INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking as a way of reviewing and strengthening the security of information systems - By Hansa Edirisinghe
 

INFORMATION SECURITY MANAGEMENT
MSc IT Assignment 2013
Critique the employment of ethical hacking as a way of reviewing and strengthening the security of information systems.

Hansa K. Edirisinghe
BSc (Hons) University of Portsmouth, UK
MSc IT - Cardiff Metropolitan University, UK
24th February 2013

Abstract

This report discusses the employment of ethical hacking, through a disciplined, systematic analysis, as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking. In the process, it gives a basic idea of information systems and their importance to an organization and its business; the importance of information security; the danger of hacking attacks and their impact on the finances and business setting of the organization; and the different types of hackers. It then gives a comprehensive description of Ethical Hacking and its importance to the security of organizational Information Systems, supported by literature evidence and statistics. The pros and cons of Ethical Hacking, the advantages of employing an Ethical Hacker, and the difficulties companies face when hiring Ethical Hackers are also discussed in this report. Since the Ethical Hacker takes care of multiple aspects of system security, the report discusses the approach to strengthening security at the source code level of applications; the network infrastructure of the Information System; the web server, web application and web services level of the Information System; the database level of the applications; the email server and malicious code protection of the Information System; and the wireless and mobile application level of the Information System, together with the Ethical Hacker's responsibilities when installing "new releases", "version upgrades" and "bug fixes" to the Information System. Since ensuring the security of clients' information is a major critical factor, the report also discusses the Ethical Hacker's involvement in that function. Overall, the report analyzes and evaluates the above key points of how the employment of an Ethical Hacker could strengthen the security and review the protection of Information Systems.

Table of Contents

1.0 Introduction
1.1 Information System
1.2 Information Security
1.3 Types of Hackers
2.0 Literature review
2.1 Major hacking attacks
2.2 Ethical hacking
2.3 Employment of Ethical hacker
3.0 Pros and cons of ethical hacking
3.1 Advantages of ethical hacking
3.2 Barriers to ethical hacking
4.0 Reviewing and strengthening the security of IS – the role of EH
5.0 Evaluation & Recommendation
6.0 Conclusion
7.0 Bibliography

Table of Figures

Figure 1.1 : An organization's IT components, platform, IT services and IT infrastructure.
Figure 2.1 : Cyber Attacks- 2012
1.0 Introduction

Almost every industry is highly dependent on information systems. Emerging technology has changed people's typical lifestyle drastically. Traditional paper-based solutions have almost been abandoned and people have moved towards electronic lifestyles, so electronic equipment and systems play a major role in modern technology. Since technology helps improve effectiveness and efficiency, people are attracted to electronic information systems and virtual databases to make their lives easier. This report is a discourse of disciplined, systematic analysis of the employment of ethical hacking as a way of reviewing and strengthening the security of information systems.

1.1 Information System

An Information System (IS) usually consists of the components involved in processing data and producing information. Though the technical representation of an IS sounds simple as stated above, it is one of the main areas that directly affects the growth and existence of a business. An IS is an integrated, user-machine system for providing information to support operations, management and decision-making functions in an organization. The system utilizes computer hardware and software; manual procedures; models for analysis, planning, control and decision making; and a database. (Davis & Olson, 2000)

In an environment where the business depends on an IS, the system owners should take care of the quality, durability and security of the system. Although the system may be operationally in good condition, outsiders can easily harm the company's IS if it is not secured well. Consequently, it could directly spoil the entire business. Therefore information security is a major and critical factor in an IS.

1.2 Information Security

Modern companies have their own "Security Policies" to overcome potential security threats. There are different security policies, such as cyber security. The impact of security threats is plainly visible when analyzing the statistics, and is discussed in detail in the literature review. Large-scale organizations and government ministries are usually highly vulnerable to security threats. Information security plays a critical role between the organizational information system and the basic IT components. Similarly, information security is important for the IS as far as system development and data management are concerned, as illustrated in Figure 1.1.

Figure 1.1 : An organization's IT components, platform, IT services and IT infrastructure. Source : (Rainer & Cegielski, 2011)

It is necessary that the IS be protected from potential external threats while managing the organizational IS. Therefore the company's security system should be strong enough to protect the system from external hacking attacks, unauthorized access and malware. Accordingly, the company security policy should be capable of preventing the possible risks of social engineering and data theft.

1.3 Types of Hackers

Out of all the types of security threats, hacking is the most common and critical threat to an IS. Hacking usually takes advantage of weaknesses in the system. According to the main purpose of employing hackers, they are divided into three groups: Black Hat hackers, White Hat hackers and Gray Hat hackers.

