The use of ethical hackers to test for security vulnerabilities is as old as the IT hills. But, unless there are clear goals outlining why and to what extent your organization is engaging them, the outcome could be useless information — or worse.
On the surface, ethical hacking sounds like a pretty straightforward process: You hire somebody to break into your network or application or Web servers, and report what they find. But this simple description, which does adequately explain the basic principal, masks a process that requires a great deal more thought.
Unless you first know what it is you are looking for and why you are hiring an outside vendor to hack your systems in the first place, chances are you won’t get much out of the experience, said Arian Evan, a senior security engineer at FishNet Security. Sure, you will find out your network needs to be patched or there are X number of security holes, but if that information is not relatable back to the business in some form, it’s pretty much useless.
“If you just want numbers, any of us can run a scan and give you results,” agreed Paul Klahn, FishNet’s director of assessment services.
Beyond the Numbers
To get the most from a test, putting results into a business context is imperative, said Klahn. Which holes are truly a security threat? How deep into the network can a hacker get via one of these holes? Which should be patched first?
Security holes can even be a necessary part of your infrastructure, allowing you to do business with partners, for example, so closing them up for security reasons may cause more headaches than the vulnerability. Your contractor should be able to appreciate this nuance.
Invariably, threats will be found, said Albert Decker, executive director of EDS’s Security and Privacy services, and a former ethical hacker with 25 years in the business and a 99% success rate at getting around corporate security.
“It became roughly the equivalent of ‘Can you throw this brick through a window?’ and the answer is, invariably, unless you miss the window, it will break the glass,” Decker said, commenting on his days as a hacker.
Because not much has changed since Decker was actually scanning code, the firm you hire should be able to provide you with a threat assessment and articulate remedies that take into account business needs. And, even then, the hack should be part of a larger security audit that looks at known vulnerabilities while comparing your IT governance policies and procedures against industry best practices.
The reason for this, said Jim Goddard, an ethical hacker at IBM, is simple: If you just hire a hack and do nothing else, on the day it’s complete, you are no more secure than the day before the hack began. This is because hacking provides just a snapshot of your overall security. Yes, it can provide confirmation your security is good or expose unknown threats, but it can’t tell you what those threats will be tomorrow. One configuration change and much of the hacker’s work can be negated, agreed Decker.
“The use of hackers is essentially a point-in-time test for a continuous problem,” said Decker. “It’s only giving you one very narrow slice of your environment which could change, literally, the second after the test is completed.”
There are four basic kinds of hacks you can have done, said Goddard:
- IP Hack: You hire someone to hack a specific IP address, giving them little or no information beforehand (Be careful if the IP address is an overseas server. You don’t want hackers hacking the wrong IP address, like a foreign government’s computers, causing an international incident.);
- Application Hack: A much more sophisticated hack that can delve deep into databases and down production servers. Only experienced hackers, with strict guidelines governing their actions, should be allowed to perform such tests. Never hire a “reformed” black-hat hacker for this type of test;
- Physical Infrastructure Hack: This is where people try to get into your facilities to access your systems or go dumpster diving looking for confidential information such as passwords discarded on sticky notes; and
- Wireless Hack: War-driving is the new term to describe this type of attack where wireless access points are exploited from the back of a van. Ethical hackers do the same thing, but report their findings back to you instead of stealing your passwords. Have them check out your teleworkers as well to see if home offices are a source of entry to your network.
For any of these tests, a reputable firm with clearly defined methodologies should be hired, cautioned Goddard. If a company can’t tell you exactly how it conducts its business, move on. And never hire former hackers to do the work on the cheap. They may not be as reformed as they say and could leave back doors behind or worse, he said.
Scope & Limits
Once a vendor is selected (never use the RFP process for this type of work, cautions Evans, interview prospective companies), it is very important to outline and define the scope of the project — you don’t want the hacker deciding where to start and stop an attack. Delegate a point person with decision-making authority the hackers can contact day or night if problems arises and authority to continue is required.
But, perhaps most importantly, know what you are looking to get from the experience. Too often, said Decker, companies conduct these tests and feel they are secure. This is not the case. Ethical hacking is just another tool, not a panacea. If viewed as such, it will fall into its proper place alongside other security tools. If not, it can leave you far more exposed through either false feelings of security or outright damage to your systems.
“There’s many, many different things we can do on a network that fall in or around ‘ethical’ hacking,” said FishNet’s Evans, ” … but, without that business case, its very hard to help the client make decisions about what technology services and perspectives they need.”