IT Writers Awards, Entry No. 36f
Industry looks to get hacked to bits
By James Riley
Submitted for Best Feature category
A combination of corporate paranoia, the skills shortage, and
the suddenly booming e-commerce market has made hacking a profitable game.
The security specialists of the IT world are among the industry’s best paid. It is not unusual to find a pimply-faced 21-year-old commanding a salary in the range of $120,000 a year – especially if he (and it is predominantly a he) happens to be good at breaking down the often insubstantial barriers of corporate firewalls.
Ethical hacking – or white hacking, as it is called – is but a single weapon in the arsenal that companies have loaded up in their fight against unauthorised network access.
But as a weapon, it’s a mighty big stick. The white hacker’s job can be lethal when it comes to, say, a network administrator seeking to increase an annual security budget.
Hiring a twenty-something to bust down the corporate network doors and access the company’s financial system is a great way to get the chief executive’s attention. (Unfortunately, it’s also a great way to give the chief executive a heart attack, because, generally speaking, the white hacker does not fail.)
The term white hacking was born simply because the term “hacking” had been hijacked by the tabloid media. So now we have white hackers and black hackers. The terms are interchangeable these days with white hats and black hats. (Despite the somewhat graphical nature of our cover photograph, white hats should not be confused with the pointy-headed KKK variety).
In Australia, the white hacker community has grown substantially in the past two years – and is currently in the midst of phenomenal growth. Whether it is the most useful of security procedures is debatable.
But white hacking is useful, if only because it can be used effectively to scare the living daylights out of management. That is, if complacency is a problem, a white hat can help.
Put it this way; one of the bigger specialist security agencies in Australia, IT Audit and Consulting (ITAC), has done “many hundreds” of authorised hacks over the past couple of years, according to its founder and managing director, Stephen James.
In that time, the company has “never failed to gain entry” to the target-client’s systems, James says.
That 100 per cent record is a scary thought, given that the electronic commerce market – whether in the consumer markets or business-to-business (B2B) – will live or die by the strength of IT security systems, and the trust that the electronic medium can generate with customers.
Consumers are already gun-shy about purchasing online for fear that their credit card details might be transported all over the Internet on an electronic shopping spree.
Admittedly, James concedes humbly that although his ethical hacking team has always been able to penetrate target systems, it has been detected on a grand total of about five per cent of occasions (yes, just five per cent of penetrations).
It’s enough to make a chief executive weep. Chief executives, according to ITAC’s James, have been living in a false bubble of security for years. They assume, wrongly, that because they spend loads of money in hiring MIS people – that their technical problems are over.
But skills shortages aside, security is increasingly a heavily specialised area of the IT discipline. The average network administrator or MIS manager is going to know generally what his company needs in terms of security – but that doesn’t mean they will be qualified to ensure those security precautions are running at optimum performance levels.
If the security software vendor has done a poor implementation of their product, for example, the chances are that your MIS people won’t know. They – like the long suffering chief executive – will take it on faith that having actually paid the substantial sums to have security systems put in place, that those systems will actually work.
It is extremely difficult to get empirical evidence in Australia, but ethical hacking organisations contacted by InformationWeek agree that the so-called white hat market has probably grown at a slightly faster rate than the Internet. And now that the e-business market has taken off, following the completion of various Y2K and GST projects, the spend in IT security has increased considerably.
ITAC’s James laments the fact that there are few statistics available in Australia about the incidence of hacking.
To extrapolate from the US however, we know that IT security services – that is, services like penetration, security audits, awareness training and strategic security policy design – will generate about US$7.5 billion this year, and will continue to grow at a compound 40 percent annually.
InformationWeek’s cover pin-up boy, Rick Redman – mean as he looks – is precisely the product of the security boom. He’s out there, from an IT bunker in Atlanta, seeking holes in some of the largest corporate and military sites in the US as a security engineer at specialists Metases.
Metases, a spin-off of the independent research firm The Meta Group, employs 65 people full-time and has 75 full-time clients that run the gamut from financial institutions to government sites to healthcare providers.
“It’s definitely a growing industry, both in demand and in supply,” according to GartnerGroup US-based analyst John Pescatore. “We’re seeing a lot of user demand and an enormous number of companies starting up in this space.”
It’s the same in Australia. ITAC has been around for five years, founded by James initially as a one-man show. But in the past two years, things have really taken off. Forty percent of the company’s work is with governments – including those across the Asia-Pacific region.
Shake Communications has experienced similar growth. It’s not just start-ups that are tapping this rich security vein. Big Five consultants and service providers like IBM, Unisys and Getronics are increasingly involved, as it has become increasingly clear to the growing numbers of companies operating in the online world that security is a specialist issue.
IBM Australia Security Privacy Services managing consultant Peter Watson founded the company’s local white hacker and security audit services operation 18 months ago, and reports extravagant growth.
Watson said the penetration services market has boomed not just because of the growing connectivity of the networked economy, but because so much of the business future will rely on the success of online commerce.
