Defining hacker

Hacker has two meanings:

• Traditionally, hackers like to tinker with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work — both mechanically and electronically.
• In recent years, hacker has taken on a new meaning — someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into, or crack, systems with malicious intent. The gain they seek could be fame, intellectual property, profit, or even revenge. They modify, delete, and steal critical information as well as take entire networks offline, often bringing large corporations and government agencies to their knees.

The good-guy (white hat) hackers don’t like being lumped in the same category as the bad-guy (black hat) hackers. (In case you’re curious, the white hat and black hat terms come from old Western TV shows in which the good guys wore white cowboy hats and the bad guys wore black cowboy hats.) Gray hat hackers are a little bit of both. Whatever the case, most people have a negative connotation of the word hacker.

Many malicious hackers claim that they don’t cause damage but instead help others for the “greater good” of society. Yeah, right. Malicious hackers are electronic miscreants and deserve the consequences of their actions.

Be careful not to confuse criminal hackers with security researchers. Researchers not only hack aboveboard and develop the amazing tools that we get to use in our work, but also they (usually) take responsible steps to disclose their findings and publish their code.

Defining malicious user

Malicious user — meaning a rogue employee, contractor, intern, or other user who abuses his or her trusted privileges — is a common term in security circles and in headlines about information breaches. The issue isn’t necessarily users “hacking” internal systems, but rather users who abuse the computer access privileges they’ve been given. Users ferret through critical database systems to glean sensitive information, e-mail confidential client information to the competition or elsewhere to the cloud, or delete sensitive files from servers that they probably didn’t need to have access to in the first place. There’s also the occasional ignorant insider whose intent is not malicious but who still causes security problems by moving, deleting, or corrupting sensitive information. Even an innocent “fat-finger” on the keyboard can have dire consequences in the business world.

Malicious users are often the worst enemies of IT and information security professionals because they know exactly where to go to get the goods and don’t need to be computer savvy to compromise sensitive information. These users have the access they need and the management trusts them — often without question.

So, what about that Edward Snowden guy — the former National Security Agency employee who ratted out his own employer? That’s a complicated subject and I talk about hacker motivations in Chapter 2. Regardless of what you think of Snowden, he abused his authority and violated the terms of his non-disclosure agreement.

Ethical hacking versus auditing

Many people confuse security testing via the ethical hacking approach with security auditing, but there are big differences, namely in the objectives. Security auditing involves comparing a company’s security policies (or compliance requirements) to what’s actually taking place. The intent of security auditing is to validate that security controls exist — typically using a risk-based approach. Auditing often involves reviewing business processes and, in many cases, might not be very technical. I often refer to security audits as security checklists because they’re usually based on (you guessed it) checklists.

Not all audits are high-level, but many of the ones I’ve seen (especially around PCI DSS [Payment Card Industry Data Security Standard] compliance) are quite simplistic — often performed by people who have no technical computer, network, and application experience or, worse, they work outside of IT altogether!

Conversely, security assessments based around ethical hacking focus on vulnerabilities that can be exploited. This testing approach validates that security controls do not exist or are ineffectual at best. Ethical hacking can be both highly technical and nontechnical, and although you do use a formal methodology, it tends to be a bit less structured than formal auditing. Where auditing is required (such as for the ISO 9001 and 27001 certifications) in your organization, you might consider integrating the ethical hacking techniques I outline in this book into your IT/security audit program. They complement one another really well.

Policy considerations

If you choose to make ethical hacking an important part of your business’s information risk management program, you really need to have a documented security testing policy. Such a policy outlines who’s doing the testing, the general type of testing that is performed, and how often the testing takes place. Specific procedures for carrying out your security tests could outline the methodologies I cover in this book. You might also consider creating a security standards document that outlines the specific security testing tools that are used and specific people performing the testing. You might also list standard testing dates, such as once per quarter for external systems and biannual tests for internal systems — whatever works for your business.

Compliance and regulatory concerns

Your own internal policies might dictate how management views security testing, but you also need to consider the state, federal, and international laws and regulations that affect your business. In particular, the Digital Millennium Copyright Act (DMCA) sends chills down the spines of legitimate researchers. See www.eff.org/issues/dmca for everything the DMCA has to offer.

Many of the federal laws and regulations in the United States — such as the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, and PCI DSS — require strong security controls and consistent security evaluations. Related international laws such as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s Data Protection Directive, and Japan’s Personal Information Protection Act (JPIPA) are no different. Incorporating your security tests into these compliance requirements is a great way to meet the state and federal regulations and beef up your overall information security and privacy program.

