As criminal hackers become more sophisticated and ruthless, security-conscious companies are increasingly recruiting people to help fight a covert war.
On the front lines of the fight stand many “grey hat” hackers — security experts who have online street smarts but aren’t mixed up in the racket themselves. A small number may have dabbled in “black hat,” or underground hacking, in the past, but most just know how to communicate with the other side.
Dave Millier, CEO of Sentry Metrics, a Toronto-based security consulting firm and managed services provider, says that in the past two years his company has fielded an increased number of requests from organizations that want to find out what sensitive information of theirs may have fallen into the wrong hands. And it’s grey hats who are most likely to get the job.
“We’re being asked to not just do the traditional ‘do a penetration test’ or ‘do a vulnerability assessment and tell us about our network’ -- we’re also being asked to find out information. So again, it’s the intelligence category, if you will: ‘find out what information there is about us out in the wild.’
“What information is circulating around in the underground network, if you will, that could potentially be reputational damage, that could be being shared by the hackers, shared by the underground community to provide backdoor access to our systems? What do they know about our systems?
“In order to get access to that information, at a minimum you need to turn to a grey hat hacker, who may have access to that side of the fence.”
But as in war, there are times when you need to reach out to the enemy side directly.
“In some cases, we certainly engaged with some black hats, specifically to help out with that information gathering.”
But James Quin, an analyst at Info-Tech Research Group in London, Ont., isn’t convinced that there is much of a difference among people who wear the various “hats.”
“Were I in a position to be hiring a black or grey hat, I would always be questioning whether there was an ulterior motive for them wanting to come work for me.”
“I have worked with guys who claimed that they were white hat hackers [security experts who legally test and evaluate system security], and in their free time they’re hacking into NASA and the FBI, just for fun and kicks. They’re not exploiting any of the information but they’re clearly doing things that are illegal.”
Quin says any company employing people who enjoy exploiting systems, for whatever reason, should be extra vigilant. Millier, however, says that he doesn’t hold his greys under particular suspicion.