Ethical hacking: bad in a good way

More and more organisations are being targeted in cyber-attacks, and they must get to know their enemy if they are to protect vital networks. Meet the professional, ethical hacker.

Nasty, evil, devious, manipulative: adjectives commonly planted in front of the term 'hacker'. But stick the word 'ethical' in front of it, and you may just have struck on a useful concept. Of course, 'ethical hacker' sounds like an oxymoron: how can such a disruptive, destructive coder ever lay claim to a code of ethics?

With the rise of cyber-crime, ethical hacking has become a powerful strategy in the fight against online threats. In general terms, ethical hackers are authorised to break into supposedly 'secure' computer systems without malicious intent, but with the aim of discovering vulnerabilities in order to bring about improved protection.

Sometimes the local IT managers or security officers in an organisation will be informed that such an attack – usually called a 'penetration test' – is to take place, and may even be looking over the hacker's shoulder; but often they are not, and knowledge of an attack is confined to very senior personnel, sometimes even just two or three board members. Some ethical hackers work for consultants; others are salaried staffers, who conduct a scheduled programme of hacks on a regular basis.

A number of specialisms exist within the general discipline of ethical hacking; for this reason it is impossible to group all 'hackers' into a single comprehensive category. An ethical hacker, also referred to as a 'white-hat' hacker or 'sneaker', is someone who hacks with no malicious intent and assists companies in securing their systems. A 'black-hat' hacker is the opposite and will use his or her skills to commit cybercrimes, typically to make a profit. In between are 'grey-hat' hackers, who will search for vulnerable systems and inform the company, but who hack without permission.

Tools of the raid trade

Ethical hacker Peter Wood, founder of penetration-testing vendor First Base Technologies, specialises in Windows networks and social engineering. His first 'packet sniffing' exercise was in 1978, when he worked with defence corporation Raytheon; he later tested IBM's network systems. The choice of tools depends on the task, says Wood, but when testing a corporate Windows network he will use Hyena, a program designed for Windows admins, and the programs fgdump and SAMInside for Windows password-cracking. He adds that Core Impact is ideal for running exploits as it creates a solid audit trail.

Cyber security issues change every day – new viruses, new malware, new ways to crack through even the most robust online defences. The 'threat landscape' has grown out from simple password breaking, viral infection, and the exploitation of weaknesses in online access safeguards, through to cyber-espionage, data asset theft, and denial of service (DoS) attacks. Add to this the proliferating problem of 'hacktivism' – the deployment of hacking techniques as a means of protest to promote political ends.

As well as the external baddies, organisations of all kinds are continually challenged to adopt emerging digital information technologies, such as bring your own device (BYOD) and cloud computing, which bring their own security issues. Now, however, businesses are facing increasingly accurate and sophisticated attacks. Despite spending millions implementing firewalls, anti-virus/anti-malware software, hardware firewalls, and data protection applications, there are still flaws in many organisations' IT security perimeters, and it is not necessarily the fault of the security technology. This has resulted in companies employing ethical hackers to perform penetration tests and vulnerability scans and to identify the unknown. Ethical hackers may be deployed to look for vulnerabilities from both inside and outside an organisation: covert cyber criminals can pass themselves off as bona fide employees to pursue their nefarious ends from within corporate premises.

Hacker history

In 1974, the Multics (Multiplexed Information and Computing Service) operating system was renowned as the most secure OS available. The United States Air Force organised an 'ethical' vulnerability analysis to test Multics and found that, though the system was better than other conventional ones, it still had vulnerabilities in hardware and software security.

As companies begin to employ ethical hackers, the need for IT specialists with accredited skills is growing, but ethical hackers require support too. Shortly after the 11 September 2001 terrorist attacks on the World Trade Center, Jay Bavisi and Haja Mohideen co-founded the International Council of Electronic Commerce Consultants (EC-Council), a professional body that aims to assist individuals in gaining information security and e-business skills.

