White hat, gray hat, black hat
Hackers can teach government and industry valuable IT security lessons
- By Michael Arnone
- Oct 03, 2005
For a long time, most computer network crackers hacked a system for the same reason George Mallory climbed Mt. Everest: "Because it's there."
But that's no longer the only reason or even the dominant one. More hackers now follow the philosophy frequently attributed to Willie Sutton, a bankrobber during the 1930s. According to legend, when asked why he robbed banks, Sutton replied matter-of-factly: "It's where the money is."
During the past six years, malicious black-hat hackers have changed from script kiddies who deface Web sites and spread worms to earn glory within the hacker community to professionals sponsored by foreign governments and organized crime. They target specific government and industry victims and commit real crimes, sometimes for significant financial gain.
"We're now seeing sociopaths intent on doing...more devious and sophisticated stuff," said Dragos Ruiu, chief organizer of the PacSec, CanSecWest and EUSecWest hacker conferences, which annually draw hundreds of hackers worldwide.
But in general, hackers secure their computers better than the rest of the computing community. Government and industry can learn from their hacking techniques and protection skills to improve information technology security, experts say. In addition, government can learn from two other groups: the paid professionals known as white hats who research vulnerabilities to protect employers' and customers' data and the unaffiliated tinkerers known as gray hats who alert users to vulnerabilities.
Government and industry have always learned security techniques from hackers, whether they realize that or not. For example, penetration testing, which is a search for security holes in a computer system, is a common hacker practice that the federal government is using more often, said Steven Manzuik, security product manager at eEye Digital Security. The company provides penetration testing, vulnerability assessment and proactive security services to the Defense Department and federal intelligence agencies.
Penetration testing is a good way to demonstrate actual risk and secure systems by patching or applying other protections, Manzuik said. DOD has come to appreciate the value of penetration testing and now has a solid schedule and process in place for it, he said.
Because the federal government is a huge target for hackers for political and financial reasons, agency officials have started issuing information security regulations based in part on consultations with and learning lessons from hackers, said Mark Loveless, a senior security analyst at BindView and a hacker for 25 years.
The Graham-Leach-Bliley Act of 1999, Health Insurance Portability and Accountability Act, Federal Information Security Management Act of 2002, and Sarbanes-Oxley Act of 2002 all require fortification of computer networks to protect information based on real-life hacker attacks, Loveless said. He added that following federal regulations can make it easier to fix many common
Military officials have learned the fastest from hackers and are starting to pay serious attention to software policies to bolster their security, Ruiu said. Civil agencies are the most vulnerable because they don't have money for adequate IT security, let alone improvements to it, he said.
DOD and intelligence agencies enjoy talking with hackers who do not have malicious intentions, and the two groups often tip each other off about developments and discoveries, Loveless said. Information analysis and intelligence gathering units are particularly willing to learn from attacks to plug holes in their security, said Marc Maiffret, founder and chief hacking officer at eEye.
But not all government agencies listen to hackers, Loveless said. Old-school agents in the FBI and the Secret Service don't trust hackers because they consider many of them to be criminals.
Hackers' importance as teachers, though, is increasing. As software insecurity remains the norm, the number of targets increases and the stakes involved in losing control of financial and confidential data rises, experts say.
'Millions of monkeys'
A common bond among hackers is curiosity. "What if I try this?" and "What can I do to make it do what I want?" are two hacker mantras, said Martin Roesch, founder and chief technology officer of Sourcefire, a provider of intrusion-prevention systems. But that unrelenting, inquisitive skepticism, sometimes bordering on paranoia, yields superior quality assurance.
"Everything you forget, they will find," Roesch said. "It's like the proverbial millions of monkeys typing on typewriters. They have infinite resources and infinite time to find weaknesses in your system."
Another hacker tenet is always follow the path of least resistance, said Matthew Gray, founder of and CTO at Newbury Networks. In doing so, hackers use network engineers' desire for efficiency against them to design more effective and stealthy attacks.
This path of least resistance is often through the front door, said Paul Proctor, research vice president of security and risk
at Gartner. Attackers hack only enough to insert malicious
payloads that contain keystroke and network sniffers and other means to collect information they can use to fool the system
into thinking the attackers are legitimate users. Once they get
that, they can come and go as they please without scrutiny.
Nine times out of 10, vigilante gray hats, black hats and cybercriminals follow the path of least resistance, Proctor said. But most government and industry cyberprotectors try to thwart the primary method gray hats use: burrowing into the system code to find flaws. Gray hats, however, pose almost no real risk to computer security because they don't act maliciously, he said.
