White hat, gray hat, black hat
Date: October 04, 2005
Source: FCW.COM
... to question."
Organizations must encourage employees to question everything about the technology they use, he said.
Putting lessons to work
The guiding principle for government and commercial IT has been to increase productivity and decrease cost, without much thought about security, Proctor said.
Savings are powering the federal government's insistence that contractors and integrators use commercial software. The drive "is like nothing I've ever seen in my life," said Michael Armistead, vice president of products at Fortify Software.
Thornton warned that any commercial solution must account for the organization's risk profile, especially risks presented by black hats. Those responsible for implementing commercial products should audit them, line by line if necessary, to see if they provide adequate security. If they don't, the hackers will.
Even with the security emphasis since the 2001 terrorist attacks, Thornton and other experts agree that government and industry are not changing fast enough to thwart evolving threats from black hats.
But government and industry have attributes that, if used hacker-style, could potentially help them defeat malicious hackers.
Government has the advantage of central coordination and the ability to quickly enforce best practices and standards enterprisewide, Ruiu said. It can also share information quickly and effectively — faster, in fact, than industry and the balkanized hacker community.
Industry has the advantages of being able to speedily implement changes and act pragmatically, Ruiu said. If it employs the hacker mind-set while developing products, it would produce software and hardware more resistant to attacks in the first place.
Government and industry need research units to discover vulnerabilities, or they should work with someone who has them, Maiffret said. They need to dissect software to find every weakness, just like hackers worldwide do.
Until such widespread changes occur, the public and private sectors can protect themselves the way hackers do, said Michael Cantey, a network systems administrator at the Florida Department of Law Enforcement's Computer Crime Center. He said they should learn as much as they can about what's on their systems, how those systems operate and how to fix as many flaws as possible. They can stay current on basic security measures and set up a multilayered defense that goes beyond the perimeter to inside essential systems.
The only long-term way to effectively hinder or prevent hacker attacks is to show the same persistence, skepticism and vigilance that hackers do, Roesch said. After all, he said, "the million monkeys are working relentlessly, every day, all day."