Beruflich Dokumente
Kultur Dokumente
Ethical Hacking
From start to success
By Rob Kraus – ISSA member, Alamo (San Antonio), USA Chapter
Ethical hacking services provide a unique solution to help IT practitioners secure their networks
and other assets before malicious attackers gain a foothold on the secrets of the organization.
E
thical hacking is nothing new. The term has been information technology (IT) assets and non-IT related as-
used in the information security world and accept- sets. Of course, overlap is possible in some cases, and those
ed by the security community for quite some time. instances should be addressed as necessary. Physical secu-
Even though many have an understanding of the practi- rity and organizational practices, policies, and procedures
cal application of ethical hacking, organizations still fail must be addressed for a complete approach.
to apply remediation recommendations based on assess-
ment outcomes. This article does not identify innovative Management acceptance
methods to put a new spin on an old concept, but instead
As a general foundation for ethical hacking and other
focuses on where organizations fail to ensure success. For
security-related initiatives, recall the most elemental of
this reason, pre- and post-ethical hacking engagement ac-
requirements: management acceptance and support. No
tivities are discussed rather than specific attacks or vendor
security plan is guaranteed success. Additionally, no se-
selection criteria. Before exploring what organizations can
curity plan lacking management support will succeed.
do to maximize the ROI, consider the basic elements of
Sometimes the most difficult part of embarking on a suc-
ethical hacking and security principles.
cessful ethical hacking engagement is conveying to execu-
tive management the importance of the engagement in the
Traditional ethical hacking overall security program.
Let’s face it, ethical hacking services are a part of the in- This point may be common sense to most, but common
formation security community and serve many purposes. sense is not always common. Ethical hacking should be
In its most generic form, ethical hacking allows organiza- a means to identify weaknesses in an organization’s se-
tions to make use of professionals talented in the “black curity posture. However, as a practitioner, I find a large
arts” of hacking and vulnerability identification. An ethi- number of organizations use ethical hacking engagements
cal hacking engagement can be outsourced to a third par- to measure the organization’s implemented controls
ty or can be conducted by an established internal team. against Health Insurance Portability and Accountability
Ethical hacking engagements may include social engineer- Act (HIPAA),1 Sarbanes-Oxley Act (SOX),2 or Payment
ing, wireless penetration testing, Web application reviews,
and other consulting services in addition to the com- 1 http://www.hhs.gov/ocr/privacy/index.html.
monly associated external and internal penetration tests. 2 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_
The goal is to identify vulnerabilities in organizational bills&docid=f:h3763enr.tst.pdf.
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only.
14
Ethical Hacking: From start to success | Rob Kraus ISSA Journal | May 2009
Card Industry (PCI)3 compliance directives, or simply an ethical hacking provider offers. To put things into per-
to check-the-box. True management buy-in spective, do not buy the buffet when à la carte will suffice.
means supporting the assessment because the Use the risk assessment as a tool to save your organization
organization wants to be secure in addition to money when deciding what services to purchase.
being compliant.
Thrifty…not cheap
Getting back to basics Making the right choices can save the organization money,
A “holistic approach” to security has been recommended by but be careful not to shortcut the quality and scope of the ser-
security practitioners for some time. Unfortunately, market- vice. As ethical hacking services are selected and the scope is
ing and sales professionals may use this word in a different defined for the rules of engagement, consider the limitations
context than intended. In the eyes of the security profes- your organization imposes on the services. Corporations to-
sional, a holistic approach implies a comprehensive analysis day expect ethical hacking engagements to be quick, accu-
of critical assets having a high risk that vulnerabilities may rate, and cheap. These are basic requirements with which al-
be leveraged or having an increased potential of loss. To the most any project manager will agree. Facilitators should have
buzzword-enabled salesperson, it may sound like “holistic” a good idea of how the command and control of the engage-
means “kitchen sink.” ments are handled but ensure it does not hinder the ethical
hackers from executing real world attack scenarios. Most ethi-
Rather than using holistic terminology, address organiza-
cal hacking service providers understand project goals and
tional needs by evaluating existing controls against “best
are flexible to make clients happy.
practices.” Following best practices means implementing
controls and taking the course of a “prudent man.” A biblical Malicious attackers have a major advantage over typical busi-
reference to a prudent man states, “A prudent man seeth the ness culture when it comes to time, planning, and execution
evil, and hideth himself; But the simple pass on, and suffer for of attacks. A well-planned attack can cause havoc for even
it.” 4 In short, do not accept the deal of the week. Take a hard the largest of corporations. For this reason, proper funding
look at what is important, assess the risk, and engage in as- should be secured to ensure the assessments conducted re-
sessment activities that apply to your organization. semble authentic attack scenarios.
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only.
15
Ethical Hacking: From start to success | Rob Kraus ISSA Journal | May 2009
Comprehensive reporting and results Sometimes it can be a tough decision to make for organiza-
tions that need to protect assets and deliver products while
Depending on report formats and the skill level of the indi- maintaining a competitive advantage. Making decisions
vidual responsible for reviewing the assessment results, un- based on gaining competitive advantage can cause organiza-
derstanding the results can be confusing. Report delivery and tions to neglect security initiatives. As mentioned earlier, it
format should be discussed with the vendor prior to finaliz- is vital to the success of any security initiative to have upper
ing service contracts to ensure it will provide the appropriate management support and ensure that the delicate balance be-
level of detail. This detail will help your organization identify tween functionality and security is maintained.
the root cause of the issues and help define possible remedia-
tion paths. At a minimum, organizations should be aware of In many cases, I discover IT and security administrators are
the following: at a disadvantage when answering to upper management and
board members, especially when security evaluations do not
• The report generation and delivery time line provide positive findings. Ultimately, the finger is pointed at
• The report format (CSV, PDF, Microsoft Word, Web- IT and security administrators for not doing the job. How-
based) ever, in some cases, the friction between administrators and
• If remediation recommendations are available for management may be due to lack of understanding, funding
identified vulnerabilities issues, or lack of resources being properly allocated to ensure
a properly secured organization. Take a moment to review
• The report retention policies of the provider to ensure the concept of ownership and maintenance roles within an
reports are available in the future if needed organization and how those roles may contribute to the over-
all information security program.
