The Benefits of Ethical Hacking

Abstract

The wide growth of the Internet has brought good things to the modern societies such as easy access to online stores, electronic commerce, emails, and new avenues of information distribution and advertising. As with most technological advances, there is always a dark side: the criminal hackers where they represent a threat to these information avenues.

Despite the fact that companies, governments, and individuals around the world are anxious to be a part of such revolution, there are always a fear of hackers who will break into their web servers and steal their data and sensitive information. With these concerns and others, the ethical hacker can help eliminate such fear, and introduce different solutions to these problems.

Introduction

With the fast growth of the Internet technologies, computer security has become a major concern for governments and business where the possibility of being hacked is proportional to the security implemented in their infrastructure. In addition to the above concern, the potential customers of the services provided by these entities are worried about maintaining control of their personal information that can vary from social security numbers, to credit card numbers to home addresses.

In an effort to find a proper approach to the problem, organizations came to realize that on of the best solution to the problem is to evaluate the intruder threat where computer security professionals can be hired to attempt to break into their computer systems. Such approach is similar to having independent auditors to verify an organization’s bookkeeping records. With the same concept, professional security team “We call them ethical hackers” will employ the same tools and techniques used by intruders to investigate the security gaps, and vulnerabilities without damaging the target systems or steal information. Once such process is complete, the security team will report back to the owners with the vulnerabilities they found and instructions on how to eliminate such security gaps.

What is Ethical Hacking do?

Professional ethical hackers possess a variety of skills and must be completely trustworthy since while testing the client’s systems security they may discover information about their clients that should remain secrets. The publication of such information could lead to real intruders to break into the clients’ systems and in most cases lead to financial losses. Ethical hackers must be trusted to exercise tight control over any information that might be a target of misused by intruders. Due to the sensitivity of the information gathered during the evaluation of the vulnerable systems, strong measures are required to be taken into considerations to ensure that the security of the systems being employed by the ethical hackers are intact.

During the evaluation of a system’s security, the ethical hackers seek the answers to some of the following questions:

  • What can an intruder see on the target systems?
  • What can an intruder do with the information captured?
  • What is organization trying to protect?
  • How much effort, time, and money are an organization is willing to expend to obtain adequate protection?

Once the answers to the above questioned were determined, a security evaluation plan is drawn up by the ethical hackers where it can identify the system to be tested, how such systems will be tested, and determining any limitations implemented in the testing plan.

In a society so dependent on computers and networks, breaking through somebody’s systems is considered anti-social behaviours, and as such organizations and business investing the best they can to have the best security in place to protect their interests and their information. However, with the best security and best security policy in place, a break-in still occurs by determined hackers. The only solution for organizations and businesses to avoid such problem could lie in the form of ethical hackers where such group get paid to hack into supposedly secure networks and expose flaws.

It is important to point out that unlike security consultants where they carry out specific tests to check out vulnerabilities, the hacking done by an ethical hacker is real test to such security vulnerabilities through similar deployment of tools and attacks used by intruders. No matter how layered and extensive the security architecture is constructed within any organization’s infrastructure, the potential for external intrusion still unknown until its defences are realistically tested.

Despite the fact that most organizations usually hire security specialists to protect their domains, the fact remains that security breaches happen due to the lack of knowledge about the organization’s systems, and its potential vulnerabilities. The solution to solve such vulnerabilities is for organizations to hire ethical hackers where they can test and determine such vulnerabilities through different ways of breaking into the systems and presenting the right solutions for such organizations to eliminate the existing security gaps within their security infrastructure.

Ethical Hacking – Penetration Test

Penetration testing (also called pen testing) is the practice of testing web applications, computer systems, and network to find vulnerabilities that any intruder may exploit. Such test can be automated with software applications or can be performed manually. In either way, the process encompasses gathering information about the target system, identifying possible entry points, attempting to break in (either for real or virtual) and reporting back such findings to the client. The main objective of penetration testing is to determine security weaknesses, and also testing how an organization’s security policy compliant with standard security guidelines.  

Some clients insist that as soon as the ethical hackers gain access to their network or to one of their systems, the evaluation should halt, and the client should be notified. Such short of ruling should be discouraged since it prevents the client from learning more about what ethical hackers might discover more about their systems vulnerabilities, and other issues that might harm their systems. The timing of such evaluation also might be important to the client where the client may request that such test be conducted within specific hours to avoid affecting networks, and systems during regular working hours. While such request and restriction might not be recommended it represents a certain percentage of accuracy since most intruders do attack outside of the local regular working hours. However, attacks done during regulate working hours may be easily hidden since most of the alerts from intrusion detection system may even be disabled or less carefully monitored during the working hours of the day.

