bad in a good way [information technology security]


Engineering & Technology, January 2013, www.EandTmagazine.com

NASTY, EVIL, devious, manipulative: adjectives commonly planted in front of the term ‘hacker’. But stick the word ‘ethical’ in front of it, and you may just have struck on a useful concept. Of course, ‘ethical hacker’ sounds like an oxymoron: how can such a disruptive, destructive coder ever lay claim to a code of ethics?

With the rise of cyber-crime, ethical hacking has become a powerful strategy in the fight against online threats. In general terms, ethical hackers are authorised to break into supposedly ‘secure’ computer systems without malicious intent, but with the aim of discovering vulnerabilities in order to bring about improved protection.

Sometimes the local IT managers or security officers in an organisation will be informed that such an attack – usually called a ‘penetration test’ – is to take place, and may even be looking over the hacker’s shoulder; but often they are not, and knowledge of an attack is confined to very senior personnel, sometimes even just two or three board members. Some ethical hackers work for consultants; others are salaried staffers, who conduct a scheduled programme of hacks on a regular basis.

BAD… IN A GOOD WAY

More and more organisations are being targeted in cyber-attacks, and they must get to know their enemy if they are to protect vital networks. Meet the professional, ethical hacker.

By Aasha Bodhani

[Photo caption: Hacking the role model: in the film ‘Hellboy’ the eponymous superhero is a demonic creature recruited as a defender of good against the unseen forces of darkness]

A number of specialisms exist within the general discipline of ethical hacking; for this reason it is impossible to group all ‘hackers’ into a comprehensive category. An ethical hacker, also referred to as a ‘white-hat’ hacker or ‘sneaker’, is someone who hacks with no malicious intent and is assisting companies to help secure their systems. However, a ‘black-hat’ hacker is the opposite and will use his or her skills to commit cybercrimes, typically to make a profit. In between are hackers known as ‘grey-hat’ hackers, who will search for vulnerable systems and inform the company but will hack without permission.

Tools of the raid trade

Ethical hacker Peter Wood, founder of penetration-testing vendor First Base Technologies, specialises in Windows networks and social engineering. His first ‘packet sniffing’ exercise was in 1978, when he worked with defence corporation Raytheon, and later tested IBM’s network systems. The choice of tools used depends on the task, says Wood, but when testing a corporate Windows network he will use Hyena – a program designed for Windows admins – and the programs fgdump and SAMInside for Windows password-cracking. He adds that the program Core Impact is ideal for running exploits as it creates a solid audit trail.

Cyber security issues change every day – new viruses, new malware, new ways to crack through even the most robust online defences. The ‘threat landscape’ has grown out from simple password breaking, viral infection, and the exploitation of weakness in online access safeguards, through to cyber-espionage, data asset theft, and denial of service (DoS) attacks. Add to this the proliferating problem of ‘hacktivism’ – the deployment of hacking techniques as a means of protest to promote political ends.

As well as the external baddies, organisations of all kinds are continually challenged to adopt emerging digital information technologies, such as bring your own device (BYOD) and cloud computing, which bring their own security issues. Now, however, businesses are facing increasingly accurate and sophisticated attacks. Despite spending millions implementing firewalls, anti-virus/anti-malware software, hardware firewalls, and data protection applications, there are still flaws in many organisations’ IT security perimeters, and it’s not necessarily the fault of the security technology. This has resulted in companies employing ethical hackers to perform penetration tests and vulnerability scans and to identify the unknown. Ethical hackers may be deployed to look for vulnerabilities from both inside and outside an organisation: covert cyber criminals can pass themselves off as bona fide employees to conduct their nefarious ends from within corporate premises.

PROFILES IN PROBITY

TEN TYPES OF CYBER HACKER

The basic definition for a hacker is someone who breaks into computer networks or personal computer systems either for a challenge or to gain profit.

1. White-hat: A ‘white-hat’ hacker, also referred to as an ethical hacker, is someone who has non-malicious intent whenever breaking into security systems. The majority of white-hat hackers are security experts, and will often work with a company to legally detect and improve security weaknesses.

2. Black-hat: A ‘black-hat’ hacker, also known as a ‘cracker’, is someone who hacks with malicious intent and without authorisation. Typically the hacker wants to prove his or her hacking abilities and will commit a range of cybercrimes, such as identity theft, credit card fraud and piracy.

3. Grey-hat: As the colour suggests, a ‘grey-hat’ hacker is somewhere between white-hat and black-hat hackers, as he or she exhibits traits from both. For instance, a grey-hat hacker will roam the Internet in search of vulnerable systems; like the white-hat hacker, the targeted company will be informed of any weaknesses and will repair them, but like the black-hat hacker the grey-hat hacker is hacking without permission.

