An ethical hacker's evaluation of information systems security seeks answers to three basic queries:
- What can an attacker see on the target systems? This is in line with the earlier comment on crackers thinking 'out of the box'. Normal and routine security checks by system administrators can overlook several vulnerabilities that can be exploited by a creative and innovative mind. This also describes the reconnaissance and scanning phases of hacking discussed earlier in this module.
- What can an attacker do with the available information? The ethical hacker tries to understand the intent and purpose behind potential exploits, which makes it possible to take appropriate countermeasures. This corresponds to the two phases of gaining access and maintaining access. It is the true attack phase, and the ethical hacker needs to be one step ahead of the hacker in order to provide adequate protection.
- Are the attackers' attempts being noticed on the target systems? Often crackers enter a system and lurk around before they actually wreak havoc. They take their time in assessing the potential use of the information exposed. If the activities of an attacker are not noticed on the target systems, the attackers can, and will, spend weeks or months trying to break in and will usually succeed eventually in compromising the target system's security.
In order to do this, the attackers may even clear their tracks by modifying log files and creating backdoors or deploying Trojans. The ethical hacker needs to investigate whether such activity has been recorded and what preventive measures were taken, if any. This not only gives him an indirect assessment of the cracker's proficiency, but also gives him an insight into the security-related activities of the enterprise or system he is evaluating.
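The third question turns on whether an attacker's tampering with logs would even be noticed. The following is an added example, not code from the module: it shows one way a defender can make log modification detectable, by chaining each entry's digest to the previous one and recording the final digest somewhere the attacker cannot reach. The log lines, the `genesis` seed and the helper names are constructed for illustration.

```python
import hashlib

# Constructed sample log lines (not from the page).
SAMPLE_LOG = [
    "2024-01-01T10:00:01 sshd: Accepted password for alice from 10.0.0.5",
    "2024-01-01T10:00:07 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "2024-01-01T10:01:30 sshd: Accepted password for alice from 10.0.0.5",
    "2024-01-01T10:02:00 cron: (root) CMD (/usr/local/bin/backup.sh)",
]


def _link(prev_digest, line):
    """Digest of one entry, bound to the digest of the entry before it."""
    return hashlib.sha256((prev_digest + "\n" + line).encode()).hexdigest()


def chain_log(lines, seed="genesis"):
    """Return [(line, digest), ...] where each digest covers the line and the previous digest."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    entries = []
    for line in lines:
        digest = _link(prev, line)
        entries.append((line, digest))
        prev = digest
    return entries


def verify_chain(entries, seed="genesis"):
    """Return the index of the first entry whose digest does not fit the chain, or None if intact.

    Editing or deleting an entry breaks the link at (or right after) that position.
    Note that cutting entries off the END of the log leaves the remaining chain valid,
    so the chain alone cannot detect truncation.
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(entries):
        if digest != _link(prev, line):
            return i
        prev = digest
    return None


def verify_against_anchor(entries, anchor_digest, seed="genesis"):
    """True only if the chain is intact AND ends at a digest recorded out of band.

    The anchor (the last digest, shipped to a remote log host or written to
    write-once media) is what closes the truncation gap left by verify_chain.
    """
    if verify_chain(entries, seed) is not None:
        return False
    return bool(entries) and entries[-1][1] == anchor_digest


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LOG)
    anchor = entries[-1][1]  # would be stored off-host in practice
    print("intact:", verify_chain(entries))  # None

    # An intruder removes the sudo line that exposes what they did.
    scrubbed = [entries[0]] + entries[2:]
    print("entry removed, first bad index:", verify_chain(scrubbed))  # 1

    # An intruder rewrites the command in place, leaving the stored digest unchanged.
    edited = list(entries)
    edited[1] = (entries[1][0].replace("/etc/shadow", "/etc/motd"), entries[1][1])
    print("entry edited, first bad index:", verify_chain(edited))  # 1

    # Truncation slips past the chain but not the anchor.
    truncated = entries[:3]
    print("truncated, chain check:", verify_chain(truncated))  # None
    print("truncated, anchor check:", verify_against_anchor(truncated, anchor))  # False
```

The design point is the split between the two checks: the hash chain catches in-place edits and deletions in the middle of the log, while the out-of-band anchor is what catches an attacker who simply cuts the log short. Without the anchor, a system can appear to have "recorded" everything while the most recent entries are gone.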
The entire process of ethical hacking and subsequent patching of discovered vulnerabilities depends on questions such as:
What is the organization trying to protect, against whom or what, and how many resources is the organization willing to expend in order to gain that protection?
Sometimes, when such exercises are taken up without a proper framework, the organization might decide to call off the evaluation at the first instance of vulnerability reporting. This may be to ward off further discovery or to save on resources. Therefore it is imperative that the ethical hacker and the organization work out a suitable framework.
The organization must be convinced about the need for the exercise. Usually the concerned personnel have to be guided to concisely describe all of the critical information assets whose loss could adversely affect the organization or its clients. These assets can also include secondary information sources, such as employee names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which the primary client organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner's system).
Last, but not least, the ethical hacker must remember that it is not possible to guard systems completely, as we have discussed before in this module.