White hat, gray hat, black hat

Hackers can teach government and industry valuable IT security lessons

For a long time, most computer network crackers hacked a system for the same reason George Mallory climbed Mt. Everest: "Because it's there."

But that's no longer the only reason or even the dominant one. More hackers now follow the philosophy frequently attributed to Willie Sutton, a bankrobber during the 1930s. According to legend, when asked why he robbed banks, Sutton replied matter-of-factly: "It's where the money is."

During the past six years, malicious black-hat hackers have changed from script kiddies who deface Web sites and spread worms to earn glory within the hacker community to professionals sponsored by foreign governments and organized crime. They target specific government and industry victims and commit real crimes, sometimes for significant financial gain.

"We're now seeing sociopaths intent on doing...more devious and sophisticated stuff," said Dragos Ruiu, chief organizer of the PacSec, CanSecWest and EUSecWest hacker conferences, which annually draw hundreds of hackers worldwide.

But in general, hackers secure their computers better than the rest of the computing community. Government and industry can learn from their hacking techniques and protection skills to improve information technology security, experts say. In addition, government can learn from two other groups: the paid professionals — known as white hats — who research vulnerabilities to protect employers' and customers' data and the unaffiliated tinkerers — known as gray hats — who alert users to vulnerabilities.

Government and industry have always learned security techniques from hackers, whether they realize that or not. For example, penetration testing, which is a search for security holes in a computer system, is a common hacker practice that the federal government is using more often, said Steven Manzuik, security product manager at eEye Digital Security. The company provides penetration testing, vulnerability assessment and proactive security services to the Defense Department and federal intelligence agencies.

Penetration testing is a good way to demonstrate actual risk and secure systems by patching or applying other protections, Manzuik said. DOD has come to appreciate the value of penetration testing and now has a solid schedule and process in place for it, he said.

Because the federal government is a huge target for hackers for political and financial reasons, agency officials have started issuing information security regulations based in part on consultations with — and learning lessons from — hackers, said Mark Loveless, a senior security analyst at BindView and a hacker for 25 years.

The Graham-Leach-Bliley Act of 1999, Health Insurance Portability and Accountability Act, Federal Information Security Management Act of 2002, and Sarbanes-Oxley Act of 2002 all require fortification of computer networks to protect information based on real-life hacker attacks, Loveless said. He added that following federal regulations can make it easier to fix many common vulnerabilities.

Military officials have learned the fastest from hackers and are starting to pay serious attention to software policies to bolster their security, Ruiu said. Civil agencies are the most vulnerable because they don't have money for adequate IT security, let alone improvements to it, he said.

DOD and intelligence agencies enjoy talking with hackers who do not have malicious intentions, and the two groups often tip each other off about developments and discoveries, Loveless said. Information analysis and intelligence gathering units are particularly willing to learn from attacks to plug holes in their security, said Marc Maiffret, founder and chief hacking officer at eEye.

But not all government agencies listen to hackers, Loveless said. Old-school agents in the FBI and the Secret Service don't trust hackers because they consider many of them to be criminals.

Hackers' importance as teachers, though, is increasing. As software insecurity remains the norm, the number of targets increases and the stakes involved in losing control of financial and confidential data rises, experts say.

'Millions of monkeys'

A common bond among hackers is curiosity. "What if I try this?" and "What can I do to make it do what I want?" are two hacker mantras, said Martin Roesch, founder and chief technology officer of Sourcefire, a provider of intrusion-prevention systems. But that unrelenting, inquisitive skepticism, sometimes bordering on paranoia, yields superior quality assurance.

"Everything you forget, they will find," Roesch said. "It's like the proverbial millions of monkeys typing on typewriters. They have infinite resources and infinite time to find weaknesses in your system."

Another hacker tenet is always follow the path of least resistance, said Matthew Gray, founder of and CTO at Newbury Networks. In doing so, hackers use network engineers' desire for efficiency against them to design more effective and stealthy attacks.

This path of least resistance is often through the front door, said Paul Proctor, research vice president of security and risk at Gartner. Attackers hack only enough to insert malicious payloads that contain keystroke and network sniffers and other means to collect information they can use to fool the system into thinking the attackers are legitimate users. Once they get that, they can come and go as they please without scrutiny.

