White hat, gray hat, black hat

For a long time, most computer network crackers hacked a system for the same reason George Mallory climbed Mt. Everest: "Because it's there."

But that's no longer the only reason or even the dominant one. More hackers now follow the philosophy frequently attributed to Willie Sutton, a bank robber during the 1930s. According to legend, when asked why he robbed banks, Sutton replied matter-of-factly: "It's where the money is."

During the past six years, malicious black-hat hackers have changed from script kiddies who deface Web sites and spread worms to earn glory within the hacker community to professionals sponsored by foreign governments and organized crime. They target specific government and industry victims and commit real crimes, sometimes for significant financial gain.

"We're now seeing sociopaths intent on doing...more devious and sophisticated stuff," said Dragos Ruiu, chief organizer of the PacSec, CanSecWest and EUSecWest hacker conferences, which annually draw hundreds of hackers worldwide.

But in general, hackers secure their computers better than the rest of the computing community. Government and industry can learn from their hacking techniques and protection skills to improve information technology security, experts say. In addition, government can learn from two other groups: the paid professionals — known as white hats — who research vulnerabilities to protect employers' and customers' data and the unaffiliated tinkerers — known as gray hats — who alert users to vulnerabilities.

Government and industry have always learned security techniques from hackers, whether they realize that or not. For example, penetration testing, which is a search for security holes in a computer system, is a common hacker practice that the federal government is using more often, said Steven Manzuik, security product manager at eEye Digital Security. The company provides penetration testing, vulnerability assessment and proactive security services to the Defense Department and federal intelligence agencies.

Penetration testing is a good way to demonstrate actual risk and secure systems by patching or applying other protections, Manzuik said. DOD has come to appreciate the value of penetration testing and now has a solid schedule and process in place for it, he said.

Because the federal government is a huge target for hackers for political and financial reasons, agency officials have started issuing information security regulations based in part on consultations with — and learning lessons from — hackers, said Mark Loveless, a senior security analyst at BindView and a hacker for 25 years.

The Gramm-Leach-Bliley Act of 1999, the Health Insurance Portability and Accountability Act, the Federal Information Security Management Act of 2002, and the Sarbanes-Oxley Act of 2002 all require fortification of computer networks to protect information based on real-life hacker attacks, Loveless said. He added that following federal regulations can make it easier to fix many common vulnerabilities.

Military officials have learned the fastest from hackers and are starting to pay serious attention to software policies to bolster their security, Ruiu said. Civil agencies are the most vulnerable because they don't have money for adequate IT security, let alone improvements to it, he said.

DOD and intelligence agencies enjoy talking with hackers who do not have malicious intentions, and the two groups often tip each other off about developments and discoveries, Loveless said. Information analysis and intelligence gathering units are particularly willing to learn from attacks to plug holes in their security, said Marc Maiffret, founder and chief hacking officer at eEye.

But not all government agencies listen to hackers, Loveless said. Old-school agents in the FBI and the Secret Service don't trust hackers because they consider many of them to be criminals.

Hackers' importance as teachers, though, is increasing. As software insecurity remains the norm, the number of targets increases and the stakes involved in losing control of financial and confidential data rises, experts say.

'Millions of monkeys'

A common bond among hackers is curiosity. "What if I try this?" and "What can I do to make it do what I want?" are two hacker mantras, said Martin Roesch, founder and chief technology officer of Sourcefire, a provider of intrusion-prevention systems. But that unrelenting, inquisitive skepticism, sometimes bordering on paranoia, yields superior quality assurance.

"Everything you forget, they will find," Roesch said. "It's like the proverbial millions of monkeys typing on typewriters. They have infinite resources and infinite time to find weaknesses in your system."

Another hacker tenet is always follow the path of least resistance, said Matthew Gray, founder of and CTO at Newbury Networks. In doing so, hackers use network engineers' desire for efficiency against them to design more effective and stealthy attacks.

This path of least resistance is often through the front door, said Paul Proctor, research vice president of security and risk at Gartner. Attackers hack only enough to insert malicious payloads that contain keystroke and network sniffers and other means to collect information they can use to fool the system into thinking the attackers are legitimate users. Once they get that, they can come and go as they please without scrutiny.

