Ethical hacking
Ethical hacking Document Transcript

  • 1. Ethical hacking
by C. C. Palmer
The explosive growth of the Internet has brought many good things: electronic commerce, easy access to vast stores of reference material, collaborative computing, e-mail, and new avenues for advertising and information distribution, to name a few. As with most technological advances, there is also a dark side: criminal hackers. Governments, companies, and private citizens around the world are anxious to be a part of this revolution, but they are afraid that some hacker will break into their Web server and replace their logo with pornography, read their e-mail, steal their credit card number from an on-line shopping site, or implant software that will secretly transmit their organization’s secrets to the open Internet. With these concerns and others, the ethical hacker can help. This paper describes ethical hackers: their skills, their attitudes, and how they go about helping their customers find and plug up security holes. The ethical hacking process is explained, along with many of the problems that the Global Security Analysis Lab has seen during its early years of ethical hacking for IBM clients.
The term “hacker” has a dual usage in the computer industry today. Originally, the term was defined as:
HACKER noun 1. A person who enjoys learning the details of computer systems and how to stretch their capabilities—as opposed to most users of computers, who prefer to learn only the minimum amount necessary. 2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming. [1]
This complimentary description was often extended to the verb form “hacking,” which was used to describe the rapid crafting of a new program or the making of changes to existing, usually complicated software.
As computers became increasingly available at universities, user communities began to extend beyond researchers in engineering or computer science to other individuals who viewed the computer as a curiously flexible tool. Whether they programmed the computers to play games, draw pictures, or to help them with the more mundane aspects of their daily work, once computers were available for use, there was never a lack of individuals wanting to use them.
Because of this increasing popularity of computers and their continued high cost, access to them was usually restricted. When refused access to the computers, some users would challenge the access controls that had been put in place. They would steal passwords or account numbers by looking over someone’s shoulder, explore the system for bugs that might get them past the rules, or even take control of the whole system. They would do these things in order to be able to run the programs of their choice, or just to change the limitations under which their programs were running.
Initially these computer intrusions were fairly benign, with the most damage being the theft of computer time. Other times, these recreations would take the
© Copyright 2001 by International Business Machines Corporation. Copying in printed form for private use is permitted without payment of royalty provided that (1) each reproduction is done without alteration and (2) the Journal reference and IBM copyright notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied or distributed royalty free without further permission by computer-based and other information-service systems. Permission to republish any other portion of this paper must be obtained from the Editor.
IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 0018-8670/01/$5.00 © 2001 IBM PALMER 769
  • 2. form of practical jokes. However, these intrusions did not stay benign for long. Occasionally the less talented, or less careful, intruders would accidentally bring down a system or damage its files, and the system administrators would have to restart it or make repairs. Other times, when these intruders were again denied access once their activities were discovered, they would react with purposefully destructive actions. When the number of these destructive computer intrusions became noticeable, due to the visibility of the system or the extent of the damage inflicted, it became “news” and the news media picked up on the story. Instead of using the more accurate term of “computer criminal,” the media began using the term “hacker” to describe individuals who break into computers for fun, revenge, or profit. Since calling someone a “hacker” was originally meant as a compliment, computer security professionals prefer to use the term “cracker” or “intruder” for those hackers who turn to the dark side of hacking. For clarity, we will use the explicit terms “ethical hacker” and “criminal hacker” for the rest of this paper.
What is ethical hacking?
With the growth of the Internet, computer security has become a major concern for businesses and governments. They want to be able to take advantage of the Internet for electronic commerce, advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being “hacked.” At the same time, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses. [2]
In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records. In the case of computer security, these “tiger teams” or “ethical hackers” [3] would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems’ security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.
This method of evaluating the security of a system has been in use from the early days of computers. In one early ethical hack, the United States Air Force conducted a “security evaluation” of the Multics operating systems for “potential use as a two-level (secret/top secret) system.” [4] Their evaluation found that while Multics was “significantly better than other conventional systems,” it also had “ . . . vulnerabilities in hardware security, software security, and procedural security” that could be uncovered with “a relatively low level of effort.” The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military. [5–7]
With the growth of computer networking, and of the Internet in particular, computer and network vulnerability studies began to appear outside of the military establishment. Most notable of these was the work by Farmer and Venema, [8] which was originally posted to Usenet [9] in December of 1993. They discussed publicly, perhaps for the first time, [10] this idea of using the techniques of the hacker to assess the security of a system. With the goal of raising the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented.
