• Technology
  • eCFO

Fear of the Black Hats

Increasingly, companies are hiring hackers to test their network firewalls. This may not be such a good idea.

Call it a sign of the times. In September 2000 the Secure Digital Music Initiative, or SDMI (www.sdmi.org), an industry association based in San Diego, California, posted this notice on its Web site: “Here’s an invitation to show off your skills, make some money, and help shape the future of the online digital music economy. The [SDMI] is a multi-industry initiative, working to develop a secure framework for the digital distribution of music. SDMI-protected content will be embedded with an inaudible, robust watermark or use other technology that is designed to prevent the unauthorized copying, sharing, and use of digital music.

“We are now in the process of testing the technologies that will allow these protections. … So here’s the invitation: Attack the proposed technologies. Crack them. … If you can remove the watermark or defeat the other technology on our proposed copyright protection system, you may earn up to $10,000.”

As of press time, no one had collected the 10 grand — although in October 2000, a group of researchers from Xerox PARC, Princeton University, and Rice University claimed to have cracked the code. But SDMI’s invitation was no publicity stunt. The fact is, paying outsiders to expose holes in encryption technology and network firewalls is fast becoming commonplace in the corporate universe. And on the face of it, such an approach makes sense. After all, who knows more about network vulnerabilities than hackers?

Certainly, traditional approaches to safeguarding computer systems — passwords, encryption algorithms, and the like — don’t seem to be working. In early September 2000, Englewood, Colorado-based Western Union Financial Services Inc. reported that crackers (cyber-intruders) had made off with the credit card and debit card numbers of nearly 16,000 online customers — not exactly a ringing endorsement for the safety of online shopping.

According to the San Francisco-based Computer Security Institute’s (www.gocsi.com) annual Computer Crime and Security Survey, released in March 2000, more than 90 percent of the study’s 643 respondents reported security breaches over the past 12 months. Of this group, 42 percent were able to quantify their losses. Total damage? A tidy $266 million, or almost $1 million per company.

And that’s only the tip of the iceberg. Analysts say the actual damage caused by hackers is impossible to calculate because many break-ins are never discovered. And many companies, keen to avoid bad publicity, don’t report hack attacks. In 1994 a 29-year-old Russian broke into Citibank’s network and made off with $10 million. The incident didn’t become public until a year later — although Citibank claimed it knew about the break-in all along and was just playing cat-and-mouse with the hacker who masterminded the caper.

Still, a number of industry-watchers have started to question whether hiring hackers to test network security is such a clever idea. Obviously, rewarding script kiddies, hackers, and other digital pranksters with lucrative consulting contracts doesn’t qualify as exemplary corporate citizenship. “Nice people don’t do it,” insists William Hugh Murray, an executive consultant to professional services firm Deloitte & Touche (www.us.deloitte.com), in Connecticut. “You should be engaging certified information system security professionals who have at least three years’ experience, pass a rigorous exam, and are committed to ethical standards.”