4. Blue Hat: External computer security consulting firms are employed to bug-test a system prior to its launch, looking for weak links which can then be closed. Blue Hat is also associated with an annual security conference held by Microsoft where Microsoft engineers and hackers can openly communicate.

5. Elite hacker: These types of hackers have a reputation for being the ‘best in the business’ and are considered as the innovators and experts. Elite hackers used an invented language called ‘Leetspeak’ to conceal their sites from search engines. The language meant some letters in a word were replaced by a numerical likeness or other letters that sounded similar.

6. Hacktivist: Someone who hacks into a computer network for a politically or socially motivated purpose. The controversial word can be construed as cyber terrorism, as this type of hacking can lead to activities ranging from non-violent to violent. The word was first coined in 1996 by the Cult of the Dead Cow organisation.

7. Script kiddies: Amateur hackers who follow directions and use scripts and shell codes from other hackers without fully understanding each step performed.

8. Spy hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid.

9. Cyber terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber terrorists’ ultimate motivation is to spread fear and terror and to commit murder.

10. Mobile hackers: These days individuals store everything on their mobile phones, from personal information such as contact numbers and addresses to credit card details. For these reasons mobile phones are increasingly becoming attractive to hackers-on-the-hoof, either by hacking faulty mobile chips or point-to-point wireless networks, such as Bluetooth.

Sources: E&T, McAfee/Robert Siciliano, Wikipedia

Hacker history

In 1974, the Multics (Multiplexed Information and Computing Service) operating systems were then renowned as the most secure OS available. The United States Air Force organised an ‘ethical’ vulnerability analysis to test the Multics OS and found that, though the systems were better than other conventional ones, they still had vulnerabilities in hardware and software security.

As companies begin to employ ethical hackers, the need for IT specialists with accredited skills is growing, but ethical hackers require support too. Shortly after the 11 September 2001 terrorist attacks on the World Trade Center, Jay Bavisi and Haja Mohideen co-founded the International Council of Electronic Commerce Consultants (EC-Council), a professional body that aims to assist individuals in gaining information security and e-business skills.

Government institutions have recognised the benefits in using ethical hackers; the problem is where to find them. In 2011, UK intelligence agency GCHQ launched ‘Can You Crack It?’, an online code-breaking challenge with the aim of recruiting ‘self-taught’ hackers to become the next generation of cyber security specialists. Early in 2012 GCHQ also unveiled a cyber-incident response (CIR) pilot scheme. This initiative, launched by the agency’s Communications-Electronics Security Group (CESG) and the Centre for Protection of National Infrastructure (CPNI), will provide a range of support from tactical, technical mitigation advice to guidance on the use of counter-measures to improve the quality of security within the public sector and critical national infrastructure organisations.

At present, data-intelligence provider BAE Systems Detica and security providers Cassidian, Context IS, and Mandiant have been selected by CESG and CPNI to work in partnership to provide support. A GCHQ spokesperson revealed both GCHQ and CPNI have not incurred any additional costs in establishing the scheme, but in line with other certification schemes they will charge an annual certification fee when the CIR scheme is launched in 2013.

“We certify ‘ethical hacking’ companies ourselves to undertake penetration testing of government IT systems, and work with industry schemes CREST and TIGER in setting the right standards for these companies to work to,” adds a GCHQ spokesperson.

How ethical is ‘ethical’?

Even though more enterprises are actively recruiting ethical hackers, for some there remains a hesitation when it comes to letting a licensed attacker loose on corporate information systems. According to the report ‘When is a Hacker an “Ethical Hacker” – He’s NOT’ by AlienVault’s research engineer Conrad Constantine, an ‘ethical’ hacker simply does not exist, and it is the contradictory job title that is the problem.

“The term ‘ethical’ is unnecessary – it is not logical to refer to a hacker as an ‘ethical hacker’ because they have moved over from the ‘dark side’ into ‘the light’,” Constantine argues. “The reason companies want to employ a hacker is not because they know the ‘rules’ to hacking, but because of the very fact that they do not play by the rules.”

Constantine adds: “Some hackers would argue that they’re not criminals, but activists. Others would say that they’re just rebellious in the way they think about technology and have a duty to highlight an organisation’s poor security. My personal view is that we need people who are willing to stand up and challenge authority – in so doing, does that then make them ethical? I don’t see why it should, it is still hacking – end of argument.”

[Photo caption: Spying tonight: early in 2012 GCHQ also unveiled a cyber-incident response (CIR) pilot scheme]

STEP-BY-STEP DEFINITION

WHAT EXACTLY IS A ‘PENETRATION TEST’?