Government institutions have recognised the benefits of using ethical hackers; the problem is where to find them. In 2011, UK intelligence agency GCHQ launched 'Can You Crack It?', an online code-breaking challenge aimed at recruiting 'self-taught' hackers to become the next generation of cyber security specialists. Early in 2012 GCHQ also unveiled a cyber-incident response (CIR) pilot scheme. This initiative, launched by the agency's Communications-Electronics Security Group (CESG) and the Centre for the Protection of National Infrastructure (CPNI), will provide a range of support, from tactical, technical mitigation advice to guidance on the use of counter-measures, to improve the quality of security within the public sector and critical national infrastructure organisations.

At present, data-intelligence provider BAE Systems Detica and security providers Cassidian, Context IS, and Mandiant have been selected by CESG and CPNI to work in partnership to provide support. A GCHQ spokesperson revealed both GCHQ and CPNI have not incurred any additional costs in establishing the scheme, but in line with other certification schemes they will charge an annual certification fee when the CIR scheme is launched in 2013.

"We certify 'ethical hacking' companies ourselves to undertake penetration testing of government IT systems, and work with industry schemes CREST and TIGER in setting the right standards for these companies to work to," adds a GCHQ spokesperson.

How ethical is 'ethical'?

Even though more enterprises are actively recruiting ethical hackers, for some there remains a hesitation when it comes to letting a licensed attacker loose on corporate information systems. According to the report 'When is a Hacker an "Ethical Hacker" – He's NOT' by AlienVault's research engineer Conrad Constantine, an 'ethical' hacker simply does not exist, and it is the contradictory job title that is the problem.

"The term 'ethical' is unnecessary – it is not logical to refer to a hacker as an 'ethical hacker' because they have moved over from the 'dark side' into 'the light'," Constantine argues. "The reason companies want to employ a hacker is not because they know the 'rules' to hacking, but because of the very fact that they do not play by the rules."

Constantine adds: "Some hackers would argue that they're not criminals, but activists. Others would say that they're just rebellious in the way they think about technology and have a duty to highlight an organisation's poor security. My personal view is that we need people who are willing to stand up and challenge authority – in so doing, does that then make them ethical? I don't see why it should, it is still hacking – end of argument."

Supporting this, Faronics project management vice president Dmitry Shesterin asks: "Have you ever heard of an ethical hacker that has started off as an ethical hacker? I have not."

"Experts do not typically adhere to textbook coding practices, and can uncover problems, vulnerabilities, or business practices of varying shades of 'ethical' – something they were not supposed to uncover," adds Shesterin. "So the concern often remains, how ethical is an ethical hacker?"

Turning tables

Despite this, the common belief among many at-risk companies is that 'to outwit a hacker, you need to hire one'. With so much at stake, even technology providers are turning to those with hacking skills to find the flaws in their products and fix them before the baddies are able to exploit them.

Twenty-three-year-old George 'GeoHot' Hotz gained notoriety in 2007 when he became the first person to 'jailbreak' Apple's iPhone by creating a program that enabled iPhone users to modify their devices to run on other carrier networks, despite AT&T having an exclusive deal with Apple. Two years later Hotz cracked Sony's PlayStation 3 games console, giving him access to the machine's processor, which helped gamers to modify their consoles and run unapproved applications and pirated games. Despite his reputation, social networking giant Facebook hired him, and he is reported to be engaged in building an anti-hacker defence programme.

Earlier this year social networking site Twitter experienced a hacking mishap of its own, in which more than 55,000 Twitter usernames and passwords were released. Since then it has recruited former Apple device hacker Charlie Miller into its security team. Miller is renowned for being the first to find a bug in Apple's MacBook Air, as well as for discovering a security hole in Apple's iOS software which enabled applications to download unsigned code that was added to apps even after they had been approved. After Miller tested and proved this, he was dismissed from Apple's developer program.

