'Ethical hackers' becoming much in demand
Monday, May 29, 2000
By ERIKA STUTZMAN
Scripps Howard News Service
BOULDER, Colo. -- Hundreds of people spend their days trying to break into your business computer system. They'll find your vulnerable areas, peek inside, and see what kinds of confidential or proprietary information they can pick up.
And you're going to pay them to do it.
Sound scary? It's actually an exploding industry that's becoming more necessary as more computers and individuals get connected. Called "ethical hackers," or the more trendy "white hat hackers," these workers form the front line in the cyberwars, protecting your system from everything and everyone from the "love bug" to internal embezzlers.
"Companies need to have secure networks, and customers need to have confidence in their security," said Michael Puldy, an IBM executive in Boulder. "That confidence is absolutely critical in the e-business market."
Puldy is an executive with the Emergency Response Service and Business Continuity and Recovery Services -- the network security divisions of Global Solutions at IBM-Boulder.
Global Solutions, with more than 3,500 employees in Boulder, has become the fastest-growing part of IBM with more than 136,000 employees serving customers in 160 countries. Annual revenues are close to $30 billion.
IBM created its business network security segment in 1992 for internal use. Three years later, the company began offering its customers the service, which includes installing firewalls, intrusion deterrence and detection, security services, system cleanup, and research.
In 1995, 12 people worked in network security full-time. Today, IBM employs hundreds of network security workers in the United States and thousands worldwide.
In addition to computer experts, the security team has workers with backgrounds in the military and law enforcement, Puldy said.
"Our monitors encounter hacking every day," Puldy said. Luckily, most of those efforts are detected on monitors in Boulder before damage is done. "Some are just little probes, people trying to see if they can get in. Sometimes it's worse."
An important part of watching hackers is watching the trends they follow.
IBM's David Chess, a researcher in Westchester County, N.Y., would be considered an old-timer in the information security business, having scribed his first antivirus in 1988. He holds seven patents, and has written several trade articles on viruses.
Chess reports on virus trends for IBM and writes colorful, brief warnings about viruses and hoaxes (anyone remember "How to give a cat a colonic"? It was Chess who said it wasn't a virus).
Chess said the worm viruses -- Melissa, the Explore worm, and "I love you" -- are the bugs to watch.
"The 'I love you' virus was nothing new. We've seen this type of thing before," Chess said. "But it is a part of a growing trend -- this type of virus is around. We're trying to develop an immune system to it."
And as the world gets more wired, the need for ethical hackers and researchers such as Chess has expanded.
"It's growing exponentially. The more people and businesses get connected, the more we need people scanning for vulnerabilities," Puldy said.
New technologies leave people more at risk, too. Puldy said the faster cable connections could actually open files that aren't encrypted to potential snoops who share the connection.
Net security experts have many examples to support the need for their industry's growth. Consider:
The worms: May's "I love you" virus and last year's Melissa virus were fast-spreading, catching businesses unaware, wrecking files, and slowing e-mail. The "I love you" virus was the most widespread bug so far. Lloyd's of London has estimated its damage at more than $15 million.
Cyberattack: In February, e-commerce sites including Yahoo, Amazon.com, eBay, Buy.com, ZDNet.com, and E-Trade were attacked, and practically shut down, with random streams of technical babble. Electronic junk mail hit the sites, jamming them for millions of legitimate users. President Clinton met with experts from the computer industry to discuss Internet hacking.
Inside threats: There are countless tales of internal computer scams and hacks. One of the best-known recent attacks was in March, when Abdelkader Smires was charged with attacking the systems of his former employer, Internet Trading Technologies, with a denial-of-service attack.
If companies kept antivirus software up to date, they would be immune from about 80 percent of the hacking that is out there, Puldy said. But most companies also need to check the security of their entire systems.
The future of the Internet security industry is wide open, as more schools are starting to train students in safety issues. Purdue University this month approved a new interdisciplinary degree for master's students in information security.
"It is the first interdisciplinary information security program in the United States," said Eugene Spafford, a professor of computer sciences at Purdue. "Instead of offering the program within computer science, we are setting up a program where they can study it with criminal justice, or law enforcement, or political science."
Spafford said the industry goes beyond just the Internet.
"We need to look at the changing nature of computing, and protecting information not just in the networks, but in faxes and over the telephone and everywhere else information is transmitted," Spafford said.
Copyright © 2000 Bergen Record Corp.