
ECSA/LPT - Never Hire An Ex Hacker


$w33p3R

Newbie

Posts: 30

Joined: Fri Aug 08, 2008 10:39 pm

Post Sun Sep 28, 2008 5:15 am

ECSA/LPT - Never Hire An Ex Hacker

For those that might not have taken the ECSA/LPT course, in one module it is talking about who to have on your "Tiger Team", and the one I would like to discuss is, "Never hire or have an ex hacker on your team".

The reasoning behind that practice is due to the fact the client may not feel too comfortable having an ex hacker snooping around on his network.  They want a security firm, not hackers.

I ask a question in class, "How can a white hat hacker really be effective if he has never been a black hat?"  Just trying to think like the enemy is not enough.  Where does experience come in?  Book smarts or real world experience?  Which would you prefer?

I would like to get your opinions on this.

Just a note to all the black hats that read this forum, "If you think you are going to get certified and then be accepted by the corporate world, think again.  You better not ever breathe a word that you were ever a black hat.  The only way that will happen is if they made a movie about you."
MCP, CEH

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Sep 28, 2008 5:45 am

Re: ECSA/LPT - Never Hire An Ex Hacker

$w33p3R,

interesting question :)

I must admit I've never thought about this question from a corporate perspective; now you bring it up, I can understand that mentality. Personally I've always looked at it from the 'to catch a thief' perspective.

I'd definitely agree that real-world experience trumps book-smarts, but you can get that experience whilst staying on the right side of the legal fence. Either hands on in a lab or performing the job in the real-world. Like all fields, pentest teams will often have 'trainees' and 'juniors' who have the book-smarts and are learning the ropes alongside seasoned pros.

Getting back to hiring someone who has spent time on the dark-side, I'd advise it depends entirely on the people involved. If the individual in question proves trustworthy then I can see no reason not to have that skill and knowledge as part of your team. In this case I'd suggest the ECSA/LPT's advice could be modified to 'Never advertise that you have an ex-hacker on your team'.

That said, if the client asks for criminal records, police checks etc. it's time to hold your hands up. If you trust the individual, try explaining the situation/background to the client and they may agree. Worst case, if the client still doesn't want an ex-hacker having access to their environment, you can re-assign the individual to a different job whilst the remaining team get on with the job in hand. Potentially pulling in twice the revenue ;)

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Sun Sep 28, 2008 9:12 am

Re: ECSA/LPT - Never Hire An Ex Hacker

I think there are two points to be made here.

People and organisations may be concerned about employing a so called "Ex-Hacker", as I guess there will be concerns around trust, and someone falling back into not so legal habits.

I don't think that you have to be a Black Hat to really offer any benefit. I think most people will have done something that wasn't 100% legal, speeding and technical related issues.
The skills are the same, and the difference is doing something with permission.

It makes some form of sense in my mind anyway :D

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sun Sep 28, 2008 3:49 pm

Re: ECSA/LPT - Never Hire An Ex Hacker

2 quick points:

1. Ask a corporation hiring a pen test team, and they will tell you that they don't want to hire an ex-con. That alone should say don't have one on your team.
2. I don't expect the police to have been petty thieves, have DUIs, be murderers or child molesters in order to do their job with skill.

Don
CISSP, MCSE, CSTA, Security+ SME

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Mon Sep 29, 2008 11:59 am

Re: ECSA/LPT - Never Hire An Ex Hacker

don wrote: 2 quick points:

1. Ask a corporation hiring a pen test team, and they will tell you that they don't want to hire an ex-con. That alone should say don't have one on your team.
Don

Don,

Do you draw any distinctions between former hackers?  I ask because I was a teenage computer hacker and have always admitted so.  I was never arrested for anything and my juvenile mischief did not carry over into adulthood.

As to whether being a former blackhat is an advantage: I don't think it is.  It's important to understand attack methods--you have to understand what you're defending against--but this knowledge can be gained in other ways.  There are numerous books on computer hacking available and many of them are quite good.  On the practical side, one can learn about attack methods from managing an IDS or honeypot, doing penetration testing, or reversing malware. 
BS in IT, CISSP, MS in IS Management (in progress)

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Sep 29, 2008 1:11 pm

Re: ECSA/LPT - Never Hire An Ex Hacker

Ex-Con would mean someone who had been convicted of their crimes.

This doesn't mean that everyone who has never been caught has been a naughty boy / girl though.

I think the distinction with this all round, is to not employ someone where you feel their personality, background and criminal checks would lead you to believe they would be a risk to your organisation or any other.

$w33p3R

Newbie

Posts: 30

Joined: Fri Aug 08, 2008 10:39 pm

Post Mon Sep 29, 2008 7:03 pm

Re: ECSA/LPT - Never Hire An Ex Hacker

Well, you have to distinguish between the two types of Blackhats:

1. The Blackhat who likes to know how things work and just wants to see if he can get past the security measures in place.

2. The Blackhat that wants to tear the hell out of your stuff and steal anything they can find.

Admittedly, both are breaking the law because they did not have permission to do so.  But is #1 as bad as #2?  No.

Now, before anyone gets on their soapbox and starts feeling all righteous, let's look at this example:

A company doesn't hire thieves, agreed?  Answer these questions to yourself:

1. Have you ever downloaded a .mp3 you didn't pay for?
2. Have you ever downloaded a movie you didn't pay for?
3. Have you ever downloaded an application you didn't pay for?
4. Ever borrow a music CD from a friend and make a copy?
5. Ever use a copy of Microsoft Windows you didn't pay for?

According to the Law, RIAA, MPAA and other organizations, you are a thief if you have done any of the above.  Now, are you any more employable than a blackhat?  No, you are not, even though those things I listed are socially accepted crimes.

I think most "ex blackhats" realize that you do not bite the hand that writes your paycheck.
MCP, CEH

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Sep 30, 2008 1:42 am

Re: ECSA/LPT - Never Hire An Ex Hacker

dalepearson wrote: I think most people will have done something that wasn't 100% legal, speeding and technical related issues.

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Sep 30, 2008 2:51 am

Re: ECSA/LPT - Never Hire An Ex Hacker

$w33p3R wrote: I think most "ex blackhats" realize that you do not bite the hand that writes your paycheck.

I agree mostly, but if that were true universally the 'insider' threat wouldn't be an issue.

Anybody with bills/living expenses isn't going to interrupt their income stream, but what happens when someone comes along with a bigger check?...

All corporate security is about managing risk. If a manager uses the services of outsiders that do something 'naughty' on the network (s)he may get away with it, if the outsiders already had history of doing the same the manager may be out the door...

It's just CYA tactics.
Last edited by RoleReversal on Tue Sep 30, 2008 2:54 am, edited 1 time in total.

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Sep 30, 2008 12:48 pm

Re: ECSA/LPT - Never Hire An Ex Hacker

Yes, I do make a distinction. But it is more like deciding the difference between pr0n and art. You may like both ;), but you know the difference when you see it. For this reason, I can't simply say that the line is if you got caught, i.e. a felon or ex-con. In a job interview, if you ask a candidate about dipping a toe into the dark side, you can tell the difference if they did it just for the knowledge or if there is glee in their voice about their misadventures.

Bottom line is that if you ask those who are hiring pen testers, almost all of them will tell you that there are now plenty enough professionals who have never gone to the dark side to make the decision a no brainer, so why even take that chance.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
