-
March 22nd, 2002, 06:34 PM
#1
Is hiring hackers worth the cost?
http://techupdate.zdnet.com/techupda...856786,00.html
I think it IS worth the cost, especially these days....BUT THE COMPANY HAS TO STAY CURRENT AFTERWARD
-
March 22nd, 2002, 06:44 PM
#2
It's worth it but that doesn't mean the people with signing privileges will sign off on that. IT is seen as a waste of money. You pay into it and see no real ROI, as far as CIO and Finance people are concerned. It's always pissed me off that IT is put under 'finance' if the company doesn't have a CIO, or V.P. of IT. Since when do beancounters know technology? If they all had their way we'd have to print EVERYTHING out. Cause it's real until it's on paper....ignorance.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
March 22nd, 2002, 07:00 PM
#3
Well, if you spend a total of 20,000 dollars for a hired hacker and he fixes all your bugs and glitches, tells you what you need and then implements it. But that saves 25,000 dollars worth of data...well you do the math.
-
March 25th, 2002, 07:27 PM
#4
Senior Member
In reply to KorpDeath
Actually, I find it pretty good having IT under the VP of Finance here at my office. All corporate spending goes thru the Finance guys, and it's best to have them part of our department because they're a great ally. We get more than our fair share of funding because the IT director gets to ask the Finance VP directly for the cash needed to run our toys.
If IT was a full department of their own, you could imagine having to wrangle with finance just as if you were another department (engineering, quality, etc).
Just be glad most of us aren't under engineering or we'd never be getting proper funding for projects.
-
March 25th, 2002, 08:42 PM
#5
I just found this link regarding the spending on security. A real world ROI.
http://www.cio.com/archive/021502/security.html
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
March 25th, 2002, 09:16 PM
#6
Member
If You Look At Microsoft/LINUX As A Car Once We Have Purchased Our New
Vehicle/OS Like Everyone Else After We Get It Home Can't We All Open
The Hood/Binaries To See What Makes It Tick?
Would A Unique Yet Compatible OS Thwart Any Security Breach Or
Does The Security Compromise Always Come From Communication Protocol?
-
March 25th, 2002, 10:23 PM
#7
I disagree with the hire them because they're hackers mentality. I do agree with hiring someone because of their abilities.
Let me clarify.
I have an issue with hiring some kid off the street just because he/she got press about his/her latest exploit or attack. The reason for this is if you hire someone to perform penetration testing upon your network you need to be able to trust them. If the trust isn't there then you can't allow the proper access in order to perform the testing nor can you allow them to work unsupervised. You end up monitoring the tester and that's not truly possible if your tester is as good as they should be. A truly good tester will be performing zero day attempts and hitting you supposedly where you don't know your vulnerabilities are so watching them 100% of the time just isn't feasible.
Ok...now that I've said that and I've braced myself for the flame barrage I'm sure to get I have to next say I agree with it. As we all know security is only as good as its weakest link and finding that hole is essential. The level you take it to is dependent upon the data you're protecting and the resources available to you for spending. I could go off on a whole different tangent here about if you can't afford to protect your infrastructure properly then you should close up shop but I'll resist temptation.
Now, if you get authorization to spend the dollars, you need to do several things minimally:
Get references
Talk to the person doing the testing directly
Ask what methods they plan on using and ask what they plan on implementing to limit unintentional damage to the network.
Ask what they plan on doing with the data after they are finished testing.
Personally, and this hasn't been tested in a legal sense yet as I've not had my hind end hauled into court yet but I have everyone involved sign a contract. I promise not to reveal details of anything discovered except to authorized personnel, not to destroy or release data and adhere to the times set up for testing only.
Oh....and get cash in advance.
Sorry for the ramblings here....got a bit long winded...
TC
-
March 25th, 2002, 10:49 PM
#8
Originally posted here by TechieChick
Talk to the person doing the testing directly
Ask what methods they plan on using and ask what they plan on implementing to limit unintentional damage to the network.
Ask what they plan on doing with the data after they are finished testing.
Personally, and this hasn't been tested in a legal sense yet as I've not had my hind end hauled into court yet but I have everyone involved sign a contract. I promise not to reveal details of anything discovered except to authorized personnel, not to destroy or release data and adhere to the times set up for testing only.
I couldn't have said it better myself. I always have a non-disclosure agreement drawn up between myself and the client when I do network security checks. It protects me and them. Also, if I hire any help for "ANY" job, I require at least three business references (not personal), of known companies in the area (or elsewhere depending on location). I always do a background check and, depending on age, I check the high school they came from. You would be amazed at what you can find out from a school about a prospect.
So no flames from me TC. I think you hit it on the nail. I would NOT hire some k1dd13 to work for me because he hacked AOL.
Just my $.02 worth.
The COOKIE TUX lives!!!!
Windows NT crashed,I am the Blue Screen of Death.
No one hears your screams.