Farmer and Venema elected to share their report freely on the Internet in order that everyone could read and learn from it. However, they realized that the testing at which they had become so adept might be too complex, time-consuming, or just too boring for the typical system administrator to perform on a regular basis. For this reason, they gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. [11] Their program, called Security Analysis Tool for Auditing Networks, or SATAN, was met with a great amount of media attention around the world. Most of this early attention was negative, because the tool’s
  • 3. capabilities were misunderstood. The tool was not an automated hacker program that would bore into systems and steal their secrets. Rather, the tool performed an audit that both identified the vulnerabilities of a system and provided advice on how to eliminate them. Just as banks have regular audits of their accounts and procedures, computer systems also need regular checking. The SATAN tool provided that auditing capability, but it went one step further: it also advised the user on how to correct the problems it discovered. The tool did not tell the user how the vulnerability might be exploited, because there would be no useful point in doing so.
Who are ethical hackers?
These early efforts provide good examples of ethical hackers. Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. While testing the security of a client’s systems, the ethical hacker may discover information about the client that should remain secret. In many cases, this information, if publicized, could lead to real intruders breaking into the systems, possibly leading to financial losses. During an evaluation, the ethical hacker often holds the “keys to the company,” and therefore must be trusted to exercise tight control over any information about a target that could be misused. The sensitivity of the information gathered during an evaluation requires that strong measures be taken to ensure the security of the systems being employed by the ethical hackers themselves: limited-access labs with physical security protection and full ceiling-to-floor walls, multiple secure Internet connections, a safe to hold paper documentation from clients, strong cryptography to protect electronic results, and isolated networks for testing.
Ethical hackers typically have very strong programming and computer networking skills and have been in the computer and networking business for several years. They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., UNIX** or Windows NT**) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors. It should be noted that an additional specialization in security is not always necessary, as strong skills in the other areas imply a very good understanding of how the security on various systems is maintained. These systems management skills are necessary for the actual vulnerability testing, but are equally important when preparing the report for the client after the test.
Finally, good candidates for ethical hacking have more drive and patience than most people. Unlike the way someone breaks into a computer in the movies, the work that ethical hackers do demands a lot of time and persistence. This is a critical trait, since criminal hackers are known to be extremely patient and willing to monitor systems for days or weeks while waiting for an opportunity. A typical evaluation may require several days of tedious work that is difficult to automate. Some portions of the evaluations must be done outside of normal working hours to avoid interfering with production at “live” targets or to simulate the timing of a real attack. When they encounter a system with which they are unfamiliar, ethical hackers will spend the time to learn about the system and try to find its weaknesses. Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review.
One might observe that the skills we have described could just as easily belong to a criminal hacker as to an ethical hacker. Just as in sports or warfare, knowledge of the skills and techniques of your opponent is vital to your success. In the computer security realm, the ethical hacker’s task is the harder one. With traditional crime anyone can become a shoplifter, graffiti artist, or a mugger. Their potential targets are usually easy to identify and tend to be localized. The local law enforcement agents must know how the criminals ply their trade and how to stop them. On the Internet anyone can download criminal hacker tools and use them to attempt to break into computers anywhere in the world. Ethical hackers have to know the techniques of the criminal hackers, how their activities might be detected, and how to stop them.
  • 4. Given these qualifications, how does one go about finding such individuals? The best ethical hacker candidates will have successfully published research papers or released popular open-source security software. [12] The computer security community is strongly self-policing, given the importance of its work. Most ethical hackers, and many of the better computer and network security experts, did not set out to focus on these issues. Most of them were computer users from various disciplines, such as astronomy and physics, mathematics, computer science, philosophy, or liberal arts, who took it personally when someone disrupted their work with a hack.
One rule that IBM’s ethical hacking effort had from the very beginning was that we would not hire ex-hackers. While some will argue that only a “real hacker” would have the skill to actually do the work, we feel that the requirement for absolute trust eliminated such candidates. We likened the decision to that of hiring a fire marshal for a school district: while a gifted ex-arsonist might indeed know everything about setting and putting out fires, would the parents of the students really feel comfortable with such a choice? This decision was further justified when the service was initially offered: the customers themselves asked that such a restriction be observed. Since IBM’s ethical hacking group was formed, there have been numerous ex-hackers who have become security consultants and spokespersons for the news media. While they may very well have turned away from the “dark side,” there will always be a doubt.
What do ethical hackers do?
An ethical hacker’s evaluation of a system’s security seeks answers to three basic questions:
● What can an intruder see on the target systems?
● What can an intruder do with that information?
