<?xml version="1.0" encoding="utf-8"?>

<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <title>Dominique Karg</title>
  <link href="http://huffingtonpost.co.uk/author/index.php?author=dominique-karg"/>
  <updated>2013-06-19T08:35:21-04:00</updated>
  <author>
    <name>Dominique Karg</name>
  </author>
  <id xmlns="http://www.w3.org/2005/Atom">http://www.huffingtonpost.co.uk/author/index.php?author=dominique-karg</id>
  <rights>Copyright 2008, HuffingtonPost.com, Inc.</rights>
  <subtitle>HuffingtonPost Blogger Feed for Dominique Karg</subtitle>
  <generator>Good old fashioned elbow grease.</generator>

<entry>
    <title>Why Hire a Hacker?</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.co.uk/dominique-karg/why-hire-a-hacker_b_2882809.html"/>
    <id>tag:www.huffingtonpost.com,2013:/theblog//3.2882809</id>
    <published>2013-03-18T19:00:00-04:00</published>
    <updated>2013-05-18T05:12:01-04:00</updated>
    <summary><![CDATA[It's only natural to use the tool that's been perfectly designed for the job yet, for some reason, when it comes to securing the corporate infrastructure, many are frightened by the idea of hiring a hacker. I believe they're missing out.]]></summary>
    <author>
        <name>Dominique Karg</name>
        <uri>http://www.huffingtonpost.com/dominique-karg/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/dominique-karg/"><![CDATA[Before I start this article I would just like to clarify that I'm not advocating the hiring of computer criminals. If you are being held to ransom by someone claiming to have control of your infrastructure, and demanding payment to 'prevent further damage or exposure', then you need to contact the relevant authorities. However, if you want to prevent said criminals hijacking your systems then perhaps a 'hacker' is exactly the person you need for the job! At AlienVault, we pride ourselves in working with 'hackers' and having them as part of our team to ensure we provide the best service to our customers. <br />
<br />
If you need a flat head screwdriver to remove a screw, would you use a cross head? Of course you wouldn't - it wouldn't work for one reason. Similarly, if you needed to dig a hole would you use a spoon? While you'd get the job done the time wasted could be better invested elsewhere. It's only natural to use the tool that's been perfectly designed for the job yet, for some reason, when it comes to securing the corporate infrastructure, many are frightened by the idea of hiring a hacker. I believe they're missing out.<br />
<br />
In a previous article I discussed the term 'ethical hacker' and, while I don't intend on regurgitating the theme here, it is worth just reminding you that I believe you should call a spade a spade and a hacker a hacker - ethics is irrelevant. I also define a hacker as 'someone who thinks a certain way about technology'. For that reason, if you want to make sure your systems are secure then the best way is to test their strength and that would be best done by someone 'who thinks a certain way about technology'. <br />
<br />
That said, not all hackers are the same so here are the skills, I believe, a hacker should display:<br />
<br />
<strong>Out of the Box</strong><br />
My hacker definition sums this up perfectly. Rather than looking at how something should work, a hacker will approach it from a different angle. He won't try your 'security doors' to make sure they're locked, but instead push on the wall around it to see if the bricks hold up and if the windows have glass - does the putty hold them in place. <br />
<br />
<strong>'No' isn't in his vocabulary</strong><br />
Tenacity is another key skill a hacker must possess - someone who doesn't take 'no' for an answer. Take a locked door - there are a number of ways of 'opening' it and a hacker will keep trying until he manages it. Of course the easiest way is to locate the key but, if one isn't on hand, then can the lock be picked? Can it be drilled? What about cutting the lock out altogether? I think the phrase from a legendary film - 'You're only supposed to blow the bloody doors off' perfectly encapsulates a hacker's enthusiasm to get the job done.<br />
<br />
<strong>Morals of an alley cat</strong><br />
Now, before everyone starts baying for my blood, I don't for one minute advocate paying a criminal for his services - unless they're rehabilitated and you're into second chances. However, a hacker needs to think and act like a criminal or what's the point. Criminals don't play by the rules and being afraid to push the boundaries is why a lot of companies end up experiencing breaches.<br />
<br />
<strong>Porridge for breakfast</strong><br />
