http://www.forbes.com
2.8.99
Designing the future: How a group of former hackers is helping to keep
corporate America safe
By Richard Thieme
Former hackers are designing an increasing amount of the corporate
computer network landscape of the future. Skeptics might rightly ask what,
if any, benefit they provide beyond what could be gotten from a
traditional security consultant.
At least one company believes strongly that the benefits are significant.
The Professional Services group of San Jose, Calif.-based Secure Computing
Corp. (SCUR) specializes in evaluating the information security of large
corporations, agencies and governments. Professional Services includes a
number of former "underground hackers" who work on a 42-person team,
commonly referred to as a "tiger team." Twenty-six members of the group
are CISSPs (Certified Information Systems Security Professionals), and
there are also experienced business and intelligence professionals, as
well as academics, at offices in Seattle, Toronto, Minneapolis, Raleigh,
Washington, D.C., London, Sydney and Tokyo. It's all overseen by John
Sekevitch, vice president and general manager of Professional Services.
Trading on the Nasdaq exchange, Secure Computing is one of a handful of
firms that have sprouted in the last decade or so to help businesses
combat the increasing threat of having their computer networks breached.
(In the last few years, hacker attacks on corporations have cost several
hundred million dollars.) Investors, too, are taking note of this growing
industry, having pushed Secure's stock up from $6.38 to a recent $23.
Sekevitch's group is typically hired by large security-conscious
organizations to determine their level of risk. His goal is to maintain a
culture in which his unconventional team of computer specialists can
thrive. "He asks what we need and then provides it," says Mike
Bednarczyk, worldwide director of Intrusion Services, a Seattle-based
division of Professional Services. "He creates the space in which we can
be productive."
Clients are typically large manufacturers, government agencies, or companies in
the financial and health care industries. Despite the size and global
reach of their clients, the IT people talk to each other, and Professional
Services is usually hired on the strength of a verbal recommendation.
About 25% of the time, an intrusion or significant loss is the reason for
the call. But 75% of their clients enlist their services before an
intrusion or loss. Then the team usually begins by drafting the
architecture, development and deployment of the entire network. That's
where seeing things as a whole pays off.
The former hackers are well paid. "The hacker joke," says Jeff Moss,
founder of DefCon and the Black Hat Briefings, the annual security
conferences, "is that if you work for a corporation when you're 20, you're a
loser, but if, by 30, you don't, you're a loser."
"When you make good money and can be immersed in what you love, you'd be
crazy to go elsewhere," says Mark Fabro, worldwide director of
Professional Services. "Besides, we're learning something working together
that no grad school offers. The value that creates for us--and for
clients--is significant."
About the time that computer games spread to PCs, the network itself
became the game. Playing on that network shaped the minds of these young
adepts. A network designed to be open, evolving and free has become the
infrastructure of the world. So that network had better be secure.
"We discovered and repaired vulnerabilities for a financial giant that if
left unattended would have meant immense losses to their reputation plus a
loss of at least 25 million dollars," says Fabro. "We've helped some of the
country's largest companies plug holes that would have been devastating,
had the information found its way to the wrong hands."
Professional Services' global scope enables the team to evaluate a company
in one country from another country, which adds value by enabling a
company to see itself through the eyes of a distant enemy--and to arrive
inside its systems by the routes that enemy would take. Which is exactly
the way in which businesses competing in a global knowledge economy had
better operate. "We can't believe what we find," says Fabro. "A large
financial organization, working with billions of dollars, uses an open
system to communicate critical information. They're complacent because
they haven't experienced any consequences yet."
In an effort to educate a client about its system, rather than tell it how
to run its business, the Professional Services team tries to communicate its
enthusiasm for seeing the system in its entirety, expanding the client's
vision so the architectural structure of their enterprise comes into sharp
focus. Jeff Moss says that hackers are not constrained by the
institutional mind-set of their clients. They're empiricists, adds Rich
Friedeman, a network security specialist based in Chicago. "They look at
systems as they're used in real life. They describe what they see, not
what they have been taught to see."
"Hackers do not follow an outline," says Robyn Ulmer, who recently left
the Department of Defense in search of a less constrained mindset. Ulmer
was trained in theoretical mathematics at Purdue University. "They didn't
learn by following the rules, so their minds don't map a system the way
you move from box to box on a flow chart. They leap into the flow of the
information and swim. They leave room for possibilities."
Here's an example of a recent contract: A large government agency asked
the team to assess its current state of security by evaluating each part
of the enterprise as an individual piece. There were numerous
vulnerabilities--from telephone systems to the intranet to the extranet.
When the team issued a report, individual departments acted predictably.
They defended their turf and blamed one another.
The team could have left it at that, but instead they suggested that the
agency look at the entire system as one whole system. They showed the
government agency how all of the vulnerabilities were interconnected. The
team delivered an actual life cycle of vulnerabilities in the system as
each impacted and led to the other. More important, the event became a
catalyst for a team-building project. Individual managers saw that the
only way to develop an integrated approach to solving security problems
was to work on the entire network--the human as well as the computer--to
think, in short, as hackers think.
