7/27/2019 Ethical Haking Goo Bad

1/6

4 I N F O R M A T I O N T E C HN O L OG Y SECURITY

Hacking the role model:in the film 'H ellboy' theeponymous superherois a demonic creaturerecruited as a defender ofgood against the unseenforces of darknessNASTY, EVIL, devious, manipulative;adjectives commonly planted in front the fight ag ainst online threa ts. In generalterms, ethical hackers are authorised to even b e looking over th e hacker's shouldbut often they a re n o t , and knowledge of

7/27/2019 Ethical Haking Goo Bad

2/6

r this reason it is impossible to group alla comprehensive category.ethical hacker, also referred t o a s a

There's more online,,.Terrorism's invisibie propaganda networkhttp://bit.ly/eandt-terror.'networkGCHQ's drive to recruit newspieshttp://bit.ly/eandt-GCHQspiesCyber-terrorism concerns growinghttp://bit.ly/eandt-cyber-terrorismPROFILES IN PROBITYTEN TYPES O F CYBER HACKERT h e bas ic definition for a hacker issomeone w h o breaks into computernetworks or person al computer system seithe r for a challenge or to gain profit.

1hite-hat A 'white-hat' hacker, alsoreferred to as an ethical hacker, issomeone w h o has non-maliciousintent when ever breakin g into securitysyste ms . The majority of white-hat hac kersare security experts, an d will often workwith a company to legally detect an dimprove security weakne sses.2Black-hat A'black-hat' hacker, alsoknown as a 'cracker', is someonew h o hacks with malicious intentand w ithout a uthorisation. Topicallythe hacker wants to prove h is or herhacking abilities and will commit arange of cybe rcrimes, such a s identitytheft, credit card fraud and piracy.3rey-hat Like the colour suggests a'grey-hat' hacke r is somewherebetw een w hite-hat and black-hathackers, a s he o r she e xhibits traits fromboth. F o r instance, a grey-hat hacker willroam t h e Internet in search of vulnerablesystems; like the white-hat hacker, thetargeted company will be informed of a n yweaknesses and will repair it , bu t like theblack-hat hacker the grey-hat hacke r ishacking without perm ission.4Blue H at External computersecu rity consulting firms areemployed to bug-test a system priort o i t s launch, looking for weak links whichcan then be closed.Blue H a t i s alsoassociated with an annual securityconference held b y Microsoft whereMicrosoft eng inee rs and hack ers canopenly communicate.5lite hack er These types of hackershave a reputation for being the 'bes ti n t h e business' and are considereda s the irmovators and exp erts. Elitehackers used a n invented language called'Leetspeak' to con ceal their sites from

search engines.The language meant someletters in a word were rep laced by aniumerical liken ess or othe r letter s thatsound ed similar.6Hacktivist Someone w h o hacks intoa computer network, for a politicallyor socially motivated pu rpose.T hecontroversial word can be constructed ascyber terrorism a s this type of hacking canlead to non-violent to violent a ctivities. Theword w a s first coined i n 1 9 9 6 by the Cult ofthe Dead C o w organisation.2

Script kid dies Amateur hacker whofollows directions and uses scriptsand shell codes from other hac kersan d uses them without fully und ersta nd ingeach step performed.8p y hackers Corporations hirehackers to infiltrate the com petitionand steal trade secrets. Theym a y hack in from t h e outside or gainemployment in order to act as a mole.S p y hack ers may use similar tactics ashacktivists, but their only agenda is toserve their client's goals and g et paid.9Cyber terrorists These hackers,generally m otivated b y religious orpolitical beliefs, attemp t to createfear and chao s by disrupting criticalinfrastructures. C yber terrorists are b y farthe most dan gerous, with a wide range ofskills and goals. C ybe r Terrorists' ultimatemotivation i s t o sprea d fear, terror andcommit murder.Mobile hackers These daysindividuals store eve rything ontheir mobile phones, fromperso nal information such a s contactnumbers and addresses to credit carddetails. F o r these reasons mobile pho nesare increasingly beco ming attractive tohackers-on-the-hoof, either b y hackingfaulty mob ile chips or po int-to-pointVTireless networks, such a s Bluetooth.Sources: E & T , McA fee/ RobertSiciliano, Wikipedia

as 'grey-hat' hackers, w h o will search forvulnerable systems and inform the companybut will hack without permission.Tools of the raid tradeEthical hacker Peter Wood, founder ofpenetration-testing vendor First BaseTechnologies, specialises in Windowsnetworks and social engineering. Hisfirst 'packet sniffing' exercise w a s in 1978 ,when h e worked with defence corporationRaytheon, and later tested IBM's networksystems. T h e choice of tools used dependon the task, says Wood, but when testinga corporate Windows network h e will use