Black hat hackers are known as criminal hackers. They violate the system's security for their personal gain or for someone else's needs. Usually these attacks are illegal. They break into organizational systems, put viruses and malware into the system, steal or destroy the organization's critical data and sometimes jam the system to prevent future use. Some hackers hack just for fun, but most of them do it for financial benefit.

Unlike black hats, white hat hackers do not attempt any illegal activity by hacking. They are hired by organizations to test the vulnerability of their own IS. They are essentially specialists in hacking and use a range of hacking techniques at different levels to hack a system, find vulnerable areas and provide solutions and expert knowledge before attacks take place, and advise on how to take action to prevent future attacks. Since hacking has become a major challenge for IS, companies recruit white hat hackers as internal employees on high salary scales. Therefore the job description of these employees reflects the functions of a white hat hacker. Accordingly, the personnel who perform such duties are termed Ethical Hackers (EH).

Gray Hat is a combination of both black hat and white hat. There is no specific gain for these hackers except to show their strengths in hacking. They are deemed to be acting illegally, though in good will, or in some circumstances to show how they disclose vulnerabilities.
2.0 Literature review

According to the 2012 Cyber Attacks Timeline Master Index of hackmageddon.com, at least three or more critical hacking attacks are reported a day. Some of these attacks caused huge damage to the organizations concerned.

Figure 2.1 : Cyber Attacks- 2012 Source : (Passeri, 2013)

The statistics reveal that most of these attacks are cyber crimes and hacktivism. The targeted categories for many of these attacks were countries' governments, banks and e-commerce websites.

2.1 Major hacking attacks

There have been famous black hat hackers in history who have done massive damage to leading organizations in the world. "Operation Aurora" is one of the major attacks of 2010, which targeted Google and 33 US technology companies. It was reported that Kevin Mitnick was arrested in 1995 for hacking IBM, Motorola, NEC, Nokia, Sun Microsystems and Fujitsu Siemens, Pacific Bell, the FBI, the Pentagon and Novell. The British hacker Gary McKinnon is known as the "biggest military computer hacker of all time", having caused damage amounting to more than $700,000 to U.S. military systems. The Rediff News website stated on October 5, 2012 that 42 million Indians had been hit by cyber crimes and the recorded loss was $8 billion within the past 12 months. (Nanjappa, 2012) Apart from these foreign attacks, the Sri Lankan army website was reported hacked in 2009 as a result of terrorist activities.

2.2 Ethical hacking

Ethical hacking is a modern security technique practised in certain countries such as the USA and in Europe. These countries have gained successful results by employing this concept. Some of the large organizations in Sri Lanka also practise Ethical Hacking for the protection of their IS. Being a highly paid and responsible job, there is a huge demand for the profession of EH. Due to this emerging demand, several certification criteria have been introduced in order to recognize and certify the knowledge, skills and professional qualifications pertaining to EH.

2.3 Employment of Ethical hacker

The main job function of an EH is to carry out vulnerability testing on the organizational IS, both internal and external, thereby identifying vulnerabilities and evaluating fixes (patches) for vulnerabilities and malicious code. To do this, the EH should be highly competent in computer literacy, software, hardware and networks. This is a highly important employment, so the EH should understand the significance of the job and deliver the duties with utmost care and vigilance. One mistake may cause huge damage to the company, so the EH should be a trustworthy person. He/she should be self-motivated, effective, efficient and an intelligent decision maker as well.

According to an article in The Times of India on May 14, 2012, ethical hacking was estimated in the previous year to be a US$ 3.8 billion industry in the US alone. According to Nasscom, India will require at least 77,000 ethical hackers every year, whereas it is currently producing only 15,000 a year. Frost & Sullivan have estimated that there are 2.28 million information security professionals worldwide, which is expected to increase to nearly 4.2 million by 2015. (Dewan, 2012) When it comes to remuneration, the article also states that a fresher may work as an intern for a couple of months and can start with a minimum of Rs 2.5 lakh per annum. With one year of experience, one can expect up to Rs 4.5 lakh per annum. Those with five years or more of work experience can get from 10-12 lakh per annum. (Dewan, 2012) These statements thus provide evidence of the importance, demand and commercial value of EH in the industry.
3.0 Pros and cons of ethical hacking

EH carry out a critical job; the safety of the business and the reputation of the organization ultimately depend on the EH. By employing an EH, the organization in fact creates a person who can either protect or destroy the organization overnight.

3.1 Advantages of ethical hacking

The EH acts proactively and is thus capable of identifying a potential risk of theft well in advance. By conducting internal and external vulnerability testing, the EH finds the weaknesses of the company information system. This facilitates proactive action, as the organization can take the necessary precautions to protect the IS from potential hackers. In addition to stopping unethical hacking, the EH could create traps to monitor hacking attempts. This enables the company to take legal action against hackers, and it may discourage hackers from making further attempts. Therefore ethical hacking helps to address the loopholes in the IS in advance.