● Does anyone at the target notice the intruder’s attempts or successes?
While the first and second of these are clearly important, the third is even more important: If the owners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying and will usually eventually succeed.
When the client requests an evaluation, there is quite a bit of discussion and paperwork that must be done up front. The discussion begins with the client’s answers to questions similar to those posed by Garfinkel and Spafford: [13]
1. What are you trying to protect?
2. What are you trying to protect against?
3. How much time, effort, and money are you willing to expend to obtain adequate protection?
A surprising number of clients have difficulty precisely answering the first question: a medical center might say “our patient information,” an engineering firm might answer “our new product designs,” and a Web retailer might answer “our customer database.”
All of these answers fall short, since they only describe targets in a general way. The client usually has to be guided to succinctly describe all of the critical information assets for which loss could adversely affect the organization or its clients. These assets should also include secondary information sources, such as employee names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which this organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner’s system).
A complete answer to (2) specifies more than just the loss of the things listed in answer to (1). There are also the issues of system availability, wherein a denial-of-service attack could cost the client actual revenue and customer loss because systems were unavailable. The world became quite familiar with denial-of-service attacks in February of 2000 when attacks were launched against eBay**, Yahoo!**, E*TRADE**, CNN**, and other popular Web sites. During the attacks, customers were unable to reach these Web sites, resulting in loss of revenue and “mind share.” The answers to (1) should contain more than just a list of information assets on the organization’s computer. The level of damage to an organization’s good image resulting from a successful criminal hack can range from merely embarrassing to a serious threat to revenue. As an example of a hack affecting an organization’s image, on January 17, 2000, a U.S. Library of Congress Web site was attacked. The original initial screen is shown in Figure 1, whereas the hacked screen is shown in Figure 2. As is often done, the criminal hacker left his or her nickname, or handle, near the top of the page in order to guarantee credit for the break-in.
  • 5. Figure 1 Library of Congress Web page before attack
Some clients are under the mistaken impression that their Web site would not be a target. They cite numerous reasons, such as “it has nothing interesting on it” or “hackers have never heard of my company.” What these clients do not realize is that every Web site is a target. The goal of many criminal hackers is simple: Do something spectacular and then make sure that all of your pals know that you did it. Another rebuttal is that many hackers simply do not care who your company or organization is; they hack your Web site because they can. For example, Web administrators at UNICEF (United Nations Children’s Fund) might very well have thought that no hacker would attack them. However, in January of 1998, their page was defaced as shown in Figures 3 and 4. Many other examples of hacked Web pages can be found at archival sites around the Web. [14]
Answers to the third question are complicated by the fact that computer and network security costs come in three forms. First there are the real monetary costs incurred when obtaining security consulting, hiring
  • 6. Figure 2 Hacked Library of Congress Web page
personnel, and deploying hardware and software to support security needs. Second, there is the cost of usability: the more secure a system is, the more difficult it can be to make it easy to use. The difficulty can take the form of obscure password selection rules, strict system configuration rules, and limited remote access. Third, there is the cost of computer and network performance. The more time a computer or network spends on security needs, such as strong cryptography and detailed system activity logging, the less time it has to work on user problems. Because of Moore’s Law, [15] this may be less of an issue for mainframe, desktop, and laptop machines. Yet, it still remains a concern for mobile computing.
The “get out of jail free card”
Once answers to these three questions have been determined, a security evaluation plan is drawn up that identifies the systems to be tested, how they should be tested, and any limitations on that testing. Commonly referred to as a “get out of jail free card,” this
  • 7. Figure 3 UNICEF Web page before attack
is the contractual agreement between the client and the ethical hackers, who typically write it together. This agreement also protects the ethical hackers against prosecution, since much of what they do during the course of an evaluation would be illegal in most countries. The agreement provides a precise description, usually in the form of network addresses or modem telephone numbers, of the systems to be evaluated. Precision on this point is of the utmost importance, since a minor mistake could lead to the evaluation of the wrong system at the client’s installation or, in the worst case, the evaluation of some other organization’s system.
Once the target systems are identified, the agreement must describe how they should be tested. The best evaluation is done under a “no-holds-barred” approach. This means that the ethical hacker can try
  • 8. Figure 4 Hacked UNICEF Web page
anything he or she can think of to attempt to gain access to or disrupt the target system. While this is the most realistic and useful, some clients balk at this level of testing. Clients have several reasons for this, the most common of which is that the target systems are “in production” and interference with their operation could be damaging to the organization’s interests. However, it should be pointed out to such clients that these very reasons are precisely why a “no-holds-barred” approach should be employed. An intruder will not be playing by the client’s rules. If the systems are that important to the organization’s well-being, they should be tested as thoroughly as possible. In either case, the client should be made fully aware of the risks inherent to ethical hacker evaluations. These risks include alarmed staff and unintentional system crashes, degraded network or system performance, denial of service, and log-file size explosions.
