SlideShare uma empresa Scribd logo
1 de 12
Baixar para ler offline
Ethical hacking

                                                              by C. C. Palmer




The explosive growth of the Internet has brought              scribe the rapid crafting of a new program or the
many good things: electronic commerce, easy                   making of changes to existing, usually complicated
access to vast stores of reference material,
collaborative computing, e-mail, and new                      software.
avenues for advertising and information
distribution, to name a few. As with most                     As computers became increasingly available at uni-
technological advances, there is also a dark side:            versities, user communities began to extend beyond
criminal hackers. Governments, companies, and                 researchers in engineering or computer science to
private citizens around the world are anxious to
be a part of this revolution, but they are afraid             other individuals who viewed the computer as a cu-
that some hacker will break into their Web server             riously flexible tool. Whether they programmed the
and replace their logo with pornography, read                 computers to play games, draw pictures, or to help
their e-mail, steal their credit card number from             them with the more mundane aspects of their daily
an on-line shopping site, or implant software that
will secretly transmit their organization’s secrets           work, once computers were available for use, there
to the open Internet. With these concerns and                 was never a lack of individuals wanting to use them.
others, the ethical hacker can help. This paper
describes ethical hackers: their skills, their                Because of this increasing popularity of computers
attitudes, and how they go about helping their                and their continued high cost, access to them was
customers find and plug up security holes. The
ethical hacking process is explained, along with              usually restricted. When refused access to the com-
many of the problems that the Global Security                 puters, some users would challenge the access con-
Analysis Lab has seen during its early years of               trols that had been put in place. They would steal
ethical hacking for IBM clients.                              passwords or account numbers by looking over some-
                                                              one’s shoulder, explore the system for bugs that
                                                              might get them past the rules, or even take control
                                                              of the whole system. They would do these things in
                                                              order to be able to run the programs of their choice,

T   he term “hacker” has a dual usage in the com-
    puter industry today. Originally, the term was
defined as:
                                                              or just to change the limitations under which their
                                                              programs were running.

                                                              Initially these computer intrusions were fairly benign,
  HACKER noun 1. A person who enjoys learning the             with the most damage being the theft of computer
  details of computer systems and how to stretch              time. Other times, these recreations would take the
  their capabilities—as opposed to most users of              ௠Copyright 2001 by International Business Machines Corpora-
  computers, who prefer to learn only the minimum             tion. Copying in printed form for private use is permitted with-
  amount necessary. 2. One who programs enthu-                out payment of royalty provided that (1) each reproduction is done
  siastically or who enjoys programming rather than           without alteration and (2) the Journal reference and IBM copy-
  just theorizing about programming. 1                        right notice are included on the first page. The title and abstract,
                                                              but no other portions, of this paper may be copied or distributed
                                                              royalty free without further permission by computer-based and
This complimentary description was often extended             other information-service systems. Permission to republish any
to the verb form “hacking,” which was used to de-             other portion of this paper must be obtained from the Editor.


IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001     0018-8670/01/$5.00 © 2001 IBM                                                PALMER     769
form of practical jokes. However, these intrusions did      This method of evaluating the security of a system
      not stay benign for long. Occasionally the less talented,   has been in use from the early days of computers.
      or less careful, intruders would accidentally bring down    In one early ethical hack, the United States Air Force
      a system or damage its files, and the system adminis-        conducted a “security evaluation” of the Multics op-
      trators would have to restart it or make repairs. Other     erating systems for “potential use as a two-level
      times, when these intruders were again denied ac-           (secret/top secret) system.” 4 Their evaluation found
      cess once their activities were discovered, they would      that while Multics was “significantly better than other
      react with purposefully destructive actions. When the       conventional systems,” it also had “ . . . vulnerabil-
      number of these destructive computer intrusions be-         ities in hardware security, software security, and pro-
      came noticeable, due to the visibility of the system        cedural security” that could be uncovered with “a
      or the extent of the damage inflicted, it became             relatively low level of effort.” The authors performed
      “news” and the news media picked up on the story.           their tests under a guideline of realism, so that their
      Instead of using the more accurate term of “com-            results would accurately represent the kinds of ac-
      puter criminal,” the media began using the term             cess that an intruder could potentially achieve. They
      “hacker” to describe individuals who break into com-        performed tests that were simple information-gath-
      puters for fun, revenge, or profit. Since calling some-      ering exercises, as well as other tests that were out-
      one a “hacker” was originally meant as a compliment,        right attacks upon the system that might damage its
      computer security professionals prefer to use the           integrity. Clearly, their audience wanted to know
      term “cracker” or “intruder” for those hackers who          both results. There are several other now unclassi-
                                                                  fied reports that describe ethical hacking activities
      turn to the dark side of hacking. For clarity, we will
                                                                  within the U.S. military. 5–7
      use the explicit terms “ethical hacker” and “crim-
      inal hacker” for the rest of this paper.
                                                                  With the growth of computer networking, and of the
                                                                  Internet in particular, computer and network vul-
                                                                  nerability studies began to appear outside of the mil-
      What is ethical hacking?
                                                                  itary establishment. Most notable of these was the
      With the growth of the Internet, computer security          work by Farmer and Venema, 8 which was originally
      has become a major concern for businesses and gov-          posted to Usenet 9 in December of 1993. They dis-
      ernments. They want to be able to take advantage            cussed publicly, perhaps for the first time, 10 this idea
      of the Internet for electronic commerce, advertis-          of using the techniques of the hacker to assess the
      ing, information distribution and access, and other         security of a system. With the goal of raising the over-
      pursuits, but they are worried about the possibility        all level of security on the Internet and intranets, they
      of being “hacked.” At the same time, the potential          proceeded to describe how they were able to gather
      customers of these services are worried about main-         enough information about their targets to have been
      taining control of personal information that varies         able to compromise security if they had chosen to
      from credit card numbers to social security numbers         do so. They provided several specific examples of
      and home addresses. 2                                       how this information could be gathered and exploited
                                                                  to gain control of the target, and how such an attack
                                                                  could be prevented.
      In their search for a way to approach the problem,
      organizations came to realize that one of the best          Farmer and Venema elected to share their report
      ways to evaluate the intruder threat to their inter-        freely on the Internet in order that everyone could
      ests would be to have independent computer secu-            read and learn from it. However, they realized that
      rity professionals attempt to break into their com-         the testing at which they had become so adept might
      puter systems. This scheme is similar to having             be too complex, time-consuming, or just too boring
      independent auditors come into an organization to           for the typical system administrator to perform on
      verify its bookkeeping records. In the case of com-         a regular basis. For this reason, they gathered up all
      puter security, these “tiger teams” or “ethical hack-       the tools that they had used during their work, pack-
      ers” 3 would employ the same tools and techniques           aged them in a single, easy-to-use application, and
      as the intruders, but they would neither damage the         gave it away to anyone who chose to download it. 11
      target systems nor steal information. Instead, they         Their program, called Security Analysis Tool for Au-
      would evaluate the target systems’ security and re-         diting Networks, or SATAN, was met with a great
      port back to the owners with the vulnerabilities they       amount of media attention around the world. Most
      found and instructions for how to remedy them.              of this early attention was negative, because the tool’s


