Anyone can hack a system, but it takes a great mind to build secure systems that can keep bad guys at bay

I remember being excited when I was asked to use a sledgehammer to tear down a covered garage that wasn’t approved by the city. It had been standing beside my girlfriend’s house for years. You could tell it was built intelligently and with love. The supporting beams were twice as thick as required by code, and every nail and screw was driven straight. The lumber itself was top shelf, not a knot or bend in it.

I have a hard time driving a nail straight — yet it took me less than an hour to turn the structure into a crumpled pile of lumber. In the security world, something similar happens every day when hackers tear down whole networks and systems.

In reality, hacking is easy once you know what you’re doing. Defending is hard. If you want to truly impress the world, develop systems and applications that will be used by a lot of people while being resistant to easy hacking. Anyone can knock down a garage. But build one that can’t be taken down by a blockhead swinging a heavy sledgehammer, and you’ve done something.

Hacking is all too easy

Hacking is as easy as 1-2-3: locate the target, identify the software and its version, research possible vulnerabilities, attack, compromise. In my nine years as a penetration tester, I broke into every company I was hired to test, all in one hour or less (apart from one project that took three hours). These targets included banks, hospitals, energy companies, media firms, and three-letter government agencies.

I’m not even that good at hacking. On a scale of 1 to 10, I’m probably a 5.
When I worked at Foundstone and led an Ultimate Hacking class, I taught hundreds of students, in a matter of days, how to break into the average company with minimal effort.

That’s not to say all forms of hacking are child’s play. I had one buddy, whom I rank nearly a 10 on the hackometer; he coded his own BSD drivers and was a hospital IT manager at age 16, but he was so bored with penetration testing that he always came up with little challenges for himself. For one, he considered the pen test a failure if it resulted in a firewall log entry. He coded his own hacking tools because he didn’t like the noise the traditional tools created. Whatever the goal, he set his bar higher, and whenever he was paid to hack a company, he proved his mettle by hacking related companies that had b-to-b access to the client. He wanted to demonstrate to all involved parties what a good hacker could do.

That said, the world’s best computer security minds try to prevent malicious hacking. Working on the side of good offers an opportunity to work alongside the best and brightest in the industry. Further, the person who is most instrumental in building a more secure computer world will probably be world famous, for doing what so many others have tried to do and failed.

Security heroes today

As it stands, there are a few people who can churn out very secure code, although even they aren’t perfect. Dr. Daniel J. Bernstein quickly comes to mind. He’s the sole coder behind the very secure djbdns and qmail, among his many programming projects. He taunts vendors to deliver more secure software, but he also walks the walk. Despite being around for well over a decade, both products have suffered only one discovered vulnerability each — while all their competitors suffered from dozens.

Created by Theo de Raadt in 1995, OpenBSD is a free, open source variant of BSD and easily the most secure, popularly used operating system available today.
It is known for having only two remotely exploitable holes ever in the default installed software. Though people rightly argue that most users will install other nondefault software with many holes, no other base OS comes even close. I run OpenBSD on my honeypot network, on my forensic/pen testing laptop, and as my home firewall (using the OpenBSD packet filter). If you want an indisputably tough firewall that allows only what you tell it to — and no more — try the packet filter.

At Microsoft, my current employer, there are dozens of expert defenders who blow me away with their computer security ideas. These include Michael Howard, Kim Cameron, David LeBlanc, Crispin Cowan, Steve Lipner, Aaron Margosis, and Robert Hensing. Say what you will about a particular Windows software vulnerability, which is a factor of dozens of systems; I’ll put any of these guys up against anyone you can offer.

Dr. Niels Provos, inventor of the open source honeypot software Honeyd, is an incredible asset at Google. Bruce Schneier continues to put out cutting-edge thinking and has forgotten more about computer security than I’ll ever learn. I don’t think I’d be half the professional I am without reading his writing. I consider Lance Spitzner the father of the modern-day honeypot. Dr. Dorothy Denning led the way with anomaly detection. I probably wouldn’t even be in the field if not for the books written by Ross Greenberg (“Flushot”) and Clifford Stoll (“The Cuckoo’s Egg”).

Paul Ferguson is a router and malware extraordinaire. He brought me into the world of disassembling and testing computer viruses in the days of Fidonet — that is, before the Internet. He’s still going strong two decades later for Trend Micro. Lenny Zeltser, Dr. Eric Cole, Jason Fossen, Ed Skoudis, Dr. Eugene Schultz, and Stephen Northcutt, over at SANS, are in a higher echelon of instructors that cannot be duplicated. Eric taught me things about securing IIS more than 10 years ago that I still don’t see anywhere else.
Stephen has been a mentor, and he continues to see what really needs to be done to improve computer security years before anyone else does. He is truly visionary, like Bruce Schneier.

Any list of computer security experts I come up with is bound to leave out dozens of people whom I (and the world) respect and admire. Every little step forward is built on the backs of giants.

Why participate in malicious hacking when you can spend your time bettering this world and making it a far safer place to compute for everyone? If you don’t improve others’ lives with your life while on earth, what’s the reason for your existence? The people I’ve mentioned are brilliant. They are my heroes. They build the garages that others can’t break down so easily.

Think you’re smart? Then hack the hackers! Build a better defense.

This story, “Make your mark by stopping hackers,” was originally published at InfoWorld.com. Read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.