Nontechnical attacks

Exploits that involve manipulating people — end users and even yourself — are the greatest vulnerability within any computer or network infrastructure. Humans are trusting by nature, which can lead to social engineering exploits. Social engineering is the exploitation of the trusting nature of human beings to gain information — often via e-mail phishing — for malicious purposes. Check out Chapter 6 for more information about social engineering and how to guard your systems against it.

Other common and effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas containing critical information or property to steal computers, servers, and other valuable equipment. Physical attacks can also include dumpster diving — rummaging through trash cans and dumpsters for intellectual property, passwords, network diagrams, and other information.

Network infrastructure attacks

Attacks against network infrastructures can be easy to accomplish because many networks can be reached from anywhere in the world via the Internet. Some examples of network infrastructure attacks include the following:

• Connecting to a network through an unsecured wireless access point attached behind a firewall
• Exploiting weaknesses in network protocols, such as TCP/IP and Secure Sockets Layer (SSL)
• Flooding a network with too many requests, creating a denial of service (DoS) for legitimate requests
• Installing a network analyzer on a network segment and capturing every packet that travels across it, revealing confidential information in clear text

Operating system attacks

Hacking an operating system (OS) is a preferred method of the bad guys. OS attacks make up a large portion of attacks simply because every computer has an operating system, and OSes are susceptible to many well-known exploits, including vulnerabilities that remain unpatched years later.

Occasionally, some operating systems that tend to be more secure out of the box — such as the old-but-still-out-there Novell NetWare, OpenBSD, and IBM Series i — are attacked, and vulnerabilities turn up. But hackers tend to prefer attacking Windows, Linux, and, more recently, Mac OS X, because they’re more widely used.

Here are some examples of attacks on operating systems:

• Exploiting missing patches
• Attacking built-in authentication systems
• Breaking file system security
• Cracking passwords and weak encryption implementations

Application and other specialized attacks

Applications take a lot of hits by hackers. Programs (such as e-mail server software and web applications) are often beaten down. For example:

• Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these services to and from the Internet, even when running with SSL (yuck!) or Transport Layer Security (TLS) encryption.
• Mobile apps face increasing attacks given their prevalence in business settings.
• Unsecured files containing sensitive information are scattered across workstation and server shares. Database systems also contain numerous vulnerabilities that malicious users can exploit.

Working ethically

The word ethical in this context means working with high professional morals and values. Whether you’re performing security tests against your own systems or for someone who has hired you, everything you do must be aboveboard in support of the company’s goals. No hidden agendas allowed! This also includes reporting all your findings regardless of whether or not it will create political backlash.

Trustworthiness is the ultimate tenet. It’s also the best way to get (and keep) people on your side in support of your security program. The misuse of information is absolutely forbidden. That’s what the bad guys do. Let them receive a fine or go to prison because of their poor choices. Keep in mind that you can be ethical but not trustworthy and vice versa, along the lines of Edward Snowden.

Respecting privacy

Treat the information you gather with the utmost respect. All information you obtain during your testing — from web application flaws to clear text e-mail passwords to personally identifiable information (PII) and beyond — must be kept private. Nothing good can come of snooping into confidential corporate information or employees’ private lives.

Involve others in your process. Employ a watch-the-watcher system that can help build trust and support for your security assessment projects. Documentation is key so document, document, document!

Not crashing your systems

One of the biggest mistakes I’ve seen people make when trying to test their own systems is inadvertently crashing the systems they’re trying to keep running. It doesn’t happen as much is it used to, given the resiliency of today’s systems. However, poor planning and timing can have negative consequences.

Although it’s not likely, you can create DoS conditions on your systems when testing. Running too many tests too quickly can cause system lockups, data corruption, reboots, and more. This is especially true when testing websites and applications. I should know: I’ve done it! Don’t rush and assume that a network or specific host can handle the beating that network tools and vulnerability scanners can dish out.

You can even accidentally create an account lockout or a system lockout condition by using vulnerability scanners or by socially engineering someone into changing a password, not realizing the consequences of your actions. Proceed with caution and common sense. Either way, be it you or someone else, these weaknesses still exist, and it’s better that you discover them first!

Many vulnerability scanners can control how many tests are performed on a system at the same time. These settings are especially handy when you need to run the tests on production systems during regular business hours. Don’t be afraid to throttle back your scans. It will take longer to complete your testing, but it can save you a lot of grief.