770   PALMER                                                                          IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
capabilities were misunderstood. The tool was not         ability testing, but are equally important when pre-
an automated hacker program that would bore into          paring the report for the client after the test.
systems and steal their secrets. Rather, the tool per-
formed an audit that both identified the vulnerabil-       Finally, good candidates for ethical hacking have
ities of a system and provided advice on how to elim-     more drive and patience than most people. Unlike
inate them. Just as banks have regular audits of their    the way someone breaks into a computer in the mov-
accounts and procedures, computer systems also
need regular checking. The SATAN tool provided that
auditing capability, but it went one step further: it
also advised the user on how to correct the prob-
lems it discovered. The tool did not tell the user how
the vulnerability might be exploited, because there        Just as in sports or warfare,
would be no useful point in doing so.                                  knowledge of the skills
                                                                 and techniques of your opponent
                                                             is vital to your success.
Who are ethical hackers?
These early efforts provide good examples of eth-
ical hackers. Successful ethical hackers possess a va-
riety of skills. First and foremost, they must be com-
                                                          ies, the work that ethical hackers do demands a lot
pletely trustworthy. While testing the security of a
                                                          of time and persistence. This is a critical trait, since
client’s systems, the ethical hacker may discover in-
formation about the client that should remain se-         criminal hackers are known to be extremely patient
cret. In many cases, this information, if publicized,     and willing to monitor systems for days or weeks
could lead to real intruders breaking into the sys-       while waiting for an opportunity. A typical evalua-
tems, possibly leading to financial losses. During an      tion may require several days of tedious work that
evaluation, the ethical hacker often holds the “keys      is difficult to automate. Some portions of the eval-
to the company,” and therefore must be trusted to         uations must be done outside of normal working
exercise tight control over any information about a       hours to avoid interfering with production at “live”
target that could be misused. The sensitivity of the      targets or to simulate the timing of a real attack.
information gathered during an evaluation requires        When they encounter a system with which they are
that strong measures be taken to ensure the security      unfamiliar, ethical hackers will spend the time to
of the systems being employed by the ethical hack-        learn about the system and try to find its weaknesses.
ers themselves: limited-access labs with physical se-     Finally, keeping up with the ever-changing world of
curity protection and full ceiling-to-floor walls, mul-    computer and network security requires continuous
tiple secure Internet connections, a safe to hold paper   education and review.
documentation from clients, strong cryptography to
protect electronic results, and isolated networks for     One might observe that the skills we have described
testing.                                                  could just as easily belong to a criminal hacker as
                                                          to an ethical hacker. Just as in sports or warfare,
Ethical hackers typically have very strong program-
                                                          knowledge of the skills and techniques of your op-
ming and computer networking skills and have been
                                                          ponent is vital to your success. In the computer se-
in the computer and networking business for several
years. They are also adept at installing and main-        curity realm, the ethical hacker’s task is the harder
taining systems that use the more popular operating       one. With traditional crime anyone can become a
systems (e.g., UNIX** or Windows NT**) used on tar-       shoplifter, graffiti artist, or a mugger. Their poten-
get systems. These base skills are augmented with         tial targets are usually easy to identify and tend to
detailed knowledge of the hardware and software           be localized. The local law enforcement agents must
provided by the more popular computer and net-            know how the criminals ply their trade and how to
working hardware vendors. It should be noted that         stop them. On the Internet anyone can download
an additional specialization in security is not always    criminal hacker tools and use them to attempt to
necessary, as strong skills in the other areas imply      break into computers anywhere in the world. Eth-
a very good understanding of how the security on          ical hackers have to know the techniques of the crim-
various systems is maintained. These systems man-         inal hackers, how their activities might be detected,
agement skills are necessary for the actual vulner-       and how to stop them.

IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001                                                                    PALMER    771
Given these qualifications, how does one go about            swers to questions similar to those posed by Gar-
      finding such individuals? The best ethical hacker can-       finkel and Spafford: 13
      didates will have successfully published research pa-
      pers or released popular open-source security soft-         1. What are you trying to protect?
      ware. 12 The computer security community is strongly        2. What are you trying to protect against?
      self-policing, given the importance of its work. Most       3. How much time, effort, and money are you will-
      ethical hackers, and many of the better computer and           ing to expend to obtain adequate protection?
      network security experts, did not set out to focus on
      these issues. Most of them were computer users from
      various disciplines, such as astronomy and physics,         A surprising number of clients have difficulty pre-
      mathematics, computer science, philosophy, or lib-          cisely answering the first question: a medical center
      eral arts, who took it personally when someone dis-         might say “our patient information,” an engineer-
      rupted their work with a hack.                              ing firm might answer “our new product designs,”
                                                                  and a Web retailer might answer “our customer da-
                                                                  tabase.”
      One rule that IBM’s ethical hacking effort had from
      the very beginning was that we would not hire ex-
      hackers. While some will argue that only a “real            All of these answers fall short, since they only de-
      hacker” would have the skill to actually do the work,       scribe targets in a general way. The client usually has
      we feel that the requirement for absolute trust elim-       to be guided to succinctly describe all of the critical
      inated such candidates. We likened the decision to          information assets for which loss could adversely af-
      that of hiring a fire marshal for a school district: while   fect the organization or its clients. These assets
      a gifted ex-arsonist might indeed know everything           should also include secondary information sources,
      about setting and putting out fires, would the par-          such as employee names and addresses (which are pri-
      ents of the students really feel comfortable with such      vacy and safety risks), computer and network informa-
      a choice? This decision was further justified when           tion (which could provide assistance to an intruder),
      the service was initially offered: the customers them-      and other organizations with which this organization
      selves asked that such a restriction be observed. Since     collaborates (which provide alternate paths into the tar-
      IBM’s ethical hacking group was formed, there have          get systems through a possibly less secure partner’s
      been numerous ex-hackers who have become secu-              system).
      rity consultants and spokespersons for the news me-
      dia. While they may very well have turned away from         A complete answer to (2) specifies more than just
      the “dark side,” there will always be a doubt.              the loss of the things listed in answer to (1). There
                                                                  are also the issues of system availability, wherein a
                                                                  denial-of-service attack could cost the client actual
      What do ethical hackers do?                                 revenue and customer loss because systems were un-
      An ethical hacker’s evaluation of a system’s security       available. The world became quite familiar with de-
      seeks answers to three basic questions:                     nial-of-service attacks in February of 2000 when at-
                                                                  tacks were launched against eBay**, Yahoo!**,
                                                                  E*TRADE**, CNN**, and other popular Web sites.
      ●   What can an intruder see on the target systems?         During the attacks, customers were unable to reach
      ●   What can an intruder do with that information?          these Web sites, resulting in loss of revenue and
      ●   Does anyone at the target notice the intruder’s at-     “mind share.” The answers to (1) should contain
          tempts or successes?                                    more than just a list of information assets on the or-
                                                                  ganization’s computer. The level of damage to an
      While the first and second of these are clearly im-          organization’s good image resulting from a success-
      portant, the third is even more important: If the own-      ful criminal hack can range from merely embarrass-
      ers or operators of the target systems do not notice        ing to a serious threat to revenue. As an example of
      when someone is trying to break in, the intruders           a hack affecting an organization’s image, on Janu-
      can, and will, spend weeks or months trying and will        ary 17, 2000, a U.S. Library of Congress Web site
      usually eventually succeed.                                 was attacked. The original initial screen is shown in
                                                                  Figure 1, whereas the hacked screen is shown in Fig-
      When the client requests an evaluation, there is quite      ure 2. As is often done, the criminal hacker left his
      a bit of discussion and paperwork that must be done         or her nickname, or handle, near the top of the page
      up front. The discussion begins with the client’s an-       in order to guarantee credit for the break-in.


772   PALMER                                                                          IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
Figure 1   Library of Congress Web page before attack




Some clients are under the mistaken impression that     administrators at UNICEF (United Nations Children’s
their Web site would not be a target. They cite nu-     Fund) might very well have thought that no hacker
merous reasons, such as “it has nothing interesting     would attack them. However, in January of 1998,
on it” or “hackers have never heard of my compa-        their page was defaced as shown in Figures 3 and
ny.” What these clients do not realize is that every    4. Many other examples of hacked Web pages can
Web site is a target. The goal of many criminal hack-   be found at archival sites around the Web. 14
ers is simple: Do something spectacular and then
make sure that all of your pals know that you did it.   Answers to the third question are complicated by the
Another rebuttal is that many hackers simply do not     fact that computer and network security costs come
care who your company or organization is; they hack     in three forms. First there are the real monetary costs
your Web site because they can. For example, Web        incurred when obtaining security consulting, hiring

IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001                                                                 PALMER    773
Figure 2   Hacked Library of Congress Web page




      personnel, and deploying hardware and software to       Because of Moore’s Law, 15 this may be less of an issue
      support security needs. Second, there is the cost of    for mainframe, desktop, and laptop machines. Yet,
      usability: the more secure a system is, the more dif-   it still remains a concern for mobile computing.
      ficult it can be to make it easy to use. The difficulty
      can take the form of obscure password selection         The “get out of jail free card”
      rules, strict system configuration rules, and limited
      remote access. Third, there is the cost of computer     Once answers to these three questions have been de-
      and network performance. The more time a com-           termined, a security evaluation plan is drawn up that
      puter or network spends on security needs, such as      identifies the systems to be tested, how they should
      strong cryptography and detailed system activity log-   be tested, and any limitations on that testing. Com-
      ging, the less time it has to work on user problems.    monly referred to as a “get out of jail free card,” this


774   PALMER                                                                     IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
Figure 3   UNICEF Web page before attack




is the contractual agreement between the client and     importance, since a minor mistake could lead to the
the ethical hackers, who typically write it together.   evaluation of the wrong system at the client’s instal-
This agreement also protects the ethical hackers        lation or, in the worst case, the evaluation of some
against prosecution, since much of what they do dur-    other organization’s system.
ing the course of an evaluation would be illegal in
most countries. The agreement provides a precise        Once the target systems are identified, the agreement
description, usually in the form of network addresses   must describe how they should be tested. The best
or modem telephone numbers, of the systems to be        evaluation is done under a “no-holds-barred” ap-
evaluated. Precision on this point is of the utmost     proach. This means that the ethical hacker can try

IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001                                                                PALMER    775
Figure 4   Hacked UNICEF Web page




      anything he or she can think of to attempt to gain         “no-holds-barred” approach should be employed. An
      access to or disrupt the target system. While this is      intruder will not be playing by the client’s rules. If
      the most realistic and useful, some clients balk at this   the systems are that important to the organization’s
      level of testing. Clients have several reasons for this,   well-being, they should be tested as thoroughly as
      the most common of which is that the target systems        possible. In either case, the client should be made
      are “in production” and interference with their op-        fully aware of the risks inherent to ethical hacker eval-
      eration could be damaging to the organization’s in-        uations. These risks include alarmed staff and uninten-
      terests. However, it should be pointed out to such         tional system crashes, degraded network or system per-
      clients that these very reasons are precisely why a        formance, denial of service, and log-file size explosions.


