www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
28 July 2008  

Ethical Hacking

Challenging black hat hackers

Ethical hacking, also known as white hat hacking or penetration testing, is an important aspect of security auditing, writes Vinita Gupta

"It is virtually impossible to achieve a 100% foolproof defense and this is even truer when systems are complex. Making companies conscious of that is one of the functions of ethical hacking. It is the first step towards framing effective risk
management policies"

- Guillaume Lovet
EMEA Threat Response Leader, Fortinet

"Web threats have increased 1564% since 2005. Staying on top of system security is critical; it is really up to an organization as to how often it performs security audits, and each organization is different."

- Greg Boyle
Small and Medium Business Product Marketing Manager Asia Pacific Region, Trend Micro

In Sun Tzu’s The Art of War, the chapter on attack by stratagem shares this bit of wisdom—“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” It was true then, and it is especially true in today’s networked economy.

By partnering with companies that focus on new and emerging threats and lead the way in new forms of protection, organizations can deploy security to meet the challenges ahead, but they also need to understand their own weaknesses and take steps to fix them. Ethical hacking is a means to do just that: it is used to gain an in-depth knowledge of known and potential vulnerabilities or security gaps in an organization’s infrastructure. Earlier, this activity was primarily performed as part of audits by internal or external auditors. It has gradually become a task handled by expert ethical hackers.

An ethical hacker is hired by a company to attempt to break into its systems and networks. He scans the client’s networks for known vulnerabilities and then reports his findings, the security gaps, to the company. In most instances, a white hat hacker (white hat hackers are the good guys; hackers who have criminal intentions are known as black hat hackers) will also provide remediation services to fix any loopholes found.

Companies doing ethical hacking are generally security consultants with strong domain expertise. Sometimes, big companies have their own ethical hacking teams as well, historically referred to as the Red Team or the Tiger Team.

The need for ethical hacking

The motivation behind ethical hacking is to identify known and potential vulnerabilities and inform organizations of exploits in advance. Performing ethical hacking alone does not provide the assurance of being invulnerable; it takes a combination of security processes and user awareness to reduce human errors, adequate technology controls, and an organization’s readiness to respond to incidents to keep businesses from becoming soft targets. Ethical hacking can assure stakeholders about the security of their IT infrastructure when conducted by experts, mostly independent third parties specializing in this activity. It has become a critical area for companies operating in the BFSI, telecommunications, and IT/ITES verticals.

Venkateshwer Nippani, Senior Principal, Wipro Consulting Services, revealed that security is a moving target, with companies continuously evolving their security level. Security is no longer about products; it is about constantly aligning business processes to security objectives. Organizations that are stagnant in their approach towards security become vulnerable. With evolving technology platforms, fresh vulnerabilities are being found every day, leaving organizations vulnerable until they patch their applications and OSs for these vulnerabilities and change their approach towards proactive security.

“I do not like the term ethical hacking. Proactive Security Auditing is a much better term for this service,” said Greg Boyle, Small and Medium Business Product Marketing Manager Asia Pacific Region, Trend Micro. He added, “There is always a need to test your own defenses; it is up to an organization to determine what the best way to do this is. The Army runs drills to test their troops and law students do mock trials. It is also important to look at hacking from a non-technical perspective—social engineering is a major factor in corporate security.”

Let us be clear that it is not just banking Web sites that are at risk. In fact, due to the nature of banks and online banking, we can safely assume that banks employ a much more stringent level of security than other online businesses. However, one can never be too careful when sending personal and confidential information over the Internet, and it is largely up to an individual to ensure that he is protected while transacting with a third party.

Dominic K, Head-Global Operations, Orchidseven, mentioned that ethical hacking is needed to analyze and understand the hidden vulnerabilities and problems in an enterprise network. Everything, from ERP packages to network printers and from workstations to firewalls, should be tested for in-depth security. Sub-standard products and services present in the network should be identified, as they could lead to system downtime or compromise. Every enterprise, regardless of its size or revenue, should look into penetration testing for systems as well as network self-diagnostics and self-assessment.

Guillaume Lovet, EMEA Threat Response Leader, Fortinet, pointed out that all companies are potentially vulnerable to hacking; in computer security, it is virtually impossible to achieve a 100% defense, and this is all the more true when the systems involved are complex. Creating awareness among companies that they should be sensitive to security issues is an important function of ethical hacking. It is the first step towards framing effective risk management policies.

Tips for effective ethical hacking
  • Ethical hacking is a specialized activity. Unless performed by experts, it can result in the loss of confidential information and in system availability and integrity being compromised. Organizations should assess an ethical hacker’s qualifications, prior experience, and credentials before outsourcing an assignment.
  • The scope of engagement must be identified, as must the extent of exploitation to be performed. For organizations where system downtime is not acceptable, ethical hacking is limited to identification of specific exploits. Others choose to have their information systems brought down to evaluate the extent of an exploit.
  • Many organizations that are being hacked in spite of using ethical hacking services are overly dependent on products for security. While ethical hacking is primarily a technology driven exercise, it is important for organizations to substantiate it with adequate people and process level controls.
  • It is also important to ensure that system backups, together with the appropriate configuration files, are taken so that data can be restored should anything go wrong during an exercise.
  • Choose a trusted partner who has the company’s best interests at heart, develop a solid ongoing relationship with them, and do not treat it as a one-off service or tool.

