ORLANDO - Security managers at last week's InfoSec World conference say they're combating the risks posed by outsider attacks and insider exploits by thinking - and sometimes acting - like hackers.

JP Morgan Chase, The Hartford Financial Services Group, the Mayo Foundation and Maven Security Consulting detailed procedures that call for stealing a page from the hacker playbook. These methods include war driving on wireless LANs (WLAN), phishing to test network security and teaching hacking techniques to software developers as a form of training.

Jack Mogren, senior network security architect at Mayo, the Rochester, Minn., healthcare organization, said he war drives to find security holes in his wireless network, which will grow this year from 1,300 to 1,700 Cisco Aironet access points.

"I hop in my Jeep and drive around the buildings doing wireless scans," said Mogren, holding up an antenna based on a tin can that he bought for $18 on eBay. The setup may be simple - a laptop running NetStumbler or other WLAN sniffer software and a jerry-rigged antenna - but it's identical to what a hacker would use. And it works.

He can detect rogue access points that employees - many who are researchers - may have installed without authorization. When he finds security holes, the Mayo Foundation's IT staff takes steps to ensure the proper equipment - with the appropriate authentication and encryption controls - is put in place.

Ethical phishing catches on

The Hartford, which has 35,000 employees, also is using stealth tactics in nabbing the bad apples in its midst.

"[Y]our employees are your biggest threat," said Matthew Fiddler, assistant director for information security at The Hartford in Connecticut, who spoke on security issues. "We had one guy tunneling porn, a lot of porn - 53 megs."

Based on suspicions, The Hartford's IT staff swept the employee's desktop computer to remotely scoop up the porn evidence using the forensics tool, Encase Enterprise Edition , which can remotely monitor and capture data without the employee knowing.

"He doesn't work for Hartford anymore," Fiddler said. The advantage of using the remote data-capture tool is that it saves IT staff from traveling. "I was having to send guys out to California to do a black-bag job, but now we can do it with a WAN."