(Feb 21, 2003) We would like to quote verbatim an article entitled "Corporate Hackers Emerge As Good Guys" (Sue Ashton-Davies, 03/09/1999, Sydney Morning Herald, Page 12, Copyright of John Fairfax Group Pty Ltd):
“WITH the emergence of “ethical hacking”, the destructive side of computer programming has suddenly become respectable and is even claiming cult status as an occupation. Online businesses have long been under threat from the seamier side of the digital cognoscenti who get their thrills (and an illicit income) from drilling into organisations’ information systems. Media coverage brought hacking into sharp relief in the early ’90s, highlighting the increasing need to implement corporate security measures and security audits. But little was done, often because there were few IT consultants who had the appropriate expertise.
In the ’80s, hackers mainly tampered with dial-up modem-based systems, which were very easy targets. In recent years, however, with the rise of data networking, hackers have risen to new challenges posed by firewalls and other security systems. The extent of hacking-related corporate crime has long been unknown because most companies have been reluctant to talk about it.
But there is no doubt about the need for professional expertise inside corporations. Some experts say up to 30 per cent of companies are at risk, and most online crime is perpetrated from within organisations. The need for such expertise has given rise to a new mini industry: ethical hacking.
There are two types of “ethical hacker”. First there is the reformed hacker who claims to have changed his spots and now works for the good side to solve corporate security problems. But Dean Kingsley, security specialist and Deloitte Touche Tohmatsu partner, says most companies will understandably doubt those with a murky past. “These people come out of the disreputable part of the spectrum and companies quite reasonably suspect that because they used to do this for the joy of it why should they be trusted with the same non-disclosure and confidentiality as its other advisers,” he says.
But this is not the typical profile. Today’s ethical hacker is most likely to come from a network consulting background with a penchant for finding vulnerability in a system. Kingsley says it has taken most of the decade for ethical hacking to gain some credibility. “Now network security consultants have discovered that one of the tools in its armoury needs to be ethical hacking. We see this as offering a complete service to our clients and something that has grown out of being one of the good guys doing something about the bad guys’ techniques,” he says.
As quickly as it gains credibility, ethical hacking is gaining ground as a specialist arm of network consulting. “We are seeing that organisations are getting far more worried as security solutions get far more sophisticated and need people with that specialist expertise,” Kingsley says. “Banks used to be embarrassed to admit they had hackers on the inside, but these days organisations will talk more openly about the fact it’s one of the jobs they need doing.”
Kingsley says a typical scenario involves implementing high-risk services such as Internet banking, a natural target for hacking, where the ethical hackers are invited in to provide the final test before a system goes live. “Although they had done a fair amount of testing themselves they didn’t feel like they had a handle on the best-practice hacking.”
Like any specialist, ethical hackers come armed with the shared knowledge of being part of a global community that regularly consults with the wider world of hacking. Their qualifications are usually Microsoft Certified Systems Engineer or Cisco Certified Network Engineer, and the kit contains a battery of tests and scanners, tools considered too sophisticated and too expensive to be used by the ruthless hack.
It is proving to be a boom business for security experts whose work is to determine vulnerability and plug the holes of entry.”