Bad in a Good Way [Information Technology Security]
Engineering & Technology, January 2013, www.EandTmagazine.com

INFORMATION TECHNOLOGY SECURITY
More and more organisations are being targeted in cyber-attacks, and they must get to know their enemy if they are to protect vital networks. Meet the professional, ethical hacker.

By Aasha Bodhani

[Photo caption] Hacking the role model: in the film ‘Hellboy’ the eponymous superhero is a demonic creature recruited as a defender of good against the unseen forces of darkness.

NASTY, EVIL, devious, manipulative: adjectives commonly planted in front of the term ‘hacker’. But stick the word ‘ethical’ in front of it, and you may just have struck on a useful concept. Of course, ‘ethical hacker’ sounds like an oxymoron: how can such a disruptive, destructive coder ever lay claim to a code of ethics?

With the rise of cyber-crime, ethical hacking has become a powerful strategy in the fight against online threats. In general terms, ethical hackers are authorised to break into supposedly ‘secure’ computer systems without malicious intent, but with the aim of discovering vulnerabilities in order to bring about improved protection. Sometimes the local IT managers or security officers in an organisation will be informed that such an attack – usually called a ‘penetration test’ – is to take place, and may even be looking over the hacker’s shoulder; but often they are not, and knowledge of an attack is confined to very senior personnel, sometimes even just two or three board members. Some ethical hackers work for consultants; others are salaried staffers, who conduct a scheduled programme of hacks on a regular basis.

A number of specialisms exist within the general discipline of ethical hacking; for this reason it is impossible to group all ‘hackers’ into a comprehensive category. An ethical hacker, also referred to as a ‘white-hat’ hacker or ‘sneaker’, is someone who hacks with no malicious intent and is assisting companies to help secure their systems. However, a ‘black-hat’ hacker is the opposite and will use his or her skills to commit cybercrimes, typically to make a profit. In between are hackers known as ‘grey-hat’ hackers, who will search for vulnerable systems and inform the company but will hack without permission.
Tools of the raid trade

Ethical hacker Peter Wood, founder of penetration-testing vendor First Base Technologies, specialises in Windows networks and social engineering. His first ‘packet sniffing’ exercise was in 1978, when he worked with defence corporation Raytheon, and later tested IBM’s network systems. The choice of tools depends on the task, says Wood, but when testing a corporate Windows network he will use Hyena – a program designed for Windows admins – and the programs fgdump and SAMInside for Windows password-cracking. He adds that the program Core Impact is ideal for running exploits as it creates a solid audit trail.
PROFILES IN PROBITY: TEN TYPES OF CYBER HACKER

The basic definition of a hacker is someone who breaks into computer networks or personal computer systems either for a challenge or to gain profit.

1. White-hat. A ‘white-hat’ hacker, also referred to as an ethical hacker, is someone who has non-malicious intent whenever breaking into security systems. The majority of white-hat hackers are security experts, and will often work with a company to legally detect and improve security weaknesses.

2. Black-hat. A ‘black-hat’ hacker, also known as a ‘cracker’, is someone who hacks with malicious intent and without authorisation. Typically the hacker wants to prove his or her hacking abilities and will commit a range of cybercrimes, such as identity theft, credit card fraud and piracy.

3. Grey-hat. As the colour suggests, a ‘grey-hat’ hacker is somewhere between white-hat and black-hat hackers, as he or she exhibits traits from both. For instance, a grey-hat hacker will roam the Internet in search of vulnerable systems; like the white-hat hacker, the targeted company will be informed of any weaknesses and will repair them, but like the black-hat hacker the grey-hat hacker is hacking without permission.

4. Blue Hat. External computer security consulting firms are employed to bug-test a system prior to its launch, looking for weak links which can then be closed. Blue Hat is also associated with an annual security conference held by Microsoft where Microsoft engineers and hackers can openly communicate.

5. Elite hacker. These types of hackers have a reputation for being the ‘best in the business’ and are considered the innovators and experts. Elite hackers used an invented language called ‘Leetspeak’ to conceal their sites from search engines. The language meant some letters in a word were replaced by a numerical likeness or by other letters that sounded similar.

6. Hacktivist. Someone who hacks into a computer network for a politically or socially motivated purpose. The controversial word can be construed as cyber terrorism, as this type of hacking can lead to activities ranging from non-violent to violent. The word was first coined in 1996 by the Cult of the Dead Cow organisation.

7. Script kiddies. Amateur hackers who follow directions and use scripts and shell codes from other hackers without fully understanding each step performed.

8. Spy hackers. Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics to hacktivists, but their only agenda is to serve their client’s goals and get paid.

9. Cyber terrorists. These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber terrorists’ ultimate motivation is to spread fear and terror and to commit murder.

