by C. C. Palmer
The explosive growth of the Internet has brought many good things: electronic commerce, easy access to vast stores of reference material, collaborative computing, e-mail, and new avenues for advertising and information distribution, to name a few. As with most technological advances, there is also a dark side: criminal hackers. Governments, companies, and private citizens around the world are anxious to be a part of this revolution, but they are afraid that some hacker will break into their Web server and replace their logo with pornography, read their e-mail, steal their credit card number from an on-line shopping site, or implant software that will secretly transmit their organization's secrets to the open Internet. With these concerns and others, the ethical hacker can help. This paper describes ethical hackers: their skills, their attitudes, and how they go about helping their customers find and plug up security holes. The ethical hacking process is explained, along with many of the problems that the Global Security Analysis Lab has seen during its early years of ethical hacking for IBM clients.

scribe the rapid crafting of a new program or the making of changes to existing, usually complicated software.

As computers became increasingly available at universities, user communities began to extend beyond researchers in engineering or computer science to other individuals who viewed the computer as a curiously flexible tool. Whether they programmed the computers to play games, draw pictures, or to help them with the more mundane aspects of their daily work, once computers were available for use, there was never a lack of individuals wanting to use them.

Because of this increasing popularity of computers and their continued high cost, access to them was usually restricted. When refused access to the computers, some users would challenge the access controls that had been put in place. They would steal passwords or account numbers by looking over someone's shoulder, explore the system for bugs that might get them past the rules, or even take control of the whole system. They would do these things in order to be able to run the programs of their choice,
IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 0018-8670/01/$5.00 2001 IBM PALMER 769
form of practical jokes. However, these intrusions did not stay benign for long. Occasionally the less talented, or less careful, intruders would accidentally bring down a system or damage its files, and the system administrators would have to restart it or make repairs. Other times, when these intruders were again denied access once their activities were discovered, they would react with purposefully destructive actions. When the number of these destructive computer intrusions became noticeable, due to the visibility of the system or the extent of the damage inflicted, it became "news" and the news media picked up on the story. Instead of using the more accurate term of "computer criminal," the media began using the term "hacker" to describe individuals who break into computers for fun, revenge, or profit. Since calling someone a "hacker" was originally meant as a compliment, computer security professionals prefer to use the term "cracker" or "intruder" for those hackers who turn to the dark side of hacking. For clarity, we will use the explicit terms "ethical hacker" and "criminal hacker" for the rest of this paper.

What is ethical hacking?

With the growth of the Internet, computer security has become a major concern for businesses and governments. They want to be able to take advantage of the Internet for electronic commerce, advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being "hacked." At the same time, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses. 2

In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records. In the case of computer security, these "tiger teams" or "ethical hackers" 3 would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems' security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.

This method of evaluating the security of a system has been in use from the early days of computers. In one early ethical hack, the United States Air Force conducted a "security evaluation" of the Multics operating systems for "potential use as a two-level (secret/top secret) system." 4 Their evaluation found that while Multics was significantly better than other conventional systems, it also had "... vulnerabilities in hardware security, software security, and procedural security that could be uncovered with a relatively low level of effort." The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military. 5-7

With the growth of computer networking, and of the Internet in particular, computer and network vulnerability studies began to appear outside of the military establishment. Most notable of these was the work by Farmer and Venema, 8 which was originally posted to Usenet 9 in December of 1993. They discussed publicly, perhaps for the first time, 10 this idea of using the techniques of the hacker to assess the security of a system. With the goal of raising the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented.

Farmer and Venema elected to share their report freely on the Internet in order that everyone could read and learn from it. However, they realized that the testing at which they had become so adept might be too complex, time-consuming, or just too boring for the typical system administrator to perform on a regular basis. For this reason, they gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. 11 Their program, called Security Analysis Tool for Auditing Networks, or SATAN, was met with a great amount of media attention around the world. Most of this early attention was negative, because the tools
Some clients are under the mistaken impression that their Web site would not be a target. They cite numerous reasons, such as "it has nothing interesting on it" or "hackers have never heard of my company." What these clients do not realize is that every Web site is a target. The goal of many criminal hackers is simple: Do something spectacular and then make sure that all of your pals know that you did it. Another rebuttal is that many hackers simply do not care who your company or organization is; they hack your Web site because they can. For example, Web administrators at UNICEF (United Nations Children's Fund) might very well have thought that no hacker would attack them. However, in January of 1998, their page was defaced as shown in Figures 3 and 4. Many other examples of hacked Web pages can be found at archival sites around the Web. 14

Answers to the third question are complicated by the fact that computer and network security costs come in three forms. First there are the real monetary costs incurred when obtaining security consulting, hiring
personnel, and deploying hardware and software to support security needs. Second, there is the cost of usability: the more secure a system is, the more difficult it can be to make it easy to use. The difficulty can take the form of obscure password selection rules, strict system configuration rules, and limited remote access. Third, there is the cost of computer and network performance. The more time a computer or network spends on security needs, such as strong cryptography and detailed system activity logging, the less time it has to work on user problems. Because of Moore's Law, 15 this may be less of an issue for mainframe, desktop, and laptop machines. Yet, it still remains a concern for mobile computing.

The "get out of jail free card"

Once answers to these three questions have been determined, a security evaluation plan is drawn up that identifies the systems to be tested, how they should be tested, and any limitations on that testing. Commonly referred to as a "get out of jail free card," this is the contractual agreement between the client and the ethical hackers, who typically write it together. This agreement also protects the ethical hackers against prosecution, since much of what they do during the course of an evaluation would be illegal in most countries. The agreement provides a precise description, usually in the form of network addresses or modem telephone numbers, of the systems to be evaluated. Precision on this point is of the utmost importance, since a minor mistake could lead to the evaluation of the wrong system at the client's installation or, in the worst case, the evaluation of some other organization's system.

Once the target systems are identified, the agreement must describe how they should be tested. The best evaluation is done under a "no-holds-barred" approach. This means that the ethical hacker can try anything he or she can think of to attempt to gain access to or disrupt the target system. While this is the most realistic and useful, some clients balk at this level of testing. Clients have several reasons for this, the most common of which is that the target systems are in production and interference with their operation could be damaging to the organization's interests. However, it should be pointed out to such clients that these very reasons are precisely why a no-holds-barred approach should be employed. An intruder will not be playing by the client's rules. If the systems are that important to the organization's well-being, they should be tested as thoroughly as possible. In either case, the client should be made fully aware of the risks inherent to ethical hacker evaluations. These risks include alarmed staff and unintentional system crashes, degraded network or system performance, denial of service, and log-file size explosions.
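The agreement above names the systems in scope as a precise list of network addresses or modem numbers, and warns that a minor mistake can put the wrong system, or another organization's system, under test. The following Python helper is an added illustration of how that precision can be enforced mechanically before any testing starts; it is not code from the paper or from IBM's Global Security Analysis Lab. The directive syntax (allow, exclude, modem) and every address and phone number in it are constructed for the example.

```python
"""Scope check for the targets named in an ethical-hacking agreement.

Added example, not code from the paper or from IBM's Global Security
Analysis Lab. The directive syntax (allow / exclude / modem) and every
address and phone number below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Agreement:
    """The address scope exactly as the written agreement states it."""
    networks: list = field(default_factory=list)     # authorized ip_network objects
    excluded: set = field(default_factory=set)       # hosts carved out of those networks
    modem_numbers: set = field(default_factory=set)  # modem pool numbers, digits only


def normalize_phone(number):
    """Keep only digits so '+1 (555) 0100' and '1-555-0100' compare equal."""
    return re.sub(r"\D", "", number)


def parse_agreement(text):
    """Parse one directive per line; raise ValueError on anything imprecise."""
    agreement = Agreement()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, _, value = line.partition(" ")
        value = value.strip()
        if directive == "allow":
            # strict=True rejects '192.0.2.5/24': host bits set means the author
            # of the agreement was imprecise, and imprecision is the risk here.
            agreement.networks.append(ipaddress.ip_network(value, strict=True))
        elif directive == "exclude":
            agreement.excluded.add(ipaddress.ip_address(value))
        elif directive == "modem":
            agreement.modem_numbers.add(normalize_phone(value))
        else:
            raise ValueError(f"unknown directive {directive!r}: {raw!r}")
    return agreement


def agreement_is_precise(text):
    """True when the whole agreement parses under the strict rules above."""
    try:
        parse_agreement(text)
        return True
    except ValueError:
        return False


def check_target(agreement, target):
    """Return (allowed, reason) for one proposed target string."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP address: a modem number, or a hostname we cannot vouch for.
        if re.fullmatch(r"[\d\s()+.-]+", target):
            if normalize_phone(target) in agreement.modem_numbers:
                return True, "modem number listed in the agreement"
            return False, "modem number not listed in the agreement"
        return False, "not an address; resolve the name and check the address itself"
    if addr in agreement.excluded:
        return False, "host explicitly excluded by the agreement"
    for net in agreement.networks:
        if addr in net:
            return True, f"inside authorized network {net}"
    return False, "address outside every authorized network"


def partition_targets(agreement, candidates):
    """Split a proposed target list into in-scope and out-of-scope entries."""
    in_scope, out_of_scope = [], []
    for target in candidates:
        allowed, reason = check_target(agreement, target)
        (in_scope if allowed else out_of_scope).append((target, reason))
    return in_scope, out_of_scope


# Constructed sample agreement (documentation ranges, not real systems).
SAMPLE_TEXT = """
allow 192.0.2.0/24        # DMZ Web servers
allow 198.51.100.0/26     # extranet segment
exclude 192.0.2.10        # production database: out of bounds
modem +1 555 0100         # the only modem pool number in scope
"""
SAMPLE_AGREEMENT = parse_agreement(SAMPLE_TEXT)

if __name__ == "__main__":
    proposed = ["192.0.2.7", "192.0.2.10", "198.51.100.70",
                "203.0.113.5", "+1 (555) 0100", "555-0101", "www.example.com"]
    ok, rejected = partition_targets(SAMPLE_AGREEMENT, proposed)
    for target, reason in ok:
        print(f"IN SCOPE   {target:18} {reason}")
    for target, reason in rejected:
        print(f"OUT        {target:18} {reason}")
```

Two design choices follow directly from the paper's point. Networks are parsed with strict=True, so an agreement that writes a host address with a network prefix is rejected at parse time rather than silently widened to the whole block; and a hostname is never accepted on its own, because the agreement speaks in addresses and a name can resolve to a machine nobody authorized.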
[Figure: only the labels survive extraction: DMZ, EXTRANET, STOLEN LAPTOPS, WEB, INTRANET, FIREWALL, INTERNET, SERVICES]
Local network. This test simulates an employee or other authorized person who has a legal connection to the organization's network. The primary defenses that must be defeated here are intranet firewalls, internal Web servers, server security measures, and e-mail systems.

Stolen laptop computer. In this test, the laptop computer of a key employee, such as an upper-level manager or strategist, is taken by the client without warning and given to the ethical hackers. They examine the computer for passwords stored in dial-up software, corporate information assets, personnel information, and the like. Since many busy users will store their passwords on their machine, it is common for the ethical hackers to be able to use this laptop computer to dial into the corporate intranet with the owner's full privileges.

Social engineering. This test evaluates the target organization's staff as to whether it would leak information to someone. A typical example of this would be an intruder calling the organization's computer help line and asking for the external telephone numbers of the modem pool. Defending against this kind of attack is the hardest, because people and personalities are involved. Most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to let someone into the building who forgot his or her badge. The only defense against this is to raise security awareness.

Physical entry. This test acts out a physical penetration of the organization's building. Special arrangements must be made for this, since security guards or police could become involved if the ethical hackers fail to avoid detection. Once inside the building, it is important that the tester not be detected. One technique is for the tester to carry a document with the target company's logo on it. Such a document could be found by digging through trash cans before the ethical hack or by casually picking up a document from a trash can or desk once the tester is inside. The primary defenses here are a strong security policy, security
A total outsider has very limited knowledge about the target systems. The only information used is available through public sources on the Internet. This test represents the most commonly perceived threat. A well-defended system should not allow this kind of intruder to do anything.

A semi-outsider has limited access to one or more of the organization's computers or networks. This tests scenarios such as a bank allowing its depositors to use special software and a modem to access information about their accounts. A well-defended system should only allow this kind of intruder to access his or her own account information.

A valid user has valid access to at least some of the organization's computers and networks. This tests whether or not insiders with some access can extend that access beyond what has been prescribed. A well-defended system should allow an insider to access only the areas and resources that the system administrator has assigned to the insider.

The actual evaluation of the client's systems proceeds through several phases, as described previously by Boulanger. 18

The final report is a collection of all of the ethical hackers' discoveries made during the evaluation. Vulnerabilities that were found to exist are explained and avoidance procedures specified. If the ethical hackers' activities were noticed at all, the response of the client's staff is described and suggestions for improvements are made. If social engineering testing exposed problems, advice is offered on how to raise awareness. This is the main point of the whole exercise: it does clients no good just to tell them that they have problems. The report must include specific advice on how to close the vulnerabilities and keep them closed. The actual techniques employed by the testers are never revealed. This is because the person delivering the report can never be sure just who will have access to that report once it is in the client's hands. For example, an employee might want to try out some of the techniques for himself or her-

The actual delivery of the report is also a sensitive issue. If vulnerabilities were found, the report could be extremely dangerous if it fell into the wrong hands. A competitor might use it for corporate espionage, a hacker might use it to break into the client's computers, or a prankster might just post the report's contents on the Web as a joke. The final report is typically delivered directly to an officer of the client organization in hard-copy form. The ethical hackers would have an ongoing responsibility to ensure the safety of any information they retain, so in most cases all information related to the work is destroyed at the end of the contract.

Once the ethical hack is done and the report delivered, the client might ask "So, if I fix these things I'll have perfect security, right?" Unfortunately, this is not the case. People operate the client's computers and networks, and people make mistakes. The longer it has been since the testing was performed, the less can be reliably said about the state of a client's security. A portion of the final report includes recommendations for steps the client should continue to follow in order to reduce the impact of these mistakes in the future.

The idea of testing the security of a system by trying to break into it is not new. Whether an automobile company is crash-testing cars, or an individual is testing his or her skill at martial arts by sparring with a partner, evaluation by testing under attack from a real adversary is widely accepted as prudent. It is, however, not sufficient by itself. As Roger Schell observed nearly 30 years ago:

"From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality." 19