crack through even the most robust onlinedefences. The 'threa t landscape' has growno u t from simple password breaking, viralinfection, and the exploitation of weaknessin online access safeguards, through tocyber-espionage, data asset theft, and denialof service ( D o S ) attacks. Add to this theproliferating problem of 'hacktivism' - thedeployment of hacking techniques as ameans of protest to promote political ends.A s well a s the externa l baddies,organisations of all kinds are con tinuallychallenged to adopt emerging digitalinformation technologies, such a s bringyour o w n device (BYOD) and cloud

7/27/2019 Ethical Haking Goo Bad

3/6

6 I N F O R M A T I O N T E CH N O LO G Y SECURITY

< stillflaws n many organ isations' ITsecurity perime ters, and it's not necessarilythe fault of the security technology This ha sresulted in companies employing ethicalhackers to perform penetration tests,vulnerability scans and identifying theunknown. Ethical hackers may be deployedto look for vulnerabilities from both insideand outside an organisation: covert cybercriminals can pass themselves off as bonafide employees to conduct their nefariousends from w ithin corporate premises.Hacker historyIn 1974, the Multics (MultiplexedInformation and Computing service)operating systems were then renowned asthe most secure OS available. The UnitedStates Air Force organised an 'ethic al'vulnerability analysis to test the MulticsOS and found that, though the systemswere better than other conventionalones, they still had vulnera bilities inhardw are and software security.As companies begin to employ ethicalhackers, the need for IT specialists withaccredited skills is growing, but ethicalhackers req uire support too.Shortlyafter the 11 September 2001 terroristattacks on the World Trade Center, JayBavisi and Haja Mohideen co-foundedthe Interna tional Council of Electronic

Commerce Consu ltants (EC-Council),a professional body that aims to assistindividuals in gaining informationsecurity and e-business skills.Government institutions have recognisedthe benefits in using ethical hackers; theproblem is where to find them. In 2011, UKintelligence agency GCHQ launched 'CanYou Crack It?', an online code-breakingchallenge in the aim to recruit 'self-taught'hackers to become the next generation ofcyber security specialists. Early in 2012GCHQ also unveiled a cyber-incidentresponse (CIR) pilot scheme. This initiativelaunched by the agency's Comm unications-Electronics Security G roup (CESG) and theCentre for Protection of NationalInfrastructure (CPNI), will provide a rangeof support from tactical, technicalmitigation advice to guidance on the use ofcounter-measures to improve the q uality ofsecurity w ithin the public sector and criticalnational infrastructure organisations.At present, data-intelligence providerBAE Systems Detica and security providersCassidian, Context IS, and M andiant havebeen selected by CESG and CPNI to work inpartnership to provide support. A GCHQspokesperson revealed both GCHQ andCPNI have not incurred any additionalcosts in establishing the scheme, but inline with other certification schemes they

will charge an an nual ce rtification feewhen the CIR scheme is launched in 201"We certify 'ethical hacking ' companourselves to undertake p enetration testgovernment IT systems, and work withindustry schemes CREST and TIGER insetting the right standa rds for thesecompanies to work to," adds a GCHQspokesperson.How ethical is 'ethical'?Even though more enterprises are activrecru iting ethical hackers, for some theremains a hesitation when it comes fromletting a licensed attacke r loose on corpinformation systems. According to the 'When is a Hacker an "Ethical Hacker"- He's NOT' by AlienVault's res earchengineer Conrad Constantine, an 'ethichacker simply does not exist, and it is thcontradictory job title that is the proble"The term 'ethical' is unnecessary - inot logical to refer to a hacker as an 'ethhacke r' because they have moved over fthe 'dark side' into 'the light'," Constantargues. "The reason companies want toemploy a hacker is not because they kno'rules' to hacking, but because of the vefact that they donot play by the rules. "Constantine adds: "Some hackerswould argue that th ey're not crim inals,but activists. O thers would say that