Nine times out of 10, vigilante gray hats, black hats and cybercriminals follow the path of least resistance, Proctor said. But most government and industry cyberprotectors try to thwart the primary method gray hats use: burrowing into the system code to find flaws. Gray hats, however, pose almost no real risk to computer security because they don't act maliciously, he said.

A failure of imagination

An obstacle to blocking hackers is the implementation of IT security by network engineers instead of software developers and engineers, said John Viega, founder of and CTO at Secure Software. On the other hand, most hackers are software engineers or use software engineering tools built by software experts. Thus, the primary defenders of IT assets have different perspectives, skills and experiences from the attackers, Viega said.

This compounds the problem that most organizations consider IT security only when they are under attack, said Roger Thornton, founder of and CTO at Fortify Software. Few organizations look at their IT capabilities in terms of the risk they face from black hats and cybercriminals, he said.

This failure of imagination to ask what would happen if hackers could access their information is the main stumbling block to effective security, Thornton said. "Anything that government and industry learn from hackers must be seen through the lens of their own risk management needs," Proctor said.

Another problem is that government and industry have fallen for the negative hacker stereotypes shown on film and television, and are not using valuable, available assets.

"Not every hacker is a cracker," which is the old slang for a black hat, Maiffret said.

Organizations should invite more white and gray hats to their conferences, Maiffret said. Many government and commercial organizations, such as Microsoft, have already heeded that advice and even pay to be sponsors at hacker conferences.

Because talented Internet security professionals, such as hackers, are tough to find and hire, "the greatest defense against hackers is that you can make a mighty good living on the right side of the fence," Thornton said.

Government and industry hire white and gray hats who want to have their fun legally, which can defuse part of the threat, Ruiu said. But it's impossible to reach every potential attacker through a job advertisement, he said.

Many hackers are willing to help the government, particularly in fighting terrorism. Loveless said that after the 2001 terrorist attacks, several individuals approached him to offer their services in fighting al Qaeda.

Hiring black hats, however, is a bad idea. Bruce Murphy, vice president of worldwide security services at Cisco Systems, said he does not hire black hats because they do not appreciate or respect standard business processes and structures.

"Somebody with questionable moral judgment isn't someone you want to have control of your networks," said Avi Rubin, a professor of computer science at Johns Hopkins University. A disgruntled hacker with inside knowledge of a company's networks could create a nightmare scenario, he said.

Besides, white hats have closed the skill gap between themselves and gray and black hats, said Amit Yoran, president of Yoran Associates and former national cybersecurity director. What the white hats need to learn, he said, is how to sell IT security more persuasively to bureaucracies that still may not see the need for it.

More important than the presence of hackers is emulating their skeptical attitude, Maiffret said. Most large organizations do not cultivate the maverick mind-set needed for quality hacking and computer security, he said.

"Part of the hard thing in government is that you're not really meant to question how things work," he said, adding the same goes for large companies. "You're expected to take orders and do things...[but] that's what [hackers] are here for, to question."

Organizations must encourage employees to question everything about the technology they use, he said.

Putting lessons to work

The guiding principle for government and commercial IT has been to increase productivity and decrease cost, without much thought about security, Proctor said.

Savings are powering the federal government's insistence that contractors and integrators use commercial software. The drive "is like nothing I've ever seen in my life," said Michael Armistead, vice president of products at Fortify Software.

Thornton warned that any commercial solution must account for the organization's risk profile, especially risks presented by black hats. Those responsible for implementing commercial products should audit them, line by line if necessary, to see if they provide adequate security. If they don't, the hackers will.

Even with the security emphasis since the 2001 terrorist attacks, Thornton and other experts agree that government and industry are not changing fast enough to thwart evolving threats from black hats.

But government and industry have attributes that, if used hacker-style, could potentially help them defeat malicious hackers.

Government has the advantage of central coordination and the ability to quickly enforce best practices and standards enterprisewide, Ruiu said. It can also share information quickly and effectively — faster, in fact, than industry and the balkanized hacker community.

