
Ethical Hacking: A high-level information security study on protecting a company’s information system infrastructure in the 21st century

Aaron Varrone

December 2011, Quinnipiac University - MS IT

CIS 652 - Advanced Topics in Information Security - Independent Study


Contents

ABSTRACT
INTRODUCTION TO ETHICAL HACKING
    What do Hackers do?
FOOTPRINTING AND RECONNAISSANCE
SYSTEM HACKING
    Types of Attacks
    Why Cover Tracks?
PENETRATION TESTING
    Why Penetration Testing?
COUNTERMEASURES
    How to defend against Footprinting?
    How to defend against Password Cracking?
    How to defend against Privilege Escalation?
    How to defend against Malware?
    How to defend against Steganography?
REAL-WORLD EXAMPLES
    Hacker Boot Camp Helps Good Guys Outsmart Intruders
    Government Agencies Seeking Code Breakers
    Ethical Hacking Proves to be an Excellent Test for Companies
    Ethical Hacking Demand Helping Firm Achieve Record Profits
    College Universities Teaching Students How to Hack
CONCLUSION
REFERENCES


ABSTRACT

As organizations in recent years continue to increase their investment in technology to boost productivity and efficiency, more and more companies are realizing that protecting that technology (Information Security) is just as significant, if not more important, in order to protect their reputation and integrity as a company.

This paper provides a comprehensive high-level view of ethical hacking: what it is, what it entails, and why companies hack into their own technology. Additionally, countermeasures, penetration testing, and real-world examples are examined to give the reader a better understanding of ethical hacking and why it is such an essential element of Information Security in the Information Systems/Technology field.


INTRODUCTION TO ETHICAL HACKING

In simple terms, Ethical Hacking can be described as a process in which working professionals in the technology field are hired by an organization to perform a variety of attacks against its own network, systems, and technology. The goal is quite simple: to ‘break into’, or ‘hack’, the organization’s information system so that vulnerabilities are discovered and eventually ‘patched’, and a real attack would have no harmful consequences for the company, such as data leakage, compromised systems, or stolen proprietary information. Hence the word ‘ethical’: these hackers are hired solely for this purpose. Professionals in this field include outside security consultants hired by the company, or staff in a direct role within the company, who possess expert computer skills across a wide variety of areas and systems (networks, operating systems, application programming). Ethical hackers try to answer three basic questions: what can an intruder see on the target system, what can an intruder do with the information compromised, and will anyone notice that the attack occurred?

Before proceeding further, a basic understanding of the umbrella field, Information Security, must be conveyed. There are three elements of Information Security: Confidentiality, the assurance that information is accessible only to those authorized to have access; Integrity, the reliability of data or resources in terms of preventing improper and unauthorized changes; and Availability, the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by an authorized user. (EC-Council, 2011) All three elements have a direct impact on the way in which network and system security is approached, which leads us to our discussion of Ethical Hacking.

If all three of these elements are properly addressed and implemented when the way an organization’s systems interact is architected, then one would not have to be so concerned about the technology and securing it. As companies continue to grow and expand their need for information systems, increasing their investment on a year-to-year basis, so does the need to protect and defend their infrastructure against malicious activities, attacks, and destructive encounters. The risk of not protecting one’s information system is too great, as the effects of a successful hacking attempt include damage to and theft of proprietary information, client/customer data, and personal information, and the impeding of business operations and activities, all of which can lead to a company’s downfall. As great as the technology is that many of these companies have adopted in creating an efficient operation, their lack of focus on security can contradict that and instead create an inefficient and ineffective use of the technology.

Who is a Hacker?

A hacker can be defined as an individual with superb computer skills who has the ability to create and explore another system, whether software programs or hardware-based devices. One motive behind a hacker’s mindset is to gain knowledge, or to poke around doing illegal and disruptive activities that could result in monetary benefits. For some, it is a hobby to see how many systems and networks they can control. There are four distinct hacker classes:

Black Hats - individuals who resort to malicious or destructive activity with malicious intent.

White Hats - individuals who use their skills for defensive purposes, also known as security analysts.

Suicide Hackers - individuals who aim to bring down critical infrastructure for a “cause” and would rather be known for the destruction they commit. These individuals are not worried about facing any type of severe penalty, whether fines or jail sentences.

Gray Hats - individuals who work both offensively and defensively at various times, whose intent is mostly for the well-being of others; however, this is not always the case.

(EC-Council, 2011)

What do Hackers do?

There are five phases in a hacker’s mindset:

Phase 1 Reconnaissance - refers to the preparatory phase where an attacker looks to gather as much information about a target as they can prior to launching an attack. Examples include employees’ names, phone numbers, and email addresses, system names, and the software installed on those systems. There are two types of reconnaissance: Passive, which involves acquiring information without directly interacting with the target or someone affiliated with the target, such as searching press releases or public records; and Active, which involves interacting with the target directly by any means, for instance phoning the help desk or technical support center while pretending to be an employee of the company.

Phase 2 Scanning - refers to the “pre-attack phase”, when an attacker scans the network seeking specific information on the basis of the information gathered during reconnaissance. Examples include port scanning, vulnerability scanners, and dialers.

Phase 3 Gaining Access - once access to the desired operating system, application, or network is achieved, the attacker can escalate privileges to obtain complete control of the system. Examples include password cracking, buffer overflows, denial of service, and session hijacking.

Phase 4 Maintaining Access - after access has been attained, most hackers look for ways to retain their ownership of the system, application, or device. Attackers may prevent the system from being owned by other hackers by securing their access exclusively with backdoors, trojans, or rootkits. Attackers then use the compromised system to launch further attacks, which allows them to upload, download, or manipulate data, configuration, and applications at any time.

Phase 5 Covering Tracks - after a hacker’s activities have been carried out, smarter attackers usually look for ways to hide their malicious acts by covering their tracks and hiding their identity. This can be achieved by overwriting system, application, audit, and event logs, or by deleting any evidence that may lead to prosecution.

(EC-Council, 2011)

FOOTPRINTING AND RECONNAISSANCE

Footprinting and reconnaissance are hacking methodologies used to uncover and collect as much information as possible regarding an organization’s information system. These two methods are carefully planned well ahead of time, before an attack is carried out. Basic information such as a company’s DNS, IP addresses, system and network architectures, platforms, and applications in use is all information that can be gathered and collected by a hacker to help carry out the attack. While this information is collected, the hacker cautiously examines it and identifies vulnerabilities that can be exploited. An ethical hacker looks at what information is publicly available by collecting information from the internet or internally, and then documents the effects this may have on the organization, such as privacy loss, corporate espionage, competitive intelligence, and information leakage. There are four types of Footprinting:

Anonymous Footprinting - gathering information from sources where the author of the information cannot be traced or identified.

Internet Footprinting - collecting information about a target from the Internet.

Organizational/Private Footprinting - collecting information internally, within the organization.

Pseudonymous Footprinting - collecting information that may be published under a different name in an attempt to preserve privacy and confidentiality.

(EC-Council, 2011)

SYSTEM HACKING

There are several ways an attacker can gain access to a particular system; however, each requires the attacker to exploit a weakness, vulnerability, or even human error.

Types of Attacks

Operating System Attacks - attackers search for platform (operating system) vulnerabilities and then exploit them. Examples include buffer overflows, bugs and glitches, and unpatched operating systems.

Application-Level/Shrink Wrap Code Attacks - programming is complex, and there are times when insecure code is reused over and over again to reduce this complexity, such as by utilizing existing code libraries. If it’s there, why reinvent the wheel? This leads to poor or nonexistent error checking in these applications, which can lead to buffer overflow attacks, cross-site scripting, denial of service, SQL injection attacks, session hijacking, man-in-the-middle attacks, and so on.

Misconfiguration Attacks - misconfigured systems occur when a change is made to a file’s permissions. If that is the case, the file or application can no longer be considered secure. Administrators are expected to change the configuration and limit the authority of devices before they are deployed to the network. Failure to do this allows the default settings to be used to attack the system.

Password Cracking - various techniques and tools are utilized to recover passwords from computer systems. Hackers can use these tools to gain unauthorized access to a vulnerable system. Most of these techniques are successful due to weak or easily guessable passwords, such as dictionary words or default passwords. Password cracking techniques include dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, and rule-based attacks. Surprisingly, an increasing number of non-technical password stealing techniques have been reported in recent years, such as shoulder surfing, social engineering, and dumpster diving.

Spyware/Keyloggers - refers to a program or device (software or hardware) specifically hidden to record the user’s interaction with the system without the user’s knowledge. The various types of spyware include screen capturing spyware, USB spyware, child monitoring spyware, video spyware (secretly monitors and records webcams and video IM conversations; the recordings can then be remotely viewed via the web or a mobile phone), audio/cellphone spyware, GPS spyware (uses the global positioning system to determine the location of the vehicle, person, or asset to which it is attached or installed), and even print spyware.

Viruses/Trojans/Worms - are all examples of malware: unsolicited code or software on a system that in most cases enables data breaches, provides backdoor access for a hacker, or executes damage that can harm the system. This type of malware is commonly created with malicious code or with tools and utilities that have the ability to attack vulnerable systems (as long as the hacker knows where the vulnerability exists).

Rootkits - refers to code hidden within the kernel of the operating system that has the ability to hide itself and cover up traces of the malicious intent. More specifically, it replaces certain operating system calls and utilities with its own modified versions. From there, the attacker acquires root access (above the level of administrator) to the system by installing a virus, trojan, worm, or other malware in order to exploit it. This allows the attacker to maintain undetected access to the system. Types of rootkits include hypervisor level, kernel level, application level, hardware/firmware, and boot loader.

Steganography - is a technique consisting of hiding a secret message within an ordinary message or file and extracting it at the destination, keeping the message’s existence hidden. The most popular use of this technique is when hackers take a graphic image and embed code within that image file to perform a malicious activity. This conceals the data within the file. Such techniques include substitution, transform domain, cover generation, distortion, statistical, and spread spectrum. The various means of steganography besides images include document, video, and audio steganography.

(EC-Council, 2011)


Why Cover Tracks?

Most hackers, with the exception of suicide hackers, will cover their traces to avoid detection and a possible jail sentence. However, this is not the only reason. Covering their tracks also allows the attacker to install backdoors to regain access in the future. When this is executed, a clever hacker will usually escalate the compromised account’s privileges without the system change being recorded. As previously mentioned, they can do this by manipulating the log files of an operating system or altering the event logs. Once intruders have successfully gained administrator-type access on a system, they will attempt to cover their tracks in every possible way they can, including deleting recently modified files and disabling audit logs. Disabling these logs is usually performed immediately after obtaining administrator privileges.
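The pattern this section describes, audit logging switched off right after administrator access is obtained, is something a defender can look for in collected logs. The following is an added example, not part of the paper: a small Python detector run over constructed syslog-style lines (the message texts, host name and user names are made up for the demo; real sources use their own formats).

```python
"""Added example (not from the paper): flag audit logging being disabled shortly
after a privilege gain, and silent gaps that look like a stopped or wiped log."""
import re
from datetime import datetime, timedelta

# Constructed sample log: an auditd stop follows a sudo-to-root within seconds,
# then nothing is recorded for 45 minutes.
SAMPLE_LOG = """\
2011-12-01T10:00:01 host1 sshd[1234]: Accepted password for jsmith from 10.0.0.5 port 51022
2011-12-01T10:00:07 host1 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
2011-12-01T10:00:09 host1 auditd[500]: The audit daemon is exiting.
2011-12-01T10:00:10 host1 kernel: audit: type=1305 audit_enabled=0 old=1 auid=1001 ses=4 res=1
2011-12-01T10:45:12 host1 auditd[612]: Audit daemon started
2011-12-01T11:00:00 host1 cron[700]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Messages that indicate audit/event logging was turned off or wiped.
AUDIT_OFF_PATTERNS = [
    re.compile(r"audit daemon is exiting", re.I),
    re.compile(r"audit_enabled=0"),
    re.compile(r"log (?:was )?cleared", re.I),
]
# Messages that indicate an administrator-level session was obtained.
PRIV_PATTERNS = [
    re.compile(r"USER=root"),
    re.compile(r"session opened for user root", re.I),
]


def parse_log(text):
    """Turn raw lines into dicts with a parsed timestamp; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_log_tampering(events, window=timedelta(minutes=5), gap=timedelta(minutes=30)):
    """Return alert strings for (a) audit logging disabled within `window` of a
    privilege gain and (b) silences longer than `gap` between consecutive events."""
    alerts = []
    last_priv = None
    for ev in events:
        if any(p.search(ev["msg"]) for p in PRIV_PATTERNS):
            last_priv = ev["ts"]
        if any(p.search(ev["msg"]) for p in AUDIT_OFF_PATTERNS):
            if last_priv is not None and ev["ts"] - last_priv <= window:
                alerts.append(f"{ev['ts'].isoformat()} {ev['host']}: audit logging disabled "
                              f"{(ev['ts'] - last_priv).seconds}s after root access")
            else:
                alerts.append(f"{ev['ts'].isoformat()} {ev['host']}: audit logging disabled")
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] - prev["ts"] > gap:
            minutes = int((cur["ts"] - prev["ts"]).total_seconds() // 60)
            alerts.append(f"{prev['ts'].isoformat()} {prev['host']}: no events for {minutes} min")
    return alerts


if __name__ == "__main__":
    for alert in detect_log_tampering(parse_log(SAMPLE_LOG)):
        print(alert)
```

In practice the log source should be forwarded to a separate collector, since an attacker with root can edit the local copy but not the records already shipped.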

PENETRATION TESTING

Penetration testing is a method of actively evaluating the security of an information system or network by simulating an attack from a malicious source. Various security measures are analyzed for weaknesses in design, technical flaws, and vulnerabilities that can be exploited. Two types of testing are performed: black box testing, which simulates an attack from someone who is unfamiliar with the system; and white box testing, which simulates an attacker who has knowledge of the system, such as an employee. The results are recorded and delivered to senior-level management and technical audiences.

Why Penetration Testing?

Penetration testing allows the company to identify threats to its information system or network that are discovered during the testing stage. Companies that hire such testers have found that overall IT security costs are reduced and that a better return on security investment (ROSI) is achieved by identifying and resolving vulnerabilities, weaknesses, and possible exploits that could have been taken advantage of if the proper security measures were not enforced. Additionally, companies are also seeing what type of IT security investments they really need to focus on, as opposed to investing in a large enterprise-wide security solution that covers everything, which may not always be necessary for every organization.


Additionally, these professionals provide an organization with assurance of a thorough and comprehensive assessment of the organization’s security policy, procedures, and controls, and of how they may be implemented. Many industry-wide regulations may apply, such as HIPAA (Health Insurance Portability and Accountability Act), FDA (Food and Drug Administration), and PCI (Personal Confidential Information), requiring specific certification and best-practice security standards in order to continue doing business. For instance, PCI regulation requires all hard drives within the organization to be encrypted.

A Penetration Tester’s Best Friend

Vulnerability libraries are a penetration tester’s best friend, as they document the discovered vulnerabilities that have been reported by testers, users, ethical hackers, and even the programmers themselves. The majority of these vulnerabilities are design flaws that leave an operating system and its applications susceptible to attack. These vulnerabilities are classified by severity level (low, medium, or high) and exploit range (remote or local). Such professionals need access to this research in order to identify and correct exposures within their respective function. Many of these vulnerabilities are documented on websites and in databases available to the public, where even some of the more ‘proficient’ hackers seek to take those vulnerabilities further. Vulnerability research websites include:

The United States Computer Emergency Readiness Team (US-CERT) Vulnerability Database (kb.cert.org)

National Vulnerability Database, sponsored by the DHS National Cyber Security Division (National Institute of Standards and Technology) (nvd.nist.gov)

Secunia (secunia.com)

SecuriTeam (securiteam.com)

SecurityTracker (securitytracker.com)

COUNTERMEASURES

In conjunction with penetration testing, countermeasures are examined closely, documented, and then reviewed by the ethical hacker to improve the security posture of the company. Several countermeasures are scrutinized more closely than others, including but not limited to: defending against footprinting, defending against password cracking, defending against privilege escalation, defending against malware (including session hijacking, network sniffing, man-in-the-middle, and denial of service), and defending against steganography attacks.


How to defend against Footprinting?

Defending against footprinting includes: configuring routers and access control lists (ACLs) to restrict responses to footprinting requests; implementing and configuring an IDS (Intrusion Detection System) to refuse suspicious traffic picked up in patterns; locking down ports with a suitable firewall configuration; configuring web servers to avoid information leakage; and, lastly, disabling unwanted protocols. Ethical hackers will additionally document and evaluate the content of information made available publicly and work to remove any sensitive information discovered, such as network architecture, applications, employees, and/or email addresses.

(EC-Council, 2011)

How to defend against Password Cracking?

By incorporating strict password guidelines into an organization’s security policy, hackers will have a much more difficult time successfully cracking a password. These guidelines should include requiring users to use a combination of upper- and lowercase letters, numbers, and symbols. Additionally, requiring users to change their password on a more frequent basis, such as every 30 days, helps prevent hackers from returning to an account or system that was compromised at one point in time. There should also be additional effort and resources available for monitoring system logs and alerting on events that may indicate attacks.
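As an added illustration (not from the paper), the following Python checker encodes the guidelines above and also catches the dictionary-word weakness the Types of Attacks section names; the 12-character minimum, the leet-substitution table and the word list are assumptions, since the paper gives no specific values beyond the 30-day rotation.

```python
"""Added example (not from the paper): a password-guideline checker covering
character mix, dictionary/default words and the 30-day rotation rule."""
from datetime import date, timedelta

MIN_LENGTH = 12                  # assumed; the paper does not state a length
MAX_AGE = timedelta(days=30)     # rotation interval named in the text
# Constructed mini dictionary of words and default passwords to reject.
WEAK_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "summer", "company"}
# Undo common substitutions so 'P@ssw0rd' is compared as 'password'.
LEET = str.maketrans("@$!013", "asiole")


def _normalise(pw):
    """Lowercase and strip simple leet substitutions before the dictionary check."""
    return pw.lower().translate(LEET)


def check_password(pw, last_changed=None, today=None):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    # A dictionary word anywhere in the password defeats the complexity rules above.
    norm = _normalise(pw)
    hits = sorted(w for w in WEAK_WORDS if w in norm)
    if hits:
        problems.append("contains dictionary/default word: " + ", ".join(hits))
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > MAX_AGE:
            problems.append(f"older than {MAX_AGE.days} days; rotate")
    return problems


def run_samples():
    """Constructed sample checks; returns {label: violations} for inspection."""
    ref = date(2011, 12, 15)
    return {
        "weak": check_password("P@ssw0rd!", last_changed=date(2011, 12, 1), today=ref),
        "strong": check_password("Tq7#vLm2!xRz", last_changed=date(2011, 12, 1), today=ref),
        "stale": check_password("Tq7#vLm2!xRz", last_changed=date(2011, 11, 1), today=ref),
    }


if __name__ == "__main__":
    for label, problems in run_samples().items():
        print(label, "->", problems or "ok")
```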

How to defend against Privilege Escalation?

As described above, once hackers obtain access to a system or account, they will seek ways to escalate their privileges to a level similar to that of an administrator. Therefore, countermeasures that defend against their ability to escalate privileges are examined:

Use encryption as much as possible and wherever it can be done. Not all systems, applications, and devices have the ability to encrypt their data, but even one level of encryption (for instance, on users’ workstations) will make it that much more difficult for an intruder to gain access.

Systems should be patched on a continuing basis, as patching cycles never end and there will always be vulnerabilities, bugs, and other fixes to resolve in an application or operating system.


Run services within a system’s environment under an “unprivileged” account; this way, if the account does become compromised, the intruder can’t do much since access is restricted.

Restrict interactive logon privileges and run users and applications with the least possible privileges.

Implement multi-factor authentication and authorization, such as biometrics and token keys. If an intruder has compromised only one authentication factor in a multi-factor verification environment, the hacker is left with the same result as when they started: no system access.

(EC-Council, 2011)

How to defend against Malware?

Malware and other unsolicited software can be tricky at times if the malicious files are not detected by an anti-virus product, in which case they would be known as a zero-day threat. In any circumstance, to help alleviate the issue and reduce risk: install, maintain, administer, and update the anti-virus product within the environment. This includes updates to signature files, scan engine versions, program versions, patches, and hot fix releases. Additionally, installing and administering personal and enterprise firewalls with application and device control policies, and restricting and limiting web access, can all diminish the company’s exposure to risk.

How to defend against Steganography?

Steganography is one of the more difficult types of attack to defend against, as code is hidden and embedded in an existing application or file. Since these attacks are performed in the background, an ordinary user or even a computer expert may have trouble ‘noticing’ that anything has been altered compared with the file or application before it was changed. The best way to defend against these types of attack is to use steganography detection tools that specifically look for these changes from file to file and application to application. These tools are also known as file integrity verification checks. One of the more common steganography detection tools in use is a product called Stego Watch.
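The file integrity check described above, as an added Python example that is not part of the paper or of any product it names: a baseline of SHA-256 hashes is recorded while files are known-good and compared later, so a file that keeps its name but gains embedded data shows up as modified. The directory contents and the appended bytes are constructed inside a temporary directory for the demo.

```python
"""Added example (not from the paper): a SHA-256 file integrity baseline and
comparison, the kind of check the text calls 'file integrity verification'."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash the file in chunks so large media files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative path under root (always '/'-separated) to (size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def compare_manifests(baseline, current):
    """Return {'added', 'removed', 'modified'} lists, sorted for stable reporting.
    A size match is not enough: only the hash decides whether a file is modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p][1] != current[p][1])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: an image gains hidden trailing data, a document is
    deleted, and a new file appears; returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        files = {  # fake file contents, constructed for the demo
            "img/logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9",
            "readme.txt": b"release notes\n",
            "policy.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32,
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)
        # Tamper: append bytes after the JPEG end-of-image marker, delete, add.
        with open(os.path.join(root, "img/logo.jpg"), "ab") as f:
            f.write(b"HIDDEN-DATA")
        os.remove(os.path.join(root, "policy.doc"))
        with open(os.path.join(root, "img/extra.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest must itself be stored somewhere the monitored system cannot write to, otherwise an attacker who modifies a file can simply refresh its hash.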


REAL-WORLD EXAMPLES

The number of information security professionals in the workforce continues to rise, as companies have realized that as their usage of technology grows, so does the risk associated with using it. Technology is becoming much more complex with each advancement, which further complicates how attacks are performed and ultimately carried out by an intruder. With this said, below are some real-life examples of how organizations (including government agencies and not-for-profits such as universities) have utilized ethical hacking tactics to protect their technology from being hacked into, breached, and ultimately compromised.

Hacker Boot Camp Helps Good Guys Outsmart Intruders

Rudy Chavez, a former Unix system administrator employed by IT services firm Booz Allen Hamilton, became a certified ethical hacker one month later. The company he worked for decided it would benefit from having a ‘hacker of their own’ to help outsmart cybercriminals at their own game, and sent Chavez off to an ethical hacking boot camp. During the boot camp, which consisted of a combination of classroom instruction and computer-lab time, Chavez learned how legitimate tools, technologies, and techniques are being used for illegal activities and hostile purposes. Chavez claims that the sophistication and pervasiveness of the tools out there allow for great havoc and that, although the IT security field generally takes a defensive approach, the training has led him to take an offensive posture and helped him understand how these attacks happen.

(Information Week, 2005)

Government Agencies Seeking Code Breakers

Even government agencies are searching for hacking talent. The Toronto Star, a widely recognized newspaper in Canada, reports that a British spy agency is using an anonymous code-breaking web page to recruit self-taught hackers that it might not have found otherwise. The page was launched in November 2011. A spokesman for the U.K.’s Government Communications Headquarters even admitted that recruiting Oxford and Cambridge graduates is not always in the best interest of the agency. They also state that most cyber-specialists enter the organization as graduates; however, with the quickly evolving world of cybercrime, they feel it is essential to look for candidates who may be self-taught but have a keen interest in code-breaking and ethical hacking.

(Taylor, 2011)


Ethical Hacking Proves to be an Excellent Test for Companies

As extortion attempts by hackers against firms continue to rise at an alarming rate, Mark Hanvey, Chief Security Officer of Cable & Wireless, the U.K.’s second largest fixed-line telecommunications operator, states that he is encouraged to see companies investing in ethical hacking to protect their commercial assets. He states that ethical hacking is an excellent test for systems and is helping companies; however, he urges that risk can never be eliminated, only minimized, which is done by putting effective monitoring and countermeasure tactics in place, such as around-the-clock monitoring. As long as companies continue to invest in effective information security systems, and this starts with hacking your own, organizations can avoid being in the news the next day about a possible data breach.

(Hanvey, 2005)

Ethical Hacking Demand Helping Firm Achieve Record Profits
NCC, a computer services company hired by large corporations for its expertise in security consulting, has achieved record profits thanks to the increased demand for its ethical hacking services. Companies hire the firm to hack into their own systems so that vulnerabilities can be found. Rob Cotton, chief executive of the firm, has stated that because of the state of the economy, many companies are seeing an alarming increase in threats. The Financial Times reports that revenue has risen by 31 percent because of this service, which only very few companies offer.

(Stafford, 2006)

College Universities Teaching Students How to Hack
A study conducted in 2007 revealed that the average computer is attacked by hackers more than 2,200 times a day, which comes out to about once every 40 seconds, and that hackers stole an estimated $49 billion in the United States alone in 2006. Geoffrey Lund, leader of the software-applications program at the University of Abertay Dundee in Scotland, has stated that he helped design a new course to teach students how to attack and defend network systems. Classes that teach hacking techniques are rare and controversial, and administrators at the school were nervous about teaching such potentially destructive techniques; he points out that ethics are also covered in the classroom and that background checks on students are conducted beforehand as a prerequisite. Lund states that the course prepares students for a rapidly growing job market by teaching that the best defense is a good offense. The class is set up with a network of approximately 20 computers isolated from the rest of the university system, where the students then practice hacking into or even bringing down the network. By hacking into these systems and this network, students learn about the weaknesses of an institution’s systems. Alexander Graham, an experienced information technology professional who enrolled in the course, stated that he was shocked by how much damage a malicious hacker can do. He finds the course extremely helpful and believes in the philosophy of “know thy enemy, then you can defeat them” at their own game.

(Vance, 2007)

CONCLUSION
Ethical hacking is a growing trend that appears to be on the radar of all types of organizations. As is evident from this study, large sums of money are being invested to ensure that organizations are protected against the risks associated with hacking attacks. The alarming and increasing number of attacks against these organizations is well known, and the losses can be readily quantified. Because hacking involves creative thinking, vulnerability testing and security audits cannot guarantee that an information system is secure. To counter this, organizations must implement a defense-in-depth strategy that includes penetrating their own systems and networks. Ethical hacking becomes necessary because it allows one to counter attacks and reverse engineer malicious attackers by anticipating the methods they use to launch an attack and break into a system. An ethical hacker can only help the organization better understand its systems from a security perspective; it is still up to the organization to place the right guards around the technology. Securing these information systems comes with its challenges. For instance, compliance with government laws and regulations must be established and maintained. Companies (depending on the industry) must be willing to spend vast sums on education, training, and awareness in order to stay in compliance. Some industries, for example, have strict laws that prevent data from being outsourced outside the country (or, if it is outsourced, require the use of encryption), as is the case for sensitive personal information. Other industries may require certain security measures to be in place in order to continue business operations. These regulations add another challenge to security: ensuring that the proper measures are being enforced.
Additionally, it is difficult to centralize security in a distributed computing environment; as technology evolves, so does the complexity of administering, managing, and monitoring for sophisticated and complex attacks. As we move everything we do into the palm of our hands, mobile security, adaptive authentication, and social media strategies, from both an offensive and a defensive perspective, are only the stepping stones to what comes next in the digital age we live in today.

“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” –Stephen Hawking, Theoretical Physicist and Cosmologist


REFERENCES

EC-Council. (2011). Ethical Hacking and Countermeasures v7.1 Course.

Hanvey, M. (2005, June 22). Ethical Hacking An Excellent Test of Mettle for Security Systems. The Financial Times, p. 16.

Information Week. (2005, June 23). Hacker Boot Camp Helps Good Guys Outsmart Internet Troublemakers; The number of IT security professionals is expected to grow to nearly 800,000 by 2008, and more of them need to think like hackers to be effective. Information Week.

Stafford, P. (2006, July 19). NCC Ethically Hacks its Way to Record. The Financial Times, p. 24.

Taylor, L. C. (2011, December 2). British spies recruit 'ethical hackers'. Toronto Star.

Vance, E. (2007, April 13). Students at the University of Abertay Dundee Learn Computer Hacking to Defend Networks. The Chronicle of Higher Education.