Confidentiality of data is key, especially in banking and financial establishments, which are usually major targets for hacking. If a hacker gains access to such a system, the hacker can change, destroy or pilfer critical information. This might damage the entire business setup of the organization. Ethical hacking, however, can professionally prevent hackers from accessing the system. Web domain hacking is a common threat for every organization. It is harmful to the company's reputation and image if hackers succeed in their attempt. However, the EH can prevent defacement of websites.

Hacking is technically a broad subject. Even though there are identified tools and techniques, it is an evolving subject and hackers keep experimenting with new techniques. An EH expert is therefore a person who plays the role of an inventor. He/she explores every possible attack and closes off all the potential opportunities as far as hackers are concerned. Therefore the EH has to identify and analyze the potential risks and control vulnerable areas. The hands-on experience of doing these tasks develops the employee's personal skills, technical skills and management skills. The value that an EH creates for an organization will often increase with the skills and knowledge the EH gains by working. These upgraded skills eventually become an asset to the organization, creating a competitive edge.

3.2 Barriers to ethical hacking

Unlike most other professions, everything in ethical hacking depends on trustworthiness. While certain terms and conditions could control the employee to some extent, the EH has full control of the organizational information system. Therefore the EH can access, modify or delete anything in the system and knows both the strengths and weaknesses of the system. Creating such an individual could eventually be a threat to the organization.

Since there is high demand for ethical hackers, it is very expensive to hire or recruit them as employees. Therefore small-scale organizations might not be capable of recruiting an EH, since the recruitment is costly.

It is usually difficult to employ an EH in an organization, because finding a trustworthy person who is equally equipped with expert skills in hacking is a tough task. Trustworthiness alone is not enough for the profession of EH. The person should be competent and a specialist in the field, and an innovative person as well. Identifying such a revolutionary figure is not an easy task. While it is difficult to find the most suitable person, it is equally difficult to ensure that the person will not leave the company shortly. Frequent employee turnover may cause problems for the organization, especially in this field, and for the security of the IS.
4.0 Reviewing and strengthening the security of IS – the role of EH

It is evident from the above discussion that the EH should play a proactive role and thus should necessarily be vigilant in every activity of the organizational IS. An efficient and effective EH's duty is not limited to the mere performance of a routine work schedule but is a genuinely task-oriented, self-motivated, devoted and highly disciplined function. There is no control once a hacker has accessed the system, irrespective of the hidden objectives (whether malicious or innocent). Whatever the objective, a hacker usually has expert knowledge in the IT field. Therefore the service of an even smarter EH is needed to catch criminal hackers or deny them access.

The EH should conduct external and internal vulnerability testing and network penetration testing frequently. Once a vulnerable area of the system is identified, the EH should identify the potential threats to that particular area and, through a systematic analysis, assess the maximum potential damage the hacker may perform. Once a risk assessment is made, the EH should plan a suitable approach according to his/her analytical observations and propose the necessary precautions. Thereafter the EH may instruct or supervise the technical staff to fix the problem area immediately. Time is a very critical factor during this process, so the personal qualities of the EH mentioned above are the key. Once the issues are fixed, the EH should review the system and ensure the intended protection of the system is well in place. The system should be reviewed frequently, instead of once or twice, in order to verify and strengthen the protection against future attacks as well.

An IS consists of both software and hardware. Therefore the security of the system's network infrastructure and database should be reviewed frequently. The EH should foresee and analyze potential risks when changing or enhancing the current network infrastructure, upgrading or installing new hardware in the IS, and enhancing the databases. Proper guidance should be provided by the EH while taking these actions, making sure the change or enhancement does not create opportunities or open a pathway for hackers.

In addition to the threats to the entire IS, the EH should pay attention to the organizational web applications and web services. It is necessary to test for vulnerabilities and analyze potential threats to the web. The EH should always monitor unethical activities, particularly by external users, on the website. Despite the due protection being applied, hackers may sometimes break into the system in an unexpected way. Therefore the EH should maintain a tracking and alerting system to catch attackers with minimum damage to the system, "before it is too late". Once the damage has been repaired, the EH should reassess the security and strengthen it as much as possible.

The role of the EH cannot be performed by any other common software method. For example, White Box testing checks whether the source code is working and whether there are any code errors or unhandled exceptions, but it does not check the level of vulnerability of the source code to hacking attacks. Therefore the EH should frequently review the source code of applications. While reviewing the existing source code, the EH should analyze the vulnerabilities of "new releases", "version upgrades" or "bug fixes" installed in the IS at their source code level.