776   PALMER                                                                         IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
Some clients insist that as soon as the ethical hack-      The ethical hack itself
ers gain access to their network or to one of their
systems, the evaluation should halt and the client be      Once the contractual agreement is in place, the test-
notified. This sort of ruling should be discouraged,        ing may begin as defined in the agreement. It should
because it prevents the client from learning all that      be noted that the testing itself poses some risk to
the ethical hackers might discover about their sys-        the client, since a criminal hacker monitoring the
tems. It can also lead to the client’s having a false      transmissions of the ethical hackers could learn the
sense of security by thinking that the first security       same information. If the ethical hackers identify a
hole found is the only one present. The evaluation         weakness in the client’s security, the criminal hacker
should be allowed to proceed, since where there is         could potentially attempt to exploit that vulnerabil-
one exposure there are probably others.                    ity. This is especially vexing since the activities of the
                                                           ethical hackers might mask those of the criminal
The timing of the evaluations may also be impor-           hackers. The best approach to this dilemma is to
tant to the client. The client may wish to avoid af-       maintain several addresses around the Internet from
fecting systems and networks during regular work-          which the ethical hacker’s transmissions will ema-
ing hours. While this restriction is not recommended,      nate, and to switch origin addresses often. Complete
it reduces the accuracy of the evaluation only some-       logs of the tests performed by the ethical hackers
what, since most intruders do their work outside of        are always maintained, both for the final report and
the local regular working hours. However, attacks          in the event that something unusual occurs. In ex-
done during regular working hours may be more eas-         treme cases, additional intrusion monitoring software
ily hidden. Alerts from intrusion detection systems        can be deployed at the target to ensure that all the
may even be disabled or less carefully monitored dur-      tests are coming from the ethical hacker’s machines.
ing the day. Whatever timing is agreed to, the client      However, this is difficult to do without tipping off
should provide contacts within the organization who        the client’s staff and may require the cooperation of
can respond to calls from the ethical hackers if a sys-    the client’s Internet service provider.
tem or network appears to have been adversely af-
fected by the evaluation or if an extremely danger-        The line between criminal hacking and computer vi-
ous vulnerability is found that should be immediately      rus writing is becoming increasingly blurred. When
corrected.                                                 requested by the client, the ethical hacker can per-
                                                           form testing to determine the client’s vulnerability
It is common for potential clients to delay the eval-      to e-mail or Web-based virus vectors. However, it
uation of their systems until only a few weeks or days     is far better for the client to deploy strong antivirus
before the systems need to go on-line. Such last-          software, keep it up to date, and have a clear and
minute evaluations are of little use, since implemen-      simple policy in place for the reporting of incidents.
tations of corrections for discovered security prob-       IBM’s Immune System for Cyberspace 16,17 is another
lems might take more time than is available and may        approach that provides the additional capability of
introduce new system problems.                             recognizing new viruses and reporting them to a cen-
                                                           tral lab that automatically analyzes the virus and pro-
In order for the client to receive a valid evaluation,     vides an immediate vaccine.
the client must be cautioned to limit prior knowl-
edge of the test as much as possible. Otherwise, the       As dramatized in Figure 5, there are several kinds
ethical hackers might encounter the electronic equiv-      of testing. Any combination of the following may be
alent of the client’s employees running ahead of           called for:
them, locking doors and windows. By limiting the
number of people at the target organization who            ●   Remote network. This test simulates the intruder
know of the impending evaluation, the likelihood               launching an attack across the Internet. The pri-
that the evaluation will reflect the organization’s ac-         mary defenses that must be defeated here are bor-
tual security posture is increased. A related issue that       der firewalls, filtering routers, and Web servers.
the client must be prepared to address is the rela-        ●   Remote dial-up network. This test simulates the in-
tionship of the ethical hackers to the target organi-          truder launching an attack against the client’s mo-
zation’s employees. Employees may view this “sur-              dem pools. The primary defenses that must be de-
prise inspection” as a threat to their jobs, so the            feated here are user authentication schemes. These
organization’s management team must be prepared                kinds of tests should be coordinated with the local
to take steps to reassure them.                                telephone company.

IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001                                                                       PALMER    777
Figure 5    Different ways to attack computer security



                                                               DMZ




                               EXTRANET
                                                                                                            STOLEN LAPTOPS

                                                                           WEB

                    INTRANET

                                             FIREWALL                                                        INTERNET




                                                                     SERVICES



                       INSIDE BAD GUY                                                              OUTSIDE BAD GUY




      ●   Local network. This test simulates an employee or               phone numbers of the modem pool. Defending
          other authorized person who has a legal connec-                 against this kind of attack is the hardest, because
          tion to the organization’s network. The primary                 people and personalities are involved. Most peo-
          defenses that must be defeated here are intranet                ple are basically helpful, so it seems harmless to
          firewalls, internal Web servers, server security mea-            tell someone who appears to be lost where the
          sures, and e-mail systems.                                      computer room is located, or to let someone into
      ●   Stolen laptop computer. In this test, the laptop com-           the building who “forgot” his or her badge. The
          puter of a key employee, such as an upper-level                 only defense against this is to raise security aware-
          manager or strategist, is taken by the client with-             ness.
          out warning and given to the ethical hackers. They          ●   Physical entry. This test acts out a physical pene-
          examine the computer for passwords stored in di-                tration of the organization’s building. Special ar-
          al-up software, corporate information assets, per-              rangements must be made for this, since security
          sonnel information, and the like. Since many busy               guards or police could become involved if the eth-
          users will store their passwords on their machine,              ical hackers fail to avoid detection. Once inside
          it is common for the ethical hackers to be able to              the building, it is important that the tester not be
          use this laptop computer to dial into the corpo-                detected. One technique is for the tester to carry
          rate intranet with the owner’s full privileges.                 a document with the target company’s logo on it.
      ●   Social engineering. This test evaluates the target or-          Such a document could be found by digging
          ganization’s staff as to whether it would leak in-              through trash cans before the ethical hack or by
          formation to someone. A typical example of this                 casually picking up a document from a trash can
          would be an intruder calling the organization’s                 or desk once the tester is inside. The primary de-
          computer help line and asking for the external tele-            fenses here are a strong security policy, security


778   PALMER                                                                               IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
guards, access controls and monitoring, and secu-        self. He or she might choose to test the company’s
  rity awareness.                                          systems, possibly annoying system administrators or
                                                           even inadvertently hiding a real attack. The employee
Each of these kinds of testing can be performed from       might also choose to test the systems of another or-
three perspectives: as a total outsider, a “semi-out-      ganization, which is a felony in the United States
sider,” or a valid user.                                   when done without permission.

A total outsider has very limited knowledge about          The actual delivery of the report is also a sensitive
the target systems. The only information used is avail-    issue. If vulnerabilities were found, the report could
able through public sources on the Internet. This test     be extremely dangerous if it fell into the wrong hands.
represents the most commonly perceived threat. A           A competitor might use it for corporate espionage,
well-defended system should not allow this kind of         a hacker might use it to break into the client’s com-
intruder to do anything.                                   puters, or a prankster might just post the report’s
                                                           contents on the Web as a joke. The final report is
A semi-outsider has limited access to one or more          typically delivered directly to an officer of the client
of the organization’s computers or networks. This          organization in hard-copy form. The ethical hack-
tests scenarios such as a bank allowing its deposi-        ers would have an ongoing responsibility to ensure
tors to use special software and a modem to access         the safety of any information they retain, so in most
information about their accounts. A well-defended          cases all information related to the work is destroyed
system should only allow this kind of intruder to ac-      at the end of the contract.
cess his or her own account information.
                                                           Once the ethical hack is done and the report deliv-
A valid user has valid access to at least some of the      ered, the client might ask “So, if I fix these things
organization’s computers and networks. This tests          I’ll have perfect security, right?” Unfortunately, this
whether or not insiders with some access can extend        is not the case. People operate the client’s comput-
that access beyond what has been prescribed. A well-       ers and networks, and people make mistakes. The
defended system should allow an insider to access          longer it has been since the testing was performed,
only the areas and resources that the system admin-        the less can be reliably said about the state of a cli-
istrator has assigned to the insider.                      ent’s security. A portion of the final report includes
                                                           recommendations for steps the client should con-
The actual evaluation of the client’s systems proceeds     tinue to follow in order to reduce the impact of these
through several phases, as described previously by         mistakes in the future.
Boulanger. 18

