Thursday, February 17, 2011
“GUIDE TO ETHICAL HACKING”
What is Ethical Hacking?
¨ Ethical hacking (EH) is the process of having authorized individuals exercise the security of a target.
¨ An ethical hacker is someone who has permission to exercise the security of a target.
Key Features of Ethical Hacking 1
¨ EH has some distinct features when compared to routine security / vulnerability scans.
¨ Vulnerability / Security scanning is:-
o Highly or completely automated
o The goal is to find as many security flaws as possible.
Key Features of Ethical Hacking 2
¨ EH focuses on an objective;-
o How far can the “attacker” go?
o Can you get to system X or data Y?
¨ A vulnerability scan could be a sub-set of EH (if desired).
o Step 1: Find a weakness.
o Step 2: Exploit it to get additional access
o Step 3: Repeat the process until objective reached (e.g. access to critical data or system)
Key Features of Ethical Hacking 3
¨ EH will typically exploit the security flaws in order to gain access to data or another system
¨ This eliminates falsepositives by validating the flaw.
o A security scanner can have many false-positives
Ethical Hacking Example 1
¨ Scan the web server
o Locates a buffer overflow (flaw #1)
o Exploiting flaw #1 results in an account on the web server
¨ (From web server) Scan the database behind firewall (web and DB trusted each other, firewall allowed traffic)
¨ Find weakness in DB (flaw #2)
o Exploiting flaw #2 results in retrieving the DB password
o The password is cracked
o DB user/password is the same as the firewall
¨Firewall is compromised; custom rule allows EH team to pass any traffic through
Ethical Hacking Example 2
¨ typical vulnerability scan would have stopped at step 1
o Flaw #1 on the web server
¨ Therefore the true extent of the risk would not have been known.
¨ Also, the DB flaw would have gone unnoticed (unless an
Internal scan was also performed)
Ethical Hacking Pros & Cons
– Find true level of exposure, not just the surface
– Disruption potential
• Exploiting flaws in production?!?
– Higher skill set needed
– Other issues may be ignored due to time limits
A Note about Terminology
¨ What one person calls “ethical hacking”, another person will call “security testing” or a “vulnerability assessment”.
¨ The key is to define the objective and the rules of engagement.
¨ Example: Maybe you only want exploitation of flaws performed on a case-by-case basis (i.e. approval required) rather than a no-holds-barred approach.
Why use Ethical Hacking?
¨ Provides proof of insecurities
¨ Helps expose the true risk of flaws found
¨ The process of using EH is generally accepted best practice; therefore it…
¨ Demonstrates due care in maintaining a secure environment
¨ Alternatively, NOT using EH could be grounds to suspect a lack of due care
Limitations of Ethical Hacking
¨ Only a snap-shot in time
¨ Only a small part of a larger security program
o Security requirements during design phase is the most important
o Code reviews are great
¨ Cannot prove the system is secure, EH can only prove the
system is not secure (by failing the audit)
EH will only find a subset of flaws, where a code review could find others.
Who should perform the work? External
¨ Most organizations use a trusted third party
– Core competency
• Cost effective; better results
– Neutral party
• Unbiased results
– Extra layer of due care
– “3rd party” required by
• Maybe that could be a separate internal group?
• Idea of a true 3rd party seems best
Who should perform the work? Internal
¨ Internal resources are useful if you can afford them.
¨ Typically seen for high-security situations: Financial & Military
¨ Great resource for development
- check the security bugs early and save money
– Beware of developer turn over – bad security habits will return as senior
developers get promoted and junior ones take their place
How often should EH be used?
¨ At least once a year (like financial audits) by a 3rd Party
¨ Internal tests can be conducted as often as practical; typically after a major revision
When in the lifecycle should you use EH?
¨ At the very least you should test before going into production
– Reality shows this is not the most common scenario
¨ Ideally do some testing during development
– Limited testing of common issues
¨ Thorough testing after the system/application is stable (i.e. after UAT if possible)
¨ TIP: Plan on sufficient lead time to FIX the problems found. Don’t test
the night before going live!
Shopping for EH - Things to Look for 1
¨ STEP #1: Get a mutual NDA signed before talking to outsiders (CYA).
¨ Background check of company. Lawsuits?
¨ Verify the background check of the specific EH team members
– Don’t simply accept a verbal pass from the EH company.
¨ Does background check mean criminal and financial? Maybe it
¨ Read the liability release form (get out of jail free)- or write your own.
Shopping for EH - Things to Look for 2
¨ Are they incorporated, and where?
¨ E&O insurance? How much?
¨ Perform a site visit; reserve the right for future visits
¨ Vendor neutral
– Beware of up sell.
¨ Separation of duties - design vs. test
Shopping for EH - Beware of “Proprietary”
¨ If an EH provider will not let you observe their work in progress because it is a “proprietary” methodology then something is not right
¨ The methodology might have four parts:
– Point, Click, Print, and Invoice
Shopping for EH - Bait & Switch
¨ Beware of bait & switch
– Senior consultant is brought out for pre-sales meetings or the kick-off,
– but then the actual work is done primarily by a junior staff member.
Black Hats Need Not Apply - The Trust Factor
¨ Can ex-black hats be trusted?
– Yes, they can be trusted…
– to cut your lawn perhaps.
