Reformed hackers bring another dimension of expertise to organisations, according to a security professional, but necessary precautions must be taken in hiring black hats, as corporate reputation and sensitive information are at stake.
Experience or knowing "the tricks of the trade", and keeping costs low, are key reasons why organisations would hire black hats — or hackers who exploit vulnerabilities in software and systems — to combat cybercrime, said Eric Chan, regional technical manager for Southeast Asia and Hong Kong at Fortinet.
"A good hacker loves the challenge of finding vulnerabilities in networks and systems, and spends countless hours perfecting his craft and is hence competent at this role," Chan explained in an email interview. "They could also be cheap to hire [compared to] computer science PhD holders."
According to Chan, a black hat is a hacker who breaks into systems for malicious and personal gains, such as using a computer to attack systems for profit or fun, or as part of a social cause. Black hats, he added, may also be driven by political motivations.
Facebook, for one, hired George Hotz, who, as a 17-year-old, unlocked Apple's iPhone in 2007 and early this year released a jailbreak for Sony's PlayStation 3 firmware version 3.55, which prompted the Japanese electronics giant to sue him, although a settlement was later reached. Hotz began working at the popular social networking platform as a software engineer on 9 May, according to ReadWriteWeb.
Trust, company ethics at stake
While it may make sense to hire hackers who do not practise responsible disclosure, recruiting black hats, especially those with criminal records, may damage the company's reputation and relationship with their clients, Chan pointed out.
The issue of trust would arise as well, in terms of whether the hacker can be trusted with confidential and sensitive information, or relied on to protect bank account information, he explained.
Chan stressed the importance of performing background checks on black hats before putting them on the payroll. The information gathering may include the potential employee's criminal history, and whether his intent had revolved around profit, politics or curiosity. His motivation for his previous hackings would indicate whether he was suitable for the organisation, he said.
In addition, a probation period should be imposed. Chan said: "Keep a close watch on the black hat during his early days with the company. This may include having a manager monitor his every move and implementing restricted access to system information."
"Hiring black hats carries significant risk, and companies should proceed with caution," he warned. "There is no way firms can be sure that black hats won't act against their interests."
Sophos' Asia-Pacific head of technology Paul Ducklin, on the other hand, doesn't think it's worth the trouble. Defining a black hat as one who "deliberately or through a casual or negligent attitude breaks the law in furthering his or her online pursuits", he pointed out that organisations should instead find someone whom they can trust and who "isn't tainted by criminality".
"I think the question is not 'what complications could arise', but 'why would I want to bother in the first place'," he argued. The security expert likened organisations paying for a black hat to secure their environment to consumers getting prescriptions from a drug dealer, or people buying foreign exchange from a known currency counterfeiter.
Ducklin noted that organisations seem to be "deluded" by the notoriety surrounding criminals, and are "willing to rub shoulders with them" because they mistakenly think that black hat hacking is a victimless crime.
In addition, there is also the misconception that being a criminal hacker is more difficult, and therefore requires a higher level of skill and ability, than being a non-law-breaking penetration tester or white hat hacker, he said.
Richard George, technical director of the US National Security Agency's (NSA) information assurance directorate, drew a distinction between "hackers with skills and computer criminals" in a Reuters report this month, which highlighted NSA's plans to recruit hackers. The agency announced that it would hire 1500 people in the fiscal year ending 30 September 2011 and another 1500 next year, most of whom will be cyber experts.
The NSA director pointed out that it is possible for hackers to learn the same skills without breaking the law. The agency, he told Reuters, was an environment "where the hacker mindset [fitted] right in to work with a critical mass of people that were just like them", and NSA needed employees with the hacker skill set and hacker mindset.
Via ZDNet Asia