The use of the term "hacker" to denote a computer expert with bad intentions is a misnomer. A hacker is anyone with a high level of computer expertise, no matter how he or she uses it. Hackers come in three varieties: Black, white and gray. Black, of course, are malicious; white are good hackers; and gray, as the name implies, jump between the two camps. USA Today looks at penetration ("pen") testers, who also are called ethical hackers. They increasingly are being hired by corporations and security companies to see what is working and what isn't. The piece provides a good roundup. The most interesting passage in the piece involves the relative success of hacking from inside and outside the client's office. The expert says he is successful virtually 100 percent of the time in gaining access to 80 percent to 90 percent of a company's internal systems from inside. Conversely, strong perimeter defenses reduce his success rate to 20 percent to 30 percent if he starts from the other side of the firewall. If nothing else, this shows that attention to perimeter defense over the past few years has been successful.
The potential benefits and significant problems of penetration testing are both on full view in this SC Magazine article, which reports on National Institute of Standards and Technology (NIST) recommendations that such procedures be a regular tool of federal agencies. The advantages are obvious: Pen testing can help find and patch vulnerabilities before criminals or terrorists do.
The downside is that training people to do this is akin to weapons training: There is no guarantee the knowledge won't be turned on its source. Indeed, much of the article describes the oversight that must be exercised over such operations and the people who perform them. NIST recommends that outsiders be used to make sure that people who work for an agency don't downplay problems and to reduce the risks of disgruntled ex-employees mounting an attack. The recommendations will be finalized at the end of this month and published in March, the story says.
Clearly, this is an interesting and hot field. It seems that pen testing quality varies, and that the field is likely to see much competition. Free Information Technology Tips offers a good overview of ethical hacking. First, the writer describes the contract, which is called a "get out of jail free" card because it releases the hacker from criminal liability. This is necessary because much of what an ethical hacker does would otherwise be felonious. It is very important that an organization consult attorneys before engaging an ethical hacker. One obvious issue: If a company indemnifies a hacker against prosecution, would the organization still be liable to a client who sues after the hacker makes a mistake and data is lost?
The piece describes three things an ethical hacker tries to find out: what information an attacker can get their hands on, what can be done with that information and whether the organization would automatically know if a "real" hacker launched an attack.
This look at ethical hacking in general and one practitioner, David Jacquet, at Mainebiz traces the rise of ethical hacking and ably explains why these folks are in demand. The nagging question concerns the demarcations between white, gray and black. Given how specialized and arcane the world of hacking is, how can organizations know for certain that the hacker they are inviting to attack their networks truly is ethical? How do organizations know that all the vulnerabilities found were reported to the customer?
Presumably, it's a matter of reputation and trust. At the same time, it's a rather difficult assumption to make.