At first blush, the idea of putting a hacker in charge of your information security might seem absurd or, at least, ill-advised. Who would even think of putting someone who is skilled and knowledgeable in how to breach my network in charge of protecting it? Isn't that comparable to the proverbial fox guarding the hen house?
Contrary to your first instinct, many firms are now finding that individuals with a background in hacking are actually more adept at stopping attempted intrusions in their network than those with more traditional information security backgrounds. As someone who employs both, I'd like to share why I think hackers are far better at securing your network.
Hackers Focus on How to Break Things
One of the most significant differences--in my experience--between traditional information security folks and hackers is that hackers are always thinking about how to break things. Traditional information security personnel are focused on how to make things work, such as the firewall, IDS, and other security devices. The hacker is always thinking, "How can I break those devices?"
This type of thinking has implications beyond the obvious. In order to break things, you usually must have an intimate understanding of how they work. This understanding goes beyond how to configure a device or application and goes more toward a fundamental understanding of the underlying workings of the device and the system. This can be invaluable in making your network more resistant to attack.
Hackers Think Creatively
To be an effective hacker, you must think creatively. In most cases, there is no cookbook or textbook for hacking. The hacker must think creatively about the way things work to find vulnerabilities that can be exploited. Most security engineers have never been challenged in this way.
Hackers are Persistent
Almost by definition, a hacker must be persistent. There is rarely a simple or single way to gain entry to a system or network. Hackers often have to fall back on plans B, C, D, and beyond to succeed. This kind of work breeds a "never give up" mentality that is just as useful when deploying information security defenses.
Hackers are Problem Solvers
Once again, the hacker mentality requires well-honed problem-solving skills. Hackers are routinely challenged with seemingly intractable problems--such as your patched and hardened systems. Only through excellent analytical skills can they develop ways around your defenses. In my experience, these skills have proven invaluable when employed on the other side of the Maginot Line.
Hackers Tend to Focus on Practical Hands-On Experience vs. Formal Education
Hackers' education tends to be hands-on and practical rather than formal. Hackers tend to be driven by a passion for computing and systems, a passion that can at times be insatiable and, in some cases, insufferable. If you can harness that passion for your defensive strategies, you will likely be rewarded handsomely.
It also means that, in many cases, these individuals have been hacking from an early age; by 25, they may already have 15 years of practical experience.
Hackers Have Scripting Skills
In most information security environments, a few simple scripts can go a long way toward making life simpler and, therefore, more secure. Any hacker worth their salt has developed scripting skills, usually in Python or Perl, or at least simple BASH scripts, for building tools that take advantage of a network or system vulnerability. Although this might seem like a very basic IT skill, I have worked with many information security professionals who lack this fundamental skill set that is second nature to most hackers.
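As an illustration of the kind of "simple script" meant here, below is an added example (not code from the original post or its author) of the sort of throwaway tool a scripting-capable defender writes in minutes: it parses sshd-style auth log lines, counts failed password attempts per source address, and lists the addresses that look like brute-force sources. The log lines are constructed for the example, and the threshold of three attempts is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in syslog/OpenSSH format; not taken from any real system.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:14 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:15 host sshd[2203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:19 host sshd[2205]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2: ED25519 SHA256:abc
Mar  3 10:02:01 host sshd[2207]: Failed password for bob from 192.0.2.9 port 40100 ssh2
Mar  3 10:02:40 host sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a list of (username, source_ip) tuples, one per failed password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return failures


def failed_logins_by_ip(log_text):
    """Count failed password attempts keyed by source IP."""
    return Counter(ip for _user, ip in parse_failures(log_text))


def usernames_tried(log_text):
    """Map each source IP to the sorted set of usernames it attempted."""
    tried = defaultdict(set)
    for user, ip in parse_failures(log_text):
        tried[ip].add(user)
    return {ip: sorted(users) for ip, users in tried.items()}


def brute_force_candidates(log_text, threshold=3):
    """Source IPs with at least `threshold` failures (threshold is an assumed value)."""
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    tried = usernames_tried(SAMPLE_LOG)
    for ip in brute_force_candidates(SAMPLE_LOG):
        print(f"{ip}: {failed_logins_by_ip(SAMPLE_LOG)[ip]} failures, users {tried[ip]}")
```

Run against a real `/var/log/auth.log` by reading the file into `log_text`; the output is the list an analyst would feed into a firewall deny list or a ticket, which is exactly the kind of small automation the paragraph above has in mind.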
Finding A Qualified Hacker
Finding a qualified hacker for your information security department may be more difficult than one might suspect. There are a number of well-known hackers who come at a high price, but finding an entry-level or mid-level hacker can be daunting, especially if hacking is a foreign discipline to you, as it is to most information security managers.
One way to identify entry-to-mid-level hackers is to look for certifications. The CEH (Certified Ethical Hacker) certification is the granddaddy in this field, but it is NOT highly regarded. It does not require knowledge of Linux or scripting, nor any actual hacking/exploitation skills. As a result, many people with this certification know ABOUT hacking but do not actually have the skills unique to hackers that I have found so valuable in information security.
There are a few certifications that are a much better reflection of true hacking skills and knowledge. These include the GPEN and OSCP, which require something resembling true hacking skills to acquire. In addition, the White Hat Hacker (www.white-hat-hacker.com) certifications CWA, CWE and CWP represent hacking certifications at entry, intermediate and professional level, where the applicant must know hacking and demonstrate their skills on a live target system.
In addition, Hackers Arise has begun a service known as "Hackers for Hire", which matches certified and knowledgeable hackers with jobs anywhere in the world.
If you can find the right hacker and harness their skill and passion, your information security team will likely be well served by their unique skill set.