Nine times out of 10, vigilante gray hats, black hats and cybercriminals follow the path of least resistance, Proctor said. But most government and industry cyberprotectors try to thwart the primary method gray hats use: burrowing into the system code to find flaws. Gray hats, however, pose almost no real risk to computer security because they don't act maliciously, he said.

A failure of imagination

An obstacle to blocking hackers is the implementation of IT security by network engineers instead of software developers and engineers, said John Viega, founder of and CTO at Secure Software. On the other hand, most hackers are software engineers or use software engineering tools built by software experts. Thus, the primary defenders of IT assets have different perspectives, skills and experiences from the attackers, Viega said.

This compounds the problem that most organizations consider IT security only when they are under attack, said Roger Thornton, founder of and CTO at Fortify Software. Few organizations look at their IT capabilities in terms of the risk they face from black hats and cybercriminals, he said.

This failure of imagination to ask what would happen if hackers could access their information is the main stumbling block to effective security, Thornton said. "Anything that government and industry learn from hackers must be seen through the lens of their own risk management needs," Proctor said.

Another problem is that government and industry have fallen for the negative hacker stereotypes shown on film and television, and are not using valuable, available assets.

"Not every hacker is a cracker," which is the old slang for a black hat, Maiffret said.

Organizations should invite more white and gray hats to their conferences, Maiffret said. Many government and commercial organizations, such as Microsoft, have already heeded that advice and even pay to be sponsors at hacker conferences.

Because talented Internet security professionals, such as hackers, are tough to find and hire, "the greatest defense against hackers is that you can make a mighty good living on the right side of the fence," Thornton said.

Government and industry hire white and gray hats who want to have their fun legally, which can defuse part of the threat, Ruiu said. But it's impossible to reach every potential attacker through a job advertisement, he said.

Many hackers are willing to help the government, particularly in fighting terrorism. Loveless said that after the 2001 terrorist attacks, several individuals approached him to offer their services in fighting al Qaeda.

Hiring black hats, however, is a bad idea. Bruce Murphy, vice president of worldwide security services at Cisco Systems, said he does not hire black hats because they do not appreciate or respect standard business processes and structures.

"Somebody with questionable moral judgment isn't someone you want to have control of your networks," said Avi Rubin, a professor of computer science at Johns Hopkins University. A disgruntled hacker with inside knowledge of a company's networks could create a nightmare scenario, he said.

Besides, white hats have closed the skill gap between themselves and gray and black hats, said Amit Yoran, president of Yoran Associates and former national cybersecurity director. What the white hats need to learn, he said, is how to sell IT security more persuasively to bureaucracies that still may not see the need for it.

More important than the presence of hackers is emulating their skeptical attitude, Maiffret said. Most large organizations do not cultivate the maverick mind-set needed for quality hacking and computer security, he said.

"Part of the hard thing in government is that you're not really meant to question how things work," he said, adding the same goes for large companies. "You're expected to take orders and do things...[but] that's what [hackers] are here for, to question."

Organizations must encourage employees to question everything about the technology they use, he said.

Putting lessons to work

The guiding principle for government and commercial IT has been to increase productivity and decrease cost, without much thought about security, Proctor said.

Savings are powering the federal government's insistence that contractors and integrators use commercial software. The drive "is like nothing I've ever seen in my life," said Michael Armistead, vice president of products at Fortify Software.

Thornton warned that any commercial solution must account for the organization's risk profile, especially risks presented by black hats. Those responsible for implementing commercial products should audit them, line by line if necessary, to see if they provide adequate security. If they don't, the hackers will.

Even with the security emphasis since the 2001 terrorist attacks, Thornton and other experts agree that government and industry are not changing fast enough to thwart evolving threats from black hats.

But government and industry have attributes that, if used hacker-style, could potentially help them defeat malicious hackers.

Government has the advantage of central coordination and the ability to quickly enforce best practices and standards enterprisewide, Ruiu said. It can also share information quickly and effectively — faster, in fact, than industry and the balkanized hacker community.