He points to three basic motivators within the hacker community. First, there is the hacker who just wants to deface a Web site. They’re a pain, he says, and while some are politically motivated, he says most are simply teenagers who want to “tag” something – to identify themselves as part of the underground hacker crowd.
Second, Watson guesses that there is a surprisingly large number of people who hack in order to expose security as an IT issue. Whether they do it because they are disgruntled with their own organisations’ attitudes, Watson doesn’t say, but he reckons these hackers are attempting to use the media to embarrass organisations – and genuinely feel they are “not doing anything malicious”.
Most dangerous, Watson said, is the third group. These are the organised element, “and they are the criminal element”.
“It may be for personal gain, they may have been hired for some political motivation, or it might be some kind of industrial espionage. But this is a serious group of people,” Watson said.
Given that the white hacker community is so new, those already involved in the business are not short on advice for would-be users of security services.
Shake’s Johnson, for example, said because the market is so new in this country, organisations should be very selective about who they hire to perform penetration exercises.
Johnson claims there are more than a couple of outfits in this country offering white hacker services – rather than what would be considered the full range of protective security services – some of them having merely swapped black hats for white hats before setting up shop. A security check on these consultants would not be out of order, Johnson said.
In Australia, the security industry has been around long enough to have spawned more than a few start-up companies with credible track records – for those businesses which can’t afford an IBM or a Big Five consultant.
Shake Communications started as a security consultancy offering a database of system vulnerabilities and software flaws. The company then sold a weekly subscription service covering the latest security problems that had turned up, with full descriptions, work-arounds or patch procedures.
“That business absolutely took off – in a really big way – so that we ended up with master distributors all over the world,” Johnson said.
“It also kind of shook the security market up. Because previously customers had simply been trusting their security vendors – where we were posting a database archiving precisely how all the holes in their software worked,” he said.
“Obviously, that didn’t make the security vendors particularly happy. But it highlighted how naive the market was even just a few years ago. And growth has almost come straight on the back of that.”
The company now runs the SecuritySearch.net portal, sending out a weekly ‘vulnerability report’, as well as doing the penetration and security audit work on the side.
ITAC’s James puts the growth in the security market down to a combination of increased connectivity – globally – and money.
“There has been a lot of budget freed up after Y2K,” James said.
“And from now on, we should continue to see a dramatic increase in the IT security spend riding on the back of e-commerce. Because you can’t have one without the other,” he said.
For James, the most depressing thing about the white hat hacking gig is that his 100 per cent success rate is usually built on coming across the same simple security errors or flaws again and again, such as leaving the default settings on software untouched.
“The frightening thing that we’ve found is that we keep seeing the same errors. Awareness is often a big problem,” James said.
The trick for security conscious organisations is to have top-to-bottom security policies in place. I interviewed James two years ago, at which time he said the easiest way to hack a company was through physical means. At one stage (under a strict, no-production contract), he walked into the offices of a multinational, unplugged a server containing everything he could possibly need to get into the system, and walked out with it under his arm.
So much for the security of firewalls. And thus the reason for companies seeking help in security design policies, and security awareness programs – from the software-driven to the physical.
“The trouble for a lot of companies is that IT staff are so pushed – they have so little time because they are too busy meeting implementation project deadlines – that security is getting treated like an afterthought,” James said.
“Other companies have the wrong mix of security people. They might have fantastic technical skills, but not the right kind,” he said.
“Or it may be the total opposite. They could have excellent security technical skills, but don’t have the real-world business management skills that put all of that into perspective.”
There is another story behind white hacking security issues which runs analogous to the open source software movement.
That is, there are security conscious IT professionals out there who spend their own time logging the incidence of security problems – identifying holes or bugs in software, and posting it to well-identified security database sites for the free access of all.
The 2600 group is a kind of hacker organisation, although in recent times there has been controversy about whether all its membership is pulling in the same direction. There have been accusations that some members of 2600 – which is a very informal collection of people who meet occasionally – are actually black hats.
Grant Bayley, organiser of 2600 Australia, suggests that some of the members are probably not as much white knights as the organisation would like to think. In fact, Bayley and some others split from the organisation (despite Bayley maintaining his role as organiser) to form WireTapped.net, a free resource for all security managers. It documents security problems in a huge range of software. Judging by the volume of downloads the site boasts, about 8 Gb to 10 Gb per day (tools, patches and fixes are all free), the site is well utilised.
Bayley is an important member of the Australian security movement in his dual roles with 2600 and WireTapped, generally acting as a conduit between the various parties of what is an essentially tight-knit group.
He laments the lack of incident reporting in Australia. While accepting that large corporations can’t really afford to have hacker problems publicised, Bayley urges that they – at the very least – inform organisations like the Australian Federal Police (AFP) and AusCERT, a privately funded organisation that tracks security concerns.
ITAC’s James agrees. “It is really starting to get very important for these companies to at least feed details to AusCERT and the AFP. It’s confidential, but what the industry needs above all else is hard knowledge.”
Content Copyright © the author/publisher listed above
Design Copyright © Consensus Pty Ltd