Last week’s SANS newsletter caught my eye with an interesting story – “Wireless Hacking Braggarts Avoid Jail Time”. It links to a story in the Cleveland Plain Dealer about two security consultants who were caught in an FBI sting for wirelessly stealing data from a fake defense contractor.
These two fellows were approached with a great offer – $100,000(!) – to grab some files wirelessly and discreetly. The FBI got the idea of approaching them after they mentioned in an article in Crain’s Cleveland Business that they had broken into several networks wirelessly, and that companies should hire them to protect their networks. Whoops!
This brings up a tricky question about infosec in general – in a business environment that is only slowly becoming aware of the issue of security, how does one generate new business? It can seem tempting to ‘demonstrate’ the cost of bad security to a client, but cold-calling a business with information about their vulnerabilities is a sure way to wreck that relationship. The responsibilities of a security professional are to clearly communicate the importance of a strong security posture and to let that information speak for itself.
These two guys took exactly the wrong approach to selling computer security – becoming the ‘bad guys’ that they’re supposed to be protecting clients against! In the security field, more than many others, the line between ‘good guy’ and ‘bad guy’ can be blurry. An infosec professional who is only using commercial tools isn’t really getting into the head of a ‘bad guy’ – because the bad guys are using open source tools, not the expensive Foundstone package. We’ve got to get into the minds of the threats in order to defend against them.
This is where professional programs like CEH have value. This program teaches security professionals both the tools of the ‘bad guys’ and the ethics required to use them properly. The temptation of a quick payday may be lurking for some people, but it’s good to see that the FBI and other government organizations are actively watching out for these types of people.
As Spiderman said – “With great power comes great responsibility”. Security professionals need to keep this at the forefront of their minds at all times. We’d probably be better off not wearing tights and a mask, though!