While I've said there's no reason why a rehabilitated hacker shouldn't be employed, it does raise serious concerns - primarily, why did they get caught? Professional hackers will pride themselves on their skill at infiltrating systems, undetected, and will certainly not want to leave an electronic 'fingerprint'. A criminal conviction shouldn't be seen as a 'qualification' but rather testament that perhaps they're not up to the job!<br />
<br />
<strong>A big head</strong><br />
An egotistical hacker isn't necessarily a brilliant hacker - in fact quite the reverse is often true. I've sat and listened to far too many people claiming responsibility for something that I've known they didn't do - often because I was in fact responsible, but that's for another time.<br />
<br />
There are a number of reasons why bragging is a bad trait in a hacker:<br />
<br />
&bull;	they should be able to prove their ability rather than just talk about it<br />
&bull;	if they're loose lipped they could inadvertently expose the organisation to ridicule<br />
&bull;	a hacker likes nothing better than ridiculing someone else's inadequacy<br />
<br />
At the end of the day, someone who has the skill and tenacity to get the job done is the perfect fit for any organisation. Don't let a 'name' come between you and the opportunity to secure the perfect asset for your business.]]></content>
    <link href="http://i.huffpost.com/gen/1006264/thumbs/s-HACKER-mini.jpg" type="image/jpeg" rel="enclosure"/>
</entry>

<entry>
    <title>Hacker to Business Owner - Spotting Innate Talent in Others</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.co.uk/dominique-karg/hacker-to-business-owner-_b_2882808.html"/>
    <id>tag:www.huffingtonpost.com,2013:/theblog//3.2882808</id>
    <published>2013-03-15T06:28:52-04:00</published>
    <updated>2013-05-15T05:12:01-04:00</updated>
    <summary><![CDATA[As a hacker, my instinct is not just to try what I know works but look for ways so that it doesn't. As a businessman I recognise that just because something's always been done a certain way doesn't necessarily make it right. I need to constantly evolve, and ensure my business does too, if we're both to survive.]]></summary>
    <author>
        <name>Dominique Karg</name>
        <uri>http://www.huffingtonpost.com/dominique-karg/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/dominique-karg/"><![CDATA[There has been much debate recently in the UK about the current GCSE exam format. On the one side are those that argue it should be scrapped in favour of a complex testing process to produce stronger candidates; others believe this disadvantages those youngsters who buckle under the pressure of examination conditions. Both sides have valid points but surely what's being ignored is the bigger picture - making sure these future employees graduate with the life skills needed for their working lives ahead.<br />
<br />
<strong>Blue Sky Thinking</strong><br />
<br />
In a classroom environment, children who question teachers are labelled as trouble makers, and those that take things apart as delinquent. But surely that's exactly what's needed in today's world?<br />
<br />
Rather than a workforce of followers, I like to hire people who think outside the box, question everything and challenge the rulebook - as long as it's legal. Let's face it, if Columbus hadn't sailed out to check, perhaps many would still believe the world was flat. <br />
<br />
As a hacker, my instinct is not just to try what I know works but look for ways so that it doesn't. As a businessman I recognise that just because something's always been done a certain way doesn't necessarily make it right. I need to constantly evolve, and ensure my business does too, if we're both to survive.<br />
<br />
<strong>What About the Box?</strong><br />
<br />
The same is true for technology. It too is continually evolving and employees who are scared of change are going to hinder utilising these advancements.<br />
<br />
In the classroom children need to embrace exploration and excite in the discovery, not run from the prospect. As we continue to rely on technology, for even the most basic of functions in the workplace, the ability to look at a problem from every conceivable angle, to discover a working alternative, is a necessity. <br />
<br />
Does this mean we need a shake-up of the examinations our children take? Who knows, I certainly don't claim to be informed enough to make that judgement. What I do know is the curriculum and teaching practices need revolutionising to ensure technology isn't just used for other subjects, but learned in its own right.<br />
<br />
<strong>Play to your Strengths</strong><br />
<br />