10. Mobile hackers. These days individuals store everything on their mobile phones, from personal information such as contact numbers and addresses to credit card details. For these reasons mobile phones are increasingly becoming attractive to hackers-on-the-hoof, either by hacking faulty mobile chips or point-to-point wireless networks, such as Bluetooth.

Sources: E&T, McAfee/Robert Siciliano, Wikipedia

Cyber security issues change every day – new viruses, new malware, new ways to crack through even the most robust online defences. The ‘threat landscape’ has grown out from simple password breaking, viral infection, and the exploitation of weaknesses in online access safeguards, through to cyber-espionage, data asset theft, and denial of service (DoS) attacks. Add to this the proliferating problem of ‘hacktivism’ – the deployment of hacking techniques as a means of protest to promote political ends.

As well as the external baddies, organisations of all kinds are continually challenged to adopt emerging digital information technologies, such as bring your own device (BYOD) and cloud computing, which bring their own security issues. Now, however, businesses are facing increasingly accurate and sophisticated attacks. Despite spending millions implementing firewalls, anti-virus/anti-malware software, hardware firewalls, and data protection applications, there are still flaws in many organisations’ IT security perimeters, and it’s not necessarily the fault of the security technology. This has resulted in companies employing ethical hackers to perform penetration tests and vulnerability scans and to identify the unknown. Ethical hackers may be deployed to look for vulnerabilities from both inside and outside an organisation: covert cyber criminals can pass themselves off as bona fide employees to conduct their nefarious ends from within corporate premises.
Hacker history

In 1974, the Multics (Multiplexed Information and Computing Service) operating system was renowned as the most secure OS available. The United States Air Force organised an ‘ethical’ vulnerability analysis to test the Multics OS and found that, though the system was better than other conventional ones, it still had vulnerabilities in hardware and software security.

As companies begin to employ ethical hackers, the need for IT specialists with accredited skills is growing, but ethical hackers require support too. Shortly after the 11 September 2001 terrorist attacks on the World Trade Center, Jay Bavisi and Haja Mohideen co-founded the International Council of Electronic Commerce Consultants (EC-Council), a professional body that aims to assist individuals in gaining information security and e-business skills.

Government institutions have recognised the benefits of using ethical hackers; the problem is where to find them. In 2011, UK intelligence agency GCHQ launched ‘Can You Crack It?’, an online code-breaking challenge with the aim of recruiting ‘self-taught’ hackers to become the next generation of cyber security specialists. Early in 2012 GCHQ also unveiled a cyber-incident response (CIR) pilot scheme. This initiative, launched by the agency’s Communications-Electronics Security Group (CESG) and the Centre for Protection of National Infrastructure (CPNI), will provide a range of support, from tactical, technical mitigation advice to guidance on the use of counter-measures, to improve the quality of security within the public sector and critical national infrastructure organisations.

At present, data-intelligence provider BAE Systems Detica and security providers Cassidian, Context IS, and Mandiant have been selected by CESG and CPNI to work in partnership to provide support. A GCHQ spokesperson revealed that neither GCHQ nor CPNI has incurred any additional costs in establishing the scheme, but in line with other certification schemes they will charge an annual certification fee when the CIR scheme is launched in 2013.

“We certify ‘ethical hacking’ companies ourselves to undertake penetration testing of government IT systems, and work with industry schemes CREST and TIGER in setting the right standards for these companies to work to,” adds a GCHQ spokesperson.
How ethical is ‘ethical’?

Even though more enterprises are actively recruiting ethical hackers, for some there remains a hesitation when it comes to letting a licensed attacker loose on corporate information systems. According to the report ‘When is a Hacker an “Ethical Hacker” – He’s NOT’ by AlienVault’s research engineer Conrad Constantine, an ‘ethical’ hacker simply does not exist, and it is the contradictory job title that is the problem.

“The term ‘ethical’ is unnecessary – it is not logical to refer to a hacker as an ‘ethical hacker’ because they have moved over from the ‘dark side’ into ‘the light’,” Constantine argues. “The reason companies want to employ a hacker is not because they know the ‘rules’ to hacking, but because of the very fact that they do not play by the rules.”
[Photo caption] Spying tonight: early in 2012 GCHQ also unveiled a cyber-incident response (CIR) pilot scheme.

STEP-BY-STEP DEFINITION: WHAT EXACTLY IS A ‘PENETRATION TEST’?

A stylised, high-level overview of the Trustwave SpiderLabs application penetration testing methodology. It highlights the iterative nature of an assessment, and that successful delivery is dependent almost entirely on the manual security testing expertise and experience of the penetration tester(s). Furthermore, it is important to understand that the consulting/professional services wrapper (alerting, reporting and debrief elements) around the technical delivery expertise is key to ensuring that the client is best equipped to fully understand what the business impact of each identified security issue is, and ultimately how best to prioritise, plan and action the resultant remediation activities.

