NaNoWriMo-filter: White hat hackers who work for the gov, 2017 style
November 5, 2017 9:40 AM

I'm writing a book, and a significant character is a white hat hacker who works for a bureaucracy. He spends most of his time doing stuff other than work, but to try to understand him better I'm trying to understand: what DO white hat hackers who work for governments do these days?

Please pretend you're explaining the tech parts of this to a techy uncle who can install memory and builds his own computers but who is about 10 years out of date with programming and knows nothing about white hat hackers other than what one reads on Wired/etc. Definitely looking for something more than "protecting government websites against unauthorized access".
posted by stewiethegreat to Technology (7 answers total) 3 users marked this as a favorite
 
I know that there are all kinds of engineers (hardware at every level, software, network, router, switch, proprietary systems etc) who spend a lot of their time catching and reverse-engineering malware, not just to figure out what it's doing today but to try to anticipate what it's going to do next week/month/year. This stuff is so esoteric, there are engineers out there who are really really good at Excel because that's an incredibly popular injection/phishing vector (and there used to be an amazing blog by a guy who did work for NGOs, mostly detailing the million ways Office attachments could be used to compromise systems, and I lost it and have never been able to find it again). There are people out there figuring out how your coffee maker is going to get hacked.

I think the term you want, rather than "white hat" (you'll find people talking about things being white hat or not, but not really referring to themselves as such) is infosec, information security. You might enjoy the twitter feed of SwiftOnSecurity, who is probably not Taylor Swift but just go with it, who's not quite addressing the layperson but maybe mostly the technically savvy person who should be thinking more about infosec than they do.
posted by Lyn Never at 10:00 AM on November 5, 2017


Hello, former white-hat hacker who worked for bureaucracy(ies). I worked for a big-4 consulting firm, so I did things for clients, instead of in-house, but the work's the same.

White-hat hackers exist on a kind of continuum, depending on the nature of the company. Tech companies tend to have teams who are dedicated solely to hacking as you know it: they spend their days trying to find vulnerabilities in things like the company's website, or the systems that shuttle money around, or customer service systems, or the product itself. Non-tech companies – places like banks, retailers, b2b middlemen – tend to have teams that don't get to do a lot of that kind of thing (it's exciting!), but instead focus a lot more on regulatory and industry compliance. Some companies have people who do only this, and split "compliance" and "pen-test" (penetration testing) up, usually along CFO vs CTO/COO lines, or sometimes both will be under the CISO ("chief information security officer"), who often reports to the CIO, CTO, or COO.

In the case of pen-test work, the work usually goes like this: someone will identify (usually by working down a list, or looking at a roadmap) that a particular system should be assessed for its security. A "scope" will be determined, which will include the particular systems that are the focus of the work. After that, the group, sometimes called a "red team" or "tiger team" or somesuch, will start working on finding ways to break that system in a way that could be meaningful to the company. In the case of a large public company, the threshold could be a vulnerability that a hacker could use to steal enough money to require the company to issue an updated financial statement (the "materiality threshold"). Or a vulnerability that could be used to trick a customer into going to some other website, say. Stealing user data (cf. Equifax) is a common target, too, because customers get upset (even if Congress doesn't care). This can involve guessing passwords, or feeding a website some data that makes it freak out and dump data, or convincing a computer to run your program (think malware). Businesses have lots of computers that talk to other computers, too, and it's fun to convince a computer to talk to you instead.

The other extreme is regulatory or compliance work. This is often derided as "box-checking" and is almost always horribly dull and seldom requires actual skill on the part of the person doing the work. Various industries and governmental regulations require that computers be configured in certain ways, or that data be stored in certain ways, or not stored at all, etc. When validating that the company is following these regulations – and it's better to have your in-house staff do that validation before the regulator finds out – the system is almost always opened up. The white-hat hacker can simply peer in, make sure the system is doing what management says it must, and move on to the next requirement. The other side of this same coin is being involved in setting up new computers so that they meet those same requirements from the very beginning (think reactive vs proactive). Because the people who know enough to break systems must necessarily know how they're configured, and people who can configure systems know where to look to break them, the skill overlap is obvious and the reason the two are conflated or conjoined.
posted by TheNewWazoo at 10:03 AM on November 5, 2017 [4 favorites]


> The white-hat hacker can simply peer in, make sure the system is doing what management says it must, and move on to the next requirement. The other side of this same coin is being involved in setting up new computers so that they meet those same requirements from the very beginning (think reactive vs proactive). Because the people who know enough to break systems must necessarily know how they're configured, and people who can configure systems know where to look to break them, the skill overlap is obvious and the reason the two are conflated or conjoined.

So much this. See this list? It is a list of different technologies. Imagine going through all of the relevant lists, some by hand, some aided with tools, and making sure every single one of them is checked. If any aren't, you try to fix that. And then fix the system when it inevitably breaks.

Also, there is way more work in the validation and setting up, but everyone wants to be in the red team. The tools are cooler, and it's fun to break things.
posted by zabuni at 11:31 AM on November 5, 2017
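The "work down a list, by hand or with tools, and make sure every item is checked" routine that TheNewWazoo and zabuni describe above is the kind of thing that gets scripted. The following is an added illustration, not code from anyone in this thread and not any real regulator's checklist: the item ids (SSH-01 to SSH-06), the required values and the sample sshd_config are all constructed for the example. It parses one config file, checks each requirement including the case where a required key is simply missing, and produces the pass/fail tally that ends up in the compliance spreadsheet.

```python
"""Checklist-driven configuration compliance check.

Added illustration, not code from the thread or any regulator. The checklist
items (SSH-01..SSH-06) and the sample sshd_config are constructed for the
example; they are not a real hardening standard.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample config with a few deliberate gaps for the checker to find.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not from a real host)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""


@dataclass
class Requirement:
    ident: str                               # checklist item id (constructed)
    key: str                                 # config key, matched case-insensitively
    check: Callable[[Optional[str]], bool]   # gets the value, or None when absent
    expected: str                            # what the item requires, in words
    fix: str                                 # remediation note for the system owner


@dataclass
class Finding:
    ident: str
    passed: bool
    observed: Optional[str]   # value seen in the config, None if the key is missing
    expected: str
    fix: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse `Key value` lines; comments and blanks ignored, last occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def equals(wanted: str) -> Callable[[Optional[str]], bool]:
    """Require the key to be present with exactly this value (case-insensitive)."""
    return lambda v: v is not None and v.lower() == wanted.lower()


def at_most(limit: int) -> Callable[[Optional[str]], bool]:
    """Require the key to be present and be an integer no larger than `limit`."""
    def check(v: Optional[str]) -> bool:
        try:
            return v is not None and int(v) <= limit
        except ValueError:
            return False      # non-numeric value: treat as non-compliant
    return check


CHECKLIST: List[Requirement] = [
    Requirement("SSH-01", "PermitRootLogin", equals("no"),
                "root may not log in directly over SSH", "set PermitRootLogin no"),
    Requirement("SSH-02", "PasswordAuthentication", equals("no"),
                "password logins disabled in favour of keys", "set PasswordAuthentication no"),
    Requirement("SSH-03", "MaxAuthTries", at_most(4),
                "at most 4 authentication attempts per connection", "set MaxAuthTries 4"),
    Requirement("SSH-04", "Protocol", equals("2"),
                "only SSH protocol 2", "set Protocol 2"),
    Requirement("SSH-05", "X11Forwarding", equals("no"),
                "X11 forwarding disabled", "set X11Forwarding no"),
    Requirement("SSH-06", "ClientAliveInterval", at_most(600),
                "idle sessions time out within 10 minutes", "set ClientAliveInterval 600"),
]


def evaluate_config(text: str, checklist: List[Requirement]) -> List[Finding]:
    """Work down the checklist against one config; an absent key is a failure."""
    settings = parse_config(text)
    findings: List[Finding] = []
    for req in checklist:
        observed = settings.get(req.key.lower())
        findings.append(Finding(req.ident, req.check(observed), observed, req.expected, req.fix))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Pass/fail counts, the numbers that end up in the compliance spreadsheet."""
    passed = sum(1 for f in findings if f.passed)
    return {"pass": passed, "fail": len(findings) - passed}


if __name__ == "__main__":
    results = evaluate_config(SAMPLE_CONFIG, CHECKLIST)
    for f in results:
        print(f"{f.ident} {'PASS' if f.passed else 'FAIL'} observed={f.observed!r}: "
              f"{f.expected}" + ("" if f.passed else f" -> {f.fix}"))
    print(summarize(results))
```

Run as-is it reports four failures against the constructed sample (root login, password auth, MaxAuthTries too high, and the missing ClientAliveInterval) and two passes. The point of the `fix` field is the "then fix the system" half of the job: a finding without a remediation note just goes back on next quarter's list.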


Also, for compliance, at least in the government sector, there's enough paper that they split the job in two parts: the people who check to make sure the system is up to snuff, and the people who make the spreadsheets and fill out the forms to give to the regulators. The regulatory system, at least for some parts of government, can get kind of complicated.
posted by zabuni at 11:38 AM on November 5, 2017


Most of the folks I've met who do this type of work either work for government contractors (for example Booz Allen Hamilton) or Department of Defense. Most of them have job titles that are some variation on penetration specialist or analyst.

Maybe helpful?
https://www.dhs.gov/homeland-security-careers/dhs-cybersecurity

https://careers.boozallen.com/en-US/job/penetration-tester-senior/J3G6J272G8DYBZSPT9H
posted by forkisbetter at 3:47 PM on November 5, 2017


I used to work in the insurance industry. The big insurers have big computer networks and scads of business partners who share their data, send them files, etc. There is a ton of the boring compliance stuff mentioned upthread, but also a certain amount of testing, seeing who is trying to access the systems and other hackerish activities. I mention this because I'm sure it's the same with all government departments, especially the military.
posted by SemiSalt at 6:04 PM on November 5, 2017


IME, "protect govvie websites" isn't generally a "whitehat job". They have other things to worry about and anyone using that description for that activity would sound weird. For real-world examples google 'the equation group' and 'office of tailored access operations' for actual something-something-hat hackers employed by the government.

Also generally, white/black/grey hats tend to be more what you do with the information than what type of information you are working with - jailbreakers have little overlap with RAT malware researchers, either one can be black or white or both. Those TAO guys - from a US Gov perspective they are good white-hat guys but for the rest of the world? Grey at best.

There is overlap, but typically "protect our webserver" falls under security analysts looking at reports from whitehat pen testers, security assessors or tools; security engineers and ISOs approving the changes to the system; with dev-ops and sysadmin guys doing the actual fixing - changing settings, testing and deploying software fixes.

> what DO white hat hackers who work for governments do these days?

This depends, because the people working for DoD armed services will have a different outlook than Intel (CIA/NSA), then civilian law (FBI, DHS), or from Fed civilian. But possible day jobs for a government "hacker", other than hacking enemy things for the government:

- Security Research (find new hacks, evaluate new discoveries)
- Security Monitoring (SOC - watch for hacks and abnormalities, goes with DFIR)
- Red team - physical and electronic penetration testing, infosecurity assessments (you are the Ocean's 11 crew)
- Blue team - infosecurity defense engineering; source code audits (you need to stop the Ocean's 11 crew)
- Purple team - Red/Blue team integration (have the baddies show how they did it.)
- DFIR (Digital Forensics Incident Response) - investigation and remediation of incidents (You need to prove the involvement and the activities of the Ocean's 11 crew after they escaped.)
posted by anti social order at 10:08 AM on November 6, 2017
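Of the roles in the list above, "Security Monitoring (SOC - watch for hacks and abnormalities)" is the one most easily shown in working code. The block below is an added illustration, not code from anyone in this thread or from any SOC product: it runs a small detection over constructed sshd log lines (host name, user names and source addresses are made up, using the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges) and flags a source that fails to log in five times inside five minutes, escalating if that same source then gets in while the burst is still inside the window. The thresholds are assumptions chosen for the example, and the two sources that do not alert (a user who mistypes twice, and a slow source whose attempts never fit in one window) show the false positives a tuned rule needs to avoid.

```python
"""Failed-login burst detection over constructed auth log lines.

Added illustration of the "security monitoring" role, not code from the thread.
The log lines, host name, user names and addresses (documentation ranges
203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are constructed; the detection
thresholds are assumptions, not a standard.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional

LOG_YEAR = 2017  # syslog timestamps carry no year; assumed for the sample

# Constructed sshd lines: one noisy source that guesses six times and then gets
# in, one user who mistypes twice, one slow source that stays under the window.
LOG_LINES = [
    "Nov  6 09:30:00 bastion sshd[1800]: Failed password for bob from 192.0.2.9 port 40001 ssh2",
    "Nov  6 09:36:00 bastion sshd[1801]: Failed password for bob from 192.0.2.9 port 40002 ssh2",
    "Nov  6 09:42:00 bastion sshd[1802]: Failed password for bob from 192.0.2.9 port 40003 ssh2",
    "Nov  6 09:48:00 bastion sshd[1803]: Failed password for bob from 192.0.2.9 port 40004 ssh2",
    "Nov  6 09:54:00 bastion sshd[1804]: Failed password for bob from 192.0.2.9 port 40005 ssh2",
    "Nov  6 09:57:10 bastion sshd[2100]: Failed password for carol from 198.51.100.7 port 50010 ssh2",
    "Nov  6 09:57:20 bastion sshd[2100]: Failed password for carol from 198.51.100.7 port 50010 ssh2",
    "Nov  6 09:57:31 bastion sshd[2100]: Accepted password for carol from 198.51.100.7 port 50010 ssh2",
    "Nov  6 09:58:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Nov  6 09:58:07 bastion sshd[2202]: Failed password for invalid user test from 203.0.113.5 port 51235 ssh2",
    "Nov  6 09:58:13 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Nov  6 09:58:19 bastion sshd[2204]: Failed password for alice from 203.0.113.5 port 51237 ssh2",
    "Nov  6 09:58:25 bastion sshd[2205]: Failed password for alice from 203.0.113.5 port 51238 ssh2",
    "Nov  6 09:58:31 bastion sshd[2206]: Failed password for alice from 203.0.113.5 port 51239 ssh2",
    "Nov  6 09:58:40 bastion sshd[2207]: Accepted password for alice from 203.0.113.5 port 51240 ssh2",
    "Nov  6 09:58:41 bastion sshd[2207]: pam_unix(sshd:session): session opened for user alice",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


class Event(NamedTuple):
    ts: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    src: str


class Alert(NamedTuple):
    kind: str      # "brute_force" or "brute_force_success"
    src: str
    user: str
    ts: datetime
    failures: int  # failed attempts in the window when the alert fired


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for sshd auth outcomes; other lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return Event(ts, m.group("outcome"), m.group("user"), m.group("src"))


def detect_brute_force(lines: List[str], threshold: int = 5, window_s: int = 300) -> List[Alert]:
    """Flag a source with >= threshold failures inside a sliding window, and
    escalate if that same source then logs in successfully while the burst is
    still inside the window (the case an analyst wants paged about)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Alert] = []
    window = timedelta(seconds=window_s)
    for ev in events:
        q = recent[ev.src]
        while q and ev.ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if ev.outcome == "Failed":
            q.append(ev.ts)
            if len(q) >= threshold and ev.src not in alerted:
                alerted.add(ev.src)           # one alert per source per burst
                alerts.append(Alert("brute_force", ev.src, ev.user, ev.ts, len(q)))
        elif len(q) >= threshold:
            alerts.append(Alert("brute_force_success", ev.src, ev.user, ev.ts, len(q)))
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(LOG_LINES):
        print(f"{a.ts:%H:%M:%S} {a.kind:22} src={a.src} user={a.user} failures={a.failures}")
```

On the sample it raises exactly two alerts, both for 203.0.113.5: the burst itself at the fifth failure, and the escalation when the same source logs in as alice nine seconds later. The escalation is the one that "goes with DFIR" in the list above, since a successful login after a guessing burst is an incident to investigate rather than a noisy IP to block.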