When playing video games as a child, I would always look for ways to 'break' the code to secure myself additional ammo, extra units or create different guises. There will be some who see it as cheating, but is it? Surely I'm just using my skills effectively. For me, the fun of the game is beating the game designers. If it gives me an edge then shouldn't that be applauded rather than something to be ashamed of?<br />
<br />
Transferring this to my career, I wouldn't have got very far if I gave up at the first hurdle. Similarly, I wouldn't have made many sales if I stopped with the first no. What we need our youth to value is tenacity, not just an A*. <br />
<br />
<strong>Learning from Living</strong><br />
<br />
I'd be the first to put my hand up and say I 'dropped out' of university but that doesn't make me a failure. In fact, quite the opposite - I have a fire in my belly and a passion for security that I've used to get where I am today. As an employer it means I don't just look at a CV to see what grades a person had when they left full time education, but what they've done with them since. <br />
<br />
As parents we can become fixated on the grades our children achieve and, yes they are important, but they're not everything. Perhaps what we also need is a 'common sense' examination. I've interviewed a few 'Grade A / 1:1' students over the years who struggle to function in the 'normal' working world. Surely the education system has failed them!<br />
<br />
While I wouldn't advocate every primary school child be given a computer and then taught how to break into government databases (although I also don't see the harm as it would certainly keep these establishments on their toes), I do think inquisitiveness should be actively encouraged rather than seen as an evil that needs to be quashed. If a child has a natural talent - be it football, mathematics or even breaking code, this should be the focus rather than the elements of the subject that are likely to appear on the examination paper.<br />
<br />
We need employees who are willing to stand up for what they believe and question what they think is wrong. Perhaps then rogue bankers won't cripple our financial institutions, nor think it's a valid defence for doing so. In my experience, the best person for the job is someone with passion - certainly the best security professionals are those that are passionate about security. Of course, the basics are important but so is creativity and flair. <br />
<br />
Just like I recognised my skills as a hacker from an early age, now as an employer I recognise the skilled individuals within my workforce and deploy them appropriately. What I think is important is passion, creativity, morality and tenacity. As long as these score an A* then that's the main qualification I'm looking for from future employees.]]></content>
    <link href="http://i.huffpost.com/gen/592605/thumbs/s-HACKING-mini.jpg" type="image/jpeg" rel="enclosure"/>
</entry>

<entry>
    <title>Modern Day Pirates Lay Down Their Cutlasses and Get Digital</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.co.uk/dominique-karg/modern-day-pirates-lay-do_b_2175019.html"/>
    <id>tag:www.huffingtonpost.com,2012:/theblog//3.2175019</id>
    <published>2012-11-22T06:55:06-05:00</published>
    <updated>2013-01-22T05:12:01-05:00</updated>
    <summary><![CDATA[Many of you will remember long summer days with the streets filled with laughing children congregating to play football...]]></summary>
    <author>
        <name>Dominique Karg</name>
        <uri>http://www.huffingtonpost.com/dominique-karg/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/dominique-karg/"><![CDATA[Many of you will remember long summer days with the streets filled with laughing children congregating to play football or just 'hang out' with their friends - I certainly remember a neighbour or two chasing us down the street for being too noisy. Today, far too many roads are silent as our kids stay indoors and virtually gather online to 'play'. Of course, many would argue that's progress but it's just one example of our shift to a digital world.<br />
<br />
Another example is our oceans. Once a dangerous place with bands of pirates sailing the seas looking for vulnerable vessels to board and plunder, today modern day bandits have swapped the seas to surf the internet looking for victims to pillage. While our children play in virtual worlds, cyber criminals parley virtually, working together to develop their digital weapons.<br />
<br />
With more computers worldwide, especially in economies where even "light" cybercrime (such as farming gold for World of Warcraft) is a welcome option to spending 12+ hours a day in a factory, what is the truth about cybercrime? <br />