Organizations and companies should allow enough time for the penetration test to be done properly since last minute evaluations are of little use, and the implementation of corrections for discovered security problems might take more time than is available, and may introduce new system problems. In order for the client to receive a valid evaluation, the client must be cautioned to limit prior knowledge of the test as much as possible for ethical hacker to run a real live test. Having such knowledge known to the organization’s employees will make the hacking process unreal since client’s employee will be running ahead of the ethical hackers locking doors and windows. Having a limited number of people at the target organization who know of the impending evaluation, it becomes possible for the evaluation to reflect the organization’s actual security exposure to the outside world.

Once the contractual agreement with ethical hackers is in place, the testing may start as defined in the agreement. It’s important to point out that penetration test itself poses some risks to the client networks and systems, since criminal hackers might monitor the transmissions of the ethical hackers and learn the same information about the client during such test. In such case, if the ethical hackers identify weakness in the client’s security, the criminal hackers could potentially attempt to exploit such vulnerabilities, and as such; implementing the best approach to avoid such dilemma is very important. One of these approaches is for ethical hackers to maintain several addresses around the Internet from which the transmission will emanate and to switch origin addresses often. A complete log of the test performed by the ethical hackers is always a good idea to be maintained for the final report, and also to identify any unusual event that might happen during the test. In many cases, additional intrusion monitoring software can be deployed at the target to ensure that all the testes are coming from the ethical hacker’s machines.

The line between criminal hacking and computer virus writing is becoming increasingly blurred, and as such; many clients request from ethical hackers to perform testing to determine the client’s vulnerabilities to web-based virus and email. However, it is far better for the client to deploy strong antivirus software, to keep it up to date, and implement a clear and simple policy within an organization to report any incidents.       

There are several kinds of testing that can be done during the penetration test, and any combination of the following may be called for:

  • Remote network – This test simulate the intruder launching an attack across the Internet. The primary defences that must be defeated are filtering routers, firewalls, and web servers.
  • Remote dial-up network – This test simulates the intruder launching an attack against the client’s modem pools. The primary defences that must be defeated are the user authentication schemes.
  • Local network – This test simulates authorized person has a legal connection to the organization’s network. The primary defences that must be defeated are internal web servers, Intranet firewalls, server security measures and e-mail systems.
  • Stolen laptop computer – This test makes use of the laptop computer of a key employee within the organization. The test will examine the computer for passwords stored in dial-up software corporate information assets, and personal information.
  • Social engineering – This test will evaluate the target organization’s staff as to whether it would leak information to someone. In such test, the ethical hacker will be calling the organization’s computer help line and asking for the external telephone numbers of the modem pool. Defending against such attack is hard, because people and personalities are involved.  
  • Physical entry – This test examine the physical penetration of the organization’s building. Security guards or police could become involved if the ethical hackers fail to avoid detection.

Penetration test usually have strategies, and such strategy include the following:

  • Target testing – Such test is performed by the penetration testing team (Ethical hackers) in coordination with the organization’s IT team. It is sometimes referred to as a “light-turned-on” approach since everyone can see the test being carried out. 
  • External testing – This type of pen test targets a company’s external visible servers or devices including web servers, firewalls, domain name servers (DNS), or email servers. The objective of such test is to find out if outside attackers can get in, and how far they can get in and gain access.
  • Internal testing – this test mimics an inside attack behind the firewall by an authorized user with standard access privileges. Such test is useful for estimating how much damage a disgruntled employee could cause.
  • Blind testing – Such test simulates the procedures and actions of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand.
  • Double blind testing – Such test is conducted while one to two people within the organization might be aware of the test. The test can be useful for testing an organization’s security monitoring and incident identification as well as its response procedures.

The Final Penetration Report

The final report represents a collection of all of the ethical hacker’s discoveries as the result of the penetration test evaluation. Vulnerabilities found during such test are explained, and the steps to avoid such vulnerabilities were specified through specific procedures to close any security gaps discovered during such process. The report also offers advices on how to raise awareness, and advice on how to close the vulnerabilities and keep them closed. The report is considered to be a very sensitive issue since such vulnerabilities found and stated in such report if it fell into the wrong hands might be used against the company’s vulnerabilities to gain access to sensitive information within the company networks.

The ethical hackers would have an ongoing responsibility to ensure the safety of any information they retain, and as such; in most cases all information related to the work is destroyed at the end of the contract. 

Conclusion

The idea of testing the security of a system by trying to break into it is not a new idea such test were done long time ago by many automobile companies during the crash-testing cars to identify the weakest points of their products. From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures without a firm requirement for security. It is imperative for organization to execute regular auditing, implementing vigilant intrusion detection and inherent a good system administration practices, and computer security awareness that can guarantee business continuity and success. A single failure in any of these areas could very well expose an organization to cyber-vandalism, and loss of revenue and client’s information. While ethical hackers can help clients better understand their security needs, it is up to the clients to keep their guards in place.

Advertisements

1 Comment »

  1. 1

    My brother recommended I might like this blog.
    He was entirely right. This post actually made my day. You can not imagine just how much time I had spent for this information!
    Thanks!


RSS Feed for this entry

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: