Designing the Future

by rthieme on October 11, 1999

by Richard Thieme

Former hackers are designing the landscape of the future.

Once shaped by their interaction with a technology that now defines the global business environment, they illuminate the contours of that landscape for business and government clients.

But do hackers provide more value than traditional security consultants? If so, what exactly is it?

The Professional Services Division of Secure Computing Corporation includes a number of former “underground hackers” who work on a team of thirty (eighteen are CISSPs) with experienced business professionals, academics, and intelligence professionals, overseen by John Sekevitch, vice president and general manager of professional services.

Sekevitch strives to maintain a culture in which his unconventional team can thrive. “He asks what we need and then provides it,” says Mike Bednarczyk, Worldwide Director, Intrusion Services. “He creates the space in which we can be productive.”

What do they need? The freedom to sustain a culture that thrives on challenge, novelty, and a hunger for pushing their knowledge to the limits. Hackers, as Edward O. Wilson wrote of the most creative scientists, share a passion for knowledge, a tendency toward obsession, and great daring.

“It’s the best of both worlds,” says Mark Fabro, Worldwide Director of Professional Services. “We can feed our addiction and make a valuable contribution at the same time.”

About the time that computer games spread to PCs, the network itself became the game. Playing on that network designed the minds of these young adepts. A network designed to be open, evolving, and free has become the infrastructure of the world.

So the network had better be secure.

Enter the former hackers. They bring a unique skill set, but more than that, they bring a mind set that enhances their value for clients. If Fritz Perls is right, that anxiety plus oxygen equals excitement, these hackers know how to add the oxygen. They know how to make sense of a system, and when they communicate that deeper understanding to clients, they are not just fixing holes – they are sharing their knowledge of how the infrastructure works.

Because the only way to learn how complex systems work is to get inside them, hackers learn to listen carefully as they explore. They never know if those virtual footsteps behind them are real or imagined. Which is exactly the posture in which businesses competing in a global knowledge economy had better operate.

“We can’t believe what we find,” said Fabro. “A large financial organization, working with billions of dollars, uses an open system to communicate critical information. They’re complacent because they haven’t experienced any consequences yet.”

United by an unbridled passion for finding solutions in the security space, the team does not try to teach a business its business – they try to communicate their enthusiasm for seeing the system in its entirety, expanding the client’s vision so the architectonic structure of their enterprise comes into sharp focus.

Jeff Moss, founder of DefCon and the Black Hat Briefings, says that hackers are not constrained by the institutional mind-set of their clients. They’re empiricists, adds Rich Friedeman, a network security specialist. “They look at systems as they’re used in real life. They describe what they see, not what they have been taught to see.”

“Hackers do not follow an outline,” says Robyn Ulmer, who recently left the DOD in search of a less constrained mind set. Ulmer was trained as a theoretical mathematician. “They didn’t learn by following the rules, so their minds don’t map a system the way you move from box to box on a flow chart. They leap into the flow of the information and swim. They leave room for possibilities.”

A large government agency asked the team to assess its current state of security by evaluating each part of the enterprise as an individual piece. There were numerous vulnerabilities – from telephone systems to the intranet to the extranet. When the team issued a report, individual departments acted predictably. They defended their turf and blamed one another.

The team could have left it at that, but instead they suggested that the agency look at the entire system AS a system. They showed them how all of the vulnerabilities were interconnected. The team delivered an actual life cycle of vulnerabilities in the system as each impacted and led to the other. More important, the event became a catalyst for a team-building project. Individual managers saw that the only way to develop an integrated approach to solving security problems was to work on the entire network – the human as well as the computer – to think, in short, as hackers think.

Hackers have that broad perspective, according to Moss, because they’ve been doing what they love for years. They didn’t just decide to get interested in security. Their shared passion and the bonds they’ve developed over the years make the team cohesive. The network that connects them to each other and to others still in the underground is the real source of their power.

Security professionals who try to stay abreast of developments simply by attending conferences or following lists are always behind.

“Exploits become dangerous in days, not weeks or months,” said Fabro. “By the time it’s the subject of a seminar, it’s old news. We have identified exploits for clients a few hours after they surface.”

Their information is current because they stay connected to the underground, a loose self-regulating network, which they are constantly filtering for new recruits. They want expertise but not aberrant behavior. They keep one another accountable and have near-zero tolerance for mistakes. This provides quality control and also intensifies the all-for-one-and-one-for-all environment in which they thrive.