Cybercriminals are adept at finding vulnerabilities anywhere, and though no known attacks have occurred, the health industry is also a target. McAfee employed hacker Barnaby Jack to break into cars and develop anti-virus products to prevent car computer malware. Jack's latest stunt involved hacking into and shutting down a wireless insulin pump, on which diabetics rely to dispense the hormone into the body. Jack is best known for hacking into cash machines and making them eject money at the Black Hat computer security conference in Las Vegas in 2010. In October he left McAfee and returned to computer security firm IO Active, where he had initially served as director of security testing.

Breaches become the norm

Security vendor Faronics revealed findings from its 'State of SMB Cyber Security Readiness' survey about the motivations behind companies investing in data defences and security. On behalf of Faronics, the Ponemon Institute surveyed 544 IT experts from SMEs, 58 per cent of whom were at supervisor level or higher, and all of whom were familiar with their organisation's security mission. It found 54 per cent of respondents had experienced at least one data breach in the last year, and 19 per cent had experienced more than four.

"As well as raising awareness of cybercriminal tactics, organisations must consider a more holistic approach to security," says Faronics vice president Dmitry Shesterin. "They cannot afford to rely solely on traditional solutions, such as anti-virus. Today's threats are just too sophisticated."

However, Shesterin adds, availing oneself of the services of an ethical hacker has its drawbacks. "Contracting an ethical hacker will virtually always uncover a vulnerability, but dealing with that vulnerability might prove extremely expensive," he cautions. "Some businesses are simply not prepared to deal with the findings, and would rather not know themselves to maintain plausible deniability."

The 'ethical professional'

Trustwave, a data security vendor, assists small and medium-sized businesses with managing compliance and securing network infrastructure, data communications and critical information assets. Within Trustwave, a security team called SpiderLabs focuses on application security, incident response, penetration testing and threat intelligence.

Director of Trustwave's SpiderLabs security team John Yeo has several years' experience as a security consultant. He describes his background as typical: "As a youth I was obsessed with technology. Yes, you could say I was a bit of a geek, but that's the standard profile of anyone that ends up in [the IT security] industry."

The computer science graduate adds: "I just want to put that out there, because it is just as important as any formal education. There is an element of creativity to the mindset that's required, because it's not just about knowing the technical hows and whys; there is a problem-solving mentality required, you have to think outside the box."

Yeo says two things the IT security testing industry lacks are a professional standards and ethics body and specialist training in the skills required for penetration testing. "Training courses aren't necessarily perceived as the most valuable thing by active practitioners; instead it's learning through doing. That's how you get into the industry."

Trustwave's 2012 Global Security Report is based on data from real-world investigations carried out in 2011 by SpiderLabs. It revealed that only 16 per cent of companies self-detected data compromises, which suggests organisations are not capable of detecting breaches; the remaining 84 per cent relied on regulators, law enforcement, third parties and even the public to inform them of incidents.

On average, SpiderLabs performs 2,200 penetration tests a year and finds a range of high-risk problems, reports John Yeo. When a breach occurs, incident response investigations are performed to discover whether private information has been exposed. SpiderLabs uses a 'sniper forensics' methodology: first containing the breach by shutting down what the hacker has done, then investigating what information was exposed and how it was done. The average length of time from intrusion to detection in SpiderLabs' incident response caseload is around six months, but in some cases cybercriminals have gone undetected for many years.

He explains that the problems start with a naive perception among companies wanting to stay ahead by adopting new technologies, such as BYOD and cloud and mobile applications. Furthermore, many organisations are outsourcing to third-party companies who may not take security seriously. In 75 per cent of the 330 cases SpiderLabs investigated, a third party was responsible for a major incident.

Yeo heads a team of skilled ethical hackers, and the size of the team varies according to the incident. "Honestly, it is one of the best jobs in the world; from a camaraderie perspective it's amazing," says Yeo. "If one person finds an interesting technical problem, the whole team chips in to solve it. It's a good feeling."

Further information

Download an E&T interview with Mohammed Naseer, Penetration Tester at Tranchulas Ltd, a training company for ethical hackers.