7/27/2019 Ethical Haking Goo Bad

4/6

the way theyabout technology and have a duty toy personal view is that we need peopleo are willing to stand up and challenge- in so doing, does that then m akeI don't see why it should,is still hackin g- end of argument."Supporting this, Faronics projectvice president Dm itryasks: "Have you ever heardt has startedas an ethical hacker? I have not.""Experts do not typically adhere tocoding practices, and can uncover

of varying shades of 'ethical' -were not supposed to" adds Shesterin. "So the concernremains, how ethical is an ethical

this, the common belief amongis that 'to outwityou need to hire one'. With sostake, even technology provide rsto those with hacking skills toflaws n their products and fix themore the baddies are able to exploit them.Twenty-three year-old George 'GeoHot'gained notoriety in 2007 when hethe first person to 'jailbreak' Apple'sby creating a program that enabledto modify the ir devices to ru ner networks, despite AT&Texclusive deal with Apple. Two

'Some businesses are notprep ared to deal with thefindings of an ethical hack er'Dmitry Shesterin,Faronics

and is reported to be engaged on buildingan anti-hacker defence programm e.Earlier this year social networking siteTwitter experienced a hacking mishap of itsown where more than 55,000 Twitterusernames and passwords were released.Since then it has recruited former Appledevice hacker Charlie Miller into its securityteam. Miller is renowned for being the first tofind a bug in Apple's MacBook Air, as well asfor discovering a security hole in Apple's iOSsoftware which enabled applications todownload unsigned code which was added toapps even after it had been approved. WhenMiller tested and proved this, he was laterdismissed from Apple's developer p rogram.Cybercriminals are adept at findingvulnerability anywhere, and though noknown attacks have occurred, the healthindustry is also a target. McAfee employedhacker Barnaby Jack to break into cars anddevelop anti-virus p roducts to prevent carcomputer malware. Jac k's latest stuntinvolved hacking into and shutting down awireless insulin pump, upon which diabeticsare reliant to dispense the hormone into thebody. Jack is best known for hacking intocash machines and making them eject moneyat a Black Hat computer security conferencein Las Vegas in 2010. In October he leftMcAfee and re turned to computer securityfirm 10 Active, where he initially served inthe role of director of security testing.Breaches becom e the normSecurity vendor Faronics revealed findingsfrom its 'State of SMB Cyber SecurityReadiness' survey about the motivationsbehind com panies investing in data defencesand security. On behalf of Faronics,the Ponemon Institute surveyed 544 ITexpe rts from SMEs - 58 per cent of whichwere at supervisor level or higher andall were familiar with the organisation'ssecurity mission. It found 54 per cent ofrespondents have experienced at leastone data breach in the last year, and 19 percent have experienced more than four."As well as raising awareness ofcybercriminal tactics, organisationsmust consider a more holistic approach tosecurity " says Faronics vicepresident DmitryShester in. "They cannot afford to rely solelyon traditional solutions, such as anti-virus.Today's threats are just too sophisticated."

However, Shesterin adds, availing tothe services of an ethical hacker has itsdrawbacks. "Contracting an ethical hacker

STEP-BY-STEP DEFINITION

'PENETRATION TEST'?

ReportingFinal report/close outcall i

End assessmentA stylised, high-level overview of theTrustwave SpiderLabs applicationpenetration testing methodology. Ithighlights the iterative nature of anassessm ent, and that successful deliveryis dependent almost entirely on themanual security testing expertise andexperien ce of the penetration tester(s).Furthermore, it is important to understandthat the consulting/professional servic eswrapp er (alerting, reporting and debriefelements) around the technical deliveryexpertise is key to ensurin g that the clientis best equipped to fully und erstan d whatthe busines s impact of each identifiedsecurity issue is - and ultimately how bestto prioritise , plan and action the resultantremediation activities.

The 'ethical profes sional'Trustwave, a data security vendor isresponsible for ass isting small andmedium-sized businesses on how tomanage compliance and secure networkinfrastructure, data communicationsand critical information assets. Within

7/27/2019 Ethical Haking Goo Bad

5/6

I N F O R M A T I O N T E C HN O L OG Y SECURITY

i < describes his back ground as typical: "As a; youth I was obsessed with techno logy... Yes,I you could say I was a bit of a geek, but tha t'sI the standa rd profile of anyone th at ends upI in [the IT security] industry."I The com puter science grad uate adds: "Ii just w ant to put that out there , because it isi just as important as any formal education.I Ther e is an elemen t of cr eativity to theI mindset that 's required, because it 's not justI about know ing the technical hows and whys,I there is a problem-solving m entalityi required, you have think outside the box."i Y eo claims two of the thin gs lacking in theI IT secur ity testing indust ry is a professionali standa rds and e thics body, and a lack of\ specialist trainin g, in term s of skillsI required for penetrat ion tes t ing. "Trainingi courses ar en't nec essarily perceived as theI most valuable thing by active practitio ners ;i instead it 's learning through doing. That'si how you get into the in dus try "; Trustwave's 2 0 1 2 Global Securityi Repo rt is based on da ta from real-world: investigations researched in 2 0 1 1 byi SpiderLabs. It revealed only 16 per ce nt ofi com panies' self-detected data com promises,i which suggests organisations aren't capableI of detect ing breaches and the rem aining; 84 per cent of org anisatio ns relied onI regulatory, law enforcement, third-p artyi and even the public to inform the m ofI incidents.: On average, SpiderLabs perform s 2,200i pene tration tests a year, and finds a rang ei of high-risk problems reports John Y e o .i When a breach occurs, incident response\ investigations are performed to discover