Hackers have that broad perspective, according to Moss, because they've
been doing what they love for years. They didn't just decide to get
interested in security. Their shared passion and the bonds they've
developed over the years make the team cohesive. The network that connects
them to each other and to others still in the underground is the real
source of their power.
Security professionals who try to stay abreast of developments simply by
attending conferences or following lists are always behind. "Exploits
become dangerous in days, not weeks or months," says Fabro. "By the time
it's the subject of a seminar, it's old news. We have identified exploits
for clients a few hours after they surface."
Professional Services' information is current because its people stay
connected to the underground, a loose self-regulating network, which they
are constantly filtering for new recruits. Those who have converted to the
straight and narrow keep one another accountable and have near-zero
tolerance for mistakes. This provides quality control and also intensifies
the all-for-one-and-one-for-all environment in which they thrive.
The team excels at forensic analysis, the examination of log files that
let them backtrack to the source of an attack. They also go into chat
rooms and sniff around, and if laws have been broken, they provide
information to the proper authorities.
Because most of them have been at it for years, the team has historical
depth that conventional businesses often lack. "Someone may have been in a
large organization for just two or three years," says Fabro. "They may not
even know about the flaws in their numerous legacy systems."
Sometimes a primitive weapon is more effective than a smart bomb. The
intrusion team once carried out a massive attack on such an organization
using war dialing--automated scripts that dial all of the numbers in an
area--and discovered backdoors in the system that were eight years old.
Analysts with less experience, who were not familiar with the weaknesses
of older systems, might not have known how to do that.
Just walk on in
"Hackers tend to be very focused and goal oriented," says George Jelatis,
director of security architecture services for Professional Services, who
is based in Minneapolis, "and they expect their clients' enemies to be
equally focused." They share an appropriate paranoia with members of the
intelligence community. Traditional business people don't suspect everyone
who walks in or try every single way to get into a system. But hackers do.
"Social engineering," the exploitation of a trusting relationship to
elicit information, is often one of the weakest links in a company's
defense. The trick is to disappear into the background so completely that
you show up as if you belonged. It doesn't take complex hacking tools to
pull it off.
Toronto-based Rob Stonehouse, an information security specialist with
Professional Services, used a piece of birthday cake.
Stonehouse rode the elevator until he heard two employees discussing a
birthday party. He asked what floor it was on and arrived, smiling. "Is
this the party?" he asked, stepping onto a floor that required security
clearance. Given a piece of cake, he went to the coffee station and
photocopied company mail, gained access to the company's check printer and
sat happily munching at a terminal with direct access to the company's
databases using default passwords.
Is it necessary to suspect that everyone might be a spy?
Yes, says Ray Kaplan, one of the "gray hairs," who emphasizes the depth of
experience and synergy among disciplines in the group. Kaplan thinks a lot
of companies that scoop up hackers and go into the security business do
not understand the kind of rigorous discipline necessary to manage hackers
and balance their culture with other cultures in the company. "Older
professionals can serve as hardheaded mentors to the younger hackers,
bringing values, experience and understanding to the mix," explains
Kaplan.
The culture is a meritocracy where technical expertise is valued. "It's
half a skill set, half a way of life," says John Sekevitch. "They don't
value structural authority so much as your ability to do the job. Yes,
their skepticism and questioning can border on paranoia, but that's
precisely the personality and mind-set we're trying to develop in our
clients."
The professionals at Secure cannot name clients or elaborate on successes,
but they count on clients to do it for them. They work mostly with
organizations that have lots to lose, like financial institutions and
government agencies. Their reputation is 15 years deep with DOD and the
NSA.
The feedback when a client breaks through to an "aha!" is often immediate.
In one case, the intrusion team hacked into a bank and found that an
external router was vulnerable. They bypassed controls to see the entire
network, including internal hosts, and immediately informed the client.
Ten minutes later the hole was plugged.
The team does not like to define its value simply in terms of intrusion.
"We try to serve as catalysts for change by illuminating the system," says
Professional Services' Jelatis. That way they can help clients broaden
their vision and develop solutions scalable to every level of the network.
The group sees the entire world as their play space, but it's not just
grandiosity. "There's no such thing anymore as being the best in only one
country," Fabro says. "Secure began as a division of Honeywell, founded
and funded by the NSA, which is nothing if not global. We have thought in
terms of the world since the beginning. Corporations like construction
giant Bechtel--where do they begin? What are the boundaries? The
technology itself has delivered the entire world as the space in which we
must operate."
Turning anxiety into excitement. Living on the edge. And late at night,
when a puzzle they can't solve is driving them on and everyone in the lab
is brainstorming, trying to define a security solution for a complex
space, one of them becomes aware suddenly that this select group is making
a difference now and creating value far beyond themselves. And just for a
moment, their boundaries dissolve in the flow of energy and information
flashing through the system and they realize what an opportunity they have
been given.
Richard Thieme speaks, writes and consults on the human dimension of
technology and the workplace. He can be reached at
rtheime@thiemeworks.com.
Received on Thu Mar 11 17:20:52 1999