In today's mobile era many organizations have developed wireless and mobile applications which can communicate directly with the organizational IS. Although the system monitors all the connected wireless devices, this does not help to protect the system from hackers; it provides evidence to catch the hacker only after the attack has been done. The EH's role is to identify the vulnerabilities to wireless attacks and to properly test and review the mobile applications which are capable of accessing the system. Portable devices such as mobiles and laptops can easily be stolen, so the EH must be vigilant about the physical safety of company portable devices.

Nearly 60% of malicious code comes through emails. Some hackers trace system information through malicious code. Therefore the EH should make an extra effort to safeguard the organization's email server. The EH should provide the necessary advice to the technical staff to detect threats prior to an infection. It is important to educate email users not to open spam and suspicious mails. This is an effective precaution to strengthen the safety of the IS.

As with the company's internal information, the whole organization is responsible for protecting the clients' information provided for different business reasons. In certain business environments the client is compelled to provide very confidential or critical data on the basis of trust. It is in any case unethical (and also illegal) to use that data without the owner's consent, irrespective of whether it is harmful or harmless to the owner of the data. The trust between the organization and the client is lost if the client's critical information falls into the wrong hands. In such situations both the company and the client will be in trouble. At one extreme it could be a threat to the client's business, while on the other hand the company will lose its client. It does not end there, as the company's reputation will be seriously damaged through "word of mouth". Therefore the EH plays an indirect role in the wellbeing of the clients' business as well.
5.0 Evaluation & Recommendation

When analyzing the role played by the EH, it is proved that the EH is an essential employment for an organization, especially in the modern era. Organizations globally are adapting to emerging technology and reducing paper-based work considerably. It is very difficult to find an office without at least a simple tailor-made system. Some big organizations are fully automated electronically. While they enjoy many benefits from that, it exposes them to many threats, so the security of information has become a huge challenge. The human being is an innovative creature, so no artificial intelligence tool could totally control information security. Therefore another human being is required to regularly control such innovative security threats, which have no end.

There should be trustworthiness between the company and its client in securing a business. Thus the company is always bound to protect the critical information of the client that has been entered into the system for easy recovery. The EH is an employment which assures the security of the organizational IS in every aspect. It strengthens the security of the system's network infrastructure, firewalls, mail servers, web applications, mobile applications and databases. Regular monitoring and reviewing make the security more stringent and up to date. Regular tracking and tracing of hacking attempts will discourage hackers from continuing their attempts. Therefore it is highly recommended that medium to large-scale organizations have an EH. Small-scale organizations too may consider employing an EH after comparing the cost and the benefits that can be acquired by recruiting an EH.
6.0 Conclusion

IS security has become a major challenge, and organizations are finding solutions to protect their systems from hackers in an electronic-based culture. It is suggested that ethical hacking could minimize, if not totally eliminate, the threat of criminal hackers. Since ethical hacking is an evolving subject, understanding the effectiveness of ethical hacking is vital. Firewalls, password protection, malicious code protection, encryption and legal barriers can support IS security in various aspects. These are man-made fixed protections that cannot be upgraded automatically. This gap can be successfully bridged by the EH, because ethical hacking is an effective method that involves the live activities of a human being on a continuous basis.

The US and European countries use EH effectively. Their companies sustain themselves and make considerable profits despite the challenges applicable to any modern firm globally. As a result they usually invest a considerable amount in ethical hacking every year. Understanding the importance of ethical hacking, some of the giant Asian countries such as India and China also follow suit. This clearly shows the increasing demand for EH, given the daily statistics of reported incidents of cyber attacks in newspapers and international forums.

In view of the analysis of all these factors, it is very clear that the EH is an important figure for information security. The functions carried out by the EH will effectively manage the security of the organizational IS, and the EH can effectively review and strengthen the security of the IS.
7.0 Bibliography

Davis, G. B., and Olson, M. H., 2000. Management Information Systems. 2nd ed. New Delhi: Tata McGraw-Hill.

Dewan, D., 2012. Ethical hacking: On the right side of law. [online] The Times Of India. Available at: <http://articles.timesofindia.indiatimes.com/2012-0514/education/31700535_1_ethical-hacker-malicious-hacker-information-security> [Accessed 22 February 2013].

Nanjappa, V., 2012. India needs more than 4 lakh hackers. [online] rediff News. Available at: <http://www.rediff.com/news/slide-show/slide-show-1-india-needs-more-than-4-lakhhackers/20121005.htm> [Accessed 22 February 2013].

Passeri, P., 2013. 2012 Cyber Attacks Statistics. [online] hackmageddon.com. Available at: <http://hackmageddon.com/2012-cyber-attacks-statistics-master-index/> [Accessed 22 February 2013].

Rainer, K. R., and Cegielski, C. G., 2011. Introduction to Information Systems. 3rd ed. New Jersey: John Wiley & Sons.