Designing the Future
by Richard Thieme
Former hackers are designing the landscape of the future.
Once shaped by their interaction with a technology that now defines
the global business environment, they illuminate the contours of that
landscape for business and government clients.
But do hackers provide more value than traditional security
consultants? If so, what exactly is it?
The Professional Services Division of Secure Computing Corporation
includes a number of former “underground hackers” who work on a team
of thirty (eighteen are CISSPs) with experienced business
professionals, academics, and intelligence professionals, overseen by
John Sekevitch, vice president and general manager of professional
services.
Sekevitch strives to maintain a culture in which his unconventional
team can thrive. “He asks what we need and then provides it,” says Mike
Bednarczyk, Worldwide Director, Intrusion Services. “He creates the space
in which we can be productive.”
What do they need? The freedom to sustain a culture that thrives on
challenge, novelty, and a hunger for pushing their knowledge to the
limits. Hackers, as Edward O. Wilson wrote of the most creative scientists,
share a passion for knowledge, a tendency toward obsession, and great
daring.
“It’s the best of both worlds,” says Mark Fabro, Worldwide Director of
Professional Services. “We can feed our addiction and make a valuable
contribution at the same time.”
About the time that computer games spread to PCs, the network itself
became the game. Playing on that network designed the minds of these
young adepts. A network designed to be open, evolving, and free has
become the infrastructure of the world.
So the network had better be secure.
Enter the former hackers. They bring a unique skill set, but more than that, they bring a
mind set that enhances their value for clients. If Fritz Perls is right, that
anxiety plus oxygen equals excitement, these hackers know how to
add the oxygen. They understand how to understand a
system, and when they communicate that deeper understanding to clients, they
are not just fixing holes – they are sharing their knowledge of
how the infrastructure works.
Because the only way to learn how complex systems work is to get
inside them, hackers learn to listen carefully as they explore. They never know if
those virtual footsteps behind them are real or imagined. That is exactly the
posture in which businesses competing in a global knowledge economy
had better operate.
“We can’t believe what we find,” said Fabro. “A large financial
organization, working with billions of dollars, uses an open system to
communicate critical information. They’re complacent because they
haven’t experienced any consequences yet.”
United by an unbridled passion for finding solutions in the security
space, the team does not try to teach a business its business – they
try to communicate their enthusiasm for seeing the system in its
entirety, expanding the client’s vision so the architectonic structure
of their enterprise comes into sharp focus.
Jeff Moss, founder of DefCon and the Black Hat Briefings, says that
hackers are not constrained by the institutional mind-set of their
clients. They’re empiricists, adds Rich Friedeman, a network security
specialist. “They look at systems as they’re used in real life.
They describe what they see, not what they have been taught to see.”
“Hackers do not follow an outline,” says Robyn Ulmer, who recently
left the DOD in search of a less constrained mind set. Ulmer was
trained as a theoretical mathematician. “They didn’t learn by
following the rules, so their minds don’t map a system the way you
move from box to box on a flow chart. They leap into the flow of the
information and swim. They leave room for possibilities.”
A large government agency asked the team to assess its current state
of security by evaluating each part of the enterprise as an individual
piece. There were numerous vulnerabilities – from telephone
systems to the intranet to the extranet. When the team issued a
report, individual departments acted predictably. They defended their
turf and blamed one another.
The team could have left it at that, but instead they suggested that
the agency look at the entire system AS a system. They showed them how
all of the vulnerabilities were interconnected. The team delivered an
actual life cycle of vulnerabilities in the system as each impacted
and led to the other. More important, the event became a catalyst for
a team-building project. Individual managers saw that the only way to
develop an integrated approach to solving security problems was to
work on the entire network – the human as well as the computer – to
think, in short, as hackers think.
Hackers have that broad perspective, according to Moss, because
they’ve been doing what they love for years. They didn’t just decide
to get interested in security. Their shared passion and the bonds
they’ve developed over the years make the team cohesive. The
network that connects them to each other and to others still in the
underground is the real source of their power.
Security professionals who try to stay abreast of developments simply by
attending conferences or following lists are always behind.
“Exploits become dangerous in days, not weeks or months,” said Fabro.
“By the time it’s the subject of a seminar, it’s old news. We have
identified exploits for clients a few hours after they surface.”
Their information is current because they stay connected to the
underground, a loose self-regulating network, which they are
constantly filtering for new recruits. They want expertise but not aberrant behavior.