Formulating your plan

Getting approval for security testing is essential. Make sure that what you’re doing is known and visible — at least to the decision makers. Obtaining sponsorship of the project is the first step. This is how your testing objectives will be defined. Sponsorship could come from your manager, an executive, your client, or even yourself if you’re the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing might be called off unexpectedly if someone (including third parties such as cloud service and hosting providers) claims you were never authorized to perform the tests. Even worse, you get fired or charged with criminal activity — it has happened!

The authorization can be as simple as an internal memo or an e-mail from your boss when you perform these tests on your own systems. If you’re testing for a client, have a signed contract stating the client’s support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your “Get Out of Jail Free” card if anyone such as your Internet Service Provider (ISP), cloud service provider, or related vendor questions what you’re doing, or worse, if the authorities come calling. Don’t laugh — it wouldn’t be the first time it has happened.

One slip can crash your systems — not necessarily what anyone wants. You need a detailed plan, but that doesn’t mean you need volumes of testing procedures to make things overly complex. A well-defined scope includes the following information:

• Specific systems to be tested: When selecting systems to test, start with the most critical systems and processes or the ones you suspect are the most vulnerable. For instance, you can test server OS passwords, test an Internet-facing web application, or attempt social engineering via e-mail phishing before drilling down into all your systems.

• Risks involved: Have a contingency plan for your ethical hacking process in case something goes awry. What if you’re assessing your firewall or web application and you take it down? This can cause system unavailability, which can reduce system performance or employee productivity. Even worse, it might cause loss of data integrity, loss of data itself, and even bad publicity. It’ll most certainly tick off a person or two and make you look bad.

  Handle social engineering and DoS attacks carefully. Determine how they affect the people and systems you test.

• Dates the tests will be performed and your overall timeline: Determining when the tests are performed is something you must think long and hard about. Do you perform tests during normal business hours? How about late at night or early in the morning so that production systems aren’t affected? Involve others to make sure they approve of your timing.

  You may get pushback and suffer DoS-related consequences, but the best approach is an unlimited attack, where any type of test is possible at any time of day. The bad guys aren’t breaking into your systems within a limited scope, so why should you? Some exceptions to this approach are performing all out DoS attacks, social engineering, and physical security tests.

• Whether or not you intend to be detected: One of your goals might be to perform the tests without being detected. For example, you might perform your tests on remote systems or on a remote office and you might not want the users to be aware of what you’re doing. Otherwise, the users or IT staff might catch on to you and be on their best behavior — instead of their normal behavior.

• Knowledge of the systems you have before you start testing: You don’t need extensive knowledge of the systems you’re testing — just a basic understanding. This basic understanding helps protect you and the tested systems.

  Understanding the systems you’re testing shouldn’t be difficult if you’re hacking your own in-house systems. If you’re testing a client’s systems, you may have to dig deeper. In fact, I’ve only had one or two clients ask for a fully blind assessment. Most IT managers and others responsible for security are scared of these assessments — and they can take more time, cost more, and be less effective. Base the type of test you perform on your organization’s or client’s needs.

• Actions you will take when a major vulnerability is discovered: Don’t stop after you find one or two security holes. Keep going to see what else you can discover. I’m not saying to keep hacking until the end of time or until you crash all your systems; ain’t nobody got time for that! Instead, simply pursue the path you’re going down until you just can’t hack it any longer (pun intended). If you haven’t found any vulnerabilities, you haven’t looked hard enough. They’re there. If you uncover something big, you need to share that information with the key players (developers, DBAs, IT managers, and so on) as soon as possible to plug the hole before it’s exploited.
• The specific deliverables: This includes vulnerability scanner reports and your own distilled report outlining the important vulnerabilities to address, along with recommendations and countermeasures to implement.

Selecting tools

As with any project, if you don’t have the right tools for your security testing, you will have difficulty accomplishing the task effectively. Having said that, just because you use the right tools doesn’t mean that you’ll discover all the right vulnerabilities. Experience counts.

Know the limitations of your tools. Many vulnerability scanners generate false positives and negatives (incorrectly identifying vulnerabilities). Others just skip right over vulnerabilities altogether. In certain situations, like when testing web applications, you’ll no doubt have to run multiple vulnerability scanners to find all of the vulnerabilities.

Many tools focus on specific tests, and no tool can test for everything. For the same reason that you wouldn’t drive a nail with a screwdriver, don’t use a port scanner to uncover specific network vulnerabilities. This is why you need a set of specific tools for the task. The more (and better) tools you have, the easier your ethical hacking efforts are.