<br />
Safe Seas<br />
I often get asked whether one country is considered a greater, or lesser, target from another. Unfortunately, cyber security cannot be encased in typical physical or political boundaries - such as countries, companies or even social groups. While it's fair to say that the resilience to attacks, awareness of exposure and certain political/economical factors might have an effect on a company's security exposure, it certainly wouldn't make it completely immune.<br />
<br />
Permission to Come Aboard<br />
While it's true that anyone is at risk of a cyber attack, Governments, major corporations and companies with valuable IP are far more likely to be targeted by computer related attacks than companies without obvious valuable digital assets (valuable for people outside of the company, an accounting system is always valuable for the company running it).  <br />
<br />
That said, while criminals will unleash malware to worm its way into an intended victim, most worms don't make a distinction between one organisation, or industry sector, from another. For this reason, while an attack may initially be targeted at a particular Government or sector, there is no reason why the worm would stop there.<br />
<br />
Pirate Law<br />
Legislation, to some extent, will have an effect on an organisation's exposure to computer-based threats. Statistically, countries where there are stronger laws against misuse of computer systems by employees tend to be in better shape than those where there are none. That said, it doesn't stop a lawless society launching an attack against organisations where regulation is tight. Similarly, if the headlines are to be believed, powerful leaders such as President Barack Obama are not averse to playing dirty either!<br />
<br />
Rough Waters<br />
All forms of crime tend to increase in a recession so it's natural that instances of cyber crime too would increase. Cyber criminals have definitely become more active in recent years, however there are also more laws regarding cyber crimes too, which inevitably creates more criminals.<br />
<br />
Today, we face an arms race and what is obvious is that both sides are becoming more sophisticated. The good news is that detection mechanisms are also becoming more sophisticated, and awareness is also rising. However, I'd also warn that committing cyber crimes is becoming much easier. Where you had to physically rob a bank at gunpoint or infiltrate a high security environment requiring a lot of physical skill and expensive equipment (see "Sneakers" or "War Games" for "take-it-with-more-than-one-grain-of-salt-references"), nowadays a lot of money can be made from the safety of your own home or a random cybercafe. <br />
<br />
Here are five simple steps business owners can take to ensure they don't become a victim of cyber crime:<br />
<br />
1) Take security seriously. Don't assume you won't get hit because you have nothing of value to attackers. Even if it's just to use your computers in order to stage larger attacks, everything is interesting.<br />
<br />
2) Try to keep up with patches. In my humble opinion, this is the single most important thing to do in order to increase security.<br />
<br />
3) Don't start thinking about computer security after it's too late. Get your personnel trained, increase their skills, and raise awareness of security at a company level.<br />
<br />
4) Get help from outsiders. Most companies cannot afford a huge full-time team, but having someone from the outside come in every once in a while and assist can make a huge difference. As a personal recommendation, I'd say more isn't always better. Smaller agencies often care about what they do and a 10 page text report about *your* problems is more valuable than a 500 page report with a big name at the top.<br />
<br />
5) Don't overdo it. Computer security companies will talk about the upcoming apocalypse to sell you their products, but it isn't as bad as it seems. Common practices, patching, common sense, some external help and continuous effort will help you raise your 'difficulty level' enough for most attackers to search for an easier target. I believe that a robust security solution needn't cost a fortune. Open source and open source based security products, combined with good old fashioned collaboration, are great alternatives.<br />
<br />
At the end of the day, if a cyber criminal really wants to get in, he will launch an attack at your organisation. Your best bet is to detect and stop him, rather than trying to prevent all types of attacks.]]></content>
</entry>

<entry>