Industry has the advantages of being able to speedily implement changes and act pragmatically, Ruiu said. If it employs the hacker mind-set while developing products, it would produce software and hardware more resistant to attacks in the first place.

Government and industry need research units to discover vulnerabilities, or they should work with someone who has them, Maiffret said. They need to dissect software to find every weakness, just like hackers worldwide do.

Until such widespread changes occur, the public and private sectors can protect themselves the way hackers do, said Michael Cantey, a network systems administrator at the Florida Department of Law Enforcement's Computer Crime Center. He said they should learn as much as they can about what's on their systems, how those systems operate and how to fix as many flaws as possible. They can stay current on basic security measures and set up a multilayered defense that goes beyond the perimeter to inside essential systems.

The only long-term way to effectively hinder or prevent hacker attacks is to show the same persistence, skepticism and vigilance that hackers do, Roesch said. After all, he said, "the million monkeys are working relentlessly, every day, all day."

5 things feds and industry can learn from hackers

1. Keep your knowledge and tools current. Hackers write software tools that help them probe and control their targets. Anyone can download those tools for free, analyze them and use them.

2. Know your systems intimately to know immediately when they are attacked. Maintain current inventories of all hardware and software. Proactively defend in depth, with multiple layers of security governed by continually audited and updated policies.

3. Improve communications channels. News of the discovery of an exploit travels fast through hackers' informal social network. Government and industry officials must improve communication with one another if they want to better defend their networked systems.

4. Follow the path of least resistance. First protect against credentialed attacks, in which a hacker manipulates a system to acquire legitimate access.

5. Always question technology — how it is set up, how it works and how it can improve security. The right attitude produces better security than products or tools.

— Michael Arnone

Back to school

"You have to attack your own system in order to understand how hackers are attacking your system and how to defend against them," said Avi Rubin, right, a professor of computer science at Johns Hopkins University.

Rubin teaches a graduate course in which teams of students create their own systems and then gives them to their teammates to hack. The best students can't find the back doors in average students' systems, he said, and no one can find them in the best students' systems. The exercise helps them build the skills they will need to defend networks against even the most persistent attackers.

But don't ask software developers to test their own software because most of them don't learn about security and are unaware of even the most common attacks, said Michael Armistead, vice president of products at Fortify Software.

Armistead said he wants to ask developers, "Do you guys realize you're complicit in every single hacking attack there is?" Any hacker's cookbook, including the classic "Smashing the Stack for Fun and Profit" by Elias Levy, starts with a directive telling would-be hackers to look for weaknesses created by developers.

Armistead and other cybersecurity experts agree that curricula at universities and technical schools must reflect the need to design security from the outset — the way hackers protect their own systems — and not add it on as an afterthought.

— Michael Arnone

Hacker haberdashery

All hackers research vulnerabilities in software and write tools to find and exploit them, said Paul Proctor, research vice president of security and risk at Gartner. Based on their behavior, they are commonly categorized by what color "hat" they wear, like characters from the Old West.

  • White hats are paid professionals hired by government and industry. They research vulnerabilities to protect employers' and customers' data, networks and other information technology assets. Like sheriffs and other law enforcement personnel, white hats work within the rules of their organization and federal, state and local laws.
  • Gray hats are unpaid tinkerers who find flaws to improve security for everyone. The best and brightest hackers are gray hats because their passion for tinkering drives their excellence, Proctor said. Gray hats don't break the law, but they don't have to comply with the rules of any organization, hence their gray status.
  • What separates black hats from other hackers — and makes them criminals — is that they break the law and feel justified doing it, Proctor said. Some seek to increase their fame in the hacker community, while others want to prove at any cost that their targets' security is vulnerable. Black hats wreak havoc not only by their own actions but also by drawing attention to weaknesses that they and cybercriminals can exploit.
  • Cybercriminals perpetrate the worst crimes but technically aren't hackers because they don't do original research, Proctor said. They are paid to use existing tools and techniques to steal confidential personal, government or industry information, particularly financial data. Cybercriminals work for foreign governments, organized crime or independently.

— Michael Arnone

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above