The final report                                            Conclusions

The final report is a collection of all of the ethical      The idea of testing the security of a system by trying
hacker’s discoveries made during the evaluation.           to break into it is not new. Whether an automobile
Vulnerabilities that were found to exist are explained     company is crash-testing cars, or an individual is test-
and avoidance procedures specified. If the ethical          ing his or her skill at martial arts by sparring with
hacker’s activities were noticed at all, the response      a partner, evaluation by testing under attack from
of the client’s staff is described and suggestions for     a real adversary is widely accepted as prudent. It is,
improvements are made. If social engineering test-         however, not sufficient by itself. As Roger Schell ob-
ing exposed problems, advice is offered on how to          served nearly 30 years ago:
raise awareness. This is the main point of the whole
exercise: it does clients no good just to tell them that     From a practical standpoint the security problem
they have problems. The report must include spe-             will remain as long as manufacturers remain com-
cific advice on how to close the vulnerabilities and          mitted to current system architectures, produced
keep them closed. The actual techniques employed             without a firm requirement for security. As long
by the testers are never revealed. This is because the       as there is support for ad hoc fixes and security pack-
person delivering the report can never be sure just          ages for these inadequate designs and as long as the
who will have access to that report once it is in the        illusory results of penetration teams are accepted as
client’s hands. For example, an employee might want          demonstrations of a computer system security, proper
to try out some of the techniques for himself or her-        security will not be a reality. 19

IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001                                                                     PALMER    779
Regular auditing, vigilant intrusion detection, good                 11. See http://www.cs.ruu.nl/cert-uu/satan.html.
      system administration practice, and computer secu-                   12. This strategy is based on the ideal of raising the security of
                                                                               the whole Internet by giving security software away. Thus,
      rity awareness are all essential parts of an organi-                     no one will have any excuse not to take action to improve
      zation’s security efforts. A single failure in any of                    security.
      these areas could very well expose an organization                   13. S. Garfinkel and E. Spafford, Practical Unix Security, First Edi-
      to cyber-vandalism, embarrassment, loss of revenue                       tion, O’Reilly & Associates, Cambridge, MA (1996).
                                                                           14. For a collection of previously hacked Web sites, see http://
      or mind share, or worse. Any new technology has its                      www.2600.com/hacked_pages/ or http://defaced.alldes.de. Be
      benefits and its risks. While ethical hackers can help                    forewarned, however, that some of the hacked pages may con-
      clients better understand their security needs, it is                    tain pornographic images.
      up to the clients to keep their guards in place.                     15. In 1965, Intel cofounder Gordon Moore was preparing a
                                                                               speech and made a memorable observation. When he started
                                                                               to graph data about the growth in memory chip performance,
      Acknowledgments                                                          he realized there was a striking trend. Each new chip con-
                                                                               tained roughly twice as much capacity as its predecessor, and
      The author would like to thank several people: the                       each chip was released within 18 –24 months of the previous
      members of the Global Security Analysis Lab at IBM                       chip. In subsequent years, the pace slowed down a bit, but
                                                                               data density has doubled approximately every 18 months, and
      Research for sharing their amazing expertise and                         this is the current definition of Moore’s Law.
      their ability to make just about anyone understand                   16. J. O. Kephart, G. B. Sorkin, D. M. Chess, and S. R. White,
      more about security; Chip Coy and Nick Simicich                          “Fighting Computer Viruses,” Scientific American 277, No.
      for their trailblazing work in defining IBM’s Security                    5, 88 –93 (November 1997).
      Consulting Practice at the very beginning; and Paul                  17. See http://www.research.ibm.com/antivirus/SciPapers.htm for
                                                                               additional antivirus research papers.
      Karger for his encyclopedic knowledge of computer                    18. A. Boulanger, “Catapults and Grappling Hooks: The Tools
      security research and for his amazing ability to pro-                    and Techniques of Information Warfare,” IBM Systems Jour-
      duce copies of every notable paper on the subject                        nal 37, No. 1, 106 –114 (1998).
      that was ever published.                                             19. R. R. Schell, P. J. Downey, and G. J. Popek, Preliminary Notes
                                                                               on the Design of Secure Military Computer Systems, MCI-73-1,
      **Trademark or registered trademark of the Open Group, Mi-               ESD/AFSC, Hanscom Air Force Base, Bedford, MA (Jan-
      crosoft Corporation, eBay Inc., Yahoo! Inc., E*TRADE Secu-               uary 1973).
      rities, Inc., or Cable News Network LP, LLLP.
                                                                           Accepted for publication April 13, 2001.
      Cited references and notes
                                                                           Charles C. Palmer IBM Research Division, Thomas J. Watson
       1. E. S. Raymond, The New Hacker’s Dictionary, MIT Press,           Research Center, P.O. Box 218, Yorktown Heights, New York 10598
          Cambridge, MA (1991).                                            (electronic mail: ccpalmer@us.ibm.com). Dr. Palmer manages the
       2. S. Garfinkel, Database Nation, O’Reilly & Associates, Cam-        Network Security and Cryptography department at the IBM Tho-
          bridge, MA (2000).                                               mas J. Watson Research Center. His teams work in the areas of
       3. The first use of the term “ethical hackers” appears to have       cryptography research, Internet security technologies, JavaTM se-
          been in an interview with John Patrick of IBM by Gary An-        curity, privacy, and the Global Security Analysis Lab (GSAL),
          thens that appeared in a June 1995 issue of ComputerWorld.       which he cofounded in 1995. As part of the GSAL, Dr. Palmer
       4. P. A. Karger and R. R. Schell, Multics Security Evaluation:      worked with IBM Global Services to start IBM’s ethical hacking
          Vulnerability Analysis, ESD-TR-74-193, Vol. II, Headquar-        practice. He frequently speaks on the topics of computer and net-
          ters Electronic Systems Division, Hanscom Air Force Base,        work security at conferences around the world. He was also an
          MA (June 1974).                                                  adjunct professor of computer science at Polytechnic University,
       5. S. M. Goheen and R. S. Fiske, OS/360 Computer Security Pen-      Hawthorne, New York, from 1993 to 1997. He holds four patents
          etration Exercise, WP-4467, The MITRE Corporation, Bed-          and has several publications from his work at IBM and Polytech-
          ford, MA (October 16, 1972).                                     nic.
       6. R. P. Abbott, J. S. Chen, J. E. Donnelly, W. L. Konigsford,
          and S. T. Tokubo, Security Analysis and Enhancements of Com-
          puter Operating Systems, NBSIR 76-1041, National Bureau
          of Standards, Washington, DC (April 1976).
       7. W. M. Inglis, Security Problems in the WWMCCS GCOS Sys-
          tem, Joint Technical Support Activity Operating System Tech-
          nical Bulletin 730S-12, Defense Communications Agency
          (August 2, 1973).
       8. D. Farmer and W. Z. Venema, “Improving the Security of Your
          Site by Breaking into It,” originally posted to Usenet (Decem-
          ber 1993); it has since been updated and is now available at
          ftp://ftp.porcupine.org/pub/security/index.html#documents.
       9. See http://www.faqs.org/usenet/.
      10. Who can really determine who said something first on the
          Internet?


780   PALMER                                                                                       IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001

Mais conteúdo relacionado

Mais procurados

Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priorityzohaibqadir
 
Intrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIntrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIOSR Journals
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?Windstream Enterprise
 
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...pharmaindexing
 
Cyber crime
Cyber crimeCyber crime
Cyber crime24sneha
 
Hacking - how accessible is it?
Hacking - how accessible is it?Hacking - how accessible is it?
Hacking - how accessible is it?CPPGroup Plc
 
Narus Cyber 3.0 Position Paper
Narus Cyber 3.0 Position PaperNarus Cyber 3.0 Position Paper
Narus Cyber 3.0 Position PaperTrobough
 
Case Study On Social Engineering Techniques for Persuasion Full Text
Case Study On Social Engineering Techniques for Persuasion   Full Text Case Study On Social Engineering Techniques for Persuasion   Full Text
Case Study On Social Engineering Techniques for Persuasion Full Text graphhoc
 
Nss repko
Nss repkoNss repko
Nss repkorrepko
 
At Your Expense
At Your ExpenseAt Your Expense
At Your ExpenseDan Oblak
 
Insiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest LinkInsiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest LinkRichard Common
 
Social engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkSocial engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkJahangirnagar University
 
Cyber Threat to Public Safety Communications
Cyber Threat to Public Safety CommunicationsCyber Threat to Public Safety Communications
Cyber Threat to Public Safety CommunicationsKory Edwards
 
Emerging cyber threats_report2012
Emerging cyber threats_report2012Emerging cyber threats_report2012
Emerging cyber threats_report2012day4justice
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
Social Engineering-The Underpinning of Unauthorized Access
Social Engineering-The Underpinning of Unauthorized AccessSocial Engineering-The Underpinning of Unauthorized Access
Social Engineering-The Underpinning of Unauthorized AccessKory Edwards
 

Mais procurados (19)

Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priority
 
Intrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIntrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile Networks
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA Environments
 
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Hacking - how accessible is it?
Hacking - how accessible is it?Hacking - how accessible is it?
Hacking - how accessible is it?
 