– But there is no good reason you have to trust them with your data
– You have a legal obligation of due care
¨ The person does not need to be a convicted criminal - you can decline
to use them for any cause of concern
– As long as it is not prohibited by law (discrimination based on race, gender, etc)
¨ When in doubt you should take the safer path.
¨ With EH - trust is everything.
Beware of companies with staff members that brag about being “black hats” or ex-hackers. Most companies will deny that they hire people with prior computer related convictions. Many companies will insist they do background checks. But do they really? Ask to see the results of the background checks. While everybody deserves a second chance in life, you have to ask yourself, “Are you willing to give them that second chance while they have access to your company’s most sensitive data?”
Mr. Rootkit Story
A security consultant was hired to verify and maintain a secure OS configuration on a firewall system. He decided to install a rootkit to allow himself remote administration of the system - to make his job easier. The customer found out and was less than happy.
The Risks of Ethical Hacking
¨ We will discuss mitigating these risks next
– Service disruptions
– False sense of security
– EH results fall into the wrong hands
Safety Measures after Testing - Protect the Output
¨ The output (scanner files, the report) is sensitive
– Use existing information classifications (e.g. confidential, private, “DO NOT COPY OR FORWARD, etc)
– Limit distribution of results
¨ Customize the level of detail based on the need to know
– Be sure tool output is not webified (Google Hacking)
– Encrypt the raw files and secure on CD-R
– Printed with local non-networked printer
¨ Not a public copy shop! Have you seen the people that work in those places at 2 AM?!?
¨ I like PDFs: strong crypto, restricts read access, prevents changes, prevents copy & paste, and/or printing if desired
Customized versions and distribution
Everybody does not need the entire report; just the parts that pertain to them
E.g. Each department or system owner would get recommendations for their own
Perhaps explicit “how to exploit” details (if any) should be removed for some staff
E.g. Instead of saying, “System X can be hacked using technique Z.”, you can
say, “System X needs patch Y.”
Security paper can help prevent copying by exposing hidden text when this type
of paper is copied or scanned. This will alert the person to the fact that
unauthorized duplication of the document is not permitted.
In my experience this is rarely done, but is something to consider for very
Safety Measures to Consider During Testing
¨ Throttle scans (do not flood)
¨ Monitor systems
– Remotely for uptime
– Locally for CPU load
¨ Back-up sensitive systems in case of crash with data loss
¨ Sys admins on standby (for reboot or trouble shooting)
¨ During Non-critical times
¨ Use the Disaster Recovery / Staging / Testing environment instead of
¨ See “Shopping for EH” for additional considerations with outsourced EH
Using Ethical Hacking for Your 3rd Party Service Providers - Remote System
¨ If you are not hosting thesystem then the easiest way seems to contract with your provider (e.g. ASP) and have them hire a mutually agreed
upon 3rd party.
¨ Contract states that you get a copy of the report.
¨ NDA will be required from you to safeguard sensitive information about the 3rd party
¨ Try to get them to pay for the
¨ EH (since they benefit)
Using Ethical Hacking for Your 3rd Party Service Providers - Local System
¨ If you are hosting the system / software; and it is not tied to 3rd
party system or data, then MAYBE you can simply do it yourself
¨ Check with legal counsel – some software vendors have restrictions in their licenses (e.g. first born child)
¨ Try to split the cost in exchange for a copy of the report
¨ Make them promise to fix high-risk issues by the next release (this is where being a big customer helps).
¨ Consider NDA and/or sanitized report to protect your sensitive information
If you are hosting the system / software; and it is not tied to 3rd party system or
data, then MAYBE you can simply do it yourself
Check with legal counsel - some software vendors have clauses in their licenses
“Though shalt not reverse engineer.”
EH does not have to involve reverse engineering
Still, it is best to double check license restrictions
Try to get vendor to split the cost in exchange for a copy of the report
Make them promise to fix high-risk issues by the next release (this is where being
a big customer helps)..
NDA will be required from them to safeguard your sensitive information in the
shared report (or give them a sanitized version)
EH Recommendations - QA & Training
¨ Observe the EH team in action (at least for the first assessment). This provides:
– Quality Assurance - see what you are getting
– Knowledge Transfer - insist on knowledge sharing to help improve your internal resources (e.g. IT auditors)
o Two objectives (security test & training) in one expense
o NOTE: This will slow things down a bit as time is taken to explain actions and results.
EH Recommendation - Rotate Your Service Providers
¨ Rotate between two or three providers
¨ Avoids tunnel vision
¨ Allows you to compare providers for quality assurance purposes
¨ Think bandwidth: Established relationships with multiple EH providers helps with sudden man-power issues
o E.g. You just inherited a new group and there apps have never been tested.
Game Plan / Recommendations
¨ Prioritize your systems / services by importance
¨ Begin with preliminary “scan” via internal resources if possible
¨ Use a 3rd party once a year; of after a “major” revision
–Major revision should at least include changes in security functions/features.
Does changing your authentication scheme constitute a major revision? Probably
¨ US financial institutions are “strongly recommended” to implement dualfactor authentication by Dec 31, 2006
– Something the consumer has, such as hardware tokens or smart cards, as well as something the consumer knows, such as passwords or birth dates.
¨ “Banks have been directed to conduct a risk assessment process, including identification of all transactions and access levels associated with Internet-based transactions, and to assess authentication methodologies.”
¨ See http://tinyurl.com/bnecb
http://tinyurl.com/bnecb points to the news story at
“Feds Order Banks To Strengthen Online Authentication” slide 32