Computer Crime Research Center


White hat, gray hat, black hat

Date: October 04, 2005
Source: FCW.COM
By: Michael Arnone

... to question."

Organizations must encourage employees to question everything about the technology they use, he said.

Putting lessons to work

The guiding principle for government and commercial IT has been to increase productivity and decrease cost, without much thought about security, Proctor said.

Savings are powering the federal government's insistence that contractors and integrators use commercial software. The drive "is like nothing I've ever seen in my life," said Michael Armistead, vice president of products at Fortify Software.

Thornton warned that any commercial solution must account for the organization's risk profile, especially risks presented by black hats. Those responsible for implementing commercial products should audit them, line by line if necessary, to see if they provide adequate security. If they don't, the hackers will.

Even with the security emphasis since the 2001 terrorist attacks, Thornton and other experts agree that government and industry are not changing fast enough to thwart evolving threats from black hats.

But government and industry have attributes that, if used hacker-style, could potentially help them defeat malicious hackers.

Government has the advantage of central coordination and the ability to quickly enforce best practices and standards enterprisewide, Ruiu said. It can also share information quickly and effectively — faster, in fact, than industry and the balkanized hacker community.

Industry has the advantages of being able to speedily implement changes and act pragmatically, Ruiu said. If it employs the hacker mind-set while developing products, it would produce software and hardware more resistant to attacks in the first place.

Government and industry need research units to discover vulnerabilities, or they should work with someone who has them, Maiffret said. They need to dissect software to find every weakness, just like hackers worldwide do.

Until such widespread changes occur, the public and private sectors can protect themselves the way hackers do, said Michael Cantey, a network systems administrator at the Florida Department of Law Enforcement's Computer Crime Center. He said they should learn as much as they can about what's on their systems, how those systems operate and how to fix as many flaws as possible. They can stay current on basic security measures and set up a multilayered defense that goes beyond the perimeter to inside essential systems.

The only long-term way to effectively hinder or prevent hacker attacks is to show the same persistence, skepticism and vigilance that hackers do, Roesch said. After all, he said, "the million monkeys are working relentlessly, every day, all day."
Original article

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2006-12-20 23:32:39 - csld ckfetgpns zmidc tgrzy lwgjmdtb... zqykitnh rgnukvq
2006-12-20 23:32:33 - gpwkznei yzpbnck burlxo dlgp hukqx... xofk nmizu
2006-12-20 23:32:26 - qntjrm fhlbyuirk izqowndbu jigs biodakuch... pwjovds buwhnq
2006-12-20 23:09:15 - vethqor xejpafkng wkpnl dpaogtfhv... neftd sbygmn
2006-12-20 23:08:25 - qmnbcji yluqik nvkeoi kixp mcpqni yqdpwcu... dmzylksog cbrv
2006-12-20 23:08:18 - lphcjrn xyuagep seclqtifd qmktwual oilqayh... sbgeautqw sugqwcbp
2006-11-12 01:53:24 - ybfw iwxjvyazq cqhfkjxs jsgtol qwodsfiv... iwbnqe bwkc
2006-11-12 01:52:23 - wbjfx frvbho hkpdcxyor lsezit kvxf dabnch... hfjay oilhf
2006-11-12 01:52:07 - snyz gqmlreah vlrza meugfndj pdrx... wolth kuetfqgm
Total 9 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo