More Ranting on the Issue of Dealing with Computer Criminals in Information Security
I’m still pretty keyed up about all that happened concerning the message describing an ISSA International event, a webcast in which a convicted computer criminal will participate. I feel compelled to first praise some prominent infosec professionals such as Hal Tipton, Donn Parker, William Murray, and Karen Worstell who did not shy away from taking and communicating a strong stand on this issue.
I also learned that the issue of what to do with so-called “former hackers” is not exactly new within the ISSA International Board, nor within individual ISSA chapters. The temptation to invite a former (or even current) member of the black hat community is ever before information security event organizers. Advertising that a “former hacker” will be speaking on how to breach security and similar topics is, after all, bound to raise the interest level and thus possibly also the number of registrations for an event. I’ve said this before, so I’ll be brief here, but I have heard “former hackers” speak on numerous occasions. On not even one of these occasions has any such speaker been interesting, informative, and/or motivating. In fact, some of the worst speakers I have ever heard in my life have been former members of the black hat community. My suspicion is that these individuals become so self-absorbed in being recognized as proficient in their use of “hacking” methods that they fail to realize that they need to please an audience when they speak—seriously! Additionally, their knowledge level has never impressed me. Just about a month ago I heard a very famous computer criminal speak on current attack methods. This person’s talk was pathetic—this person described attacks that used to occur in 1995, not attacks that occur today, and worst of all, this person openly made a sales pitch for his consulting services. Attending this person’s talk was a complete waste of time for me and also an insult to information security professionals.
At the same time, some information security professionals argue that it is not true that “once a hacker, always a hacker.” They are quick to point out the fact that a number of former members of the black hat community are now mainstream information security professionals. All that is needed, according to this reasoning, is some kind of time period in which a former computer crime perpetrator separates him- or herself from the illegal activities in which s/he used to engage. These undoubtedly well-intentioned information security professionals fail to realize, however, that trust is one of the most essential underlying enabling factors in the practice of information security. Trust and current and/or former computer criminals simply do not go together. Extending this reasoning to other, similar areas shows just how specious it is. Does the FBI hire former criminals? Do banks hire former embezzlers? Then why should former black hat community members be allowed to serve as information security professionals?
Many information security professionals have served their employers well over the years, and have conducted themselves honorably and with integrity. They may not get a lot of professional recognition for all the good they have done, however. In contrast, someone who has broken into system after system, engaged in extortion schemes with Web site owners, and the like can easily gain recognition, recognition that unfortunately may help them when they compete with honest, hardworking information security professionals for a consulting job or other opportunity. This is wrong. We must reward and favor individuals within the information security arena for their positive, not negative contributions.
Finally, if there is a former member of the black hat community who has truly repented of past deeds and does not look back, why should that person not at a minimum earn CISSP certification as concrete evidence that this person: 1) knows at least the minimum knowledge expected of an information security professional, and 2) is willing to abide by (ISC)2’s code of ethics? What absolutely appalls me is the incredibly low percentage of so-called “reformed hackers” who have stayed completely clear of CISSP certification. My strong suspicion is that the majority of these people could not pass the CISSP exam because they know as little about information security in real life as they do about it when they give presentations.