

LAZgroup SA - Business and Technology Solutions
+41794822839
Rue du Cendrier 15, 1211 Geneva, Switzerland

IT risks associated with outsource of Penetration Testing (Ethical Hacking)
Written by Dr. Kretov Kirill from LAZgroup SA

Introduction

Presently, the idea that information governs the world is nothing new. The faster a business develops its technological and information framework, the higher the risk of malicious access to its information. Commercial, financial, managerial, HR and other information is of interest not only to the company where it is created and used, but also to its competitors, and to people who can take hold of it for further unauthorized use and resale. The need for data security is always growing.

Data security is a state of data protection in which integrity, availability and confidentiality are ensured. Integrity means that the information does not change when it is stored or transmitted; availability means that authorized persons can use the information and access it at any time; confidentiality means that the information is unavailable to those who are not authorized for sufficient and lawful access to it.

An information audit can be used to ensure data security. Generally, an audit is performed to estimate the current level of data security, to assess possible risks during information storage and use in the company, and to determine high-priority measures that will minimize the risks and the threat of information leakage. During an audit, we reveal the security level provided in the automated system, and the collected statistics help determine further steps to reach complete information security in the company.

Security audit types include penetration tests (or "pentests") aimed at determining various methods of finding vulnerabilities and ways of intruding into company information systems from the outside, for example, via the Internet.
Penetration tests are mainly performed to estimate the overall level of company protection from external threats and directed attacks, and also to document the actions and to create a report on them.

In most cases, the testing procedure consists of three steps, and each of the steps includes a number of quite specific jobs. The first step covers operations planning and preparation. The second step includes penetration into the automated system itself, and the third step is report creation and, possibly, recommendations to improve data security.

Most often, a company turns to penetration testing when it needs to evaluate possible damage from malicious activities, to estimate the security level of specific company information assets, to determine the most vulnerable places in the information security system or to assess the measures taken by the company staff members in case of penetration attempts.

However, one must not think that the testing procedure guarantees complete security for the company. Sometimes this is not true, as any penetration attempt may cause unexpected and crucial results for the audited company. There are two major groups of risks we should always keep in mind.

Risks due to the Testing Company

The first group of risks is caused directly by the company that performs the security audit in the customer company. In other words, a company wishing to have reliable data security checks whether the information is accessible from the outside by intentionally making it accessible, because a lot of vulnerabilities are usually revealed during pentests and testers access the protected data.

Is it actually so bad? If the customer wishes to have penetration tests performed, the customer signs a non-disclosure agreement with the testing company. Although most companies think this is enough, each penetration test brings additional risks. We should keep in mind that each auditor group consists of persons, and the human factor cannot be ignored.

First of all, it is the human factor that makes different penetration testing companies perform pentests differently. Thus, vulnerabilities that can be revealed by one group will remain unknown to another group, and vice versa. That is why, logically, you cannot completely rely on the results of penetration tests to ensure information security. A real penetration threat exists anyway, as different groups and different hackers can apply various methods to the revealed vulnerabilities. In other words, such testing will not fully guarantee security in the customer company.

Even when the testing is finished and vulnerabilities have been found in the customer automated system, the testing company can simply save the obtained information on the software, network structure, etc. or conceal some vulnerabilities from the customer. Also, the tested company will now be open to all risks of the auditing company.

The point is that it is too hard to maintain security within the company.
And there is the risk that employees of the testing company – for example, after they're fired – will use the information to their own benefit or to the benefit of competitors. This is not a rare situation, and the statistics for such cases are, unfortunately, growing.

Often, client information leaks from companies that place too much trust in their IT service providers (the latter can be outsourcing companies, processing centers, security audit companies). According to the American telecommunication company Verizon Communications, more than a half of all known information leaks in restaurant and retail shop networks and other organizations that, for whatever reasons, cannot afford high-grade IT staff, are due to dishonest partners from the outside or the companies offering information security audit services.

Here is a specific example. In 2009, the owner of a large IT company in the USA engaged in information audit and outsourcing services was accused of theft of confidential data of more than 8 million people. All information was coming from large serviced companies, and the investigation revealed that the created database was intended for sale to competitors. Details of what data had been stolen, and the list of the aggrieved organizations were not published in the interests of the investigation, but it was known for sure that during the audit, information on the organizations' network operation was carefully gathered for the purpose of further illegal use and theft.

As illustrated by the examples, dishonest companies among those who can render information audit services are not a rare exception. And though data leakage due to the company's own employees or insiders seems the most probable, it usually does not make sense to expose the company to additional risks for the sake of a false feeling of safety.

Even when you do need penetration testing from the outside, you must first carefully examine the reputation of the company that will conduct the research. But the company's reputation is not enough. Find out as much as possible about the company management and technicians, because even a company with a perfect reputation that provides high-quality security audit services might employ persons who secretly help competitors with the main intention of accessing the protected information without interrupting the testing.

Part of the information used internally by the company has a long lifespan, meaning that if such information becomes available to anyone else even after a few months, the company will still suffer substantial losses. Thus, one must be very careful when attracting external human resources and pay attention not only to their skills, cost and quality, but also to potential consequences of granting them access to the company information assets.