When to hack

It is up to a company how often it conducts ethical hacking tests. A quarterly to annual frequency is common. Mature IT organizations are moving from a one-off exercise towards a regular quarterly ethical hacking schedule. This helps them to check configurations, patches and other aspects of system security regularly.

Raghu Raman, CEO, Mahindra Special Services Group said, “A company should go for ethical hacking at least once in a year and also when it is implementing a new technology, adding new partners or customers or making a major structural change.”

According to Nippani, organizations that have an established risk management approach and those who comply with standards such as ISO 27001 or PCI DSS are required to conduct such activities once or twice a year at the very least. He said, “Many organizations, typically in an outsourced environment, get ethical hacking exercises conducted by independent experts on a regular schedule to satisfy contractual obligations.”

“Web threats have increased 1,564% since 2005. Staying on top of system security is critical; it is really up to an organization as to how often it performs security audits, and each organization differs [in its approach],” added Boyle.

Common vulnerabilities
  • SQL Injection
  • Cross-Site Scripting
  • Cross-Site Request Forgery
  • Testing of open source applications
  • AJAX security
  • Web component security (includes .Net & J2EE)

Inside ethical hacking

Securing an organization is done through a layered approach of deploying optimal technology, incorporating security in business processes, and making employees aware of their responsibilities with regard to information security.

Raman explained the process of ethical hacking. According to him, there are two kinds of ethical hacking—controlled and free flow. In the former, the company being hacked decides the scope of the exercise. In the free-flow method, the company gives the ethical hacker complete freedom to conduct his tests and ferret out flaws. Here an ethical hacker does not ask for passwords; rather, he goes all out to break into the systems. There are three types of free-flow hacking, involving people, technology, and processes. In the process type, the white hat hacker taps into a process to demonstrate what could be done by someone with malicious intent. For instance, the ethical hacker gains access to an employee’s system to demonstrate to the organization that he could get all the information on it if he wanted.

Raman revealed that controlled hacking usually ends with a clean chit, with just a few flaws turning up here and there. Free-flow hacking is more credible than controlled hacking. Identifying a problem and going to its root cause so that the company ends up with a robust solution is what it is all about. Raman said, “We have over 100 clients, including Kotak Mahindra Group, Ranbaxy, Castrol, etc, who are using our services.”

Vulnerabilities come in many forms

With almost every company offering Web-based services such as portals and e-commerce, it is difficult to estimate the exact number of vulnerable sites. The type of vulnerability varies from case to case and with the type of infrastructure deployed.

According to Nippani, although most organizations are aware of known vulnerabilities through vendor notifications and apply patches and updates, human error and fresh vulnerabilities (zero-day exploits) remain a big challenge. Key security loopholes in recent times have been discovered to be of a hybrid nature, with exploited binaries being uploaded to Web servers and used to execute remote attacks.

“Any Web site is at risk from myriad potential threats. SQL Injection is used to gain access to database information and Web site source code; Cross-Site Scripting is used to deploy commands and malicious code or redirect visitors of a legitimate Web site to other pages, as was seen in the current US presidential elections, where candidates’ Web pages were redirected to their opposition,” revealed Boyle.

Vulnerabilities also include man-in-the-middle attacks, session hijacking and DDoS (distributed denial of service) attacks.

Going beyond tools

Ethical hacking cannot be done by tools alone. Although they are important for speeding up and automating repetitive tasks, tools cannot compensate for human knowledge and experience. It is important to understand the mindset of a hacker.

“Vast security knowledge is the key. There is no silver bullet or automated knowledge base. Companies must invest in the resources to stay on top of threats that are coming at us every day. Companies who do this sort of security testing part time or are not fully committed will not be able to keep up,” said Boyle.

Education is also of paramount importance. The weakest link is the user, so it is critical that organizations put in place a security policy and enforce it, as well as run regular educational sessions on how to stay safe online.

“The human factor is often neglected when building a line of defense, which is a major mistake, for the human employee has always been the weakest link. It was true back in Kevin Mitnick’s days, and still is today. Social engineering and manipulating people is the surest way to the heart of an enterprise,” stated Lovet.

Raman revealed that it is important for a company to look at holistic ethical hacking that checks not only the technology but also the people and processes. The sad part, however, is that most companies focus more on the technological aspect of ethical hacking and not on people and processes.

Hacking will always take place, as long as there are vulnerable systems and money to be made. However, the capabilities that ethical hackers bring are rich in terms of the knowledge and abilities required to understand trends and the mindset of hackers. This will ensure that organizations are safe and customers feel secure in transacting with such organizations.

vinita.gupta@expressindia.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.