LINUX SECURITY --- October 03, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

*********************************************************************
HIGHLIGHTS
* Would you hire a reformed hacker to manage your company's security?
*********************************************************************

Hire a Hacker?
by Rick Johnson

Should you hire a hacker or even a reformed ex-hacker? There is such high demand for qualified security engineers in today's market that managers continually ask this question and are scrambling for employees with any type of security background. Not a wise move.

Let's look back in history at the Web designer boom of the '90s. A Web site was the hot, new "must have" for the technology-minded company. Everyone who had ever viewed the source of a Web page quickly added "Webmaster" to his or her resume, resulting in managers being burned hiring Web designers who had bits of knowledge but no solid, well-rounded background. The security field faces the same problems today. Simply because someone lists "former hacker" on their resume does not guarantee they have the needed skills.

Now, I am not badmouthing the ex-hacker genre out there, especially since I came from the same background. The skills an individual with these experiences possesses are more valuable than any amount of book learning. There is no substitute for practical experience. The key is finding someone who knows right from wrong and agrees that some lines just cannot be crossed. It is all a matter of ethics and trust.

Should you trust someone simply because you watched their story unfold on the evening news? These days, the media is trying to glorify the entire world of hacking. In the past, they billed your typical hacker as a pimply-faced, introverted 15-year-old. In reality, most are more grown up and lead normal lives. Recently they have turned Kevin Mitnick into the spokesperson for the entire hacking world.
Now don't get me wrong, I feel Mr. Mitnick is very qualified and his views about security are truly innovative; however, he is no different from many others out there, save the FBI chose to make an example of him.

Personally, I would rather hire the hacker who is not famous. For every one who ends up on the news, there are at least ten who were skilled enough to avoid the spotlight and the police.

Actually, I am hiring a very qualified security engineer who fits this profile. This person has a solid resume, good ethics and verifiable skills. Granted, they walked the line between good and evil, but they ended up with a white hat. Even so, this person will still undergo a rigorous background check and must sign a non-disclosure agreement. It is simply the right thing to do.

Resources

Should you hire a hacker to solve your security woes?
If you're not careful, you can get more than you bargained for. Here's how to do it right.
http://www.itworld.com/jitw/linsec_nl/cma/ett_content_article/0,2849,1_1022,00.html

Would you hire a hacker?
Some hackers have questionable histories and some are squeaky clean, but all have what many employers consider to be a crucial element of good security: "the love of the game."
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,2848,1_1036,00.html

Linux security classes ISS founder is a cracker in a white hat
http://www.itworld.com/jlw/linsec_nl/lw-2000-06/f_lw-06-iss.html

************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************