Information Security News mailing list archives
Don't hire DefCon hackers
From: InfoSec News <isn () C4I ORG>
Date: Tue, 8 Aug 2000 03:06:10 -0500
http://www.globetechnology.com/archive/gam/News/20000808/ROUTS.html

VICTOR KEONG
Tuesday, August 8, 2000

From all over the world, they make the annual pilgrimage to Las Vegas. They have names such as Mudge, Null and Dark Tangent. Tattooed, pierced, tie-dyed and ready to brag, they wear motorcycle boots, leather and even kilts in the hot July desert sun. They are, by far, the smartest group of misfits you will ever encounter. Some of them have IQs that can boil water, others have technical and programming skills that can put almost any system administrator to shame, and if you run a computer network, they can be your worst nightmare.

Welcome to DefCon 8.0. For all their ability, though, businesses should be wary of succumbing to the temptation of hiring the enemy to guard their systems, as there are better options available.

The most unconventional of conventions, DefCon 8.0 was the annual meeting ground for dozens of the computer underground's most elite and notorious hackers. Driven by a belief that information should be freely available to all, they spend their time creating devious and elegant methods of cracking computer security. Any barrier to the free access of information is a challenge. And they take the challenge seriously.

As in previous DefCon gatherings, the hacking community flushed out significant system vulnerabilities and exploit methods. Some say hackers believe that as much system vulnerability information as possible should be disclosed in hopes that responsible users will employ it to protect their companies from being attacked.

But are their technological feats more self-serving? The counterargument is that many disclosures of security holes are "rock-throwing" incidents done by companies or individuals to attack dominant vendors such as Microsoft Corp., or for the purposes of self-promotion, financial gain or ego gratification. Often, such disclosures give not-so-skilled malicious attackers (dubbed "script kiddies") point-and-click tools that they can use to easily take down Web sites.

Keeping up with the latest hacking exploits and system vulnerabilities can be a daunting task for a business's already overworked system administrators. Most information technology departments are currently faced with the challenge of managing the staffing and processes required for establishing and maintaining the security posture for large enterprise networks.

A very important aspect of this activity is the overall security monitoring and advisory management function. This requires technically skilled staff who need to be focused on the technical details of implementing and managing network security.

Fortunately, testing for security vulnerabilities isn't limited to the black leather-wearing crowd with The Matrix-inspired nicknames. There are safer, mainstream alternatives. A continuing, qualified security advisory service is what corporations should look for from consulting firms. Dedicated technical resources will focus on identifying and qualifying serious, relevant network vulnerabilities as opposed to hacker-driven noise.

Keeping up with the best of the computer underground may not require a visit to the tattoo artist just yet.

Victor Keong is a senior manager in the secure e-business group at Deloitte & Touche, and is the firm's global leader for network attack and penetration services.
