technical document ref# imho_exp.html
issue date: 30 Oct 2002
by techtolink technical division

Need Security? Get A Real Expert

    When a company contracts with a computer security expert to investigate breaches in its information systems, the company is opening all its information resources to that individual. When the media--including television, radio, or a magazine like this one--quote an IS security expert, those news organizations are putting their reputations on the line.

    But just how good are these security experts? With the rash of recent network security problems, experts seem to be crawling out of the woodwork, espousing their opinions on computer and network insecurity. In many cases, they are spreading the FUD factor: Fear, Uncertainty, and Doubt. And, in some instances, former hackers are being hired by major companies as security advisers.

    That any business would use these people as consultants makes one wonder if they also hire arsonists as fire marshals or convicted burglars as security guards. Some of these security experts have a hard enough time staying out of jail; others recommend illegal "remedies" for finding and solving computer security problems.

    While it's true that people who have exploited information systems vulnerabilities in the past know where those specific vulnerabilities lie, they're not the only ones with this knowledge. Their method of becoming well-known security experts usually involves getting caught by a law-enforcement worker and becoming famous for at least 15 minutes, publicizing their own agenda (a la hacker Kevin Mitnick's "social engineering"), or otherwise violating the trust needed to perform vital security services.

    And just because someone is well-known in one area doesn't mean he or she has a clue in another area. Reformed hackers may know the ins and outs of a particular program or system but have no idea about the continuity of operations associated with business processes. These people also may not be aware of the legal and ethical ramifications of some of their security solutions. Would you give full access to your vital systems to someone who may not understand the implications of what he or she is doing?

    Ironically, the hackers-cum-experts aren't even the cream of the crop; the good ones will not be found out or caught, and quite possibly won't be detected. These experts who brag about their past accomplishments are simply demonstrating their ineptitude by their inability to avoid detection. Would you want someone who has demonstrated incompetence to have full access to your vital systems?

    There are ways to become well-qualified and trustworthy in the computer security field that don't involve breaking into someone's network. A proven track record--one that can be verified--with a reputable computer security company is one indication of devotion to the cause. Not all government organizations are behind the curve technologically, so a comprehensive background check can be a valuable tool for companies looking at prospective security consultants. Another mark of a bona fide security expert is certification as a Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA); this shows companies that a person has expertise in a variety of security and business areas.

    But perhaps the most important consideration for a company or publication looking to contract with a security expert is a dose of common sense--don't take anything said at face value. Just because someone says something can be done doesn't mean it can--or can't. As Ronald Reagan said, "Trust, but verify." True professionals will be able to support everything they say, and will likely be able to provide that proof in a written report.

    Be advised, however, that even the best computer security expert may not be willing to tell you how this verification was obtained--security experts have secrets, too. In any case, each system vulnerability identified should be accompanied by a list of impact assessments and countermeasures. It's much easier to break something than to fix it; a hacker may know how to break into a network but not have a clue about how to clean up the mess.

    Information systems security is too important to be ignored, as it has been in the past to the sorrow of those who have done so. And it's absolutely too important to be left in the hands of incompetent publicity-seekers. You have to do it, so do it right.