232 ◾ Security Strategy: From Requirements to Reality
security, it’s difficult to understand how this organization has anything more to offer than those staffed by experienced white-hats. The question becomes one of trust. Which is more trustworthy, a company run by a convicted criminal or a company run by certified security professionals? Misplaced trust can prove disastrous. The best way to deal with this risk is to have an ironclad way to monitor what people are doing and to validate that those activities are appropriate for their assigned duties. This includes technical activities, as well as personal behaviors such as moods, attitudes, and interactions with other people. Ideally, this level of technical and supervisory monitoring should be standard practice for all employees because they all represent an insider threat. When you hire a former black-hat, technical and supervisory monitoring is mandatory; unfortunately, many organizations are not equipped to do this competently. This can be less of an issue if the activities of the individual can be limited or isolated—for example, they do not have access to internal systems or resources. Separation of duties is another alternative. In this scenario, a person is not given enough authority to accomplish a high-risk transaction by themselves; rather, the transaction requires the participation of another party to be completed.
Another potential challenge is connectivity. If your operations are designed to be clandestine, it will be necessary to develop a means of hiding the identity of your organization and operatives. This may involve the development of custom code or the engagement of external services. This is equally true for some of the tools you may require for these activities.
Hiring gray-hats has its own challenges. How much trust can you put in someone who is willing to break the law on the pretense that it achieves a greater good? Such logic is questionable at best; it is seldom necessary to actually compromise a system to demonstrate that a flaw exists. If the goal is to be able to prove there is an exploitable flaw, the better course would be to wait until after you have notified the system owner. If they don’t believe you, then you have an opportunity to demonstrate the exploit to them. Take this scenario, for example: A gray-hat discovers a flaw in a system at a law firm. After compromising the system, he runs a directory listing of the files he can access and sends it to one of the partners of the firm. When the partner looks at the list of files, he comes unglued because this “well-intended” gray-hat has just compromised the integrity of thousands of pieces of evidence!
Another consideration has to do with a person’s willingness to extend gray-hat logic beyond information security. Suppose such a person discovered a business practice within the organization that he considers “injurious” to the public. Could you trust this person to abide by the nondisclosure agreement, when he is perfectly willing to violate the law for “the greater good”? Again, it is hard to justify that thinking to your customers, stakeholders, and partners if you do not have a strong way of monitoring their activities. (See Chapter 9 for further discussion on monitoring and compliance.)
Another challenge to reconnaissance is corroborating the information gleaned from hacker communities. The information may be incomplete, inaccurate, or overstated, making it difficult to determine what, if any, response is needed and, if needed, what is appropriate. A similar issue is true of any hacking tools sourced from a black-hat community; they must be checked for malicious code before they can be used. If hackers are willing to put attack code on their websites, they are certainly willing to put it in the software they build.
Trust is the main issue involved with the hiring of hackers. White-hat (ethical) hackers are considered trustworthy, but “reformed” black-hat hackers are generally considered to be unwise hires. As suggested earlier, it’s hard to justify hiring a former criminal to maintain the security of your own or your customer’s information. This is equally true of gray-hats because of the questionable logic behind breaking the law on the pretense of achieving a greater good. A high level of technical and supervisory monitoring is the only sensible way to address these risks, but