It takes a thief: ethical hackers test your defenses.
Coffin, Bill
Name: Risk Management Publisher: Risk Management Society Publishing, Inc. Audience: Trade Format: Magazine/Journal Subject: Business; Human resources and labor relations; Insurance Copyright: COPYRIGHT 2003 Risk Management Society Publishing, Inc. ISSN: 0035-5593
Date: July, 2003 Source Volume: 50 Source Issue: 7

On Monday, somebody systematically called your firm's phone numbers until he found a forgotten but active modem and entered your system through it. On Wednesday, he scoured your Web site's firewall for cracks and slipped through them. On Friday, he called your switchboard and fooled a staff member into revealing a network login and password.

The only thing good about all of this is that at least you got your money's worth. You paid for these things to happen; you just employed ethical hacking, an unconventional service long used by companies to protect information technology assets from hostile cyber-intruders.

Companies hire ethical hackers to probe their own defenses for vulnerabilities by employing the same methods that hackers, thieves, vandals and spies would use. If they find any weaknesses, they report them to their clients and advise them on ways to eliminate those vulnerabilities, and increase enterprisewide IT security.

Ethical hacking is also called "penetration testing" and "intrusion testing" or "red teaming," a term used when the U.S. government began hacking its own systems in the 1970s. In the 1980s, telecommunications companies--a frequent target of budding cybervandals who could gain street credibility by messing with the local phone company--began using ethical hacking as well. Banks caught on in the 1990s, and later in that decade, most e-commerce firms depended on ethical hacking as a critical security measure, since a single interruption or intrusion could cause massive financial problems.

There are dozens of ethical hacking firms currently open for business, ranging from one-man freelance operations to large IT firms. According to Edward Skoudis, New York-based Predictive Systems' vice president of security strategy, ethical hacking has continued to grow as an industry despite the recent dot-com implosion. He notes that many other industries, such as general-purpose retailers, financial services firms, petroleum companies, the automobile industry and other heavy industrial manufacturers have begun employing ethical hackers as well.

Standard Services

What goes into an ethical hacking depends on the range of services required, the size of the client and how much that client is willing to pay. Typical services include:

External network hacking. This includes scanning the target's Web server, firewall and routers for vulnerabilities from an external source. This is the most commonly provided ethical hacking service.

Internal network hacking. This involves deploying a team to the target site, where they conduct penetration testing on the company's servers and routers, using its own equipment. This is a good test for defending against disgruntled employees, industrial saboteurs (although uncommon) or anyone else who might try to intrude upon a company's network from within.

Application testing. A growing arena for the ethical hacking industry, application testing is aimed specifically at clients who have developed their own software, such as custom Web-based voting and polling programs or online stores and payment programs. Just about any software that is not delivered shrink-wrapped falls under the custom application category. Comparatively, scanning Web servers for vulnerabilities is fairly easy since they are all relatively uniform. When scanning custom applications, however, the ethical hacker must reverse engineer the program and analyze every line of code.

Wireless LAN assessment. This is another increasingly common service because many firms employ wireless networks within their facilities. Such networks enable laptop users to move their computers from office to office while remaining connected to the local network. The downside is passersby outside the facility can use that same wireless technology to log in to the company's network without the company knowing it. The most common way to perform a wireless LAN assessment is to conduct "war driving"--physically traveling around the target facility in search of wireless access points.

War dialing. This is an old hacking technique where a hacker breaks into a network by calling phone numbers in the hopes of hitting an unsecured modem the target has accidentally left active or forgotten. Automated programs enable hackers to dial thousands of numbers in a matter of moments. The technique almost always works and is one of the tests ethical hackers run that usually turns up an intrusion alert.

When an open modem is detected, it is disconnected or secured to eliminate the threat it poses. Another method for blocking war dialing, used by the U.S. government, is erecting a PBX firewall on the network.

Social engineering. Like war dialing, social engineering is a simple but effective technique. An intruder calls someone within the target company and convinces him or her to give up sensitive IT information over the phone. This is what happened when hackers recently vandalized the Web site of al-Jazeera, the Arabic news network. After calling al-Jazeera's registrar and impersonating IT professionals, they requested the company's Web hosting information so they could redirect the site to a new server. Shortly after an al-Jazeera staff member gave up the information, the Web site suffered repeated hacks that embarrassed the company and seriously impeded its online operations.

Ethical hackers test against this vulnerability by performing social engineering of their own to highlight what ruses the client's personnel will fall for--and what it needs to educate itself against.

Trashing. This is another old hacker trick in which intruders comb through the garbage of a target company in search of documents that contain important IT data, such as access numbers and passwords. Not all ethical hackers perform trash testing, which borders on breaking into the client's facilities. Many firms choose to stick exclusively with technology testing. Since some companies (such as financial institutions) employ armed guards, trashing carries with it the possibility of a tragic misunderstanding between the ethical hacker and his or her client's security personnel. Those ethical hacking firms that do "trash" their clients often use subcontractors for the job and coordinate extensively with the client company so that security guards do not mistake an intrusion test for something more sinister.

Security Does Not Come Cheap

The cost of ethical hacking varies widely depending on the services provided. An Internet connection scan might take two weeks of work for a team of one to two people, depending on the size of the client firm. This alone can cost between $10,000 and $25,000. More involved intrusion testing can cost much more, as can testing for a large organization.

Whether such costs are justified depends entirely on the financial risks the client faces from electronic intruders, Skoudis says. A company that maintains a Web connection so its workers can send files to each other and maintain e-mail might not merit such elaborate testing, since a major hack will probably only cause IT staff headaches. The extra costs of this might match the expense of an ethical hacking that could have helped prevent the attack, but this is uncommon.

Conversely, e-commerce companies can easily lose more than $25,000 in lost sales if their online presence is disturbed for as little as six hours. In such cases, ethical hacking clearly is worth its cost.

There are also intangible factors to consider, such as business reputation. In December 2000, for example, thieves stole thousands of customers' credit card numbers from the online databases of a software retailer. According to industry analysts at the time, the intrusion exemplified companies' widespread lack of server security. Moreover, the company could not immediately tell how many credit card numbers had been stolen, indicating that the firm did not have a real-time auditing system in place. These revelations embarrassed the already troubled firm, which went out of business in late 2001.

Clearly, not every company that can be hacked will be, and those that are will not necessarily go bankrupt. For firms that have a substantial IT presence and much to lose from an intrusion, however, ethical hacking might be the best way to prevent losses.

Ethical Hacking's Limitations

Ethical hacking is not a cure-all. "It tells you what the bad guys will be able to see if they hack you," Skoudis explains. "A penetration test can find some of those flaws in advance. Not all, but some. It presents you with a realistic view of your system's current vulnerabilities."

Ethical hacking shows what a firm's vulnerabilities are at the moment the hack was executed. The next day, there might be new vulnerabilities if the firm upgrades or modifies its system, or if a hacker or researcher discovers a new kind of security hole to exploit.

In addition, an ethical hacker's assessment is only one security expert's view of the situation. What constitutes a major security risk to an ethical hacker might be a minor business risk to the client. For an ethical hacking to be effective, the findings need to be mapped to the client's business risks. The results need to be integrated into an overall risk management program.

"Ethical hacking has, in the past, been the exclusive realm of security geeks," Skoudis says. "But risk managers are taking an increasing interest in it, and it is evolving into true risk management rather than a laundry list of vulnerabilities."

A good example of this is a recent ethical hack Predictive consulted for a midsized financial institution that allowed its customers to transfer funds between various online accounts. During an application test, Predictive discovered a flaw in the way in which users were being tracked. If more than one user was logged in at the same time, any of those users could access another user's account by guessing the account number. The probability of making an accurate guess was one in ten thousand, but a sophisticated hacker could design a custom application that would crunch those numbers in minutes, so the security risk was significant. Predictive learned that the client's problem lay in the application tracking users by a "session identifier" number rather than by a personal identification number for each user, a small difference. Predictive pointed out the problem to its client and helped it patch the hole.
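The session-identifier flaw described above, modelled as an added Python example (not Predictive's code or the client's application): a sequential id drawn from only 10,000 values lets a logged-in user reach a neighbouring session, while a random token plus a failed-lookup counter removes the guessability and makes a guessing run visible to the defender. The 256-bit token length, the 20-miss alert threshold, the usernames and the client address 198.51.100.7 are all assumptions constructed for the example.

```python
import secrets
from collections import Counter

# Constructed sample data for a hypothetical online-banking application.
USERS = {"alice": "acct-1001", "bob": "acct-2002"}

class VulnerableSessionStore:
    """Models the flaw in the article: sessions are numbered from a pool of
    only 10,000 values, so a logged-in user can guess a neighbour's id."""
    def __init__(self):
        self._next = 0
        self._sessions = {}            # session number -> username
    def login(self, user):
        self._next = (self._next + 1) % 10_000   # sequential, tiny id space
        self._sessions[self._next] = user
        return self._next
    def account_for(self, session_id):
        # Trusts whatever id the client presents; nothing ties it to the caller.
        user = self._sessions.get(session_id)
        return USERS[user] if user else None

class HardenedSessionStore:
    """Unguessable identifiers plus detection of id-guessing attempts."""
    MAX_BAD_LOOKUPS = 20   # assumed threshold; tune per application
    def __init__(self):
        self._sessions = {}
        self.bad_lookups = Counter()   # client address -> invalid-token count
        self.alerts = []
    def login(self, user):
        token = secrets.token_urlsafe(32)   # 256 random bits per session
        self._sessions[token] = user
        return token
    def account_for(self, token, client_ip):
        user = self._sessions.get(token)
        if user is None:
            self.bad_lookups[client_ip] += 1
            if self.bad_lookups[client_ip] == self.MAX_BAD_LOOKUPS:
                self.alerts.append(f"session-guessing suspected from {client_ip}")
            return None
        return USERS[user]

def demo():
    vuln = VulnerableSessionStore()
    alice_id = vuln.login("alice")
    vuln.login("bob")
    leaked = vuln.account_for(alice_id + 1)   # Alice's id + 1 is Bob's live session
    hard = HardenedSessionStore()
    hard.login("alice"); hard.login("bob")
    # Twenty-five blind guesses from one address: no hits, one alert raised.
    misses = [hard.account_for(secrets.token_urlsafe(32), "198.51.100.7") for _ in range(25)]
    return leaked, all(m is None for m in misses), hard.alerts
```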

Because of the timely intervention of the ethical hacking in this case, the client lost no money. That is perhaps the toughest thing for ethical hackers, and risk managers, to live down when they must justify the value of their services. "If you do your job perfectly," says Skoudis, "then you fix the problem before the bad guys know it's there. But then you have no numbers to show for it."

Hackers Wanted

After deciding to employ an ethical hacker, the next challenge is deciding which company to hire. According to Edward Skoudis of Predictive Systems, organizations should keep a few things in mind when shopping for ethical hacking consultants:

* Honesty is the best policy. Some clients fear that ethical hackers might be tempted to steal from them. This is rare. Most hackers can make a better living hacking ethically than as a criminal. Great skill and luck is needed to successfully be a criminal hacker since it is so easy to be detected and caught. For most, stealing from paying clients is hardly worth jeopardizing an otherwise safe and lucrative career.

* Check references. Look for a firm that has been in business for a while and has solid references, especially in your industry. The firm you hire must speak your language, and map security risks to your business risk. Some firms will not want to give references out of respect for past clients' confidentiality, but if you press them, they will usually provide some.

* Hiring practices. Look at a firm's hiring record, especially with regard to hiring ex-convicts. Many ethical hackers have dabbled in criminal hacking at one time or another, and undoubtedly some of them have been prosecuted for it. It is up to you to make an ethical call on whether or not to hire a convicted ethical hacker.

* Know what you want. It pays to decide beforehand the scope of intrusion testing you require. If you search for firms through a competitive bidding process, you will get multiple responses that will be impossible to compare because they will offer different scopes of service. Have your own services in mind to make an informed pricing decision.

Bill Coffin is Risk Management Magazine's managing editor.
Copyright 2003 Gale, Cengage Learning. All rights reserved.