Profile of an Ethical Hacker

Feb. 16, 2005 -- Almost every day in the United States, savvy, determined hackers attempt to break into computer networks and pilfer valuable information. But here's the good news: Some of them are professionals, being paid to test the safety of the same computer systems you may be using regularly.

They are "ethical hackers," computer security experts hired by companies hoping to avoid costly holes in their information networks. While the term "ethical hacker" has been in use at least since the 1980s, it has only been a job description since the mid-to-late 1990s -- and it seems to be an increasingly common one at the moment, as computer security becomes a booming business. Research firm IDC, of Framingham, Mass., estimates worldwide computer security revenues will expand from $19 billion in 2002 to $45 billion in 2007.

That means more opportunities for ethical hackers, especially at major industry players. Take Joshua Lackey, a senior ethical hacker at IBM, who is based in Tucson, Ariz., and can sum up his job in one crisp sentence: "We'll go out and break into your computers."

Like many people in the field, Lackey had a personal interest in the subject before it became his profession.

"I've always been interested in security, always had that bent of mind," says Lackey, who joined IBM in 1999, as he was finishing his Ph.D. in mathematics at the University of Oregon.

Not that there is one dominant career path for ethical hackers, though; one of Lackey's IBM colleagues is a former CIA agent.

"I think the one thing we have in common is that there is a little different approach when you're a security guy," says Lackey. "Somehow breaking things is a little more ingrained than getting things to work."

Authorized to Hack

In the world of technology, breaking things, or at least attempting to do so, is also an integral part of getting them to work. Many contracts IBM inks with large clients require a security audit, involving an authorized visit to the firm by a team of hackers using agreed-upon "rules of engagement." For what Lackey calls a "premium hack," an IBM team might take two weeks to do the job.

In the last few years, the surge in use of wireless computer networks has been a particular focus for Lackey and some of his IBM colleagues. Traditional wired local area networks, of the kind probably used in your office, are essentially limited to the computers hooked up to the network. Local wireless networks revolve around access points computers can detect on their own. But since wireless network capabilities are now frequently built into computers, even machines sitting in offices may seek out access points. Lackey and his colleagues will often take access points -- which can be bought in stores -- and set up shop in the parking lot outside a client's headquarters to see how quickly they can penetrate a company's information system.

Employees who telecommute or use a laptop computer at a public wireless access point -- in an airport, coffee shop or another location -- can also put valuable company information at risk. Given the existence of an access point, skilled hackers can monitor the flow of packets of information being sent over wireless networks, and, if a computer is not using encryption technology, potentially view the actual data being sent as well.

"When you're on a wireless network," says Lackey, "you should just sort of assume that everyone around you, given the will and the technical ability, could look at your packets."

The Importance of Encryption Software

Lackey suggests wireless network users can help prevent hackers from looking at their actual data by using layers of encryption and beefing up the security on their individual machines -- something many of them take for granted. Lackey and his IBM colleagues have stories of executives who are unaware their computers can seek wireless networks or of employees who do not even bother to change the default computer password assigned by the manufacturer.

In fact, computer security extends beyond the machine itself. Some ethical hackers, if authorized, will also try distinctly low-tech methods of obtaining the same information -- like "social engineering," the effort to see if they can obtain valuable data through contact with unwitting employees, and old-fashioned pilfering.

"One time, we were auditing this place in Canada, and we literally took these monitors off this desk and walked out the building with them, just to see if anybody would try to stop us," recalls Lackey. "And they didn't."

Still, Lackey suggests users of wireless networks should be reassured that wireless hacking can only take place within limited physical boundaries. "In one sense, [wireless] might be more secure, since the only people you're worried about are your neighbors, or people around you at the airport."

That matters, because the phenomenon of hacking has changed over the years, from a local hobby to an international business. Nowadays, teenage computer whizzes are less the issue than illegal syndicates.

"What we're finding is that it's less of the interested kid who's just sort of poking around anymore, and it's really more organized crime figures, who just want steady income, and they actually go out and hire unethical hackers to do things for them," Lackey says.

No Security Is Perfect

The recent use of "phishing," for instance, in which thieves seek bank-account verification data by sending e-mails to unsuspecting victims, is a wired phenomenon. Similarly, the installation of spyware on computers is done remotely, over wired networks. Security consultants recommend consistent upgrades of anti-virus and anti-spyware programs, as well as education about scams, to reduce vulnerability to hacking -- although the threat cannot really be eliminated for good.

Indeed, computer security experts do not promise to make any network, wired or wireless, absolutely impenetrable. "There is no 100 percent," asserts Lackey.

Instead, the best approach for most computer users is to put up barriers that deter hackers and reduce their financial incentives. In the meantime, illicit hackers, ethical hackers and security researchers will keep battling to gain the upper hand in security.

"In one sense it really is just an arms race," says Lackey. "A vulnerability is discovered, we fix it. Then something different comes out. That's just how it all works. Things break, we fix them. Everything gets a little bit better as time goes on."