COMPANY PROFILEFIREBRAND TRAINING CERTIHED ETHICAL HACKERUK-based Firebrand Training offers a'boot-camp' style approach to gaining aprofessional certification in various IT andmanagement computer courses. Coursesare scheduled every month, each with anaverage capacity of 15 students. Firebrandcertifies 1 5 0 ethical hackers yearly since itstarted running the courses in 2 0 0 1 .In particular. Firebrand Training isaccred ited by the EC-Council to run arang e of Certified Ethical Hacking (CEH)training prog ram me s. Richard Millett,product lead and senior instructor a tFirebrand, explains the C E H course givesa n insight into the methodologies and toolsused by the hacking community and theguiding concept is that "if y o u understandh o w t h e bad guys get in you can take theappropriate steps to kick them out".The C E H course has more ofan emphasis o n techniques andmethodologies and aims to certify astudent in just five days. The course covers19 modules, starting with an introduction toethical hacking, and then o n t o footprintingand reconnaissance, scanning networks,enumeration, system hacking, trojans andbackdoo rs, viruses and worms, sniffers,social engineer ing, denial of service ,session hijacking, hacking webs ervers,hacking w e b applications, SQ L injection,hacking wireless networks, evading I D S ,firewalls and hone ypo ts, buffer overflows,crytography and penetration testing.The official course material is updatedevery 18 months, and when new attackmethodologies and trends come to light.Firebrand will implement them andincorporate practical exercises into thecourse. Firebrand instructors remainin contact through th e use of email andforums such a s Linkedln.The customer an dsales departments also maintain contact toannounce course updates and newproducts.The course provides group andone-to-one instruction, hands-on labs,group and indep endent study, plusquestion and answer opportunities.However Firebrand stipulates thatprospective student applicants shouldideally have a t least tw o years' ITexperience, a strong know ledge of specifictechnolog ies such as TCP/IP, WindowsServer ( N T , 2000,2003,2008) and a basicfamiliarity with Linus and /or Unix.

A l l C E H students must agre e to sign alegally-binding non-disclosure agreement( N D A ) before they are allowed to start

the course.The N D A states that studenmust "not u s e the newly acquired skillsillegal or malicious attacks and you wiuse such tools in an attempt to comproany computer system' '. However FirebTraining's N D A i s the only formalundertaking to prevent stu dents fromthen going o n t o become black-hattersi t i s down to them to remain fully ethiccThe course is based upon thepractical side of securi ng networksi n t h e workplace and gives a broadoverview of what skills and know ledgeare important to have. Students w h owant to continue developing move onto other certifications such a s CertifiedInformation Systems Security Professi(CISSP) or Certified Information SecurManager (CISM) on the managem entpath or look a t professional penetratiotesting and pu rse qualifications suchas the C ouncil of Registered EthicalSecurity Testers (CREST) and TIGER.

T h e main driver for students w h o eni s t o learn and practice the practical siIT security, playing with the software tand learning the methodologies of thehacker. "They have aspirations that incmastering a s many aspects of com putesecurity a s possible and taking thatknowledge back to the workplace to mtheir o w n networks secure," add sFirebrand's Richard Millett. The co urseincludes 12-hour training days, coursematerials, exams, and accommodationstudents w h o do n o t pas s first time roucan train again for free, and only pay foaccommodation and exam s.

intrusion to detection from SpiderLabsincident response caseload is around sixmonths, but in some cases cybercriminalshave gone undetected for many years.seriously SpiderLabs identified 75 per cout of 33 0 cases investigated; a third parw a s responsible for a major incident.Y eo heads a team of skilled ethical

7/27/2019 Ethical Haking Goo Bad

6/6

Copyright of Engineering & Technology (17509637) is the property of Institution of Engineering & Technology

and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright

holder's express written permission. However, users may print, download, or email articles for individual use.