Narus Cyber 3.0 Position Paper
Narus Cyber 3.0 Position PaperNarus Cyber 3.0 Position Paper
Narus Cyber 3.0 Position Paper
 
Case Study On Social Engineering Techniques for Persuasion Full Text
Case Study On Social Engineering Techniques for Persuasion   Full Text Case Study On Social Engineering Techniques for Persuasion   Full Text
Case Study On Social Engineering Techniques for Persuasion Full Text
 
Nss repko
Nss repkoNss repko
Nss repko
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
At Your Expense
At Your ExpenseAt Your Expense
At Your Expense
 
Insiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest LinkInsiders Guide to Social Engineering - End-Users are the Weakest Link
Insiders Guide to Social Engineering - End-Users are the Weakest Link
 
Social engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkSocial engineering: A Human Hacking Framework
Social engineering: A Human Hacking Framework
 
Cyber Threat to Public Safety Communications
Cyber Threat to Public Safety CommunicationsCyber Threat to Public Safety Communications
Cyber Threat to Public Safety Communications
 
Emerging cyber threats_report2012
Emerging cyber threats_report2012Emerging cyber threats_report2012
Emerging cyber threats_report2012
 
Presentation1
Presentation1Presentation1
Presentation1
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Social Engineering-The Underpinning of Unauthorized Access
Social Engineering-The Underpinning of Unauthorized AccessSocial Engineering-The Underpinning of Unauthorized Access
Social Engineering-The Underpinning of Unauthorized Access
 

Destaque

Plandeautoproteccinmodificado 111119144226-phpapp01
Plandeautoproteccinmodificado 111119144226-phpapp01Plandeautoproteccinmodificado 111119144226-phpapp01
Plandeautoproteccinmodificado 111119144226-phpapp01alfredo lassalle
 
Ethical hacking presentation_october_2006
Ethical hacking presentation_october_2006Ethical hacking presentation_october_2006
Ethical hacking presentation_october_2006Umang Patel
 
How to Take the Ransom Out of Ransomware
How to Take the Ransom Out of RansomwareHow to Take the Ransom Out of Ransomware
How to Take the Ransom Out of Ransomwaremarketingunitrends
 

Destaque (7)

Wm4
Wm4Wm4
Wm4
 
Wm4
Wm4Wm4
Wm4
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Plandeautoproteccinmodificado 111119144226-phpapp01
Plandeautoproteccinmodificado 111119144226-phpapp01Plandeautoproteccinmodificado 111119144226-phpapp01
Plandeautoproteccinmodificado 111119144226-phpapp01
 
Ethical hacking presentation_october_2006
Ethical hacking presentation_october_2006Ethical hacking presentation_october_2006
Ethical hacking presentation_october_2006
 
How to Take the Ransom Out of Ransomware
How to Take the Ransom Out of RansomwareHow to Take the Ransom Out of Ransomware
How to Take the Ransom Out of Ransomware
 
Ethical hacking presentation
Ethical hacking presentationEthical hacking presentation
Ethical hacking presentation
 

Semelhante a Ethical hacking

The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking - Mark - Fullbright
 
Ict H A C K I N G
Ict    H A C K I N GIct    H A C K I N G
Ict H A C K I N GHafizra Mas
 
61370436 main-case-study
61370436 main-case-study61370436 main-case-study
61370436 main-case-studyhomeworkping4
 
Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...
Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...
Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...PavanKumarSurala
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011Felipe Prado
 
Chapter 3 Computer Crimes
Chapter 3 Computer  CrimesChapter 3 Computer  Crimes
Chapter 3 Computer CrimesMar Soriano
 
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of IdsAdvantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of IdsVeronica Morse
 
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types  Of Hackers,Cyber Laws for ...Hacking,History Of Hacking,Types of Hacking,Types  Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...Qazi Anwar
 
Challenges Faced By Computer Network Security
Challenges Faced By Computer Network SecurityChallenges Faced By Computer Network Security
Challenges Faced By Computer Network SecurityLori Gilbert
 
How Technology Has Changed The Way Users Work
How Technology Has Changed The Way Users WorkHow Technology Has Changed The Way Users Work
How Technology Has Changed The Way Users WorkRegina Louisianaspc
 

Semelhante a Ethical hacking (20)

Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical hacking1
Ethical hacking1Ethical hacking1
Ethical hacking1
 
Ka3118541860
Ka3118541860Ka3118541860
Ka3118541860
 
Cybercrimes
CybercrimesCybercrimes
Cybercrimes
 
The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking
 
Ict Hacking
Ict   HackingIct   Hacking
Ict Hacking
 
Ict H A C K I N G
Ict    H A C K I N GIct    H A C K I N G
Ict H A C K I N G
 
61370436 main-case-study
61370436 main-case-study61370436 main-case-study
61370436 main-case-study
 
Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...
Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...
Hacking_ The Ultimate Hacking for Beginners_ How to Hack_ Hacking Intelligenc...
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
 
A01450131
A01450131A01450131
A01450131
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Chapter 3 Computer Crimes
Chapter 3 Computer  CrimesChapter 3 Computer  Crimes
Chapter 3 Computer Crimes
 
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of IdsAdvantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
Advantages And Disadvantages Of Ids.pdfAdvantages And Disadvantages Of Ids
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types  Of Hackers,Cyber Laws for ...Hacking,History Of Hacking,Types of Hacking,Types  Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
Challenges Faced By Computer Network Security
Challenges Faced By Computer Network SecurityChallenges Faced By Computer Network Security
Challenges Faced By Computer Network Security
 
How Technology Has Changed The Way Users Work
How Technology Has Changed The Way Users WorkHow Technology Has Changed The Way Users Work
How Technology Has Changed The Way Users Work
 

Último

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 

Último (20)

