[EMAIL PROTECTED] said:
<snip>
> Back Orifice 2000 trojan or not a trojan?
I'm going to pretend you didn't try to resurrect that thread...
<more snipping>
> Gray hat hackers vs. Big 6. Someone mentioned the big 6 accounting
> firms as a reason of why you should hire gray hat hackers. The big 6
> have always lacked skilled security professionals. Of the big Six,
> Ernst & Young, which had the best security talent with its eXtreme team, has
> recently had a major exodus of security talent to many small security
> startups like www.ramsec.com. This departure continues to be a signal
> to avoid these firms for security: You can audit my taxes, but don't
> try to protect my network. Just because the big 6 are failures in
> security, I am not convinced that hiring gray hat hackers is a good
> thing.
Now this is the more interesting part of the argument. The big six have attempted to
muscle in on security consultancy, reasoning that there is a need for companies
people can simply hire without worrying about credentials. Sadly, they turned out to
be rather bad at security consultancy, and now it's difficult for people to know
where to turn. It's quite possible that companies which hire "grey-hats" are simply
attempting to get some publicity, showing that they do indeed have people who
understand some aspects of security. (This doesn't take away from the fact that some
grey hats know quite a bit about security.)
<Snip the definition argument>
> Let's say we used the 1st definition of gray hat hackers, those who are
> breaking into systems without permission (and beyond script kiddiez
> since they can actually code exploits and backdoors), would you still
> hire that gray hat hacker? Would you hire them just for penetration
> testing? How about to configure your firewalls? Or to actually run and
> operate the company's security?
Penetration testing certainly, protocol/architectural analysis if they're the type of
people who've done some clever tools and found vulnerabilities in products in the
past. I'm not sure grey-hats would really be called upon to configure and run
firewalls - that's more of an admin job than a consultancy job.
> If a gray hat can find a security flaw, does that make them effective
> at developing a security policy and rolling it out across the network
> and hundreds of servers?
Not especially. Your average grey hat shouldn't be chosen over a well trained security
consultant - not every person who found a buffer overflow in a unix command-line
utility or some open-source software and spends time on IRC is a useful security
consultant. I'd say that l0pht are a bit exceptional, in terms of skills and ambition.
Were I the hiring sort, I wouldn't worry about hiring them.
Michael
--
The opinions in this message are my own, and not in any way representative of NET-TEL
Computer Systems Ltd.
--
Michael Owen
IT Security Engineer
NET-TEL Computer Systems Ltd.
[EMAIL PROTECTED]