Ethical hackers are computer and network specialists who test the security of an organisation's network and systems on its behalf. They look for the vulnerabilities in a security system that malicious attackers could exploit. This kind of work is also referred to as penetration testing or intrusion testing; red teaming is a closely related, usually broader and more adversarial, form of the same activity.
An ethical hacker employs the same techniques and tools as a malicious attacker but, instead of using the weaknesses found to cause harm, documents them in a detailed report. The vulnerabilities NewCo can typically expect a test to find include design flaws, configuration errors and software bugs, including missing patches.
Reasons NewCo should consider penetration testing include: the business holds data that must be handled securely under legislation or regulation; NewCo suspects that it has been compromised in the past; or NewCo wants to verify that newly introduced security measures actually work.
Typical areas NewCo can expect an ethical hacker to test are: off-the-shelf products such as servers, firewalls, routers, switches and phones; any bespoke software, such as NewCo's website and mobile applications; wireless systems; telephone equipment; and, lastly, physical protection such as CCTV, locks and doors.
NewCo should make sure that any ethical hacker it employs is reputable. Along with the usual industry practice of checking references, NewCo should ask for examples of previous work and for certifications from a recognised industry standards body.
CREST (the Council of Registered Ethical Security Testers) is an example of an international information security accreditation body that serves businesses which want a regulated, professional standard for this work. It issues globally recognised certifications to individuals who have passed its examinations and signed legally binding declarations on their conduct. This gives NewCo assurance that the ethical hacker has the skills and experience needed to complete the test fully and safely.
If an agency is used to supply the ethical hacker, it is worth noting that CREST accreditation is also granted to companies, so NewCo can be confident that all work carried out by a CREST member company will follow appropriate methodologies and that suitable insurance is in place.
The approach an ethical hacker takes within NewCo will be based on a framework: a collection of measurable tasks arranged as hierarchical steps, each executed according to a specific method. An overview of these steps follows.
Planning gives NewCo the opportunity to state the goals of the test. NewCo can expect to be asked for its existing security policies, for the areas in which it can accept no risk at all and for the areas that are of little concern. From this initial stage an ethical hacker should be able to construct a scoped test and form a view of NewCo's attitude to security.
At this stage it is NewCo's responsibility to decide on, and inform the ethical hacker of, the limitations it intends to enforce during the test. These include any time windows set by NewCo, the parts of the network NewCo is willing to let the ethical hacker access (regardless of the wider scope), and the level of support the ethical hacker can expect from internal staff. These limits, together with the scope, should be recorded in written rules of engagement that both parties sign before any testing begins, because that authorisation is what separates an ethical hacker's activity from unauthorised access.
It is also at this stage that NewCo can explain how its business works and state the level of security awareness it expects of its internal staff.
The reconnaissance stage of the framework is a search for information that could assist an attack on the network. The search is limited only by what NewCo and the ethical hacker agree is necessary. It could be as simple as a ping sweep to see which IP addresses respond, or as extreme as building false friendships with employees to see what information they will 'give up' (social engineering).
Enumeration (Network/Vulnerability discovery)
Enumeration is the process of actively querying the target systems for the information they readily give away: open ports, running services and their versions, user accounts and shares. This is where the line between passive and active attack starts to blur, because the target is now being probed directly. If the appropriate expectations and authorisation have not been set in the previous phases, an ethical hacker could be at risk of legal action.
To gather this information an ethical hacker will usually use port scanning. A port scanner is typically the first tool used in formulating an attack: it sends connection attempts (for example TCP SYN packets, full TCP connects or UDP datagrams) to a range of ports on each host and records which ones respond. A port that answers identifies a listening service that a hacker can then connect to and examine further, often by reading the banner the service sends when a connection is opened.
This phase synthesises all the information gathered in the previous steps and compares it against known vulnerabilities. The kinds of weakness a network is at risk from include missing service packs and patches, the presence of hacking tools, and hardware and software flaws.
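As an added example (not part of the original report), the following Python script performs the TCP connect port scan and banner grab described for the enumeration stage, then matches each discovered service version against a table of known-vulnerable versions for the vulnerability-analysis stage. So that it runs offline it starts its own fake services on 127.0.0.1; the product name ExampleFTP and the affected version range in KNOWN_VULNERABLE are constructed placeholders, not real advisories.

```python
import re
import socket
import threading

# Constructed banner for the fake service started below; "ExampleFTP" is a
# made-up product name used only for this illustration.
FAKE_BANNER = b"220 ExampleFTP 1.2.0 ready\r\n"

# Constructed lookup table: product -> list of (first, last) affected versions,
# inclusive. Placeholder data; a real test would use vendor advisories or a
# vulnerability database here.
KNOWN_VULNERABLE = {
    "ExampleFTP": [("1.0.0", "1.2.3")],
}


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Start a background TCP listener on 127.0.0.1 that sends `banner` to
    every client and then disconnects. Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan: attempt a full three-way handshake on each port.

    Returns {port: banner} for every port that accepted the connection. The
    banner is whatever the service volunteered before the timeout, or "" if
    it stayed silent. Refused or timed-out connections are treated as
    closed/filtered and omitted."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue
            try:
                data = s.recv(256)
            except OSError:          # includes socket.timeout
                data = b""
            found[port] = data.decode("ascii", "replace").strip()
    return found


def parse_banner(banner: str):
    """Extract (product, version) from a banner such as
    '220 ExampleFTP 1.2.0 ready'. Returns None if no 'Name x.y' pair exists."""
    m = re.search(r"([A-Za-z][\w-]*)\s+(\d+(?:\.\d+)+)", banner)
    return (m.group(1), m.group(2)) if m else None


def version_tuple(version: str) -> tuple:
    """'1.2.0' -> (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_vulnerable(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside a known affected range."""
    v = version_tuple(version)
    return any(version_tuple(lo) <= v <= version_tuple(hi)
               for lo, hi in KNOWN_VULNERABLE.get(product, []))


def assess(host: str, ports) -> list:
    """Scan, then classify each open port as (port, product, version,
    vulnerable); ports with no recognisable banner give (port, None, None, False)."""
    rows = []
    for port, banner in sorted(scan_ports(host, ports).items()):
        parsed = parse_banner(banner)
        if parsed is None:
            rows.append((port, None, None, False))
        else:
            product, version = parsed
            rows.append((port, product, version, check_vulnerable(product, version)))
    return rows


if __name__ == "__main__":
    chatty = start_fake_service()       # answers with a version banner
    silent = start_fake_service(b"")    # accepts connections but says nothing
    for row in assess("127.0.0.1", [chatty, silent]):
        print(row)
```

A real engagement would replace the constructed table with vendor advisories or a vulnerability database, scan only the hosts and ports inside the agreed scope, and bear in mind that a connect scan completes the handshake and therefore shows up in the target's logs, which is one reason the authorisation agreed at the planning stage matters.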
Exploitation is where all the planning and evaluation are finally used to form an attack on the network. NewCo can expect this step to be broken into a series of discrete processes, each with an expectation deliverable and a technical deliverable.
The expectation report will describe how the task is meeting NewCo's assumptions and confirm that the test remains within the agreed bounds. If it does not, NewCo and the penetration tester will have to revisit the earlier steps. The technical report will describe how the systems reacted and the tactics used to perform the test.
This step will provide NewCo with information on the overall success of the engagement, together with a final analysis of all the collected data and exploits. The report will be a list of findings categorised by severity, and will assist in the creation of a deliverable and mitigation plan. From this report NewCo should be able to determine its level of exposure.
At this point the ethical hacker will explain the findings and discuss with NewCo any areas of concern that were not visited. It will then be NewCo's decision whether to follow through on the ethical hacker's suggestions; the ethical hacker will most likely want to return to the planning stage and retest the system once fixes have been applied.
Integration is the final step of the ethical hacker's framework. It is the process of following up on everything the penetration test highlighted.
This step is broken down into three stages: mitigation, defence and incident management. Mitigation is the process of identifying what lies beyond acceptable risk and fixing those vulnerabilities. The defence stage ensures NewCo will follow the proposed network practices and establishes a foundation for long-term security. Finally, in incident management, the ethical hacker will cover how to detect, respond to and recover from an attack.
To summarise, the penetration test will give NewCo insight into what to fix, a plan for protecting against mistakes and oversights in the future, and guidance on how to be prepared during and after a real assault on the company.
Created: 2014-10-06 15:11:37 Updated: 2014-10-06 15:16:17