Make sure you’re using the right tool for the task:

• To crack passwords, you need cracking tools, such as Ophcrack and Proactive Password Auditor.
• For an in-depth analysis of a web application, a web vulnerability scanner (such as Netsparker, Acunetix Web Vulnerability Scanner, or AppSpider) is more appropriate than a network analyzer (such as Wireshark or OmniPeek).

When selecting the right security tool for the task, ask around. Get advice from your colleagues and from other people online via Google, LinkedIn, and Twitter. Hundreds, if not thousands, of tools can be used for your security tests. The following list runs down some of my favorite commercial, freeware, and open source security tools:

• Cain & Abel
• OmniPeek
• Nexpose
• Netsparker
• Elcomsoft Proactive System Password Recovery
• Metasploit
• GFI LanGuard
• CommView for WiFi

I discuss these tools and many others in Parts II through V when I go into the specific tests. The Appendix contains a more comprehensive listing of these tools for your reference.

The capabilities of many security and hacking tools are often misunderstood. This misunderstanding has cast a negative light on otherwise excellent and legitimate tools. Even government agencies around the world are talking about making them illegal! Part of this misunderstanding is due to the complexity of many security testing tools. Whichever tools you use, familiarize yourself with them before you start using them. That way, you’re prepared to use the tools in the ways they’re intended to be used. Here are ways to do that:

• Read the readme and/or online Help files and FAQs.
• Study the user guides.
• Use the tools in a lab or test environment.
• Watch tutorial videos on YouTube (if you can bear the poor production on most of them).
• Consider formal classroom training from the security tool vendor or another third-party training provider, if available.

Look for these characteristics in tools for security testing:

• Adequate documentation
• Detailed reports on the discovered vulnerabilities, including how they might be exploited and fixed
• General industry acceptance
• Availability of updates and responsiveness of technical support
• High-level reports that can be presented to managers or nontechnical types (This is especially important in today’s audit- and compliance-driven world!)

These features can save you a ton of time and effort when you’re performing your tests and writing your final reports.

Executing the plan

Good security testing takes persistence. Time and patience are important. Also, be careful when you’re performing your ethical hacking tests. A criminal on your network or a seemingly benign employee looking over your shoulder might watch what’s going on and use this information against you or your business.

Making sure that no hackers are on your systems before you start isn’t practical. Be sure you keep everything as quiet and private as possible. This is especially critical when transmitting and storing your test results. If possible, encrypt any e-mails and files containing sensitive test information via an encrypted Zip file, or cloud-based file sharing service.

You’re now on a reconnaissance mission. Harness as much information as possible about your organization and systems, much like malicious hackers do. Start with a broad view and narrow your focus:

1. Search the Internet for your organization’s name, your computer and network system names, and your IP addresses.

   Google is a great place to start.

2. Narrow your scope, targeting the specific systems you’re testing.

   Whether you’re assessing physical security structures or web applications, a casual assessment can turn up a lot of information about your systems.

3. Further narrow your focus with a more critical eye. Perform actual scans and other detailed tests to uncover vulnerabilities on your systems.
4. Perform the attacks and exploit any vulnerabilities you find if that’s what you choose to do.

Check out Chapters 4 and 5 to find out more information and tips on this process.

Evaluating results

Assess your results to see what you’ve uncovered, assuming that the vulnerabilities haven’t been made obvious before now. This is where knowledge counts. Your skill at evaluating the results and correlating the specific vulnerabilities discovered will get better with practice. You’ll end up knowing your systems much better than anyone else. This makes the evaluation process much simpler moving forward.

Submit a formal report to management or to your client, outlining your results and any recommendations you need to share. Keep these parties in the loop to show that your efforts and their money are well spent. Chapter 17 describes the ethical hacking reporting process.

Moving on

When you finish your security tests, you (or your client) still need to implement your recommendations to make sure the systems are secure. Otherwise, all the time, money, and effort spent on ethical hacking goes to waste. Sadly, I see this very scenario fairly often.

New security vulnerabilities continually appear. Information systems constantly change and become more complex. New security vulnerabilities and exploits are regularly uncovered. Vulnerability scanners get better and better. Security tests are a snapshot of the security posture of your systems. At any time, everything can change, especially after upgrading software, adding computer systems, or applying patches. This underscores the need to update your tools, before each use if possible. Plan to test regularly and consistently (for example, once a month, once a quarter, or biannually). Chapter 19 covers managing security changes as you move forward.