High noon for hackers

White hat hackers are worth their fee, says Ben Tudor. Just don't think they will solve all of your security problems.

Ben Tudor

You can never be sure your network is secure enough. After all, you're only as secure as your last patch. But while no network can ever be completely secure, being secure enough is desirable, if not legally required.

The Securities and Exchange Commission now demands that companies list security measures in their annual reports, and a certain amount of due diligence is required. Not for the first time, the actions of the network manager directly influence shareholder value.


Testing, testing

Naturally, a number of companies willing to shoulder the burden have popped up. They fall into two categories: those that offer an automated vulnerability testing service, and those that offer a more hands-on approach by penetration-testing the network. Both techniques have their advantages.

"There is a difference between a managed vulnerability assessment and a penetration test," explains Geoff Brown, director of software development at automated security tester Pansec.

"A penetration test will be exploitative. If there's a weakness in your system, it will use and exploit it. We've automated the process to the point of the exploit and no further."

One ethical hacker Network News spoke to agreed, but for different reasons.

"No-one wants to do the boring stuff: running known exploits to see if a server can be patched," he said.

"On top of this, the company you hire is going to be pretty expensive. Why not get it to do the things that need a bit more creativity and leave the drudge work to a piece of software?"

But a third method also exists: hiring 'white hat' hackers to do the job. These groups and individuals are less well known as they tend not to have access to large marketing resources, even if they wanted to publicise themselves.

Hats off to hackers

Whichever approach you take, there is no guarantee that your company won't be hacked. It is also difficult to establish how good or thorough a penetration test is.

In this field, hiring and firing is done on trust and reputation as much as on technical knowledge. Most of the companies that carry out penetration testing hire white hat hackers of some sort.

The terms 'white hat' and 'black hat' are generalisations. The New Hacker's Dictionary defines a black hat as "A cracker, someone bent on breaking into the system you are protecting." A 'white hat', on the other hand, is an "ally or security specialist".

The distinction between the two is easily blurred. After all, which network engineer has not been tempted to break into a system to get a job done faster?

"The analogy I would use is that if I had to fire everyone who worked for me who had broken the speed limit or tried drugs, I wouldn't have any staff left," says Robin Dahlberg, UK managing director at security specialist ISS.

It would be fair to say that the definition, from the point of view of companies involved in penetration testing, is slightly different from the New Hacker's Dictionary definition.

"It's easier to hire networking professionals and teach them to hack than it is to teach black hat ethics," points out Dahlberg.

The criminal element

Firms such as ISS and IX Security actively go out of their way to avoid hiring staff with criminal records. But possession of a clean record is no guarantee of ethical behaviour.

"I don't like hiring convicted hackers," says Christer Stafferod of IX Security. "If one of our competitors does it, customers think we all do it.

"There was a famous case here in Sweden where a company wanted to hire someone who had been arrested for cracking. They paid his legal fees during a trial. We hire people who send us CVs instead of breaking into a bank.

"Why don't all companies hire people like that?"

Ionut Ionescu, head of Exodus Communications' security division, says: "The issue of white hat versus black hat hackers is very similar to the one when you've lost your keys: should you employ a locksmith who is very good at unlocking doors, or hire a criminal who breaks into houses?"

Either way, the number of potential experts has increased over the years.

Code of conduct

While hiring security specialists with a staff roll of cleared and sanitised white hats is one avenue, companies also hire individuals and less established groups to test their security. As Kenneth de Spiegeleire, manager of security assessment services at ISS, points out: "Unfortunately, not all service providers respect the same code of conduct or rigorous testing methodology."

Toby Ben, products manager at Access Research, agrees. "I class myself among the white hats," he says. "I've been through the checks required by my employer, a security specialist.

"But if you're a company and you want to hire a prospective hacker, it's more difficult. You don't have the resources."

However, Ben does see a light at the end of the tunnel. "In the short term, the best way is to go with a recognised penetration team. These teams base their entire existence on being able to do comprehensive evaluations.

"What I'd like to see is a whole generation of legitimately certified experts who have something to prove: that they are trustworthy, and that they have the skills."

Security clearance

This is a fine idea. At present, it is possible to hire individuals with security clearance from the Defence Establishment Research Agency (Dera), which carries out research on anything from the material used in uniforms to nuclear weapons for the Ministry of Defence. But hiring someone who has a Dera clearance costs.

Besides which, as one white hat Network News spoke to puts it, the sheer monotony of some penetration testing can leave white hats kicking their heels.

"If you think of the sort of people who are intelligent enough to do really good penetration testing, it's pretty clear they will be bored by routine stuff like examining for unpatched systems. They may well look at other things instead, like weaknesses in commonly used software, such as Outlook, which would allow someone with knowledge to penetrate a PC."

Effectively, he argues, anyone creative enough to look at new penetration tests may well be distracted by a particularly elegant or interesting exploit and move off at a tangent.

Following the script

For this reason, several companies have developed systems that run, against a company's systems, the standard exploits and scripts used by the majority of crackers. Such tests can be run regularly - for some customers, at least once a day - producing a rolling test of the latest security holes.

This is a cheap and possibly less fallible way of searching for known exploits on large networks.

"There is always an issue regarding expenses," says Stafferod. "The thing is, if you look at the automated systems out there today, they are pretty good.

"But when we are out with a client, 15 per cent of the time is spent with standard software. The other 85 per cent is knowledge from our consultants and their custom tools. The problem with the automated tools is that they can produce false positives."
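To make the trade-off concrete, here is an added illustration that is not code from the article or from any of the firms quoted in it: a toy version of the automated check described above, run over a constructed advisory list and asset inventory. The first pass compares the version string a service reports against the version in which a fix shipped, which is roughly what a banner-based scanner does. The second pass suppresses findings where the inventory records the fix as backported by the vendor without a version bump, one common source of the false positives Stafferod mentions. The comparison between runs stands in for the daily schedule. All advisory ids, package names, hostnames and version numbers are placeholders, and the backport knowledge is assumed to come from the operator's own inventory rather than from the scanner.

```python
"""Toy vulnerability check with false-positive triage (constructed data only).

Advisory ids, packages, hosts and versions below are placeholders, not real
advisories or CVEs. The backport flags model knowledge the operator holds
about their own estate, which a banner-only scanner cannot see.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    package: str
    version: str                                   # version string from the service banner
    backported: set = field(default_factory=set)   # advisory ids fixed in place by the vendor


# Constructed advisory feed: the first version that contains each fix.
ADVISORIES = [
    {"id": "ADV-0001", "package": "webserver", "fixed_in": (2, 4, 10)},
    {"id": "ADV-0002", "package": "mailer", "fixed_in": (1, 9, 3)},
]

# Constructed inventory: web01 runs a vendor build whose banner still says 2.4.9,
# but the vendor backported the ADV-0001 fix into release "-3" of that package.
ASSETS = [
    Asset("web01", "webserver", "2.4.9-3", backported={"ADV-0001"}),
    Asset("mail01", "mailer", "1.9.1"),
    Asset("web02", "webserver", "2.4.12"),
]


def parse_version(text):
    """'2.4.9-3' -> (2, 4, 9); the vendor release suffix after '-' is ignored."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def naive_scan(assets, advisories):
    """Banner-only pass: flag any asset whose version predates the fix version."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv["package"] != asset.package:
                continue
            if parse_version(asset.version) < adv["fixed_in"]:
                findings.append((asset.host, adv["id"]))
    return findings


def triaged_scan(assets, advisories):
    """Same check, then drop findings the inventory knows were backported.

    This is where the consultant's knowledge enters: the banner is unchanged,
    so only local information can tell a patched box from an unpatched one.
    """
    backports = {asset.host: asset.backported for asset in assets}
    return [
        (host, adv_id)
        for host, adv_id in naive_scan(assets, advisories)
        if adv_id not in backports.get(host, set())
    ]


def new_since(previous, current):
    """Rolling view for a scheduled scan: findings present now that were not last run."""
    return set(current) - set(previous)


if __name__ == "__main__":
    print("banner-only :", naive_scan(ASSETS, ADVISORIES))
    print("triaged     :", triaged_scan(ASSETS, ADVISORIES))
    yesterday = [("mail01", "ADV-0002")]
    print("new today   :", new_since(yesterday, triaged_scan(ASSETS, ADVISORIES)))
```

The banner-only pass reports two findings, one of which is the backported web01 package; the triaged pass keeps only mail01, and the rolling comparison shows nothing new against the previous day's result. In practice the backport record would come from the package manager or a configuration database rather than a hand-written set, but the structure is the same: the cheap automated check finds candidates, and local knowledge decides which ones are real.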

Prices start at about £6,000 for a standard penetration test. It seems cheap, until you are hit by the fallout from such a test.

"When you go in for security testing, be prepared to rip everything out and start again from scratch," says the systems administrator we spoke to. "If your systems are inherently insecure, you have no option."

He goes on to point out that not knowing - and saving money in the short term - can mean that your company is broken into, causing massive losses to productivity, reputation and profit, things which are not so easily placed on a profit and loss sheet.

The curse of the shareholder lawsuit

In addition, there is the legal cost involved. Shareholder lawsuits are a particular curse for companies with a stock market listing in the US, and failing to show sufficient diligence in securing against loss is a very good excuse for lawyers to get their pens out.

"It's an interesting question, and I couldn't comment on it from a legal standpoint - that's not my area," says Dave Brunswick, director of European technical services for Tumbleweed.

"You're giving someone carte blanche to have a go, and you need to understand the implications of that. You need to deal with a firm that is reputable."

However, there is one other option. In some cases, mutual support between companies, departments and individual members of staff can produce more protected systems.

"Capture the flag, I suppose," says the systems administrator we talked to. He is referring to a popular pastime amongst hackers at DefCon, where two groups try to break into each other's computers.

"It depends on the company and the people involved. It certainly helps if the staff of each company know each other and have a friendly rivalry going.

"Possibly a better example is of departments hacking departments. It's a very good way of both getting to know each other's abilities and understanding each other's work."

Again, this is only good up to a point. As he makes clear, such protection is only as good as the people doing the hacking.

The white stuff

White hat hackers are worth hiring because they provide part of a decent security assessment. However, establishing which white hats to hire is another issue entirely. Established firms can and do offer a form of indemnity; the quality of their product is more or less guaranteed. More to the point, in doing their work, they are also putting their reputation on the line in one of the most public ways possible.

But it is clear that hiring white hats is not the end of the problem at all. If anything, a penetration test is just the start of a constant battle to ensure security.

THE ACHILLES HEEL OF SECURITY

Rather than going through all the hassles of cracking a system by brute force, it is much easier to attack its weakest part. While computers are, by their nature, logical, human beings are not.

"The easiest way into an organisation is social engineering," says Dave Brunswick, director of European services for Tumbleweed. "It's important not to take a completely paranoid approach to this. Too many passwords and procedures can be counterproductive."

In the past, banking systems have been insecure, paradoxically enough because of too high a level of security. There were so many passwords that people forgot them easily. So you could walk into a branch of a bank, look through the teller's window and see, in many cases, a Post-It note stuck above the monitor with that day's password written on it.

Social engineering is still a favoured way for many crackers to break into a system. It's worth bearing in mind that the level of security given to a system is only as good as the awareness of the staff.
