If you're hiring a hacker, stick with the pros


Upgrading your Web site from billboard to store? Better make sure all the locks work.

While some may think hiring a few MIT hackers to attempt a break-in will do the job, Internet security is becoming a real industry, often with players who have a background in the military or law enforcement.

Larry Dietz, VP, Zona Research, a Redwood City, Calif., market researcher, estimates the market for consulting services at $192.5 million in 1996, and "information security is a growing piece" of that industry, he says.

That comes in response to an increasing problem, according to the Computer Security Institute in San Francisco, which does an annual survey with the FBI, asking large companies and government agencies about losses from computer theft.

"Some 70% of the folks surveyed last year said they suffered losses," says Richard Power, editorial director for CSI. "They estimated $110 billion in losses within the last 12 months. That will go up as more business is done online."

Big-league players

To combat that, the security industry has been growing -- and the players have moved beyond the profile of a college hacker, Mr. Power says. All of the Big Six accounting firms offer security consulting, as do IBM Corp., military contractors SRI International and SAIC and firewall maker Trusted Information Systems.

There are also specialty firms emerging, such as Reliable Software Technologies Corp. and WheelGroup Corp., says Ellen Carney, an industry analyst for Dataquest, San Jose, Calif.

She thinks Zona's estimates of the security industry's size are low and plans to deliver a report on the subject for her clients.

The actual break-in attempt goes by the name of a security audit or penetration analysis, says Mr. Power.

No matter what you call it, experts say, be careful whom you hire to tap into your system.

To prevent theft, Mr. Power says, hire a cop and not a safecracker -- and, he says, do it right away. Anyone with major exposure to the Internet should have a sense of urgency about getting an audit done, he adds.

Expect to pay $8,000 to $10,000 per server for a good analysis, says Jeff Payne, president of Reliable Software Technologies, Sterling, Va., a 5-year-old company whose WhiteBox product suite can check new software before it goes online.

A good analysis will require testing of both the front door and the security procedures inside your company, he adds. "You don't just padlock the door -- that's crunchy on the outside and chewy in the middle."

However, the big danger may come from insiders, says Nicole Vanderbilt, a senior analyst with Jupiter Communications, New York. A recent theft of credit card data at ESPN SportsZone was done by an employee, she says, not an outsider.

"That can happen anywhere," she warns.

Find all weaknesses

WheelGroup, San Antonio, Texas, also offers security audits. Its flagship product, NetRanger, can detect intrusions in progress.

WheelGroup calls its analysis a Security Posture Assessment. The result is a report detailing all your potential vulnerabilities, says spokesman Doug Webster, both from outside hackers and insiders, with suggestions for fixing each hole.

"Finding one way to break in isn't valuable," he says. "You want to find all the ways to break in."

Just because a hacker proves he can get into your system doesn't mean you patch it and go on. When you find a good consultant, you might want to consider putting them on retainer so they can stay on top of potential problems.
