Information Security News mailing list archives

Does Cybercrime Still Pay?


From: InfoSec News <isn () c4i org>
Date: Thu, 5 Dec 2002 00:56:41 -0600 (CST)

Forwarded from: Mike Gauthier <mike () a-and-m net>

http://www.newsfactor.com/perl/story/20146.html

By Lisa Gill
NewsFactor Network
December 4, 2002

It is the stuff of IT lore -- a hacker is
caught breaking into a company's systems and is given two options:
Take a job with the company or face prosecution. But are such tactics
still in use, or do malicious hackers now face nothing but a career
dead end?

"It was a trend at one time, when there weren't a lot of security
professionals who had experiences
that didn't include brushes with law enforcement," IDC research
manager for Internet security software Charles Kolodgy told
NewsFactor.

Now, though, Kolodgy explained, companies have begun to work more
often with sensitive data from financial firms or the government, so
their staff are forbidden to have criminal backgrounds.

Education as Legit Path

In addition, the education available to would-be security gurus has
expanded greatly in the last 20 years. More professionals are earning
IT degrees and security certifications or gaining experience working
for security-focused organizations.

Kolodgy pointed to the National Security Agency's designated Centers
of Academic Excellence in Information Assurance Education programs at
top universities, including Purdue, Carnegie Mellon, George Mason
University and the University of Idaho, among others. The program's
aim is to improve IT students' education in security measures, and to
include higher education in information assurance.

Certifications Spring Up

In the realm of certification, the SANS Institute's Global Information
Assurance Certification (GIAC) and the Certified Information Systems
Security Professional (CISSP) certification also serve as credentials
for security professionals.

"The need to hire someone who has had a run-in with the law is rather
limited now because you can get much better people who don't have a
history," said Kolodgy.

Although certification can be helpful, it is not yet a requirement for
obtaining a job, said Gartner security analyst Roberta Witty. Prior
experience as a security professional is still a primary consideration
-- but experience as a hacker, with a criminal record to prove it, is
not desirable.

"How can you trust somebody who has broken the law?" Witty said. "I
certainly believe that people change stripes, but do you want to risk
your business on that one hire?"

Gray, White Hats Employable

But for those hackers without a checkered past, who spend their free
time in pursuit of weakened networks or testing out hacking methods,
there is still a future in the security industry, according to Jeff
Moss, a.k.a. The Dark Tangent and founder of DefCon, the largest
annual hacker convention in the United States.

The most recent change is that young hackers now know a job is waiting
for them after they finish college, said Moss, whereas several years
ago, such job offers were more of a surprise than the norm.

The difference, he added, is that hackers now are less likely to
reveal their illicit hobby to potential employers, much less their
handles.

"About two years ago, all the older hackers I know stopped using their
handles. Now they go by their real names," Moss told NewsFactor.
"Amongst their own group, they still use their own handles, but
publicly, when anybody asks, they may not say they're a hacker."

Who Gets Hired?

In terms of whether companies actually hire hackers, Moss said he has
hacker friends in several major companies, regardless of whether or
not such organizations claim to employ such people. In most instances,
the companies may be unaware they have hired someone who spends his or
her off-hours striving to understand security in other systems.

"Many companies will only hire white hats, or at most gray hats who
don't have anything that looks bad in their history," said IDC's
Kolodgy.

Moss agreed that companies no longer hire those with a police record.
Personally, given two candidates, one with a record and one without,
he said he would be inclined to choose the candidate sans a
conviction.

"Just because they call themselves a hacker doesn't automatically
disqualify them," Moss said. "You would want to find out if they've
gotten in trouble for it. It's a broad term."

Homeland Security Damper

That broad terminology has concerned security analysts since President
Bush signed the Homeland Security Bill last week. According to a
provision of the Cyber Security Enhancement Act, hackers could face
life in prison if their actions "recklessly" threaten others' lives.

Ryan Russell, an independent security expert and author, said he is
concerned that the government and prosecutors may use their new power
to intimidate accused hackers into agreeing to plea bargains. But it
is not likely that the new legislation will deter hackers and thus
reduce the pool of security professionals-to-be, he added.

"Realize that you've got people who see themselves as very anonymous,"
he said. "Hackers don't see themselves as vulnerable or as necessarily
doing something wrong, so changes in punishment tend to have little
impact on current behavior."

Career Path Concern

Moss agreed that new potential punishments probably will not have a
chilling effect on the behavior of hackers, particularly teenagers --
though it may increase the number of incidents in which they are
caught.

"It's going to take really smart, rebellious, testosterone-filled
teenagers and make them federal felons," said Moss. "Before they get
out of high school, you're going to have a bunch of these smart people
whose career opportunities [are ruined] -- they'll be flipping burgers
for the rest of their lives.

"I'm concerned about the whole new generation," he added, "if they
make a couple of bad choices and that's it for the rest of their
life."


-- 
Mike Gauthier
All-purpose lackey

"Beer is proof that God loves us and wants us to be happy." - Ben Franklin



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