    <title>Why Justin Bieber is the Only Hope Left for Information Security</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.co.uk/dominique-karg/justin-bieber-only-hope-for-information-security_b_1817847.html"/>
    <id>tag:www.huffingtonpost.com,2012:/theblog//3.1817847</id>
    <published>2012-08-21T19:00:00-04:00</published>
    <updated>2012-10-21T05:12:12-04:00</updated>
    <summary><![CDATA[I recently had an eye opening experience. My wife confessed to me, in tears, that she liked Justin Bieber's music. She asked for forgiveness, as I walked out of the room mumbling some unrepeatable curse words.]]></summary>
    <author>
        <name>Dominique Karg</name>
        <uri>http://www.huffingtonpost.com/dominique-karg/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/dominique-karg/"><![CDATA[I recently had an eye opening experience. My wife confessed to me, in tears, that she liked Justin Bieber's music. She asked for forgiveness, as I walked out of the room mumbling some unrepeatable curse words. My wife used to like Led Zeppelin, Nine Inch Nails and similar stuff. But I don't blame Bieber for her succumbing to the dark side; she has played with fire already, listening to Enrique Iglesias once before.<br />
<br />
Wanting to know more about this presence that has invaded our home, I looked at some astonishing numbers:<br />
<br />
<ul><li>Justin Bieber Facebook Likes: 45,633,916 (45,633,937 by the time the page opened)</li><br />
<li>Twitter Followers: 25,580,060</li></ul><br />
<br />
The invasion was for real, and it was on my doorstep.<br />
<br />
As a reference, Andrew Hay is considered by many to be the Bieber of Information Security. When it comes to the voice, the looks and teenie followers, he doesn't compare. Just take a look at the following stats:<br />
<br />
<ul><li>Andrew Hay Facebook Likes: doesn't even have a fan page.</li><br />
<li>Twitter Followers: 4,187</li></ul><br />
<br />
Anyway, how does this relate to our favourite subject - Information Security?<br />
<br />
We read in the news every day that we are essentially in an arms race, a race that we have failed to win or even keep up with so far. The antivirus and endpoint industry has been failing miserably for 20 years now; the "why don't we write good code for starters" technology is not there yet, and won't be until people start dying because of bad code; and then there are the categories of detection, awareness, and remediation, all of which are being hotly pursued by vendors small and large.<br />
<br />
Where does our teeny idol Justin fit in all of this? Well, Justin Bieber holds the power to change this. We will never be able to convince those 40 million plus hormone-laden teenagers to take up IT security, share attack data, code better or help spread the gospel of security. But one word from Justin, one message to his minions and we'd have quite a few enthusiastic helpers in the fight against cybercrime. It may not be 40 million, but even if 10 million of his fans took note, then imagine the impact this could have.<br />
<br />
Think about it for a moment. Instead of Justin saying or writing things like this during a performance or on Facebook:<br />
<br />
<ul><li>"People write to me and say, 'I'm giving up, you're not talking to me.' I just write them a simple message like, 'Never give up,' you know? And it changes their life."</li><br />
<li>"I'd like to be an architect. That would be cool. I like drawing."</li><br />
<li>"I also try to read all of my fan mail. A lot of them send me candy, which I'm not allowed to eat 'cause my Mom says it might be poisonous."</li></ul><br />
<br />
He could be directing all this force to spread information security awareness, by saying things like:<br />
<br />
<ul><li>"Let us not look back in anger or forward in fear, but around in awareness."</li><br />
<li>"The user's going to pick dancing pigs over security every time."</li><br />
<li>"If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees."</li><br />
<li>"Computers let you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila."</li></ul><br />
<br />
 <br />
(Quotes and attributions from <a href="http://www.nativeintelligence.com/ni-free/itsec-quips.asp" target="_hplink">http://www.nativeintelligence.com/ni-free/itsec-quips.asp</a>, none of them are mine)<br />
<br />
This is a wake-up call. Without a high profile spokesperson to fight in the corner of Information Security and educate younger generations, the future of the Internet as we know it will be lost too.<br />
<br />
Now is the time for the security world to find its own Bieber, to pick up the gauntlet and raise a security conscious generation.]]></content>
</entry>
</feed>