  • 9. Some clients insist that as soon as the ethical hackers gain access to their network or to one of their systems, the evaluation should halt and the client be notified. This sort of ruling should be discouraged, because it prevents the client from learning all that the ethical hackers might discover about their systems. It can also lead to the client’s having a false sense of security by thinking that the first security hole found is the only one present. The evaluation should be allowed to proceed, since where there is one exposure there are probably others.
The timing of the evaluations may also be important to the client. The client may wish to avoid affecting systems and networks during regular working hours. While this restriction is not recommended, it reduces the accuracy of the evaluation only somewhat, since most intruders do their work outside of the local regular working hours. However, attacks done during regular working hours may be more easily hidden. Alerts from intrusion detection systems may even be disabled or less carefully monitored during the day. Whatever timing is agreed to, the client should provide contacts within the organization who can respond to calls from the ethical hackers if a system or network appears to have been adversely affected by the evaluation or if an extremely dangerous vulnerability is found that should be immediately corrected.
It is common for potential clients to delay the evaluation of their systems until only a few weeks or days before the systems need to go on-line. Such last-minute evaluations are of little use, since implementations of corrections for discovered security problems might take more time than is available and may introduce new system problems.
In order for the client to receive a valid evaluation, the client must be cautioned to limit prior knowledge of the test as much as possible. Otherwise, the ethical hackers might encounter the electronic equivalent of the client’s employees running ahead of them, locking doors and windows. By limiting the number of people at the target organization who know of the impending evaluation, the likelihood that the evaluation will reflect the organization’s actual security posture is increased. A related issue that the client must be prepared to address is the relationship of the ethical hackers to the target organization’s employees. Employees may view this “surprise inspection” as a threat to their jobs, so the organization’s management team must be prepared to take steps to reassure them.
The ethical hack itself
Once the contractual agreement is in place, the testing may begin as defined in the agreement. It should be noted that the testing itself poses some risk to the client, since a criminal hacker monitoring the transmissions of the ethical hackers could learn the same information. If the ethical hackers identify a weakness in the client’s security, the criminal hacker could potentially attempt to exploit that vulnerability. This is especially vexing since the activities of the ethical hackers might mask those of the criminal hackers. The best approach to this dilemma is to maintain several addresses around the Internet from which the ethical hacker’s transmissions will emanate, and to switch origin addresses often. Complete logs of the tests performed by the ethical hackers are always maintained, both for the final report and in the event that something unusual occurs. In extreme cases, additional intrusion monitoring software can be deployed at the target to ensure that all the tests are coming from the ethical hacker’s machines. However, this is difficult to do without tipping off the client’s staff and may require the cooperation of the client’s Internet service provider.
The line between criminal hacking and computer virus writing is becoming increasingly blurred. When requested by the client, the ethical hacker can perform testing to determine the client’s vulnerability to e-mail or Web-based virus vectors. However, it is far better for the client to deploy strong antivirus software, keep it up to date, and have a clear and simple policy in place for the reporting of incidents. IBM’s Immune System for Cyberspace [16,17] is another approach that provides the additional capability of recognizing new viruses and reporting them to a central lab that automatically analyzes the virus and provides an immediate vaccine.
As dramatized in Figure 5, there are several kinds of testing. Any combination of the following may be called for:
● Remote network. This test simulates the intruder launching an attack across the Internet. The primary defenses that must be defeated here are border firewalls, filtering routers, and Web servers.
● Remote dial-up network. This test simulates the intruder launching an attack against the client’s modem pools. The primary defenses that must be defeated here are user authentication schemes. These kinds of tests should be coordinated with the local telephone company.
  • 10. Figure 5 Different ways to attack computer security (diagram labels: DMZ, extranet, stolen laptops, Web, intranet, firewall, Internet services, inside bad guy, outside bad guy)
● Local network. This test simulates an employee or other authorized person who has a legal connection to the organization’s network. The primary defenses that must be defeated here are intranet firewalls, internal Web servers, server security measures, and e-mail systems.