[Flowchart: only the node labels survive extraction. Start assessment; Target gathering; Public records search; Client-provided information; Compromise? (no/yes); Alert client on high or critical; Manual testing; Reporting; Session analysis; Application mapping; Logic and fraud abuse; Issue identification; Vuln. confirmation; Automated tools; Data extraction; Final report/close-out call; End assessment.]

Constantine adds: “Some hackers would argue that they’re not criminals, but activists. Others would say that they’re just rebellious in the way they think about technology and have a duty to highlight an organisation’s poor security. My personal view is that we need people who are willing to stand up and challenge authority – in so doing, does that then make them ethical? I don’t see why it should, it is still hacking – end of argument.”
Supporting this, Faronics project management vice president Dmitry Shesterin asks: “Have you ever heard of an ethical hacker that has started off as an ethical hacker? I have not.”

“Experts do not typically adhere to textbook coding practices, and can uncover problems, vulnerabilities, or business practices of varying shades of ‘ethical’ – something they were not supposed to uncover,” adds Shesterin. “So the concern often remains, how ethical is an ethical hacker?”
Turning tables

Despite this, the common belief among many at-risk companies is that ‘to outwit a hacker, you need to hire one’. With so much at stake, even technology providers are turning to those with hacking skills to find the flaws in their products and fix them before the baddies are able to exploit them.

Twenty-three-year-old George ‘GeoHot’ Hotz gained notoriety in 2007 when he became the first person to ‘jailbreak’ Apple’s iPhone by creating a program that enabled iPhone users to modify their devices to run on other carrier networks, despite AT&T having an exclusive deal with Apple. Two years later Hotz cracked Sony’s PlayStation 3 games console, giving him access to the machine’s processor, which helped gamers to amend their game consoles and run unapproved applications and pirated games. However, despite his reputation, social networking giant Facebook hired him, and he is reported to be engaged in building an anti-hacker defence programme.

Earlier this year social networking site Twitter experienced a hacking mishap of its own, in which more than 55,000 Twitter usernames and passwords were released. Since then it has recruited former Apple device hacker Charlie Miller into its security team. Miller is renowned for being the first to find a bug in Apple’s MacBook Air, as well as for discovering a security hole in Apple’s iOS software which enabled applications to download unsigned code that was added to apps even after they had been approved. When Miller tested and proved this, he was later dismissed from Apple’s developer program.

Cybercriminals are adept at finding vulnerability anywhere, and though no known attacks have occurred, the health industry is also a target. McAfee employed hacker Barnaby Jack to break into cars and develop anti-virus products to prevent car computer malware. Jack’s latest stunt involved hacking into and shutting down a wireless insulin pump, upon which diabetics are reliant to dispense the hormone into the body. Jack is best known for hacking into cash machines and making them eject money at a Black Hat computer security conference in Las Vegas in 2010. In October he left McAfee and returned to computer security firm IO Active, where he initially served in the role of director of security testing.
Breaches become the norm

Security vendor Faronics revealed findings from its ‘State of SMB Cyber Security Readiness’ survey about the motivations behind companies investing in data defences and security. On behalf of Faronics, the Ponemon Institute surveyed 544 IT experts from SMEs – 58 per cent of whom were at supervisor level or higher, and all of whom were familiar with their organisation’s security mission. It found 54 per cent of respondents had experienced at least one data breach in the last year, and 19 per cent had experienced more than four.

“As well as raising awareness of cybercriminal tactics, organisations must consider a more holistic approach to security,” says Faronics vice president Dmitry Shesterin. “They cannot afford to rely solely on traditional solutions, such as anti-virus. Today’s threats are just too sophisticated.”

However, Shesterin adds, availing oneself of the services of an ethical hacker has its drawbacks. “Contracting an ethical hacker will virtually always uncover a vulnerability, but dealing with that vulnerability might prove extremely expensive,” he cautions. “Some businesses are simply not prepared to deal with the findings, and would rather not know themselves to maintain plausible deniability.”
The ‘ethical professional’

Trustwave, a data security vendor, assists small and medium-sized businesses with managing compliance and securing network infrastructure, data communications and critical information assets. Within Trustwave, a security team called SpiderLabs focuses on application security, incident response, penetration testing and threat intelligence.
[Photo caption] Charlie Miller: Apple bug finder general

‘Some businesses are not prepared to deal with the findings of an ethical hacker’ – Dmitry Shesterin, Faronics

COMPANY PROFILE: FIREBRAND TRAINING CERTIFIED ETHICAL HACKER

UK-based Firebrand Training offers a ‘boot-camp’ style approach to gaining a professional certification in various IT and management computer courses. Courses are scheduled every month, each with an average capacity of 15 students. Firebrand has certified 150 ethical hackers a year since it started running the courses in 2001.

