List: isn
Subject: [ISN] Are hired hackers worth the cost?
From: InfoSec News <isn () c4i ! org>
Date: 2002-03-27 9:37:07
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20264250,00.htm

By Wayne Rash, Special to ZDNet
26 March 2002

COMMENTARY: There's one way to prove that security is a necessary IT
expense: hire hackers to successfully break into your own network.

CFOs are treating security as a cost item to be controlled--and in
some cases, even eliminated. That's the buzz at the recent CeBit trade
show.

Despite IT managers wanting to spend more on security, CFOs are
putting the brakes on such spending. The latest thinking, apparently,
is that the terrorist activity was more than a quarter ago, so it's
history. In other words, CFOs are seeing all those security costs on
the balance sheet--yet they're not seeing any security problems. (The
fact that increased security is heading off problems is lost on them.)

This doesn't surprise me. I've been hearing similar sentiments from
people in the US. Outside the IT community, it seems that security is
either a business impediment or an unnecessary cost. As a result, CIOs
and network managers are under constant pressure to do less, as a way
to save money and reduce inconvenience.

Unfortunately, the primary argument to unlock dollars for security
infrastructure is that you have to get attacked first. But there's one
way to prove that security is a necessary IT expense: hire hackers to
successfully break into your own network. That's right--hackers for
hire. Though it sounds like an oxymoron, a number of companies,
notably Computer Sciences Corporation of El Segundo, California,
employ hacker engineers.

These "ethical hackers" will break into your network, take it over,
and then produce a security assessment report that uncovers your
vulnerabilities. At this point, security is no longer a theoretical
issue. You can point to specific tasks you must complete to protect
your company's integrity.

Of course, hackers for hire don't come cheap. I heard from some CeBit
show attendees that a simple firewall check, for example, can cost
US$5,000.

But if your company balks at hiring a hacker and insists on reining in
the security budget, remind everyone that you'll be living on borrowed
time. Controlling costs is always important, but you can't risk
millions of dollars by being lulled into complacency.

Wayne Rash runs a product testing lab near Washington, DC. He's been
involved with secure networking for 20 years and is the author of four
books on networking topics.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.