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 

Ethical hacking

  • 1. Ethical hacking by C. C. Palmer The explosive growth of the Internet has brought scribe the rapid crafting of a new program or the many good things: electronic commerce, easy making of changes to existing, usually complicated access to vast stores of reference material, collaborative computing, e-mail, and new software. avenues for advertising and information distribution, to name a few. As with most As computers became increasingly available at uni- technological advances, there is also a dark side: versities, user communities began to extend beyond criminal hackers. Governments, companies, and researchers in engineering or computer science to private citizens around the world are anxious to be a part of this revolution, but they are afraid other individuals who viewed the computer as a cu- that some hacker will break into their Web server riously flexible tool. Whether they programmed the and replace their logo with pornography, read computers to play games, draw pictures, or to help their e-mail, steal their credit card number from them with the more mundane aspects of their daily an on-line shopping site, or implant software that will secretly transmit their organization’s secrets work, once computers were available for use, there to the open Internet. With these concerns and was never a lack of individuals wanting to use them. others, the ethical hacker can help. This paper describes ethical hackers: their skills, their Because of this increasing popularity of computers attitudes, and how they go about helping their and their continued high cost, access to them was customers find and plug up security holes. The ethical hacking process is explained, along with usually restricted. When refused access to the com- many of the problems that the Global Security puters, some users would challenge the access con- Analysis Lab has seen during its early years of trols that had been put in place. They would steal ethical hacking for IBM clients. passwords or account numbers by looking over some- one’s shoulder, explore the system for bugs that might get them past the rules, or even take control of the whole system. They would do these things in order to be able to run the programs of their choice, T he term “hacker” has a dual usage in the com- puter industry today. Originally, the term was defined as: or just to change the limitations under which their programs were running. Initially these computer intrusions were fairly benign, HACKER noun 1. A person who enjoys learning the with the most damage being the theft of computer details of computer systems and how to stretch time. Other times, these recreations would take the their capabilities—as opposed to most users of ௠Copyright 2001 by International Business Machines Corpora- computers, who prefer to learn only the minimum tion. Copying in printed form for private use is permitted with- amount necessary. 2. One who programs enthu- out payment of royalty provided that (1) each reproduction is done siastically or who enjoys programming rather than without alteration and (2) the Journal reference and IBM copy- just theorizing about programming. 1 right notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied or distributed royalty free without further permission by computer-based and This complimentary description was often extended other information-service systems. Permission to republish any to the verb form “hacking,” which was used to de- other portion of this paper must be obtained from the Editor. IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 0018-8670/01/$5.00 © 2001 IBM PALMER 769
  • 2. form of practical jokes. However, these intrusions did This method of evaluating the security of a system not stay benign for long. Occasionally the less talented, has been in use from the early days of computers. or less careful, intruders would accidentally bring down In one early ethical hack, the United States Air Force a system or damage its files, and the system adminis- conducted a “security evaluation” of the Multics op- trators would have to restart it or make repairs. Other erating systems for “potential use as a two-level times, when these intruders were again denied ac- (secret/top secret) system.” 4 Their evaluation found cess once their activities were discovered, they would that while Multics was “significantly better than other react with purposefully destructive actions. When the conventional systems,” it also had “ . . . vulnerabil- number of these destructive computer intrusions be- ities in hardware security, software security, and pro- came noticeable, due to the visibility of the system cedural security” that could be uncovered with “a or the extent of the damage inflicted, it became relatively low level of effort.” The authors performed “news” and the news media picked up on the story. their tests under a guideline of realism, so that their Instead of using the more accurate term of “com- results would accurately represent the kinds of ac- puter criminal,” the media began using the term cess that an intruder could potentially achieve. They “hacker” to describe individuals who break into com- performed tests that were simple information-gath- puters for fun, revenge, or profit. Since calling some- ering exercises, as well as other tests that were out- one a “hacker” was originally meant as a compliment, right attacks upon the system that might damage its computer security professionals prefer to use the integrity. Clearly, their audience wanted to know term “cracker” or “intruder” for those hackers who both results. There are several other now unclassi- fied reports that describe ethical hacking activities turn to the dark side of hacking. For clarity, we will within the U.S. military. 5–7 use the explicit terms “ethical hacker” and “crim- inal hacker” for the rest of this paper. With the growth of computer networking, and of the Internet in particular, computer and network vul- nerability studies began to appear outside of the mil- What is ethical hacking? itary establishment. Most notable of these was the With the growth of the Internet, computer security work by Farmer and Venema, 8 which was originally has become a major concern for businesses and gov- posted to Usenet 9 in December of 1993. They dis- ernments. They want to be able to take advantage cussed publicly, perhaps for the first time, 10 this idea of the Internet for electronic commerce, advertis- of using the techniques of the hacker to assess the ing, information distribution and access, and other security of a system. With the goal of raising the over- pursuits, but they are worried about the possibility all level of security on the Internet and intranets, they of being “hacked.” At the same time, the potential proceeded to describe how they were able to gather customers of these services are worried about main- enough information about their targets to have been taining control of personal information that varies able to compromise security if they had chosen to from credit card numbers to social security numbers do so. They provided several specific examples of and home addresses. 2 how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. In their search for a way to approach the problem, organizations came to realize that one of the best Farmer and Venema elected to share their report ways to evaluate the intruder threat to their inter- freely on the Internet in order that everyone could ests would be to have independent computer secu- read and learn from it. However, they realized that rity professionals attempt to break into their com- the testing at which they had become so adept might puter systems. This scheme is similar to having be too complex, time-consuming, or just too boring independent auditors come into an organization to for the typical system administrator to perform on verify its bookkeeping records. In the case of com- a regular basis. For this reason, they gathered up all puter security, these “tiger teams” or “ethical hack- the tools that they had used during their work, pack- ers” 3 would employ the same tools and techniques aged them in a single, easy-to-use application, and as the intruders, but they would neither damage the gave it away to anyone who chose to download it. 11 target systems nor steal information. Instead, they Their program, called Security Analysis Tool for Au- would evaluate the target systems’ security and re- diting Networks, or SATAN, was met with a great port back to the owners with the vulnerabilities they amount of media attention around the world. Most found and instructions for how to remedy them. of this early attention was negative, because the tool’s 770 PALMER IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
  • 3. capabilities were misunderstood. The tool was not ability testing, but are equally important when pre- an automated hacker program that would bore into paring the report for the client after the test. systems and steal their secrets. Rather, the tool per- formed an audit that both identified the vulnerabil- Finally, good candidates for ethical hacking have ities of a system and provided advice on how to elim- more drive and patience than most people. Unlike inate them. Just as banks have regular audits of their the way someone breaks into a computer in the mov- accounts and procedures, computer systems also need regular checking. The SATAN tool provided that auditing capability, but it went one step further: it also advised the user on how to correct the prob- lems it discovered. The tool did not tell the user how the vulnerability might be exploited, because there Just as in sports or warfare, would be no useful point in doing so. knowledge of the skills and techniques of your opponent is vital to your success. Who are ethical hackers? These early efforts provide good examples of eth- ical hackers. Successful ethical hackers possess a va- riety of skills. First and foremost, they must be com- ies, the work that ethical hackers do demands a lot pletely trustworthy. While testing the security of a of time and persistence. This is a critical trait, since client’s systems, the ethical hacker may discover in- formation about the client that should remain se- criminal hackers are known to be extremely patient cret. In many cases, this information, if publicized, and willing to monitor systems for days or weeks could lead to real intruders breaking into the sys- while waiting for an opportunity. A typical evalua- tems, possibly leading to financial losses. During an tion may require several days of tedious work that evaluation, the ethical hacker often holds the “keys is difficult to automate. Some portions of the eval- to the company,” and therefore must be trusted to uations must be done outside of normal working exercise tight control over any information about a hours to avoid interfering with production at “live” target that could be misused. The sensitivity of the targets or to simulate the timing of a real attack. information gathered during an evaluation requires When they encounter a system with which they are that strong measures be taken to ensure the security unfamiliar, ethical hackers will spend the time to of the systems being employed by the ethical hack- learn about the system and try to find its weaknesses. ers themselves: limited-access labs with physical se- Finally, keeping up with the ever-changing world of curity protection and full ceiling-to-floor walls, mul- computer and network security requires continuous tiple secure Internet connections, a safe to hold paper education and review. documentation from clients, strong cryptography to protect electronic results, and isolated networks for One might observe that the skills we have described testing. could just as easily belong to a criminal hacker as to an ethical hacker. Just as in sports or warfare, Ethical hackers typically have very strong program- knowledge of the skills and techniques of your op- ming and computer networking skills and have been ponent is vital to your success. In the computer se- in the computer and networking business for several years. They are also adept at installing and main- curity realm, the ethical hacker’s task is the harder taining systems that use the more popular operating one. With traditional crime anyone can become a systems (e.g., UNIX** or Windows NT**) used on tar- shoplifter, graffiti artist, or a mugger. Their poten- get systems. These base skills are augmented with tial targets are usually easy to identify and tend to detailed knowledge of the hardware and software be localized. The local law enforcement agents must provided by the more popular computer and net- know how the criminals ply their trade and how to working hardware vendors. It should be noted that stop them. On the Internet anyone can download an additional specialization in security is not always criminal hacker tools and use them to attempt to necessary, as strong skills in the other areas imply break into computers anywhere in the world. Eth- a very good understanding of how the security on ical hackers have to know the techniques of the crim- various systems is maintained. These systems man- inal hackers, how their activities might be detected, agement skills are necessary for the actual vulner- and how to stop them. IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 PALMER 771