Another threat during penetration tests is the investigation of various attack scenarios. Employees of the auditor company can document only some of the vulnerabilities revealed in the information protection system, while the remaining vulnerabilities can still be used by hackers.

Technical Risks

Even when penetration tests bring good results, eliminating lots of vulnerabilities, they still do not guarantee that information will remain inaccessible in a few days, weeks, or months. The point is that new vulnerabilities arise every day, new types of attack are used, and even some old vulnerabilities can be utilized anew with the course of time. No information security organization can possess the complete information on all vulnerabilities.
That is why vulnerabilities that will be used tomorrow may strongly differ from the existing ones.

By providing fast operation in data networks and using the Internet in daily activities, companies make their business more effective and flexible, on the one hand, but at the same time, increase the risks, because absolutely secure systems do not exist. Failures of network protocols and services, and faults in network equipment operation, may cause not only direct financial losses to the company, but also loss of reputation, the latter being a more serious harm for many large companies than financial losses. Information security becomes more and more important, since more and more services allow maintaining customer relations directly via the Internet.

Usually, vulnerability means that the malicious user can make the application perform operations for which the user has insufficient or no rights at all by issuing a corresponding command. And though there are detection tools for different types of vulnerabilities, they can never substitute for a person's experience during information security research.

In their attempts to provide security, the management of many companies often makes severe errors that may result in further serious consequences for the company. Among them are:
  • The company's staff is excessively confident in the reliability of the security technologies used.
  • Accurate technical information on the security level does not exist.
  • There is no clear information security policy.
  • IT department staff qualification is insufficient.
  • The personnel wrongly think that there is no important information for hackers in the company's information system.
  • The personnel wrongly think that cracking of the company's web site/server will not result in serious losses.

This article is intellectual property of Dr. Kretov Kirill, the founder of LAZgroup SA

Based on last year's statistics gathered during analysis of almost 12 thousand various programs and web applications, more than 97 thousand vulnerabilities have been found. They differ in their threat level, but more than a half of them are urgent and critical, and the data from 13% of systems can be automatically compromised. In the course of detailed testing, the probability of revealing critical vulnerabilities reaches extreme rates – from 80% to 96%.

Any company can suffer from cyber attacks regardless of its business. Of course, hackers are mainly interested in large organizations, but small companies usually suffer more severe damages from such illegal activities. Small companies, as well as mid-sized businesses, often suffer from harmful software and viruses, which are becoming harder to neutralize. Note that data security companies themselves are often the target for directed network attacks.

Interesting statistics have been published by Ponemon Institute. The research, which used information received from 45 large American companies, showed how great a company's losses are from attacks using the vulnerabilities in the information system. On average, companies lose a little less than four million dollars per year due to such faulty conditions, and this figure ranges from one million for medium-scale companies to 52 million dollars. The struggle against network data leakages, attacks on companies' web sites and online services, and also harmful software distribution, constitutes the lion's share of costs for information security maintenance.
But nevertheless, the studied companies had been exposed to more than 50 successful attacks per week during which hackers could have plundered the data.

As proved by the above impressive statistics, hackers do their criminal business with impunity. While competition in this field grows, prices for computer network cracking and information theft fall, but hackers' proficiency continues to increase. Among all hackers, no more than ten persons are exposed to criminal liability a year, and for some frauds with a millions-strong turnover the hackers are subject to conditional prison sentences. Experts think that such avalanche-like growth of criminality in information technologies is a considerable threat for any business.

Conclusion

In conclusion, we have to emphasize the fact that the situation in the field of information protection is rapidly changing, and a company must respond to each change as promptly as possible. Any new vulnerability revealed, any weakness of an anti-penetration system may result not only in direct financial losses, but also in irrevocable loss of partner reputation, which is often much more important.

The hackers' arsenal grows with new complicated software and hardware, and their proficiency has long ago surpassed the proficiency of an average employee in an IT or information security department. A company can protect itself from possible threats only by constantly paying attention to the integrity and security of network and other resources. As for now, vulnerabilities have been found in all operating systems. Once again, this is to prove that no absolute security can be guaranteed, and will not be guaranteed in the nearest future.

But you can keep your risks at a minimum. For this purpose, prompt staff response in case of threat detection is crucial, as well as timely installation and update of anti-virus software and firewalls, and installation of all critical and essential operating system updates. Staff overall awareness of the recent known vulnerabilities, viruses and harmful software is also important.

Many organizations resort to penetration tests as the last possible measure. But now, this measure is expensive and ineffective. During such a test, only part of the existing vulnerabilities will be discovered, while new methods for information security breaks appear almost every day. One must understand that even a large company providing computer audit services may be exposed to its own internal data leakage risks. Entrusting such a company with detailed information about network structure, operations and protocols basically means taking and covering all risks of the company. So, penetration tests usually grant you false, illusory safety.

Internal network audit methods are more effective than penetration testing. A company must use software for access restriction, user activity monitoring and data encryption, and network activity logs must be monitored on a regular basis. This is a necessary condition for keeping the information loss risk at an acceptable minimum.

Written in January 2010 by Dr. Kretov Kirill specially for LAZgroup SA