A stylised, high-level overview of the Trustwave SpiderLabs application penetration testing methodology. It highlights the iterative nature of an assessment, and that successful delivery is dependent almost entirely on the manual security testing expertise and experience of the penetration tester(s). Furthermore, it is important to understand that the consulting/professional services wrapper (alerting, reporting and debrief elements) around the technical delivery expertise is key to ensuring that the client is best equipped to fully understand what the business impact of each identified security issue is – and ultimately how best to prioritise, plan and action the resultant remediation activities.

[Flowchart, box labels only: Start assessment; Target gathering; Public records search; Client provided information; Alert client on high or critical; Manual testing; Reporting; Compromise? (YES/NO); Session analysis; Application mapping; Logic and fraud abuse; Issue identification; Vuln. confirmation; Automated tools; Data extraction; End assessment; Final report/close out call]

Supporting this, Faronics project management vice president Dmitry Shesterin asks: “Have you ever heard of an ethical hacker that has started off as an ethical hacker? I have not.”

“Experts do not typically adhere to textbook coding practices, and can uncover problems, vulnerabilities, or business practices of varying shades of ‘ethical’ – something they were not supposed to uncover,” adds Shesterin. “So the concern often remains, how ethical is an ethical hacker?”

Turning tables

Despite this, the common belief among many at-risk companies is that ‘to outwit a hacker, you need to hire one’. With so much at stake, even technology providers are turning to those with hacking skills to find the flaws in their products and fix them before the baddies are able to exploit them.

Twenty-three-year-old George ‘GeoHot’ Hotz gained notoriety in 2007 when he became the first person to ‘jailbreak’ Apple’s iPhone by creating a program that enabled iPhone users to modify their devices to run on other carrier networks, despite AT&T having an exclusive deal with Apple. Two years later Hotz cracked Sony’s PlayStation 3 games console, giving him access to the machine’s processor, which helped gamers to amend their game consoles and run unapproved applications and pirated games. However, despite his reputation, social networking giant Facebook hired him, and he is reported to be engaged on building an anti-hacker defence programme.

Earlier this year social networking site Twitter experienced a hacking mishap of its own where more than 55,000 Twitter usernames and passwords were released. Since then it has recruited former Apple device hacker Charlie Miller into its security team. Miller is renowned for being the first to find a bug in Apple’s MacBook Air, as well as for discovering a security hole in Apple’s iOS software which enabled applications to download unsigned code which was added to apps even after it had been approved. When Miller tested and proved this, he was later dismissed from Apple’s developer program.

Cybercriminals are adept at finding vulnerability anywhere, and though no known attacks have occurred, the health industry is also a target. McAfee employed hacker Barnaby Jack to break into cars and develop anti-virus products to prevent car computer malware. Jack’s latest stunt involved hacking into and shutting down a wireless insulin pump, upon which diabetics are reliant to dispense the hormone into the body. Jack is best known for hacking into cash machines and making them eject money at a Black Hat computer security conference in Las Vegas in 2010. In October he left McAfee and returned to computer security firm IO Active, where he initially served in the role of director of security testing.

Breaches become the norm

Security vendor Faronics revealed findings from its ‘State of SMB Cyber Security Readiness’ survey about the motivations behind companies investing in data defences and security. On behalf of Faronics, the Ponemon Institute surveyed 544 IT experts from SMEs – 58 per cent of whom were at supervisor level or higher and all of whom were familiar with the organisation’s security mission. It found 54 per cent of respondents have experienced at least one data breach in the last year, and 19 per cent have experienced more than four.

“As well as raising awareness of cybercriminal tactics, organisations must consider a more holistic approach to security,” says Faronics vice president Dmitry Shesterin. “They cannot afford to rely solely on traditional solutions, such as anti-virus. Today’s threats are just too sophisticated.”

However, Shesterin adds, availing of the services of an ethical hacker has its drawbacks. “Contracting an ethical hacker will virtually always uncover a vulnerability, but dealing with that vulnerability might prove extremely expensive,” he cautions. “Some businesses are simply not prepared to deal with the findings, and would rather not know themselves to maintain plausible deniability.”

The ‘ethical professional’

Trustwave, a data security vendor, is responsible for assisting small and medium-sized businesses on how to manage compliance and secure network infrastructure, data communications and critical information assets. Within Trustwave, a security team called SpiderLabs focuses on application security, incident response, penetration testing and threat intelligence.

[Photo caption: Charlie Miller: Apple bug finder general]

‘Some businesses are not prepared to deal with the findings of an ethical hacker’ – Dmitry Shesterin, Faronics

COMPANY PROFILE

FIREBRAND TRAINING CERTIFIED ETHICAL HACKER

UK-based Firebrand Training offers a ‘boot-camp’ style approach to gaining a professional certification in various IT and management computer courses. Courses are scheduled every month, each with an average capacity of 15 students. Firebrand has certified 150 ethical hackers yearly since it started running the courses in 2001.