A failure of imagination
An obstacle to blocking hackers is the implementation of IT security by network engineers instead of software developers
and engineers, said John Viega, founder of and CTO at Secure Software. On the other hand, most hackers are software engineers or use software engineering tools built by software experts. Thus, the primary defenders of IT assets have different perspectives, skills and experiences from the attackers, Viega said.
This compounds the problem that most organizations consider IT security only when they are under attack, said Roger Thornton, founder of and CTO at Fortify Software. Few organizations look at their IT capabilities in terms of the risk they face from black hats and cybercriminals, he said.
This failure of imagination to ask what would happen if hackers could access their information is the main stumbling block to effective security, Thornton said. "Anything that government and industry learn from hackers must be seen through the lens of their own risk management needs," Proctor said.
Another problem is that government and industry have fallen for the negative hacker stereotypes shown on film and television, and are not using valuable, available assets.
"Not every hacker is a cracker," which is the old slang for a black hat, Maiffret said.
Organizations should invite more white and gray hats to their conferences, Maiffret said. Many government and commercial organizations, such as Microsoft, have already heeded that advice and even pay to be sponsors at hacker conferences.
Because talented Internet security professionals, such as hackers, are tough to find and hire, "the greatest defense against hackers is that you can make a mighty good living on the right side of the fence," Thornton said.
Government and industry hire white and gray hats who want to have their fun legally, which can defuse part of the threat, Ruiu said. But it's impossible to reach every potential attacker through a job advertisement, he said.
Many hackers are willing to help the government, particularly in fighting terrorism. Loveless said that after the 2001 terrorist attacks, several individuals approached him to offer their services in fighting al Qaeda.
Hiring black hats, however, is a bad idea. Bruce Murphy, vice president of worldwide security services at Cisco Systems, said he does not hire black hats because they do not appreciate or respect standard business processes and structures.
"Somebody with questionable moral judgment isn't someone you want to have control of your networks," said Avi Rubin, a professor of computer science at Johns Hopkins University. A disgruntled hacker with inside knowledge of a company's networks could create a nightmare scenario, he said.
Besides, white hats have closed the skill gap between themselves and gray and black hats, said Amit Yoran, president of Yoran Associates and former national cybersecurity director. What the white hats need to learn, he said, is how to sell IT security more persuasively to bureaucracies that still may not see the need for it.
More important than the presence of hackers is emulating their skeptical attitude, Maiffret said. Most large organizations do not cultivate the maverick mind-set needed for quality hacking and computer security, he said.
"Part of the hard thing in government is that you're not really meant to question how things work," he said, adding the same goes for large companies. "You're expected to take orders and do things...[but] that's what [hackers] are here for, to question."
Organizations must encourage employees to question everything about the technology they use, he said.
Putting lessons to work
The guiding principle for government and commercial IT has been to increase productivity and decrease cost, without much thought about security, Proctor said.
Savings are powering the federal government's insistence that contractors and integrators use commercial software. The drive "is like nothing I've ever seen in my life," said Michael Armistead, vice president of products at Fortify Software.
Thornton warned that any commercial solution must account for the organization's risk profile, especially risks presented by black hats. Those responsible for implementing commercial products should audit them, line by line if necessary, to see if they provide adequate security. If they don't, the hackers will.
Even with the security emphasis since the 2001 terrorist attacks, Thornton and other experts agree that government and industry are not changing fast enough to thwart evolving threats from black hats.
But government and industry have attributes that, if used hacker-style, could potentially help them defeat malicious
Government has the advantage of central coordination and the ability to quickly enforce best practices and standards enterprisewide, Ruiu said. It can also share information quickly and effectively faster, in fact, than industry and the balkanized hacker community.
Industry has the advantages of being able to speedily implement changes and act pragmatically, Ruiu said. If it employs the hacker mind-set while developing products, it would produce software and hardware more resistant to attacks in the first place.
Government and industry need research units to discover vulnerabilities, or they should work with someone who has them, Maiffret said. They need to dissect software to find every weakness, just like hackers worldwide do.
Until such widespread changes occur, the public and private sectors can protect themselves the way hackers do, said Michael Cantey, a network systems administrator at the Florida Department of Law Enforcement's Computer Crime Center. He said they should learn as much as they can about what's on their systems, how those systems operate and how to fix as many flaws as possible. They can stay current on basic security measures and set up a multilayered defense that goes beyond the perimeter to inside essential systems.
The only long-term way to effectively hinder or prevent hacker attacks is to show the same persistence, skepticism and vigilance that hackers do, Roesch said. After all, he said, "the million monkeys are working relentlessly, every day, all day."