On Monday, somebody systematically called your firm's phone
numbers until he found a forgotten but active modem and entered your
system through it. On Wednesday, he scoured your Web site's
firewall for cracks and slipped through them. On Friday, he called your
switchboard and fooled a staff member into revealing a network login and
The only thing good about all of this is that at least you got your
money's worth. You paid for these things to happen; you just
employed ethical hacking, an unconventional service long used by
companies to protect information technology assets from hostile
Companies hire ethical hackers to probe their own defenses for
vulnerabilities by employing the same methods that hackers, thieves,
vandals and spies would use. If they find any weaknesses, they report
them to their clients and advise them on ways to eliminate those
vulnerabilities, and increase enterprisewide IT security.
Ethical hacking is also called "penetration testing" and
"intrusion testing" or "red teaming," a term used
when the U.S. government began hacking its own systems in the 1970s. In
the 1980s, telecommunications companies--a frequent target of budding
cybervandals who could gain street credibility by messing with the local
phone company--began using ethical hacking as well. Banks caught on in
the 1990s, and later in that decade, most e-commerce firms depended on
ethical hacking as a critical security measure, since a single
interruption or intrusion could cause massive financial problems.
There are dozens of ethical hacking firms currently open for
business, ranging from one-man freelance operations to large IT firms.
According to Edward Skoudis, New York-based Predictive Systems'
vice president of security strategy, ethical hacking has continued to
grow as an industry despite the recent dot-com implosion. He notes that
many other industries, such as general-purpose retailers, financial
services firms, petroleum companies, the automobile industry and other
heavy industrial manufacturers have begun employing ethical hackers as
What goes into an ethical hacking depends on the range of services
required, the size of the client and how much that client is willing to
pay. Typical services include:
External network hacking. This includes scanning the target's
Web server, firewall and routers for vulnerabilities from an external
source. This is the most commonly provided ethical hacking service.
Internal network hacking. This involves deploying a team to the
target site, where they conduct penetration testing on the
company's servers and routers, using its own equipment. This is a
good test for defending against disgruntled employees, industrial
saboteurs (although uncommon) or anyone else who might try to intrude
upon a company's network from within.
Application testing. A growing arena for the ethical hacking
industry, application testing is aimed specifically at clients who have
developed their own software, such as custom Web-based voting and
polling programs or online stores and payment programs. Just about any
software that is not delivered shrink-wrapped falls under the custom
application category. Comparatively, scanning Web servers for
vulnerabilities is fairly easy since they are all relatively uniform.
When scanning custom applications, however, the ethical hacker must
reverse engineer the program and analyze every line of code.
Wireless LAN assessment. This is another increasingly common
service because many firms employ wireless networks within their
facilities. Such networks enable laptop users to move their computers
from office to office while remaining connected to the local network.
The downside is passersby outside the facility can use that same
wireless technology to log in to the company's network without the
company knowing it. The most common way to perform a wireless LAN
assessment is to conduct "war driving"--physically traveling
around the target facility in search of wireless access points.
War dialing. This is an old hacking technique where a hacker breaks
into a network by calling phone numbers in the hopes of hitting an
unsecured modem the target has accidentally left active or forgotten.
Automated programs enable hackers to dial thousands of numbers in a
matter of moments. The technique almost always works, and it is one of
the tests ethical hackers run that most often turns up an intrusion alert.
When an open modem is detected, it is disconnected or secured to
eliminate the threat it poses. Another method for blocking war dialing,
used by the U.S. government, is erecting a PBX firewall on the network.
Social engineering. Like war dialing, social engineering is a
simple but effective technique. An intruder calls someone within the
target company and convinces him or her to give up sensitive IT
information over the phone. This is what happened when hackers recently
vandalized the Web site of al-Jazeera, the Arabic news network. After
calling al-Jazeera's registrar and impersonating IT professionals,
they requested the company's Web hosting information so they could
redirect the site to a new server. Shortly after an al-Jazeera staff
member gave up the information, the Web site suffered repeated hacks
that embarrassed the company and seriously impeded its online
Ethical hackers test against this vulnerability by performing
social engineering of their own to highlight what ruses the
client's personnel will fall for--and what it needs to educate
Trashing. This is another old hacker trick in which intruders comb
through the garbage of a target company in search of documents that
contain important IT data, such as access numbers and passwords. Not all
ethical hackers perform trash testing, which borders on breaking into
the client's facilities. Many firms choose to stick exclusively
with technology testing. Since some companies (such as financial
institutions) employ armed guards, trashing carries with it the
possibility of a tragic misunderstanding between the ethical hacker and
his or her client's security personnel. Those ethical hacking firms
that do "trash" their clients often use subcontractors for the
job and coordinate extensively with the client company so that security
guards do not mistake an intrusion test for something more sinister.
Security Does Not Come Cheap
The cost of ethical hacking varies widely depending on the services
provided. An Internet connection scan might take two weeks of work for a
team of one to two people, depending on the size of the client firm.
This alone can cost between $10,000 and $25,000. More involved intrusion
testing can cost much more, as can testing for a large organization.
Whether such costs are justified depends entirely on the financial
risks the client faces from electronic intruders, Skoudis says. A
company that maintains a Web connection so its workers can send files to
each other and maintain e-mail might not merit such elaborate testing,
since a major hack will probably only cause IT staff headaches. The
extra costs of this might match the expense of an ethical hacking that
could have helped prevent the attack, but this is uncommon.
Conversely, e-commerce companies can easily lose more than $25,000
in lost sales if their online presence is disturbed for as little as six
hours. In such cases, ethical hacking clearly is worth its cost.
There are also intangible factors to consider, such as business
reputation. In December 2000, for example, thieves stole thousands of
customers' credit card numbers from the online databases of
software retailer Egghead.com. According to industry analysts at the
time, the Egghead.com intrusion exemplified companies' widespread
lack of server security. Moreover, the company could not immediately
tell how many credit card numbers had been stolen, indicating that the
firm did not have a real-time auditing system in place. These
revelations embarrassed the already troubled firm, which went out of
business in late 2001.
Clearly, not every company that can be hacked will be, and those
that are will not necessarily go bankrupt. For firms that have a
substantial IT presence and much to lose from an intrusion, however,
ethical hacking might be the best way to prevent losses.
Ethical Hacking's Limitations
Ethical hacking is not a cure-all. "It tells you what the bad
guys will be able to see if they hack you," Skoudis explains.
"A penetration test can find some of those flaws in advance. Not
all, but some. It presents you with a realistic view of your
system's current vulnerabilities."
Ethical hacking shows what a firm's vulnerabilities are at the
moment the hack was executed. The next day, there might be new
vulnerabilities if the firm upgrades or modifies its system, or if a
hacker or researcher discovers a new kind of security hole to exploit.
In addition, an ethical hacker's assessment is only one
security expert's view of the situation. What constitutes a major
security risk to an ethical hacker might be a minor business risk to the
client. For an ethical hacking to be effective, the findings need to be
mapped to the client's business risks. The results need to be
integrated into an overall risk management program.
"Ethical hacking has, in the past, been the exclusive realm of
security geeks," Skoudis says. "But risk managers are taking
an increasing interest in it, and it is evolving into true risk
management rather than a laundry list of vulnerabilities."
A good example of this is a recent ethical hack Predictive
conducted for a midsized financial institution that allowed its
customers to transfer funds between various online accounts. During an
application test, Predictive discovered a flaw in the way in which users
were being tracked. If more than one user was logged in at the same
time, any of those users could access another user's account by
guessing the account number. The probability of making an accurate guess
was one in ten thousand, but a sophisticated hacker could design a
custom application that would crunch those numbers in minutes, so the
security risk was significant. Predictive learned that the client's
problem lay in the application's use of a "session identifier"
number, rather than a personal identification number, to track each
user, a small difference. Predictive pointed out the problem to its
client and helped it patch the hole.
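The flaw above, reconstructed as an added illustration (not Predictive's code or the client's application; the account numbers, balances and class names are constructed): a vulnerable service that tracks logged-in users by a small sequential session number and trusts whatever account number a request names, beside a hardened version that issues random session tokens and checks that the requested account belongs to the session's user.

```python
import secrets

# Constructed sample data: four-digit account numbers and their owners.
ACCOUNTS = {"1042": {"owner": "alice", "balance": 500},
            "7731": {"owner": "bob", "balance": 900}}


class VulnerableBank:
    """Tracks users by a predictable session number and never checks
    that the account named in a request belongs to that session's user."""
    def __init__(self):
        self.sessions = {}      # session number -> username
        self.next_session = 1   # sequential: easy to guess

    def login(self, user):
        sid = self.next_session
        self.next_session += 1
        self.sessions[sid] = user
        return sid

    def balance(self, sid, account_no):
        if sid not in self.sessions:
            return None
        # Flaw: any logged-in user can read any account by naming its number.
        return ACCOUNTS[account_no]["balance"]


class HardenedBank:
    """Random session tokens plus an ownership check on every account read."""
    def __init__(self):
        self.sessions = {}      # token -> username

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness
        self.sessions[sid] = user
        return sid

    def balance(self, sid, account_no):
        user = self.sessions.get(sid)
        acct = ACCOUNTS.get(account_no)
        if user is None or acct is None or acct["owner"] != user:
            return None     # authorization check: account must belong to caller
        return acct["balance"]


def cross_account_leak(bank):
    """Regression check a tester would keep: log in two users, have each
    request the other's account, and report whether either read succeeds."""
    alice_sid = bank.login("alice")
    bob_sid = bank.login("bob")
    return (bank.balance(alice_sid, "7731") is not None
            or bank.balance(bob_sid, "1042") is not None)
```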
Because the ethical hack caught the flaw in time in this
case, the client lost no money. That is perhaps the toughest thing for
ethical hackers, and risk managers, to live down when they must justify
the value of their services. "If you do your job perfectly,"
says Skoudis, "then you fix the problem before the bad guys know
it's there. But then you have no numbers to show for it."
After deciding to employ an ethical hacker, the next challenge is
deciding which company to hire. According to Edward Skoudis of
Predictive Systems, organizations should keep a few things in mind when
shopping for ethical hacking consultants:
* Honesty is the best policy. Some clients fear that ethical
hackers might be tempted to steal from them. This is rare. Most hackers
can make a better living hacking ethically than as a criminal. Great
skill and luck are needed to succeed as a criminal hacker, since it
is so easy to be detected and caught. For most, stealing from paying
clients is hardly worth jeopardizing an otherwise safe and lucrative
* Check references. Look for a firm that has been in business for a
while and has solid references, especially in your industry. The firm
you hire must speak your language, and map security risks to your
business risk. Some firms will not want to give references out of
respect for past clients' confidentiality, but if you press them,
they will usually provide some.
* Hiring practices. Look at a firm's hiring record, especially
with regard to hiring ex-convicts. Many ethical hackers have dabbled in
criminal hacking at one time or another, and undoubtedly some of them
have been prosecuted for it. It is up to you to make an ethical call on
whether or not to hire a convicted ethical hacker.
* Know what you want. It pays to decide beforehand the scope of
intrusion testing you require. If you search for firms through a
competitive bidding process, you will get multiple responses that will
be impossible to compare because they will offer different scopes of
service. Have your own services in mind to make an informed pricing
Bill Coffin is Risk Management Magazine's managing editor.