In particular, Firebrand Training is accredited by the EC-Council to run a range of Certified Ethical Hacking (CEH) training programmes. Richard Millett, product lead and senior instructor at Firebrand, explains the CEH course gives an insight into the methodologies and tools used by the hacking community and the guiding concept is that “if you understand how the bad guys get in you can take the appropriate steps to kick them out”.

The CEH course has more of an emphasis on techniques and methodologies and aims to certify a student in just five days. The course covers 19 modules, starting with an introduction to ethical hacking, and then on to footprinting and reconnaissance, scanning networks, enumeration, system hacking, trojans and backdoors, viruses and worms, sniffers, social engineering, denial of service, session hijacking, hacking webservers, hacking web applications, SQL injection, hacking wireless networks, evading IDS, firewalls and honeypots, buffer overflows, cryptography and penetration testing.

The official course material is updated every 18 months, and when new attack methodologies and trends come to light, Firebrand will implement them and incorporate practical exercises into the course. Firebrand instructors remain in contact through the use of email and forums such as LinkedIn. The customer and sales departments also maintain contact to announce course updates and new products.

The course provides group and one-to-one instruction, hands-on labs, group and independent study, plus question and answer opportunities. However, Firebrand stipulates that prospective student applicants should ideally have at least two years’ IT experience, a strong knowledge of specific technologies such as TCP/IP, Windows Server (NT, 2000, 2003, 2008) and a basic familiarity with Linux and/or Unix.

All CEH students must agree to sign a legally-binding non-disclosure agreement (NDA) before they are allowed to start the course. The NDA states that students must “not use the newly acquired skills for illegal or malicious attacks and you will not use such tools in an attempt to compromise any computer system”. However, Firebrand Training’s NDA is the only formal undertaking to prevent students from then going on to become black-hatters; it is down to them to remain fully ethical.

The course is based upon the practical side of securing networks in the workplace and gives a broad overview of what skills and knowledge are important to have. Students who want to continue developing move on to other certifications such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) on the management path or look at professional penetration testing and pursue qualifications such as the Council of Registered Ethical Security Testers (CREST) and TIGER.

The main driver for students who enrol is to learn and practise the practical side of IT security, playing with the software tools and learning the methodologies of the hacker. “They have aspirations that include mastering as many aspects of computer security as possible and taking that knowledge back to the workplace to make their own networks secure,” adds Firebrand’s Richard Millett. The course includes 12-hour training days, course materials, exams, and accommodation; students who do not pass first time round can train again for free, and only pay for accommodation and exams.

[Photo caption: Richard Millett, senior instructor at Firebrand]

Director of Trustwave’s SpiderLabs security team John Yeo has several years’ experience as a security consultant. He describes his background as typical: “As a youth I was obsessed with technology… Yes, you could say I was a bit of a geek, but that’s the standard profile of anyone that ends up in [the IT security] industry.”

The computer science graduate adds: “I just want to put that out there, because it is just as important as any formal education. There is an element of creativity to the mindset that’s required, because it’s not just about knowing the technical hows and whys, there is a problem-solving mentality required, you have to think outside the box.”

Yeo claims two of the things lacking in the IT security testing industry are a professional standards and ethics body, and specialist training, in terms of skills required for penetration testing. “Training courses aren’t necessarily perceived as the most valuable thing by active practitioners; instead it’s learning through doing. That’s how you get into the industry.”

Trustwave’s 2012 Global Security Report is based on data from real-world investigations researched in 2011 by SpiderLabs. It revealed only 16 per cent of companies self-detected data compromises, which suggests organisations aren’t capable of detecting breaches, and the remaining 84 per cent of organisations relied on regulatory, law enforcement, third-party and even the public to inform them of incidents.

On average, SpiderLabs performs 2,200 penetration tests a year, and finds a range of high-risk problems, reports John Yeo. When a breach occurs, incident response investigations are performed to discover if private information has been exposed. SpiderLabs uses a ‘sniper forensics’ methodology, first by containing the breach by shutting down what the hacker has done and secondly investigating what information was exposed and how it was done. The average length of time from intrusion to detection from SpiderLabs incident response caseload is around six months, but in some cases cybercriminals have gone undetected for many years.

He explains the problems start as there is a naïve perception with companies wanting to stay ahead by adopting new technologies, such as BYOD and cloud and mobile applications. Furthermore, many organisations are outsourcing to third-party companies who may not take security seriously. SpiderLabs identified that in 75 per cent of the 330 cases investigated, a third party was responsible for a major incident.

Yeo heads a team of skilled ethical hackers and the size of the team varies according to the incident. “Honestly, it is one of the best jobs in the world, from a comradery perspective it’s amazing,” says Yeo. “If one person finds an interesting technical problem, the whole team chips in to solve it, it’s a good feeling.”

[Photo caption: George ‘GeoHot’ Hotz: iPhone cracker king]