Ethical Hacks - Pay to break into an organisation
Good security practice seeks assurance that systems and protective measures are effective through programmes of ongoing review, audit and maintenance. A component of this involves performing self-assessment on the security in your organisation. This is as relevant to traditional physical security as it is to information security (of which, it should be noted, physical security is an important element). The last time you shook a door to ensure you had locked it, you were performing an audit activity. Looking beyond this, the security professional should develop strategies to test the whole gamut of security within their organization. There is little to be gained from well-secured computer systems in an insecure environment, such as on a desk in an unlocked room. Similarly, armoured fortresses housing poorly configured internet gateways would also amount to bad security. Remember, a false sense of security is worse than no security at all. At least with no security, you understand the risks (and can have a copy of your CV ready!). Audit activities help ascertain the real situation concerning an organisation's security.
How then, can the security professional conduct an adequate assessment of their own security posture, and whether they are a hard or a soft target for would-be attackers. Ethical hacking is one such avenue. By imitating the Black Hat (malicious) hacker's activities, the White Hat (law-abiding) hacker can perform the same activities as his adversary to find openings in a system or environment. Essentially, the ethical hacker is using the same tools (or arsenal) and/or knowledge as the 'bad guys'. The key difference, is that the ethical hacker is making intrusion attempts with the prior authorisation of system owners.
Critical to assessing your security is a policy of ensuring such assessments are performed in a realistic fashion. Generally, system administrators and security personnel are not made aware of the forthcoming test lest they pay greater attention than usual and invalidate the results - if someone knows a system is going to be broken into, they may watch it more closely or isolate it. They will not however have the same knowledge about an unauthorised attempt so this is not a true reflection of your security.
Sadly, within the information security marketplace there are a large number of vendors, organisations and individuals billing themselves as experts, when they really are not. As with many security products, the client needs to assign a certain level of trust to the vendor where they otherwise may not have a means of assessing them. Security films for windows are a good example. On appearance alone, it is difficult to tell the difference between a strong protection capability that would stop bullets and hold the glass together against determined intruders with pickaxes, versus a weak film that would be more appropriate for covering schoolbooks than glass. Without hurling a brick through the window however (which will probably break the glass if not the film layer) one can only rely on the guarantee by the vendor as to the capability of the product they have proposed selling you - and your own confidence that you have received what you actually paid for and there was no substitution in quality.
Where organisations choose to outsource specialist security work such as ethical hacking assignments, they need to understand the competence of the contractor. If an ethical hacking assignment returns a negative result - a clean bill of health, does this mean that the systems were relatively impenetrable? Or does it simply mean the tester was disinterested or insufficiently qualified and trained to achieve a break-in whereas a malicious hacker would not have the same difficulty - a false sense of security, and a waste of money in the first place.
Choosing a provider of infosec services depends on your own environment. A key indicator of experience is reviewing the CVs of whomever will be performing the work. Have they performed previous assignments of a similar nature to those your organisation is considering? Remember that small to medium enterprises may require wholly different approaches to large organisations. For example, infosec companies which cite experience in defence or corporate security may not be the ideal choice for other types of organisations and vice-versa. Similarly, small contractors however experienced (and often they are) may not have the required familiarity with operations in a banking or Government environment and the associated third-party legislative requirements this entails. In short, ensure that your provider has demonstrable experience in your field. This extends to specific technical expertise also. The world's greatest Unix hackers are of limited value when your environment is predominantly Microsoft based. More specific systems such as PABXs, access controllers or associated networking hardware pose their own challenges. You may even require separate providers to completely address your systems. Make sure you are aware of all your 'target' assets, and discuss these issues up front before awarding any engagement.
When you have identified potential candidates, ask to see the methodology they propose employing in the testing of your systems. If they are not readily forthcoming with a formal, well documented approach to the exercise give them a wide berth. Similarly, beware of companies or individuals touting their 'proprietary methodologies' in this field. Penetration testing, ethical hacking and vulnerability assessment methodologies are widely shared and as with any other field of research, developed through the collaborative effort of numerous experts in the field. The excellence with which practitioners perform activities are what separates professionals from amateurs, not the methodology they may use. Remember, most surgeons or auto-mechanics perform procedures which are identical and no secret to anyone in their field, yet some are much better than others.
In an earlier step, you ascertained which similar work they had performed, and how recently it was undertaken. You should ask to see copies of this. In general, such material will be 'sanitised' with information such as IP addresses or server details blanked or changed to protect the confidentiality of their client (names changed to protect the innocent) however the intent should be obvious. In particular, make sure the documents you read match the methodology claimed by the marketing material or tender documents. Certain unscrupulous providers have had methodologies and procedures written by true professionals who have long since left the company. The current consultants may not have the skills required yet this will not be reflected by the marketing material. It is of no use to your organisation to award work based on the sales effort of an experienced pro, only to have the work itself performed by wet-behind-the-ears junior employees. Surprisingly, this is often the case with larger information security organisations than smaller ones who have to rely on their ability, not just name in the marketplace. Again, make sure you are getting what you expected - and paid for!
Contractual issues of key importance to the tester will be the so-called 'get out of gaol free card'. This is a letter from a suitably authorised party within your organisation (often the CEO, not security manager) giving permission for the attacks to take place and indemnifying the tester from any negative consequences. This should clearly identify the scope, that is which systems or facilities are to be tested, when, by whom and conversely, any systems which are out-of-bounds. This should also have a clear start and end date such that the permission expires at some point. You should also address non-disclosure requirements for the tester to protect the findings and ensure you don't become marketing material. You should also specify (based on methodologies) how 'damaging' the attack attempts are going to be. There may be certain vulnerabilities you are already aware of such as theft, distributed denial of service attacks, social engineering attempts or spam. In such a case, little will be achieved by the tester damaging or crippling your systems accordingly, other than being able to say 'I told you so'. To illustrate, consider in physical security assessments, you don't need to throw a brick through every glass window pane to prove it is a weakness.
After the attack your provider should be able to give advice about how to easily resolve any issues they identify in the course of the assignment. As well, they should help you, as the Security Manager review how your company's security staff or network teams performed during the attacks. Were any or all attack attempts identified? What reaction was initiated? Who was contacted and what procedures were activated? Also, how effectively were the attacks logged for audit purposes and evidence in court after a prosecution? If the attacks were adequately logged, yet these log entries were only located after you went looking for them, a genuine attack would likely have gone undetected so adjust your procedures accordingly. If the log entries were insufficient, then not only is it unlikely you would have detected the attack save for obvious damage such as web-page defacement, but you would have little recourse, civil or criminal in law-enforcement efforts later.
Improving your security posture remember that the results of an ethical hacking exercise are only a snapshot of your security posture at that time. A system which is given a 'clean bill of health' and regarded as a 'hard target' today may become vulnerable to an exploit which was discovered a week later and a relatively 'soft target' as a result. Ethical hacking exercises (penetration testing, vulnerability scanning (automated or manual) or intrusion attempts) are certainly a more glamorous security activity however do not excuse traditional responsibilities for hardening, securing and protecting your systems. Exercises such as the above should also be repeated at regular intervals to identify new vulnerabilities or differences from cycle to cycle.