An article published by Security Magazine online by McAfee Chief Security Officer Brent Conran earlier this month has created a storm of controversy in the infosec community.  Posted under the category ‘Cyber Safety’ and entitled ‘Why Not to Hire an Ethical Hacker’, the article itself doesn’t really give any reasons why you shouldn’t hire an ethical hacker, at best it seems to wander into a bunch of weak definitions of hackers, but the potential impact is nonetheless worrisome.  The security industry is built from trust, of leadership and consistent best practices, and that’s exactly why there’s a real problem with the article, it seems to suggest that the hiring of ethical hackers is somehow a weak or insecure practice.  Nothing could be further from the truth. Ethical hackers are the infosec community and the practice has long been a fundamental component of a thoroughly secured enterprise.

The article itself may be some kind of link bait – Security Magazine has a wide readership that brings in all types of roles and it asks you to register and give up a bunch of info.  (There is a non-registration version on PasteBin).

That being said, when you consider the title and that the level of reader that would most likely read an article regarding the hiring of ethical hacker would be high level CSO or CISO, it’s quite possible it was written just to find out what decision makers are interested in the topic.  Whether this was written by Conran himself or not, his name is still on it and his word is attached to this article.

As the CSO of a major security company, every single thing that is written by him or attributed to him enters the public consciousness.  The simple fact is there is a possibility that a poorly informed decision maker could take this article that passingly besmirches the ethical hacker community as somehow sound advice, and take on security research alone.

Strange, wandering and off-topic

Let’s look at some ‘highlights’ of this strange article:

When it comes to hacking, it’s black or white. Or grey. There are white hat hackers, black hat hackers and those who live in-between, in the grey area. White hat hackers are ethical computer hackers or security experts who specialize in penetration testing to make sure a system is truly secure. Black hat hackers, on the other hand, violate security for malicious purposes and generally for personal gain. Grey hat hackers live somewhere in the middle, often breaking into a system or network only to inform the owner that there is a vulnerability.

We have some horribly constructed definitions here, though that’s open for some debate, it is somewhat basic.  This leads the knowledgeable reader to the conclusion that this article may have been written by someone else because Conran has an exceptional history of industry spokesmanship, in just about every type of media.  The bad advice continues:

The choices are many: hire a white hat hacker, benefit from the work of a grey hat hacker, or take a walk on the grey side and do some research yourself (taking all due precautions). The results, regardless of how this is done, is to better protect data and the enterprise. By learning how the bad guys operate, you can better defend yourself against them and in the process build a stronger network and systems.

This is how the article ends, with at best weak conclusions, and it never gets around to explaining its deceptive title. It does discuss rather ancient concepts of ‘black hat’ and ‘grey hat’ hackers, followed by the following statement:

“security experts do just this; they want to tap into the knowledge of the grey hat hacker, but would never let them on the network to do penetration testing.”

Between that statement and the title, you should be somewhat unsettled.  It unfairly casts mistrust upon a dedicated and skilled community that actually helps the security of companies across the industry. Whether we are talking about red teams, software testers, penetration testers, whatever you want to call them there are many tremendously responsible and trustworthy groups out there validating security, uncovering gaps, and way, way more.

Security services under fire

It is especially troubling right now because the industry is under fire with the famous Target breach of 2013 and the fallout that is playing out right now.  Just last week, Target openly threw credit-card security firm Trustwave under the proverbial bus, alleging in a lawsuit that Trustwave missed on their responsibilities to comply with industry regulations and failed to detect the breach early enough to stop it.  Trustwave has defended itself in a statement by its CEO that the claims are without merit, and that everything that is characterized in terms of services within the suit are completely wrong.  Yes, whatever comes out as the final play by play on the Target fiasco without a doubt, things were missed.

Is a correction on the way?

The timing of the Conran article could not have been at a worse time.  It is misleading, irresponsible and flat out wrong on every level possible.  McAfee may be changing names soon, but this statement is destined to follow it.  The company also has its own Advanced Programs Group that is basically a ‘white hat’ ethical hacker team, one has to wonder what they might be feeling regarding this article.  ‘Why Not to Hire an Ethical Hacker’ must be corrected or deleted immediately.

photo: purpleslog via photopin cc