Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
Experts: Use Caution With White-Hat Hackers
By Lee Bruno, Data Communications
Apr 5, 1999 (8:44 AM)
URL: http://www.techweb.com/wire/story/TWB19990405S0003

Security experts are sounding a warning about so-called ethical hackers,
the security-busters companies hire to search for vulnerabilities in their
networks. In recent interviews with Data Comm, they said it's almost
impossible to make the necessary background checks, since white-hat
applicants are sworn to secrecy by the organizations that have used their
services. And that's the perfect cover for "wannabes" who use it to hide
their inexperience.

"There are a lot of so-called security experts who really lack the
necessary qualifications," said Steph Marr, national director of
Predictive Systems, a New York-based security consultancy.

To keep from getting burned, Marr suggested checking out an applicant's
certification, making sure credentials come from an established
institution. He said these include the American Society for Industrial
Security, in Alexandria, Va., the Computer Security Institute, in San
Francisco, and the Certified Information Systems Security Professional
(CISSP) group, in Shrewsbury, Mass.

It's also important, he said, to find out what's behind these
certifications. CISSP, for instance, offers an ISC2 certification that
requires a security professional to have worked in information security
for a minimum of three years and to have passed a 250-question test.

Other experts said business acumen is as much a job requirement as
esoteric knowledge of system vulnerabilities. "A security policy that's
not firmly grounded in business practice is useless," said Chuck Williams,
chief scientist at Cylink, in Sunnyvale, Calif., a vendor of network
security gear.
Received on Tue Apr 6 19:50:05 1999