Take immediate action
Many organizations fail due to the lack of planning for re- Data Ownership
mediation efforts, and misunderstanding of how to address One common misconception is that the data stored within
the identified issues with proper, industry-recommended so- the organization is owned by the IT department. To the lay-
lutions. One of the worst things an organization can do is to man the rational may sound similar to “Of course, they per-
conduct a risk assessment, identify required ethical hacking form backups and ensure availability, so that must be the cor-
services, select a vendor, conduct the assessment, and then rect answer.” This actually cannot be further from the truth.
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only.
16
Ethical Hacking: From start to success | Rob Kraus ISSA Journal | May 2009
Data belongs to “data owners,” and the data maintenance sessment activities. While the organization may experience a
functions belong to “data custodians.” slight delay to the progress of the engagement, it may be bet-
Data owners may include the frontline manager all the way ter to take the immediate action rather than allowing the vul-
up to the CEO. A data owner is an individual or group re- nerability to remain. Flexibility needs to be considered while
sponsible for the identification and protection of a data set. ensuring the core goals of the project are not compromised.
This includes deciding who is granted appropriate access,
determining sensitivity classification, and the frequency of
Peer support
backing up the data. Additionally, the data owner is respon- Over the last ten years, there has been tremendous growth in
sible for the due care of the data and will be held accountable the security community. Conferences and training are excel-
for any loss of integrity and confidentiality. lent places to meet peers, discuss security, and share experi-
ences. Some of the greatest things I have learned about ethical
Data Owner Data Custodian hacking engagements have come from listening to the success
Disclosure approvals Integrity verification and failure of others’ experiences. Ensure your IT and securi-
ty administrators have the opportunity to attend these price-
Violation investigations Data backup
less events. Organizations such as the ISSA provide access to
Data classification Restoring data many resources through publications and local chapters.
Define security requirements Enforcing standards of protection
Security ambassadors
A data custodian is responsible for the care and feeding of the Trick Question: Who is responsible for the security of your
data that needs to be protected. This includes your IT and se- organization? Answer: Everyone. Security is not a one-man
curity administrators who will perform integrity tests, back- or one-woman show. It takes effort for any security program
ups, test restores, and implement technologies to help ensure to be successful, and this alone is a large burden to carry
the overall availability of the data. without help. Empowering the organization’s employees at
The roles of owner and custodian responsibilities can indeed all levels increases the overall success of the program.
overlap in some cases. However, the data owner is the one In the past, I have advised organizations to implement a “se-
who ultimately has to answer for mishaps and losses. The dis- curity ambassador program,”6 which makes it fun for em-
tinction is important, as it can often be a struggle to remem- ployees to engage in thinking and acting securely. Simple se-
ber the overall goal of ensuring confidentiality, integrity, and curity awareness programs can have a significant impact on
availability of data. the overall security. Implement awareness and be open with
your employees about ways they can help protect the organi-
The strong finish zation.
Maintaining a secure environment is one of the most difficult
organizational challenges. A delicate balance exists between Conclusion
costs, functionality, and prudence in security decisions. Preparing your organization for an ethical hacking engage-
Sometimes it may be difficult to identify the appropriate level ment and trying to maximize its effectiveness can be a chal-
of security simply because as technology advances, so do the lenge. Ensuring proper planning is in place for both pre- and
attack vectors. No organization can be prepared for one hun- post-engagement activities can be the ultimate test of maxi-
dred percent of the possibilities and stay vigilant. The com- mizing your ROI. Ensuring the proper support channels are
mon administrator is focused primarily on the availability of in place will help guide your organization to success. Use
services and ensuring SLAs are met. Even organizations with your resources and do not be afraid to ask questions of your
dedicated staff responsible for security cannot keep up with peers, vendors, and stakeholders. Lastly, security is dynamic,
the vulnerabilities published on a daily basis. be flexible.
Planning for success About the Author
Much of this article has discussed concepts important to un- Rob Kraus of Digital Defense, Inc. conducts
derstand when attempting to maximize an ethical hacking internal and external penetration tests and
engagement. As security practitioners the goal is to ensure a social engineering engagements. He serves
plan is in place, appropriate parties are included in the pro- as the program director for the ISSA Alamo
cess, and execution yields results your organization can use. (San Antonio) Chapter and is a regular
presenter at TRISC. You can contact Rob
It is important to remember plans change! As you travel
at rob.kraus@ddifrontline.com.
down the road of outlining your ethical hacking engagement,
do not be surprised if you find the path taking you in an un-
expected direction. During engagements high-level vulner- 6 A security ambassador is how I refer to the individuals who are regular employees, but
have the capability of helping ensure security practices are being followed. Think of
abilities may be identified, requiring immediate remediation. them as the equivalent to your local community safety watch programs found in many
The severity of the vulnerabilities may warrant halting as- residential neighborhoods today.
©2009 Information Systems Security Association • www.issa.org • editor@issa.org • Permission for author use only.
18