Have you ethically hacked your business network? SearchNetworking.com asked this question of our readers and found...
shocking results: More than half had not conducted a network penetration test -- and the reasons ranged from not knowing enough about network security to thinking ethical hacking was illegal! (The remaining respondents who had conducted a pen test found that unauthorized users were accessing their enterprise network, policies were being broken, and ports were left wide open.)
To clear up some misconceptions about ethical hacking and countermeasures, SearchNetworking.com interviewed enterprise network security expert Michael Gregg, author of Hack the Stack and Build Your Own Security Lab. Here he explains what ethical hacking is, how to get into ethical hacking, which ethical hacking tools are needed to conduct a network penetration test and more.
Were you surprised to find that 34.15% of our readers had ethically hacked their networks while 65.85%* said they never had? Why or why not? (*Statistical note: Of the "Have not ethically hacked my network" category, only 4.63% said that network penetration testing was not part of their job function. Even with this adjustment, 64% of respondents said that they had not ethically hacked their network.)
Michael Gregg: Yes and no. It seems that many times, as people, we are more reactive than proactive. My experience has shown that companies and individuals do not take security seriously until something bad happens. Should this number be higher? Yes, most certainly. Just consider that in the last few weeks, news reports have listed that the development work being done on the U.S. government's new joint strike fighter (JSF) has been compromised and that a hard drive sold on eBay contained top secret missile defense data. Also, the State of Virginia prescription monitoring program has potentially been hacked and lost more than 8 million records. The amount of data lost in just one of these attacks, JSF, is believed to have been several terabytes. We've got a long way to go to stay ahead of the people targeting our systems.
Exactly what is ethical hacking? To those new to the network security field, "ethical hacking" sounds like an oxymoron. Our readers (ranging from CIOs and CFOs to engineers and analysts) have said that upper management is not only skeptical of it, but thinks that any form of hacking is unethical. Can you give us some examples of ethical versus unethical hacking?
Gregg: Let's start with some definitions. The whole problem is the word "hacking." According to Whatis.com, "a good hack is a clever solution to a programming problem and 'hacking' is the act of doing it." In the early years of computing, the press deemed anyone breaking into computers to be a hacker. That is why terms like "ethical hacker," "penetration tester," and "red team" evolved. If you were to look at my company's website, Superior Solutions, Inc., the term you would see is "penetration test."
Now, on to your question. The big difference between hacking and ethical hacking is that an ethical hacker has written permission to target a company's website in specific ways. As an example, in one security assessment we performed early this year, we were provided with a range of network addresses and asked to identify what was connected to these addresses and what level of access we could obtain on any of these devices. The specific terms were laid out in a contract we both signed. An example of an unethical hack is GhostNet. According to an article published in The New York Times on March 28, 2009, there is a rather large spy system at work that has targeted government organizations and private businesses around the world. The article reported that at least 1,295 computers in 103 countries were successfully breached illegally.
Does every network need to be ethically hacked in order to be more secure?
Gregg: No, although what must be done is a structured risk assessment that addresses the following components:
- risk assessment
- policy development
- periodic audits
Is there anything that IT professionals can do or say to explain to upper management why ethical hacking is needed to secure an enterprise network?
Gregg: Sure. To start with, it's important to remind senior management that they are ultimately responsible. As an example, the Securities and Exchange Act requires all publicly held companies to keep accurate records and maintain internal control systems to safeguard assets. Failure to do so can result in fines of up to $10,000 and/or five years imprisonment.
What kind of knowledge or information is necessary to ethically hack a network? Do you need to take any courses or earn any certifications beforehand? Do you need to be a Certified Ethical Hacker (CEH)?
Gregg: Just as with any field, you need to have a level of expertise before marketing yourself as an ethical hacker. I have met many people who are self taught, but the best path is a degree in computer science or another computer-related field. Many people start in networking and move over to the IT security field as a type of natural progression. For these individuals, there are many security courses that can help fill in the gaps and many books to increase one's understanding. This is one of the reasons I wrote Build Your Own Security Lab. I was also very pleased to work with David Miller on Security Administrators Street Smarts, which has gone into its second edition.
More about ethical hacking
PDF: Introduction to ethical hacking, Chapter 1 of Ethical Hacking for Dummies
Q&A: Network security threats solved by risk management
Expert advice: How to select a penetration tester
Screencast: An intro to the Open Source Security Testing Methodology Manual (OSSTMM)
Who is responsible for penetration testing a network?
Gregg: Many large organizations use a team of insiders, while others hire outsiders such as my company (or many others) that perform such duties.
Is it better to ethically hack your network internally or to hire an external company? If you have the same tools, is one still better than the other?
Gregg: This all has to do with paradigms. My personal opinion is that outsiders -- unlike someone who interacts with the network on a daily basis -- have the ability to look at a network in a different light.
How much time should you allot (you or a team) to conduct a pen test? Is there a formula you can use to calculate how long a particular network will take to hack?
Gregg: There's no real magic formula. Most security assessments follow a structured methodology in that an initial meeting is held, an agreement is reached, and the assessment is performed. The assessment typically runs from three days to two weeks. Afterwards, a report is written and a meeting is held with the client to discuss the finding or findings. For those looking for a formula, I would suggest the Open Source Security Testing Methodology Manual (OSSTMM). The OSSTMM is a peer-reviewed methodology for performing security tests and metrics.
Which ethical hacking tools are necessary to conduct network penetration tests?
Gregg: Let me first rephrase the question by saying that a variety of tools are available to help verify the controls that have been implemented to protect an organization's valuable resources. Some of these tools require significant amounts of capital expenditures, while others are available at little or no cost. Backtrack is an example of a Linux distribution of penetration tools that is free for download.
What's the difference between pen testing a wired and a wireless network?
Gregg: The difference is primarily tools and technologies. One tool recently used in a wireless security assessment is Jasager, which, when coupled with a Fon router, makes a potent tool.
Can you stop in the middle of a network penetration test (and would this negatively affect results)?
Gregg: It is always possible that issues can arise that may cause a test to be suspended so that problems can [be] researched and resolved. There is always some element of risk when running penetration testing tools. As an example, Nessus is a well-known vulnerability assessment tool. Nessus supports dangerous plug-ins. These plug-ins can potentially crash a server. Dangerous plug-ins test for vulnerabilities by attempting to DoS (Denial of Service) a targeted server. While it's a good idea to check Internet connected servers, the resulting test could cause the server to crash and force the test to halt until the situation can be assessed.
Do you have any recommendations for successfully completing a pen test?
Gregg: A pen test is not just about finding problems, it is also about finding what the company is doing right and discovering ways to build on it. Many times, we find people in the targeted companies who have good ideas or who want to use techniques that have proved to be successful and broaden them. We work with these people to help them champion those ideas and expand their usage.