Devil's Advocate:

Oftentimes you read about computer security companies operating Tiger Teams, consisting of security professionals and/or 'white hat' hackers. Their primary duty is to try to break into customer networks to test the security.

A problem arises though, when these big companies have a professional image to maintain. They can't be seen as hiring 'hackers' sometimes, or if they can let that term slip, they must qualify it with 'ethical' or 'white hat' hackers. In the past year or two, these claims have gotten completely absurd and backfired on some companies.

In the struggle to keep the corporate image, some of the press about these teams has led to outright lying about who they hire. The question brought forth from this is, who exactly is lying? Is it the penetration team managers that don't know who they hire? Or do they know they hire hackers and lie to the masses to protect the image?

There are two major claims these companies make:

"We don't hire hackers..."

"We only hire white hat/ethical hackers..."

Let's apply common sense here, and not directly speak of the companies or their claims. Let's look at two examples of hackers applying for a job with one company and the potential results.

  1. Joe White Hat applies to Large Security Firm. He is applying for a position as a penetration tester. On his resume and in interviews he only talks about his experience as a network admin, doing security for his friends, and other white hat type stuff. He has no criminal record.
  2. John Black Hat applies to Large Security Firm. He is applying for a position as a penetration tester. On his resume and in interviews he only talks about his experience as a network admin, doing security for his friends, and running his own network for a small group of friends. He has no criminal record.

As a hiring manager, who do you hire? Who is really ethical? Who has broken into other networks before? How do you know?

Every hacker I know can dress in a shirt and tie and play corporate. Fitting in with other employees is nothing more than a new way of Social Engineering.

So, now you have corporations telling you they only hire ethical hackers. Do we believe them? I sure don't. I know members of various teams that work at IBM, KPMG, E&Y, Axent, and countless other security firms, large and small. I know they are either ex-hackers, or STILL active and their fellow employees have absolutely no clue. Knowing that, I doubt the companies' claims even more. Not only are they lying, they have no clue they are doing it. That doesn't give me a warm fuzzy when considering them for possible consulting work.

Bigger Devil's Advocate:

All hiring practice aside, let's consider who we want to hire. Our objective is to hire a team to do a real world scenario attack on our network. We want to see what hackers would be capable of doing if they targeted our network. Let's say we are considering two companies. The first makes the claim they hire no hackers at all, that their team is security professionals. The second makes no claims about their team or background. Meeting each team, I get the impression that the first team is indeed security types, with no real hacking background. The second team comes across as a few hackers and a few security professionals.

Who would I hire?

The second team. Without a doubt in my mind. Several reasons why I would make this decision:

  1. Experience. Regardless of the legitimacy of their experience, the second team employs people directly familiar with hacking and breaking into machines. That experience is what I am looking for to reach the "real world attack" it is supposed to simulate.
  2. Even if they have shady pasts, they are working for a legitimate company with a solid reputation. If the company trusts them, they must be able to function in a business environment, meet expectations, etc. A company wouldn't hire malicious unstable kids knowingly.
  3. The company has business insurance. The company should have checks and balances to verify that no harm is done. The company should offer the client a chance to witness the work.

Add all that up, and hiring a team with hackers is no worse than hiring an unqualified team that has never broken into anything before. Experience counts in today's world.