Industry has the advantages of being able to speedily implement changes and act pragmatically, Ruiu said. If it employs the hacker mind-set while developing products, it would produce software and hardware more resistant to attacks in the first place.

Government and industry need research units to discover vulnerabilities, or they should work with someone who has them, Maiffret said. They need to dissect software to find every weakness, just like hackers worldwide do.

Until such widespread changes occur, the public and private sectors can protect themselves the way hackers do, said Michael Cantey, a network systems administrator at the Florida Department of Law Enforcement's Computer Crime Center. He said they should learn as much as they can about what's on their systems, how those systems operate and how to fix as many flaws as possible. They can stay current on basic security measures and set up a multilayered defense that goes beyond the perimeter to inside essential systems.

The only long-term way to effectively hinder or prevent hacker attacks is to show the same persistence, skepticism and vigilance that hackers do, Roesch said. After all, he said, "the million monkeys are working relentlessly, every day, all day."

5 things feds and industry can learn from hackers

1. Keep your knowledge and tools current. Hackers write software tools that help them probe and control their targets. Anyone can download those tools for free, analyze them and use them.

2. Know your systems intimately to know immediately when they are attacked. Maintain current inventories of all hardware and software. Proactively defend in depth, with multiple layers of security governed by continually audited and updated policies.

3. Improve communications channels. News of the discovery of an exploit travels fast through hackers' informal social network. Government and industry officials must improve communication with one another if they want to better defend their networked systems.

4. Follow the path of least resistance. First protect against credentialed attacks, in which a hacker manipulates a system to acquire legitimate access.

5. Always question technology — how it is set up, how it works and how it can improve security. The right attitude produces better security than products or tools.

— Michael Arnone

Back to school

"You have to attack your own system in order to understand how hackers are attacking your system and how to defend against them," said Avi Rubin, a professor of computer science at Johns Hopkins University.

Rubin teaches a graduate course in which teams of students create their own systems and then give them to their teammates to hack. The best students can't find the back doors in average students' systems, he said, and no one can find them in the best students' systems. The exercise helps them build the skills they will need to defend networks against even the most persistent attackers.

But don't ask software developers to test their own software because most of them don't learn about security and are unaware of even the most common attacks, said Michael Armistead, vice president of products at Fortify Software.

Armistead said he wants to ask developers, "Do you guys realize you're complicit in every single hacking attack there is?" Any hacker's cookbook, including the classic "Smashing the Stack for Fun and Profit" by Elias Levy, starts with a directive telling would-be hackers to look for weaknesses created by developers.

Armistead and other cybersecurity experts agree that curricula at universities and technical schools must reflect the need to design security from the outset — the way hackers protect their own systems — and not add it on as an afterthought.

— Michael Arnone

Hacker haberdashery

All hackers research vulnerabilities in software and write tools to find and exploit them, said Paul Proctor, research vice president of security and risk at Gartner. Based on their behavior, they are commonly categorized by what color "hat" they wear, like characters from the Old West.

  • White hats are paid professionals hired by government and industry. They research vulnerabilities to protect employers' and customers' data, networks and other information technology assets. Like sheriffs and other law enforcement personnel, white hats work within the rules of their organization and federal, state and local laws.
  • Gray hats are unpaid tinkerers who find flaws to improve security for everyone. The best and brightest hackers are gray hats because their passion for tinkering drives their excellence, Proctor said. Gray hats don't break the law, but they don't have to comply with the rules of any organization, hence their gray status.
  • What separates black hats from other hackers — and makes them criminals — is that they break the law and feel justified doing it, Proctor said. Some seek to increase their fame in the hacker community, while others want to prove at any cost that their targets' security is vulnerable. Black hats wreak havoc not only by their own actions but also by drawing attention to weaknesses that they and cybercriminals can exploit.
  • Cybercriminals perpetrate the worst crimes but technically aren't hackers because they don't do original research, Proctor said. They are paid to use existing tools and techniques to steal confidential personal, government or industry information, particularly financial data. Cybercriminals work for foreign governments, organized crime or independently.

— Michael Arnone
