Friday 04 March 2011
This is a part of chapter "Security" of my forthcoming book "Infrastructure Architecture". Please feel free to comment using my email address stated in the right column of this website.
Ethical hacking is attacking a system in various ways on request of the owner of the system, and within the law. The goal is to find vulnerabilities in the system before real hackers find and exploit them. In the IT infrastructure realm two ways of ethical hacking are relevant: hardening checks and penetration tests.
I think it should be a company's policy to do a hardening check and/or a penetration test for each and every new infrastructure component that is to be placed into production. A hardening check is an active analysis of the system for vulnerabilities resulting from bad system configuration and operational weaknesses in process or technical countermeasures. In practice a hardening check consists of checking if various services or daemons are switched off, IPSec is used, no default login accounts are used, a firewall is used; all patches are applied, etc. This is a check on the "inside" of an infrastructure component. This check can be done using a checklist of things that need to be configured on a system, based on the identified risk.
A penetration test checks the outside of the infrastructure component. Which TCP/UDP ports are open, can the system be overloaded, is the system vulnerable to SQL-injection or cross-site scripting, etc. A penetration test (also known as pentest) is a method of evaluating the security of a system by simulating an attack from a malicious source. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered.
Usually ethical hackers are hired by the company to perform pentests. At the start of the pentest the scope of the pentest must be made very clear. The potential impact on the organization must be clear and the hacker must have official clearance to perform the hack test from the highest level management of the organization (on paper!). Pentesters use a myriad of tools and much experience. Most of the used tools are available from the Internet usually in the form of open source software. Pentests can be performed from the internal network or from the Internet. Often used techniques include:
- War dialing (dialing all phone numbers in the range of the company to see if a modem answers and then try to hack the modem connection)
- Password cracking (brute force or intelligent guessing)
- Sniffing the IP network for information Using sources of information on the internet (phone numbers, used equipment, usernames) or intranet (IP addresses)
- Use of a password used on Gmail as well as on the corporate network
- Open or badly secured wifi access points (which can be hacked from the parking lot – the hacker does not even have to enter the building)
These tests should not be done by the company’s system administrators, but by security professionals, preferably from an external company. The results should be documented in a report with non-compliances and tips to resolve them. Systems should only be allowed in production after a hardening check and pentest. If changes are made to the infrastructure, these tests must be repeated. I think too few companies implement this strategy today.
It takes time, slows down implementations, and costs money. I know. But systems usually will be in production for many years. Making sure the system has a secure start is the least one can do.