A central point for collection of information that relates to computer security. Including, but not limited to, security advisories from the major vendors, major data breaches, “phishing” alerts, commentary regarding staffing levels. etc. etc.
The New Whitehat
September 11, 2010 at 7:43 pm #110551
From Real Security Blog
Author: Jim Tiller
Date: Thursday 26 August 2010 at 6:03 pm
The changing landscape of security is ushering in a new type of whitehat
Look around you. From an information security perspective things are getting very interesting. Laws and regulation are expanding and growing teeth, geopolitical hacking is commonplace, information privacy – or the lack thereof – dominates society, identity theft is an accepted risk we now have insurance for, digital espionage is an old hat, hackers are sophisticated and highly organized – and virtually impossible to stop, and the threat of cyberwar looms. All of which was the basis of campfire tales to scare CEO’s into buying newfangled firewalls in the early 90’s. Who’d thunk we’d be wading neck deep in a nightmare we only speculated about two decades ago?
Yea, things are different and it’s going to get even more interesting in the next decade. What does all this have to do with whitehat hackers?
Ok, let’s stroll down memory lane for a second. Before regulations and as the Internet was not much more than animated GIFs, security was G3… guns, gates, guards. For those companies dipping their toes into the ether security was a distant concern, except for the security-minded folk. Connecting to the Internet was seen as a threat while exec’s saw opportunity – both were dead right. But promoting the need for security was based on speculative arguments, worst case scenarios, and other “what if’s” that fell on deaf ears. To make a point, penetration testing was born. A concept based on if they don’t think it’s possible – we’ll prove it… and it’s been pretty much that way ever since.
Then came regulations, such as HIPAA and GLBA that started to tap into the concept of security and the value of information in the late 90’s. Alongside was the introduction of security standards, most notably BS-7799, which is the grand’pa of the big ones today… the 27000 series. During this time ethical hacking experienced a lull… a form of commoditization. Tools flooded the market to perform automated scanning and the concept became simply a part of the security program.
As we moved into the 21st century, ethical hacking became organized; groups formed in consulting companies that employed only skilled testers, provided them with tools and methods, and kept them together – focused on a single aspect of security. As businesses matured, so did the testing process. Application testing became a specific part of testing, OWASP evolved from a few smart guys to a global community of smart guys and the foundation of many base requirements. Finding vulnerabilities and exploiting them to determine potential impact and risk seemed to be reaching a zenith.
However, the art of penetration testing didn’t stop developing under the umbrella of conformity and business cards. Mostly because whitehats, at least the really good ones, have blackhat DNA… it’s in their blood to keep pushing. This ushered in reverse engineering malware, researching vulnerabilities, targeted tools development, and experimentation in new technologies. Of course, the gears of commerce kept turning and we also experienced a rush of training and certification. Tools to help newbies do what only the best could do a year before, downloadable hacking platforms, like BackTrack (which is pretty kewl BTW, makes Knoppix look older than it is), turned every techo-weenie into a whitehat overnight. The market is flooded with whitehats.
So, what we have is a security environment where the ability to peer through the rabbit hole, think like a hacker, and pull apart systems to expose vulnerabilities is growing in importance and scale. But here’s the problem and why change is coming.
First, we have three different types of whitehats: 1) the really good ones, 2) the really lame ones, and 3) the really lame ones that think their good and somehow convince everyone they’re great, but I digress, but will focus on the first group. Even the good ones, and for completely understandable reasons, do not always have the “big picture” in mind. To be really good you have to pretty much stay in the loop, trenches, frontlines, whatever you want to call it – it’s a mindset. Moreover, it’s a natural mindset – always questioning technology, people, and authority – non-conformists… it’s what makes them great. Of course when I say lacking big picture, I don’t mean they’re invalids… they get it, and most are experts in other areas in life, such as brewing beer, playing an instrument, or business. I guess what I’m saying is most of the good ones are good because they don’t participate in certain areas… they tend to dismiss the seemingly illogical, impractical, or far reaching theory outside of the domain of technology. They’re brutally intelligent, but their thought-framework can also be a hindrance. Moving forward horizons must be broadened and the entire spectrum of possibility must be taken into account. The relatively finite focus of today’s really good whitehats is simply not enough when one looks into the future.
I’ve had the pleasure of meeting and getting to know what I think is the future of whitehats – super-gurus. There are some already out there. I must refrain providing names, I’m not sure that’s ok. Nevertheless, if you’re looking for them, it’s likely you won’t find them. Not because they’re incognito, it’s because you’re looking in the wrong places. You’re looking for the regular good ones, not the super-gurus. These guys connect the dots – technically, logically, politically, theoretically, organizationally, and in business. They have applied the root of their greatness and prowess to all things in our cyber existence. I know this is coming off oddly, but these are important characteristics to recognize. However, these are very rare individuals and we’re going to see this group actually grow because of a reversal of capability development. Most whitehats come from a technical background and the super-gurus have found a way to move beyond those boundaries. Moving forward, we’re going to see super-gurus come from a non-technical background… believe it or not.
Here’s an example. A friend of mine has been in the security space for a while. Before security he’d worked in a number of different industries and in different job functions. He’s a very well-rounded professional, highly intelligent, well-read and educated, thoughtful, and experienced. His role in security was mostly around business risk, policy, compliance, and the other non-technical aspects of security and management. However, several years ago he decided he wanted to know more about testing and quietly started getting good. He started playing with tools, getting certifications, performing tests, and learning programming and putting what he learned to work. Now, I’m not saying he’s a super-guru, but he will be one day… he is one of the early folks to move from non-technical to technical – a bit backwards.
Many whitehats come from a technical background and rarely have the opportunity or the desire to become fully steeped in the business, management, and non-technical side. Moreover, if they do migrate to the “darkside” it’s usually within the security industry – the language doesn’t change. However, folks like my friend, come from decades of diverse industry experience… military, government, politics, healthcare, manufacturing, consulting, financial and doing things that may not have anything to do with security.
So, while we’ll see more super-gurus surface in the existing whitehat community, I suspect the demand for more well-rounded, deeply thoughtful, and broadly experienced individuals that also have “hacker-like” DNA will actually come from the other side of the tracks. This is not to say the existing and emerging whitehats are not valuable, far from it and you’re one you can expect a fruitful career. However, the ability to see the “big picture” will be a huge differentiating factor, greatly elevating the bar of expectations.
Why is this big picture thing so important?
Again, look around. Cybercrime, cyberwar, espionage, organized hacker communities, and many other things do not have finite boundaries – they blur into one another. It’s going to become increasingly difficult to point in one direction and have a unique target or quantifiable “enemy”. You can’t touch one thing without exposing a web of interactions across people, technology, business, politics, and government. Someone with a hacker-mindset and skills combined with strategic visibility, knowledge, and, frankly wisdom is what will be needed to realize true security in the future.
OK… to sum all this up…
Ethical hacking as evolved a great deal and is a well-founded industry. There are a lot of existing and emerging capabilities in the industry and all will have more work than they can handle. However, security is becoming increasingly complex and includes many things well beyond technology. Although there are several super-guru whitehats out there that meet the need, they exist because they pushed way past the traditional technological-roots envelope. Given how difficult this is, few emerging from the technical domain will be able to reach that level. Nevertheless, there are others in the security industry that has comprehensive work experience and a hacker-mindset that when augmented with technical hacking skills will make them a highly attractive force in the industry – especially the government.
You must be logged in to reply to this topic.