Because most of them have been at it for years, the team has historical depth that conventional businesses often lack.

“Someone may have been in a large organization for just two or three years,” says Fabro. “They may not even know about the flaws in their numerous legacy systems.”

Sometimes a primitive weapon is more effective than a smart bomb. The intrusion team once carried out a massive attack on such an organization using war dialing, coming in through back doors that were eight years old. That might not have been attempted by someone who hadn’t been inside the older system and didn’t know its weakness.

“Hackers tend to be very focused and goal oriented,” said George Jelatis, director of security architecture services, and they expect their clients’ enemies to be equally focused. They share an appropriate paranoia with members of the intelligence community. Traditional business people don’t suspect everyone who walks in or try every single way to get into a system. But hackers do.

“Social engineering,” the exploitation of a trusting relationship to elicit information, is often one of the weakest links in a company’s defense. The trick is to disappear into the background so completely that you show up as if you belonged. It doesn’t take complex hacking tools to pull it off.

Rob Stonehouse, an information security professional, used a piece of birthday cake. Stonehouse rode the elevator until he heard two employees discussing a birthday party. He asked what floor it was on and arrived, smiling. “Is this the party?” he asked, stepping onto a floor that required security clearance. Given a piece of cake, he went to the coffee station and photocopied company mail, gained access to the company’s check printer, and sat happily munching at a terminal with direct access to the company’s databases using default passwords.

Is it necessary to suspect that everyone might be a spy?

Yes, says Ray Kaplan, one of the “gray hairs” who emphasizes the depth of experience and synergy among disciplines in the division. Kaplan thinks a lot of companies that scoop up hackers and go into the security business do not understand the kind of rigorous discipline necessary to manage hackers and balance their culture with other cultures in the company. “Older professionals can serve as hard headed mentors to the younger hackers, bringing values, experience, and understanding to the mix.”

The culture is a meritocracy where technical expertise is valued.

“It’s half a skill set, half a way of life,” says John Sekevitch. “They don’t value structural authority so much as your ability to do the job. Yes, their skepticism and questioning can border on paranoia, but that’s precisely the personality and mind set we’re trying to develop in our clients.”

The professionals at Secure cannot name clients or elaborate on successes but count on clients to do it for them. They work mostly with organizations that have lots to lose, like financial institutions and government agencies. Their reputation is fifteen years deep with DOD and the NSA.

The feedback when a client breaks through to an aha! is often immediate. In one case, the intrusion team hacked into a bank and found that an external router was vulnerable. They bypassed controls to see the entire network, including internal hosts, and immediately informed the client. Ten minutes later the hole was plugged.

They often run into the ego of a company. Working with an organization that was proud of its expensive firewall, they discovered that a network segment leading to the internal network sat on the same segment as the firewall. Because it was misconfigured, it was trivial to bypass the firewall and go inside, where they copied documents, organizational charts, and security badges, which they wore the next day to a meeting. The client was not amused, but got the point.

The team does not like to define its value simply in terms of intrusion. “We try to serve as catalysts for change by illuminating the system,” Jelatis said. That way they can help clients broaden their vision and develop solutions scalable to every level of the network.

“We were recently hired to do a job,” said Ulmer, “but the way they defined it was not what needed to be done. We could have done what they asked, but we wanted to deliver something of more value. We wanted to produce a deliverable that made a difference. The client does not always know how to define that without our assistance.”

They see the entire world as their play space, but it’s not just grandiosity. “There’s no such thing anymore as being the best in only one country,” Fabro says. “Secure began as a division of Honeywell, founded and funded by the NSA, which is nothing if not global. We have thought in terms of the world since the beginning. Corporations like Bechtel – where do they begin? what are the boundaries? The technology itself has delivered the entire world as the space in which we must operate.”

Turning anxiety into excitement. Living on the edge. And late at night, when a puzzle they can’t solve is driving them on and everyone in the lab is brainstorming, trying to define a security solution for a complex space, one of them becomes aware suddenly that this select group, with its roots in the past in the dark, is making a difference now and creating value far beyond themselves – and just for a moment, their boundaries dissolve in the flow of energy and information flashing through the system and they realize what an opportunity they have been given.

Designing the Future was originally published in Information Security Magazine, a publication of ICSA, Inc.