  • 4. Given these qualifications, how does one go about swers to questions similar to those posed by Gar- finding such individuals? The best ethical hacker can- finkel and Spafford: 13 didates will have successfully published research pa- pers or released popular open-source security soft- 1. What are you trying to protect? ware. 12 The computer security community is strongly 2. What are you trying to protect against? self-policing, given the importance of its work. Most 3. How much time, effort, and money are you will- ethical hackers, and many of the better computer and ing to expend to obtain adequate protection? network security experts, did not set out to focus on these issues. Most of them were computer users from various disciplines, such as astronomy and physics, A surprising number of clients have difficulty pre- mathematics, computer science, philosophy, or lib- cisely answering the first question: a medical center eral arts, who took it personally when someone dis- might say “our patient information,” an engineer- rupted their work with a hack. ing firm might answer “our new product designs,” and a Web retailer might answer “our customer da- tabase.” One rule that IBM’s ethical hacking effort had from the very beginning was that we would not hire ex- hackers. While some will argue that only a “real All of these answers fall short, since they only de- hacker” would have the skill to actually do the work, scribe targets in a general way. The client usually has we feel that the requirement for absolute trust elim- to be guided to succinctly describe all of the critical inated such candidates. We likened the decision to information assets for which loss could adversely af- that of hiring a fire marshal for a school district: while fect the organization or its clients. These assets a gifted ex-arsonist might indeed know everything should also include secondary information sources, about setting and putting out fires, would the par- such as employee names and addresses (which are pri- ents of the students really feel comfortable with such vacy and safety risks), computer and network informa- a choice? This decision was further justified when tion (which could provide assistance to an intruder), the service was initially offered: the customers them- and other organizations with which this organization selves asked that such a restriction be observed. Since collaborates (which provide alternate paths into the tar- IBM’s ethical hacking group was formed, there have get systems through a possibly less secure partner’s been numerous ex-hackers who have become secu- system). rity consultants and spokespersons for the news me- dia. While they may very well have turned away from A complete answer to (2) specifies more than just the “dark side,” there will always be a doubt. the loss of the things listed in answer to (1). There are also the issues of system availability, wherein a denial-of-service attack could cost the client actual What do ethical hackers do? revenue and customer loss because systems were un- An ethical hacker’s evaluation of a system’s security available. The world became quite familiar with de- seeks answers to three basic questions: nial-of-service attacks in February of 2000 when at- tacks were launched against eBay**, Yahoo!**, E*TRADE**, CNN**, and other popular Web sites. ● What can an intruder see on the target systems? During the attacks, customers were unable to reach ● What can an intruder do with that information? these Web sites, resulting in loss of revenue and ● Does anyone at the target notice the intruder’s at- “mind share.” The answers to (1) should contain tempts or successes? more than just a list of information assets on the or- ganization’s computer. The level of damage to an While the first and second of these are clearly im- organization’s good image resulting from a success- portant, the third is even more important: If the own- ful criminal hack can range from merely embarrass- ers or operators of the target systems do not notice ing to a serious threat to revenue. As an example of when someone is trying to break in, the intruders a hack affecting an organization’s image, on Janu- can, and will, spend weeks or months trying and will ary 17, 2000, a U.S. Library of Congress Web site usually eventually succeed. was attacked. The original initial screen is shown in Figure 1, whereas the hacked screen is shown in Fig- When the client requests an evaluation, there is quite ure 2. As is often done, the criminal hacker left his a bit of discussion and paperwork that must be done or her nickname, or handle, near the top of the page up front. The discussion begins with the client’s an- in order to guarantee credit for the break-in. 772 PALMER IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
  • 5. Figure 1 Library of Congress Web page before attack Some clients are under the mistaken impression that administrators at UNICEF (United Nations Children’s their Web site would not be a target. They cite nu- Fund) might very well have thought that no hacker merous reasons, such as “it has nothing interesting would attack them. However, in January of 1998, on it” or “hackers have never heard of my compa- their page was defaced as shown in Figures 3 and ny.” What these clients do not realize is that every 4. Many other examples of hacked Web pages can Web site is a target. The goal of many criminal hack- be found at archival sites around the Web. 14 ers is simple: Do something spectacular and then make sure that all of your pals know that you did it. Answers to the third question are complicated by the Another rebuttal is that many hackers simply do not fact that computer and network security costs come care who your company or organization is; they hack in three forms. First there are the real monetary costs your Web site because they can. For example, Web incurred when obtaining security consulting, hiring IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 PALMER 773
  • 6. Figure 2 Hacked Library of Congress Web page personnel, and deploying hardware and software to Because of Moore’s Law, 15 this may be less of an issue support security needs. Second, there is the cost of for mainframe, desktop, and laptop machines. Yet, usability: the more secure a system is, the more dif- it still remains a concern for mobile computing. ficult it can be to make it easy to use. The difficulty can take the form of obscure password selection The “get out of jail free card” rules, strict system configuration rules, and limited remote access. Third, there is the cost of computer Once answers to these three questions have been de- and network performance. The more time a com- termined, a security evaluation plan is drawn up that puter or network spends on security needs, such as identifies the systems to be tested, how they should strong cryptography and detailed system activity log- be tested, and any limitations on that testing. Com- ging, the less time it has to work on user problems. monly referred to as a “get out of jail free card,” this 774 PALMER IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
  • 7. Figure 3 UNICEF Web page before attack is the contractual agreement between the client and importance, since a minor mistake could lead to the the ethical hackers, who typically write it together. evaluation of the wrong system at the client’s instal- This agreement also protects the ethical hackers lation or, in the worst case, the evaluation of some against prosecution, since much of what they do dur- other organization’s system. ing the course of an evaluation would be illegal in most countries. The agreement provides a precise Once the target systems are identified, the agreement description, usually in the form of network addresses must describe how they should be tested. The best or modem telephone numbers, of the systems to be evaluation is done under a “no-holds-barred” ap- evaluated. Precision on this point is of the utmost proach. This means that the ethical hacker can try IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 PALMER 775
  • 8. Figure 4 Hacked UNICEF Web page anything he or she can think of to attempt to gain “no-holds-barred” approach should be employed. An access to or disrupt the target system. While this is intruder will not be playing by the client’s rules. If the most realistic and useful, some clients balk at this the systems are that important to the organization’s level of testing. Clients have several reasons for this, well-being, they should be tested as thoroughly as the most common of which is that the target systems possible. In either case, the client should be made are “in production” and interference with their op- fully aware of the risks inherent to ethical hacker eval- eration could be damaging to the organization’s in- uations. These risks include alarmed staff and uninten- terests. However, it should be pointed out to such tional system crashes, degraded network or system per- clients that these very reasons are precisely why a formance, denial of service, and log-file size explosions. 776 PALMER IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
  • 9. Some clients insist that as soon as the ethical hack- The ethical hack itself ers gain access to their network or to one of their systems, the evaluation should halt and the client be Once the contractual agreement is in place, the test- notified. This sort of ruling should be discouraged, ing may begin as defined in the agreement. It should because it prevents the client from learning all that be noted that the testing itself poses some risk to the ethical hackers might discover about their sys- the client, since a criminal hacker monitoring the tems. It can also lead to the client’s having a false transmissions of the ethical hackers could learn the sense of security by thinking that the first security same information. If the ethical hackers identify a hole found is the only one present. The evaluation weakness in the client’s security, the criminal hacker should be allowed to proceed, since where there is could potentially attempt to exploit that vulnerabil- one exposure there are probably others. ity. This is especially vexing since the activities of the ethical hackers might mask those of the criminal The timing of the evaluations may also be impor- hackers. The best approach to this dilemma is to tant to the client. The client may wish to avoid af- maintain several addresses around the Internet from fecting systems and networks during regular work- which the ethical hacker’s transmissions will ema- ing hours. While this restriction is not recommended, nate, and to switch origin addresses often. Complete it reduces the accuracy of the evaluation only some- logs of the tests performed by the ethical hackers what, since most intruders do their work outside of are always maintained, both for the final report and the local regular working hours. However, attacks in the event that something unusual occurs. In ex- done during regular working hours may be more eas- treme cases, additional intrusion monitoring software ily hidden. Alerts from intrusion detection systems can be deployed at the target to ensure that all the may even be disabled or less carefully monitored dur- tests are coming from the ethical hacker’s machines. ing the day. Whatever timing is agreed to, the client However, this is difficult to do without tipping off should provide contacts within the organization who the client’s staff and may require the cooperation of can respond to calls from the ethical hackers if a sys- the client’s Internet service provider. tem or network appears to have been adversely af- fected by the evaluation or if an extremely danger- The line between criminal hacking and computer vi- ous vulnerability is found that should be immediately rus writing is becoming increasingly blurred. When corrected. requested by the client, the ethical hacker can per- form testing to determine the client’s vulnerability It is common for potential clients to delay the eval- to e-mail or Web-based virus vectors. However, it uation of their systems until only a few weeks or days is far better for the client to deploy strong antivirus before the systems need to go on-line. Such last- software, keep it up to date, and have a clear and minute evaluations are of little use, since implemen- simple policy in place for the reporting of incidents. tations of corrections for discovered security prob- IBM’s Immune System for Cyberspace 16,17 is another lems might take more time than is available and may approach that provides the additional capability of introduce new system problems. recognizing new viruses and reporting them to a cen- tral lab that automatically analyzes the virus and pro- In order for the client to receive a valid evaluation, vides an immediate vaccine. the client must be cautioned to limit prior knowl- edge of the test as much as possible. Otherwise, the As dramatized in Figure 5, there are several kinds ethical hackers might encounter the electronic equiv- of testing. Any combination of the following may be alent of the client’s employees running ahead of called for: them, locking doors and windows. By limiting the number of people at the target organization who ● Remote network. This test simulates the intruder know of the impending evaluation, the likelihood launching an attack across the Internet. The pri- that the evaluation will reflect the organization’s ac- mary defenses that must be defeated here are bor- tual security posture is increased. A related issue that der firewalls, filtering routers, and Web servers. the client must be prepared to address is the rela- ● Remote dial-up network. This test simulates the in- tionship of the ethical hackers to the target organi- truder launching an attack against the client’s mo- zation’s employees. Employees may view this “sur- dem pools. The primary defenses that must be de- prise inspection” as a threat to their jobs, so the feated here are user authentication schemes. These organization’s management team must be prepared kinds of tests should be coordinated with the local to take steps to reassure them. telephone company. IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 PALMER 777
