acceptable level."
And as businesses rely more and more on automated systems, the stakes have grown, says Vachon. "Any type of service interruption is not acceptable anymore, and could bring your business crumbling," he says.
Businesses do take certain risks, however, when they allow an ethical hacker to try to break into their system, Robinson says. Software systems can be unpredictable, and no one knows how they might respond to a poke here or a poke there. "But again they have two choices. Let the white hats test or you will find out when the bad guys find them."
No one sees this struggle to keep businesses' data safe from hackers as ending any time soon. "It's an ongoing and seemingly never-ending battle," says Heatley at Gorham Savings Bank. "As there are advances in hacking, there are advances in the tools to fight them. It's good versus evil."