You can never be sure your network is secure enough. After all, you're only as secure as your last patch. But while no network can ever be completely secure, being secure enough is desirable, if not legally required.
The Securities and Exchange Commission now demands that companies list security measures in their annual reports, and a certain amount of due diligence is required. Not for the first time, the actions of the network manager directly influence shareholder value.
Testing, testing
Naturally, a number of companies willing to shoulder the burden have popped up. They fall into two categories: those that offer an automated vulnerability testing service, and those that offer a more hands-on approach by penetration-testing the network. Both techniques have their advantages.
"There is a difference between a managed vulnerability assessment and a penetration test," explains Geoff Brown, director of software development at automated security tester Pansec.
"A penetration test will be exploitative. If there's a weakness in your system, it will use and exploit it. We've automated the process to the point of the exploit and no further."
One ethical hacker Network News spoke to agreed, but for different reasons.
"No-one wants to do the boring stuff: running known exploits to see if a server can be patched," he said.
"On top of this, the company you hire is going to be pretty expensive. Why not get it to do the things that need a bit more creativity and leave the drudge work to a piece of software?"
But a third method also exists: hiring 'white hat' hackers to do the job. These groups and individuals are less well known as they tend not to have access to large marketing resources, even if they wanted to publicise themselves.
Hats off to hackers
Whichever approach you take, there is no guarantee that your company won't be hacked. It is also difficult to establish how good or thorough a penetration test is.
In this field, hiring and firing is done on trust and reputation as much as on technical knowledge. Most of the companies that carry out penetration testing hire white hat hackers of some sort.
The terms 'white hat' and 'black hat' are generalisations. The New Hacker's Dictionary defines a black hat as "A cracker, someone bent on breaking into the system you are protecting." A 'white hat', on the other hand, is an "ally or security specialist".
The distinction between the two is easily blurred. After all, which network engineer has not been tempted to break into a system to get a job done faster?
"The analogy I would use is that if I had to fire everyone who worked for me who had broken the speed limit or tried drugs, I wouldn't have any staff left," says Robin Dahlberg, UK managing director at security specialist ISS.
It would be fair to say that the definition, from the point of view of companies involved in penetration testing, is slightly different from the New Hacker's Dictionary definition.
"It's easier to hire networking professionals and teach them to hack than it is to teach black hat ethics," points out Dahlberg.
The criminal element
Firms such as ISS and IX Security actively go out of their way to avoid hiring staff with criminal records. But possession of a clean record is no guarantee of ethical behaviour.
"I don't like hiring convicted hackers," says Christer Stafferod of IX Security. "If one of our competitors does it, customers think we all do it.
"There was a famous case here in Sweden where a company wanted to hire someone who had been arrested for cracking. They paid his legal fees during a trial. We hire people who send us CVs instead of breaking into a bank.
"Why don't all companies hire people like that?"
Ionut Ionescu, head of Exodus Communications' security division, says: "The issue of white hat versus black hat hackers is very similar to the one when you've lost your keys: should you employ a locksmith who is very good at unlocking doors, or hire a criminal who breaks into houses?"
Either way, the number of potential experts has increased over the years.
Code of conduct
While hiring security specialists with a staff roll of cleared and sanitised white hats is one avenue, companies also hire individuals and less established groups to test their security. As Kenneth de Spiegeleire, manager of security assessment services at ISS, points out: "Unfortunately, not all service providers respect the same code of conduct or rigorous testing methodology."
Toby Ben, products manager at Access Research, agrees. "I class myself among the white hats," he says. "I've been through the checks required by my employer, a security specialist.
"But if you're a company and you want to hire a prospective hacker, it's more difficult. You don't have the resources."
However, Ben does see a light at the end of the tunnel. "In the short term, the best way is to go with a recognised penetration team. These teams base their entire existence on being able to do comprehensive evaluations.
"What I'd like to see is a whole generation of legitimately certified experts who have something to prove: that they are trustworthy, and that they have the skills."
Security clearance