In particular, Firebrand Training is accredited by the EC-Council to run a range of Certified Ethical Hacking (CEH) training programmes. Richard Millett, product lead and senior instructor at Firebrand, explains that the CEH course gives an insight into the methodologies and tools used by the hacking community, and the guiding concept is that “if you understand how the bad guys get in you can take the appropriate steps to kick them out”.

The CEH course places more of an emphasis on techniques and methodologies and aims to certify a student in just five days. The course covers 19 modules, starting with an introduction to ethical hacking, and then moving on to footprinting and reconnaissance, scanning networks, enumeration, system hacking, trojans and backdoors, viruses and worms, sniffers, social engineering, denial of service, session hijacking, hacking web servers, hacking web applications, SQL injection, hacking wireless networks, evading IDS, firewalls and honeypots, buffer overflows, cryptography and penetration testing.

The official course material is updated every 18 months, and when new attack methodologies and trends come to light, Firebrand will implement them and incorporate practical exercises into the course. Firebrand instructors remain in contact through the use of email and forums such as LinkedIn. The customer and sales departments also maintain contact to announce course updates and new products.

The course provides group and one-to-one instruction, hands-on labs, group and independent study, plus question and answer opportunities. However, Firebrand stipulates that prospective student applicants should ideally have at least two years’ IT experience, a strong knowledge of specific technologies such as TCP/IP and Windows Server (NT, 2000, 2003, 2008), and a basic familiarity with Linux and/or Unix.

All CEH students must agree to sign a legally-binding non-disclosure agreement (NDA) before they are allowed to start the course. The NDA states that students must “not use the newly acquired skills for illegal or malicious attacks and you will not use such tools in an attempt to compromise any computer system”. However, Firebrand Training’s NDA is the only formal undertaking to prevent students from then going on to become black-hatters; it is down to them to remain fully ethical.

The course is based upon the practical side of securing networks in the workplace and gives a broad overview of what skills and knowledge are important to have. Students who want to continue developing move on to other certifications such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) on the management path, or look at professional penetration testing and pursue qualifications such as those of the Council of Registered Ethical Security Testers (CREST) and TIGER.

The main driver for students who enrol is to learn and practise the practical side of IT security, playing with the software tools and learning the methodologies of the hacker. “They have aspirations that include mastering as many aspects of computer security as possible and taking that knowledge back to the workplace to make their own networks secure,” adds Firebrand’s Richard Millett. The course includes 12-hour training days, course materials, exams, and accommodation; students who do not pass first time round can train again for free, and only pay for accommodation and exams.

[Photo caption] Richard Millett, senior instructor at Firebrand

Director of Trustwave’s SpiderLabs security team John Yeo has several years’ experience as a security consultant. He describes his background as typical: “As a youth I was obsessed with technology… Yes, you could say I was a bit of a geek, but that’s the standard profile of anyone that ends up in [the IT security] industry.”

The computer science graduate adds: “I just want to put that out there, because it is just as important as any formal education. There is an element of creativity to the mindset that’s required, because it’s not just about knowing the technical hows and whys, there is a problem-solving mentality required, you have to think outside the box.”
Yeo claims that two of the things lacking in the IT security testing industry are a professional standards and ethics body and specialist training in the skills required for penetration testing. “Training courses aren’t necessarily perceived as the most valuable thing by active practitioners; instead it’s learning through doing. That’s how you get into the industry.”
Trustwave’s 2012 Global Security Report is based on data from real-world investigations researched in 2011 by SpiderLabs. It revealed that only 16 per cent of companies self-detected data compromises, which suggests organisations aren’t capable of detecting breaches; the remaining 84 per cent of organisations relied on regulators, law enforcement, third parties and even the public to inform them of incidents.

On average, SpiderLabs performs 2,200 penetration tests a year, and finds a range of high-risk problems, reports John Yeo. When a breach occurs, incident response investigations are performed to discover if private information has been exposed. SpiderLabs uses a ‘sniper forensics’ methodology: first containing the breach by shutting down what the hacker has done, and secondly investigating what information was exposed and how it was done. The average length of time from intrusion to detection in SpiderLabs’ incident response caseload is around six months, but in some cases cybercriminals have gone undetected for many years.

He explains that the problems start with a naïve perception among companies wanting to stay ahead by adopting new technologies, such as BYOD and cloud and mobile applications. Furthermore, many organisations are outsourcing to third-party companies who may not take security seriously. In 75 per cent of the 330 cases SpiderLabs investigated, a third party was responsible for a major incident.

Yeo heads a team of skilled ethical hackers, and the size of the team varies according to the incident. “Honestly, it is one of the best jobs in the world, from a camaraderie perspective it’s amazing,” says Yeo. “If one person finds an interesting technical problem, the whole team chips in to solve it, it’s a good feeling.”

[Photo caption] George ‘GeoHot’ Hotz: iPhone cracker king