Hackers: Allies in the network security war?

Ray Geroski Tech Republic

Published: 10 May 2002 13:02 BST

An old cliche says that the enemy of an enemy is your friend. The question is, can the longtime enemies of network security suddenly become allies in the fight to keep our networks secure? Some people think so.

The case for hiring hackers was addressed in a recent article that looked at how CFOs and other executives are becoming increasingly reluctant to spend money on security until their networks have been attacked. The article noted that many companies are now paying hackers to break into their networks and produce a report assessing the network's vulnerability.

Your responses to the article indicate that despite a little hesitancy, most of you believe that hiring hackers is a good way to test security and reveal network vulnerabilities.

Hiring hackers works
One of the biggest challenges facing IT pros is making nontechnical executives understand the need for increasing security spending and the consequences of reducing spending or dismissing the issue.

Member Jim Huggy said that when he had trouble convincing his superiors that spending money on security measures was necessary, he hired hackers to break into the company network and report on the vulnerabilities. Once the company's vulnerability was confirmed by the hackers' success in breaking in, company officials became convinced of the dangers facing their network.

"The report was well received by the executives, and the dollars were spent," Huggy said.

Member ahedler compared the hiring of hackers to an inspection before buying insurance.

"[With] many types of insurance, an inspection is required before a policy can be issued."

Ahedler also pointed out that company officials would not consider doing business without physical security measures such as locks and alarm systems, so network security should be given the same level of attention.

It takes a thief
Why turn to hackers to uncover vulnerabilities? Sometimes, it takes a thief to catch a thief. As Gary Anderson pointed out, a system designer is perhaps not the best one to test the system that he or she has designed because, "He tests for success, not failure." It's difficult to see how to break into something from the outside when you're looking at things from the inside, and a designer or builder has a perspective of creation, not destruction. It only makes sense that those who spend their time breaking into things are better judges of what good security is all about.