● Stolen laptop computer. In this test, the laptop computer of a key employee, such as an upper-level manager or strategist, is taken by the client without warning and given to the ethical hackers. They examine the computer for passwords stored in dial-up software, corporate information assets, personnel information, and the like. Since many busy users will store their passwords on their machine, it is common for the ethical hackers to be able to use this laptop computer to dial into the corporate intranet with the owner’s full privileges.
● Social engineering. This test evaluates the target organization’s staff as to whether it would leak information to someone. A typical example of this would be an intruder calling the organization’s computer help line and asking for the external telephone numbers of the modem pool. Defending against this kind of attack is the hardest, because people and personalities are involved. Most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to let someone into the building who “forgot” his or her badge. The only defense against this is to raise security awareness.
● Physical entry. This test acts out a physical penetration of the organization’s building. Special arrangements must be made for this, since security guards or police could become involved if the ethical hackers fail to avoid detection. Once inside the building, it is important that the tester not be detected. One technique is for the tester to carry a document with the target company’s logo on it. Such a document could be found by digging through trash cans before the ethical hack or by casually picking up a document from a trash can or desk once the tester is inside. The primary defenses here are a strong security policy, security
  • 11. guards, access controls and monitoring, and security awareness.
Each of these kinds of testing can be performed from three perspectives: as a total outsider, a “semi-outsider,” or a valid user.
A total outsider has very limited knowledge about the target systems. The only information used is available through public sources on the Internet. This test represents the most commonly perceived threat. A well-defended system should not allow this kind of intruder to do anything.
A semi-outsider has limited access to one or more of the organization’s computers or networks. This tests scenarios such as a bank allowing its depositors to use special software and a modem to access information about their accounts. A well-defended system should only allow this kind of intruder to access his or her own account information.
A valid user has valid access to at least some of the organization’s computers and networks. This tests whether or not insiders with some access can extend that access beyond what has been prescribed. A well-defended system should allow an insider to access only the areas and resources that the system administrator has assigned to the insider.
The actual evaluation of the client’s systems proceeds through several phases, as described previously by Boulanger. [18]
The final report
The final report is a collection of all of the ethical hacker’s discoveries made during the evaluation. Vulnerabilities that were found to exist are explained and avoidance procedures specified. If the ethical hacker’s activities were noticed at all, the response of the client’s staff is described and suggestions for improvements are made. If social engineering testing exposed problems, advice is offered on how to raise awareness. This is the main point of the whole exercise: it does clients no good just to tell them that they have problems. The report must include specific advice on how to close the vulnerabilities and keep them closed. The actual techniques employed by the testers are never revealed. This is because the person delivering the report can never be sure just who will have access to that report once it is in the client’s hands. For example, an employee might want to try out some of the techniques for himself or herself. He or she might choose to test the company’s systems, possibly annoying system administrators or even inadvertently hiding a real attack. The employee might also choose to test the systems of another organization, which is a felony in the United States when done without permission.
The actual delivery of the report is also a sensitive issue. If vulnerabilities were found, the report could be extremely dangerous if it fell into the wrong hands. A competitor might use it for corporate espionage, a hacker might use it to break into the client’s computers, or a prankster might just post the report’s contents on the Web as a joke. The final report is typically delivered directly to an officer of the client organization in hard-copy form. The ethical hackers would have an ongoing responsibility to ensure the safety of any information they retain, so in most cases all information related to the work is destroyed at the end of the contract.
Once the ethical hack is done and the report delivered, the client might ask “So, if I fix these things I’ll have perfect security, right?” Unfortunately, this is not the case. People operate the client’s computers and networks, and people make mistakes. The longer it has been since the testing was performed, the less can be reliably said about the state of a client’s security. A portion of the final report includes recommendations for steps the client should continue to follow in order to reduce the impact of these mistakes in the future.
Conclusions
The idea of testing the security of a system by trying to break into it is not new. Whether an automobile company is crash-testing cars, or an individual is testing his or her skill at martial arts by sparring with a partner, evaluation by testing under attack from a real adversary is widely accepted as prudent. It is, however, not sufficient by itself. As Roger Schell observed nearly 30 years ago:
From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality. [19]
Regular auditing, vigilant intrusion detection, good system administration practice, and computer security awareness are all essential parts of an organization’s security efforts. A single failure in any of these areas could very well expose an organization to cyber-vandalism, embarrassment, loss of revenue or mind share, or worse. Any new technology has its benefits and its risks. While ethical hackers can help clients better understand their security needs, it is up to the clients to keep their guards in place.

