Before I start this article, I would just like to clarify that I’m not advocating the hiring of computer criminals. If you are being held ransom by someone claiming to have control of your infrastructure, and demanding payment to ‘prevent further damage or exposure’, then you need to contact the relevant authorities.
However, if you want to prevent these criminals from hijacking your systems, then perhaps a ‘hacker’ is exactly the person you need for the job. At AlienVault, we pride ourselves in working with hackers and having them as part of our team to ensure we provide the best service to our customers.
If you need a flat head screwdriver to remove a screw, would you use a cross head? Of course you wouldn’t. Similarly, if you needed to dig a hole, would you use a spoon? Although you’d get the job done, the time wasted could be better invested elsewhere.
It’s only natural to use the tool that’s been perfectly designed for the job yet, for some reason, when it comes to securing corporate infrastructure, many are frightened by the idea of hiring a hacker. I believe they’re missing out.
A hacker is a hacker – ethics are irrelevant. I define a hacker as ‘someone who thinks a certain way about technology’. For that reason, if you want to make sure your systems are secure, then the best way is to test their strength, and that would be best done by someone ‘who thinks a certain way about technology’.
That said, not all hackers are the same, so following are the skills I believe a hacker should display.
Out of the Box
My hacker definition sums this up perfectly. Rather than looking at how something should work, a hacker will approach it from a different angle. He or she won’t try your ‘security doors’ to make sure they’re locked, but instead push on the wall around it to see if the bricks hold up and if the windows have glass, does the putty hold them in place.
‘No’ Isn’t in a Hacker’s Vocabulary
Tenacity is another key skill a hacker must possess – someone who doesn’t take ‘no’ for an answer. Take, for example, a locked door: there are a number of ways of opening it, and a hacker will keep trying until he or she manages to do so. Of course, the easiest way is to locate the key but, if one isn’t on hand, then can the lock be picked? Can it be drilled? What about cutting the lock out altogether? I think the phrase from a legendary film, “You’re only supposed to blow the bloody doors off”, perfectly encapsulates a hacker’s enthusiasm to get the job done.
Morals of an Alley Cat
Now, before everyone starts baying for my blood, I don’t for one minute advocate paying a criminal for his services – unless they’re rehabilitated and you’re into second chances. Nevertheless, a hacker needs to think and act like a criminal, or what’s the point of hirning one? Criminals don’t play by the rules, and being afraid to push the boundaries is why a lot of companies end up experiencing breaches.
Porridge for Breakfast
While I’ve said there’s no reason why a rehabilitated hacker shouldn’t be employed, it does raise serious concerns – primarily, why did they get caught? Professional hackers will pride themselves on their skill at infiltrating systems, undetected, and will certainly not want to leave an electronic fingerprint. A criminal conviction shouldn’t be seen as a qualification, but rather testament that perhaps they’re not up to the job.
A Big Head
An egotistical hacker isn’t necessarily a brilliant one – in fact, quite the opposite is often true. I’ve sat and listened to far too many people claiming responsibility for something that I’ve known they didn’t do – often because I was in fact responsible, but that’s for another time.
There are a number of reasons why bragging is a bad trait in a hacker:
- They should be able to prove their ability rather than just talk about it
- If they’re loose-lipped, they could inadvertently expose an organization to ridicule
- A hacker likes nothing better than ridiculing someone else’s inadequacy
At the end of the day, someone who has the skill and tenacity to get the job done is the perfect fit for any organization. Don’t let a ‘name’ or label come between you and the opportunity to secure the perfect asset for your business.
Dominique Karg is the chief hacking officer for AlienVault. In his first job, Karg founded, within IP6 Seguridad, one of the first ethical hacking teams in Spain with him as a core leader specializing in advanced application testing techniques. He is a dedicated writer of security-related material, has presented at security conferences, contributed knowledge and code to several open-source projects, and is currently involved in the definition of Common Event Expression – the future event standard backed by MITRE.