They keep one another accountable and have near-zero tolerance for mistakes. This provides quality control and also intensifies the all-for-one-and-one-for-all
environment in which they thrive.
Because most of them have been at it for years, the team has
historical depth that conventional businesses often lack.
“Someone may have been in a large organization for just two or three
years,” says Fabro. “They may not even know about the flaws in their
numerous legacy systems.”
Sometimes a primitive weapon is more effective than a smart bomb. The
intrusion team once carried out a massive attack on such an
organization using war dialing, coming in through back doors that were
eight years old. That might not have been attempted by someone who
hadn’t been inside the older system and didn’t know its weaknesses.
“Hackers tend to be very focused and goal oriented,” said George
Jelatis, director of security architecture services, and they expect
their clients’ enemies to be equally focused. They share an
appropriate paranoia with members of the intelligence community.
Traditional business people don’t suspect everyone who walks in or try
every single way to get into a system. But hackers do.
“Social engineering,” the exploitation of a trusting relationship to
elicit information, is often one of the weakest links in a company’s
defense. The trick is to disappear into the background so completely
that you show up as if you belonged. It doesn’t take complex hacking
tools to pull it off.
Rob Stonehouse, an information security professional, used a piece of birthday cake.
Stonehouse rode the elevator until he heard two employees discussing a
birthday party. He asked what floor it was on and arrived, smiling.
“Is this the party?” he asked, stepping onto a floor that required
security clearance. Given a piece of cake, he went to the coffee
station and photocopied company mail, gained access to the company’s
check printer, and sat happily munching at a terminal with direct
access to the company’s databases using default passwords.
Is it necessary to suspect that everyone might be a spy?
Yes, says Ray Kaplan, one of the “gray hairs” who emphasizes the depth
of experience and synergy among disciplines in the division. Kaplan
thinks a lot of companies that scoop up hackers and go into the
security business do not understand the kind of rigorous discipline
necessary to manage hackers and balance their culture with other
cultures in the company. “Older professionals can serve as hard headed
mentors to the younger hackers, bringing values, experience, and
understanding to the mix.”
The culture is a meritocracy where technical expertise is valued.
“It’s half a skill set, half a way of life,” says John Sekevitch. “They
don’t value structural authority so much as your ability to do the
job. Yes, their skepticism and questioning can border on paranoia, but
that’s precisely the personality and mind set we’re trying to develop
in our clients.”
The professionals at Secure cannot name clients or elaborate on
successes but count on clients to do it for them. They work mostly
with organizations that have lots to lose, like financial institutions
and government agencies. Their reputation is fifteen years deep with
DOD and the NSA.
The feedback when a client breaks through to an aha! is often
immediate. In one case, the intrusion team hacked into a bank and
found that an external router was vulnerable. They bypassed controls
to see the entire network, including internal hosts, and immediately
informed the client. Ten minutes later the hole was plugged.
They often run into the ego of a company. Working with an
organization that was proud of their expensive firewall, they
discovered that a network that led to the internal network was on the
same network as the firewall. Because it was misconfigured it was
trivial to bypass the firewall and go inside, where they copied
documents, organizational charts, and security badges, which they wore
the next day to a meeting. The client was not amused, but got the
point.
The team does not like to define its value simply in terms of
intrusion. “We try to serve as catalysts for change by illuminating the system,”
Jelatis said. That way they can help clients broaden their vision and
develop solutions scalable to every level of the network.
“We were recently hired to do a job,” said Ulmer, “but the way they
defined it was not what needed to be done. We could have done what
they asked, but we wanted to deliver something of more value. We
wanted to produce a deliverable that made a difference. The client
does not always know how to define that without our assistance.”
They see the entire world as their play space, but it’s not just grandiosity.
“There’s no such thing anymore as being the best in only
one country,” Fabro says. “Secure began as a division of Honeywell,
founded and funded by the NSA, which is nothing if not global. We have
thought in terms of the world since the beginning. Corporations like
Bechtel – where do they begin? What are the boundaries? The technology
itself has delivered the entire world as the space in which we must
operate.”
Turning anxiety into excitement. Living on the edge. And late at
night, when a puzzle they can’t solve is driving them on and everyone
in the lab is brainstorming, trying to define a security solution for a complex space,
one of them suddenly becomes aware that this select group, with its roots in the
past in the dark, is making a difference now and creating value far beyond themselves.
Just for a moment, their boundaries dissolve in the flow of energy and information flashing through the system, and they realize what an opportunity they have been given.
Designing the Future was originally published in Information Security Magazine, a publication of ICSA, Inc.