Acknowledgments

The author would like to thank several people: the members of the Global Security Analysis Lab at IBM Research for sharing their amazing expertise and their ability to make just about anyone understand more about security; Chip Coy and Nick Simicich for their trailblazing work in defining IBM’s Security Consulting Practice at the very beginning; and Paul Karger for his encyclopedic knowledge of computer security research and for his amazing ability to produce copies of every notable paper on the subject that was ever published.

**Trademark or registered trademark of the Open Group, Microsoft Corporation, eBay Inc., Yahoo! Inc., E*TRADE Securities, Inc., or Cable News Network LP, LLLP.

Cited references and notes

1. E. S. Raymond, The New Hacker’s Dictionary, MIT Press, Cambridge, MA (1991).
2. S. Garfinkel, Database Nation, O’Reilly & Associates, Cambridge, MA (2000).
3. The first use of the term “ethical hackers” appears to have been in an interview with John Patrick of IBM by Gary Anthens that appeared in a June 1995 issue of ComputerWorld.
4. P. A. Karger and R. R. Schell, Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, Vol. II, Headquarters Electronic Systems Division, Hanscom Air Force Base, MA (June 1974).
5. S. M. Goheen and R. S. Fiske, OS/360 Computer Security Penetration Exercise, WP-4467, The MITRE Corporation, Bedford, MA (October 16, 1972).
6. R. P. Abbott, J. S. Chen, J. E. Donnelly, W. L. Konigsford, and S. T. Tokubo, Security Analysis and Enhancements of Computer Operating Systems, NBSIR 76-1041, National Bureau of Standards, Washington, DC (April 1976).
7. W. M. Inglis, Security Problems in the WWMCCS GCOS System, Joint Technical Support Activity Operating System Technical Bulletin 730S-12, Defense Communications Agency (August 2, 1973).
8. D. Farmer and W. Z. Venema, “Improving the Security of Your Site by Breaking into It,” originally posted to Usenet (December 1993); it has since been updated and is now available at ftp://ftp.porcupine.org/pub/security/index.html#documents.
9. See http://www.faqs.org/usenet/.
10. Who can really determine who said something first on the Internet?
11. See http://www.cs.ruu.nl/cert-uu/satan.html.
12. This strategy is based on the ideal of raising the security of the whole Internet by giving security software away. Thus, no one will have any excuse not to take action to improve security.
13. S. Garfinkel and E. Spafford, Practical Unix Security, First Edition, O’Reilly & Associates, Cambridge, MA (1996).
14. For a collection of previously hacked Web sites, see http://www.2600.com/hacked_pages/ or http://defaced.alldes.de. Be forewarned, however, that some of the hacked pages may contain pornographic images.
15. In 1965, Intel cofounder Gordon Moore was preparing a speech and made a memorable observation. When he started to graph data about the growth in memory chip performance, he realized there was a striking trend. Each new chip contained roughly twice as much capacity as its predecessor, and each chip was released within 18–24 months of the previous chip. In subsequent years, the pace slowed down a bit, but data density has doubled approximately every 18 months, and this is the current definition of Moore’s Law.
16. J. O. Kephart, G. B. Sorkin, D. M. Chess, and S. R. White, “Fighting Computer Viruses,” Scientific American 277, No. 5, 88–93 (November 1997).
17. See http://www.research.ibm.com/antivirus/SciPapers.htm for additional antivirus research papers.
18. A. Boulanger, “Catapults and Grappling Hooks: The Tools and Techniques of Information Warfare,” IBM Systems Journal 37, No. 1, 106–114 (1998).
19. R. R. Schell, P. J. Downey, and G. J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, MCI-73-1, ESD/AFSC, Hanscom Air Force Base, Bedford, MA (January 1973).

Accepted for publication April 13, 2001.

Charles C. Palmer IBM Research Division, Thomas J. Watson Research Center, P.O. Box 218, Yorktown Heights, New York 10598 (electronic mail: ccpalmer@us.ibm.com). Dr. Palmer manages the Network Security and Cryptography department at the IBM Thomas J. Watson Research Center. His teams work in the areas of cryptography research, Internet security technologies, Java™ security, privacy, and the Global Security Analysis Lab (GSAL), which he cofounded in 1995. As part of the GSAL, Dr. Palmer worked with IBM Global Services to start IBM’s ethical hacking practice. He frequently speaks on the topics of computer and network security at conferences around the world. He was also an adjunct professor of computer science at Polytechnic University, Hawthorne, New York, from 1993 to 1997. He holds four patents and has several publications from his work at IBM and Polytechnic.