  • 10. Figure 5 Different ways to attack computer security DMZ EXTRANET STOLEN LAPTOPS WEB INTRANET FIREWALL INTERNET SERVICES INSIDE BAD GUY OUTSIDE BAD GUY ● Local network. This test simulates an employee or phone numbers of the modem pool. Defending other authorized person who has a legal connec- against this kind of attack is the hardest, because tion to the organization’s network. The primary people and personalities are involved. Most peo- defenses that must be defeated here are intranet ple are basically helpful, so it seems harmless to firewalls, internal Web servers, server security mea- tell someone who appears to be lost where the sures, and e-mail systems. computer room is located, or to let someone into ● Stolen laptop computer. In this test, the laptop com- the building who “forgot” his or her badge. The puter of a key employee, such as an upper-level only defense against this is to raise security aware- manager or strategist, is taken by the client with- ness. out warning and given to the ethical hackers. They ● Physical entry. This test acts out a physical pene- examine the computer for passwords stored in di- tration of the organization’s building. Special ar- al-up software, corporate information assets, per- rangements must be made for this, since security sonnel information, and the like. Since many busy guards or police could become involved if the eth- users will store their passwords on their machine, ical hackers fail to avoid detection. Once inside it is common for the ethical hackers to be able to the building, it is important that the tester not be use this laptop computer to dial into the corpo- detected. One technique is for the tester to carry rate intranet with the owner’s full privileges. a document with the target company’s logo on it. ● Social engineering. This test evaluates the target or- Such a document could be found by digging ganization’s staff as to whether it would leak in- through trash cans before the ethical hack or by formation to someone. A typical example of this casually picking up a document from a trash can would be an intruder calling the organization’s or desk once the tester is inside. The primary de- computer help line and asking for the external tele- fenses here are a strong security policy, security 778 PALMER IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001
  • 11. guards, access controls and monitoring, and secu- self. He or she might choose to test the company’s rity awareness. systems, possibly annoying system administrators or even inadvertently hiding a real attack. The employee Each of these kinds of testing can be performed from might also choose to test the systems of another or- three perspectives: as a total outsider, a “semi-out- ganization, which is a felony in the United States sider,” or a valid user. when done without permission. A total outsider has very limited knowledge about The actual delivery of the report is also a sensitive the target systems. The only information used is avail- issue. If vulnerabilities were found, the report could able through public sources on the Internet. This test be extremely dangerous if it fell into the wrong hands. represents the most commonly perceived threat. A A competitor might use it for corporate espionage, well-defended system should not allow this kind of a hacker might use it to break into the client’s com- intruder to do anything. puters, or a prankster might just post the report’s contents on the Web as a joke. The final report is A semi-outsider has limited access to one or more typically delivered directly to an officer of the client of the organization’s computers or networks. This organization in hard-copy form. The ethical hack- tests scenarios such as a bank allowing its deposi- ers would have an ongoing responsibility to ensure tors to use special software and a modem to access the safety of any information they retain, so in most information about their accounts. A well-defended cases all information related to the work is destroyed system should only allow this kind of intruder to ac- at the end of the contract. cess his or her own account information. Once the ethical hack is done and the report deliv- A valid user has valid access to at least some of the ered, the client might ask “So, if I fix these things organization’s computers and networks. This tests I’ll have perfect security, right?” Unfortunately, this whether or not insiders with some access can extend is not the case. People operate the client’s comput- that access beyond what has been prescribed. A well- ers and networks, and people make mistakes. The defended system should allow an insider to access longer it has been since the testing was performed, only the areas and resources that the system admin- the less can be reliably said about the state of a cli- istrator has assigned to the insider. ent’s security. A portion of the final report includes recommendations for steps the client should con- The actual evaluation of the client’s systems proceeds tinue to follow in order to reduce the impact of these through several phases, as described previously by mistakes in the future. Boulanger. 18 The final report Conclusions The final report is a collection of all of the ethical The idea of testing the security of a system by trying hacker’s discoveries made during the evaluation. to break into it is not new. Whether an automobile Vulnerabilities that were found to exist are explained company is crash-testing cars, or an individual is test- and avoidance procedures specified. If the ethical ing his or her skill at martial arts by sparring with hacker’s activities were noticed at all, the response a partner, evaluation by testing under attack from of the client’s staff is described and suggestions for a real adversary is widely accepted as prudent. It is, improvements are made. If social engineering test- however, not sufficient by itself. As Roger Schell ob- ing exposed problems, advice is offered on how to served nearly 30 years ago: raise awareness. This is the main point of the whole exercise: it does clients no good just to tell them that From a practical standpoint the security problem they have problems. The report must include spe- will remain as long as manufacturers remain com- cific advice on how to close the vulnerabilities and mitted to current system architectures, produced keep them closed. The actual techniques employed without a firm requirement for security. As long by the testers are never revealed. This is because the as there is support for ad hoc fixes and security pack- person delivering the report can never be sure just ages for these inadequate designs and as long as the who will have access to that report once it is in the illusory results of penetration teams are accepted as client’s hands. For example, an employee might want demonstrations of a computer system security, proper to try out some of the techniques for himself or her- security will not be a reality. 19 IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 PALMER 779
  • 12. Regular auditing, vigilant intrusion detection, good 11. See http://www.cs.ruu.nl/cert-uu/satan.html. system administration practice, and computer secu- 12. This strategy is based on the ideal of raising the security of the whole Internet by giving security software away. Thus, rity awareness are all essential parts of an organi- no one will have any excuse not to take action to improve zation’s security efforts. A single failure in any of security. these areas could very well expose an organization 13. S. Garfinkel and E. Spafford, Practical Unix Security, First Edi- to cyber-vandalism, embarrassment, loss of revenue tion, O’Reilly & Associates, Cambridge, MA (1996). 14. For a collection of previously hacked Web sites, see http:// or mind share, or worse. Any new technology has its www.2600.com/hacked_pages/ or http://defaced.alldes.de. Be benefits and its risks. While ethical hackers can help forewarned, however, that some of the hacked pages may con- clients better understand their security needs, it is tain pornographic images. up to the clients to keep their guards in place. 15. In 1965, Intel cofounder Gordon Moore was preparing a speech and made a memorable observation. When he started to graph data about the growth in memory chip performance, Acknowledgments he realized there was a striking trend. Each new chip con- tained roughly twice as much capacity as its predecessor, and The author would like to thank several people: the each chip was released within 18 –24 months of the previous members of the Global Security Analysis Lab at IBM chip. In subsequent years, the pace slowed down a bit, but data density has doubled approximately every 18 months, and Research for sharing their amazing expertise and this is the current definition of Moore’s Law. their ability to make just about anyone understand 16. J. O. Kephart, G. B. Sorkin, D. M. Chess, and S. R. White, more about security; Chip Coy and Nick Simicich “Fighting Computer Viruses,” Scientific American 277, No. for their trailblazing work in defining IBM’s Security 5, 88 –93 (November 1997). Consulting Practice at the very beginning; and Paul 17. See http://www.research.ibm.com/antivirus/SciPapers.htm for additional antivirus research papers. Karger for his encyclopedic knowledge of computer 18. A. Boulanger, “Catapults and Grappling Hooks: The Tools security research and for his amazing ability to pro- and Techniques of Information Warfare,” IBM Systems Jour- duce copies of every notable paper on the subject nal 37, No. 1, 106 –114 (1998). that was ever published. 19. R. R. Schell, P. J. Downey, and G. J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, MCI-73-1, **Trademark or registered trademark of the Open Group, Mi- ESD/AFSC, Hanscom Air Force Base, Bedford, MA (Jan- crosoft Corporation, eBay Inc., Yahoo! Inc., E*TRADE Secu- uary 1973). rities, Inc., or Cable News Network LP, LLLP. Accepted for publication April 13, 2001. Cited references and notes Charles C. Palmer IBM Research Division, Thomas J. Watson 1. E. S. Raymond, The New Hacker’s Dictionary, MIT Press, Research Center, P.O. Box 218, Yorktown Heights, New York 10598 Cambridge, MA (1991). (electronic mail: ccpalmer@us.ibm.com). Dr. Palmer manages the 2. S. Garfinkel, Database Nation, O’Reilly & Associates, Cam- Network Security and Cryptography department at the IBM Tho- bridge, MA (2000). mas J. Watson Research Center. His teams work in the areas of 3. The first use of the term “ethical hackers” appears to have cryptography research, Internet security technologies, JavaTM se- been in an interview with John Patrick of IBM by Gary An- curity, privacy, and the Global Security Analysis Lab (GSAL), thens that appeared in a June 1995 issue of ComputerWorld. which he cofounded in 1995. As part of the GSAL, Dr. Palmer 4. P. A. Karger and R. R. Schell, Multics Security Evaluation: worked with IBM Global Services to start IBM’s ethical hacking Vulnerability Analysis, ESD-TR-74-193, Vol. II, Headquar- practice. He frequently speaks on the topics of computer and net- ters Electronic Systems Division, Hanscom Air Force Base, work security at conferences around the world. He was also an MA (June 1974). adjunct professor of computer science at Polytechnic University, 5. S. M. Goheen and R. S. Fiske, OS/360 Computer Security Pen- Hawthorne, New York, from 1993 to 1997. He holds four patents etration Exercise, WP-4467, The MITRE Corporation, Bed- and has several publications from his work at IBM and Polytech- ford, MA (October 16, 1972). nic. 6. R. P. Abbott, J. S. Chen, J. E. Donnelly, W. L. Konigsford, and S. T. Tokubo, Security Analysis and Enhancements of Com- puter Operating Systems, NBSIR 76-1041, National Bureau of Standards, Washington, DC (April 1976). 7. W. M. Inglis, Security Problems in the WWMCCS GCOS Sys- tem, Joint Technical Support Activity Operating System Tech- nical Bulletin 730S-12, Defense Communications Agency (August 2, 1973). 8. D. Farmer and W. Z. Venema, “Improving the Security of Your Site by Breaking into It,” originally posted to Usenet (Decem- ber 1993); it has since been updated and is now available at ftp://ftp.porcupine.org/pub/security/index.html#documents. 9. See http://www.faqs.org/usenet/. 10. Who can really determine who said something first on the Internet? 780 PALMER IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001