Information Security News: Newest IT Job Title: Chief Hacking Officer

[InfoSec News <isn () c4i org>]

http://www.newsfactor.com/perl/story/17940.html

By Jay Lyman
NewsFactor Network 
May 29, 2002 

Companies seeking to ensure they are as impervious as possible to the
latest computer viruses and to the Internet's most talented hackers
often find themselves in need of –- the Internet's most talented
hackers.

Some of these so-called "white-hat" hackers hold high positions in
various enterprises, including security companies, but analysts told
NewsFactor that they rarely carry the actual title "chief hacking
officer" because companies tend to be a bit skittish about the
connotation.

Still, some security pros -- such as Aliso Viejo, California-based
Eeye Security's Marc Maiffret -- do carry the "CHO" title, and few
argue the point that in order to protect themselves from the best
hackers and crackers, companies need to hire them.

Hidden Hiring

SecurityFocus senior threat analyst Ryan Russell told NewsFactor that
while only a handful of companies actually refer to their in-house
hacker as "chief hacking officer," many companies are hiring hackers
and giving them titles that are slightly less indicative of their less
socially acceptable skills.

"A large number of people who used to do that sort of thing end up
working in security," Russell said. "There are some companies out
there specifically saying, 'We do not hire hackers, we are against
that,' but really they are [hiring them]."

Russell said that while there is definitely an increased emphasis on
security since last year's disastrous terrorist attacks, deflation of
the dot-com bubble has resulted in consolidation among security
personnel and a reduction in the number of titles that are obviously
associated with hacking.

Born To Hack

Russell noted that hackers legitimately working in IT are usually
involved in penetration testing.

While companies are uncomfortable hiring IT security personnel with
prior criminal records, there are advantages to hiring an experienced
hacker, even if the individual has used an Internet "handle"  
associated with so-called "black-hat" hackers.

Still, Russell said, "I think in very few cases do people with the
reputation of a hacker or black-hat [get hired]."

One such person who was hired is Cambridge, Massachusetts-based
security company @Stake's chief scientist, Peiter "Mudge" Zatko -- a
well-known hacker and security expert who has briefed government
officials, addressed industry forums and authored an NT password
auditing tool.

Regular Workers

Regardless of whether they wear a white hat or a black one, Russell
said it takes more than good hacking skills to land a legitimate job.

"You want someone who does [penetrations] for a living," Russell said
of penetration testers. "You want them to be good at giving you the
information you need."

Russell added that while some hackers hold chief technical officer or
equivalent positions, the rule of fewer managers and more employees
means there are probably more hackers working in regular jobs than in
management.

Checking References

Forrester (Nasdaq: FORR) analyst Laura Koetzle told NewsFactor that
companies will not hire anyone convicted of a computer crime, but they
will seek out hackers, particularly for penetration testing.

"They won't have a title of chief hacking officer, and they haven't
necessarily broken any laws, but they're still skilled at this stuff,"  
she said.

Koetzle said many companies avoid the issue of checking the
backgrounds of former hackers by using services firms, such as
PricewaterhouseCoopers or Deloitte & Touche, to hire such personnel.

Extortion and Employment

But hiring hackers can backfire.

Russell said cases of extortion range from blatant attempts at
blackmail -- demanding money to prevent disclosure of customer data or
security vulnerabilities -- to more subtle efforts, wherein hackers
find holes, offer a fix and add a request for a job.

According to Koetzle, despite the desire to keep security breaches
quiet, companies must resist attempts on the part of potential
hacker-hires to extort money or work in computer security.

"I would strongly caution against dealing with that type of hacker,"  
Koetzle said. "It absolutely does happen, but it's absolutely the
wrong thing to do."

Right or wrong, however, it seems that the person best equipped to
ferret out a hacker is another hacker. So, as unsavory as it may seem,
the better the hacker, the more likely he or she is to join the square
working world as chief hacking officer.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.