Penetration testing was all we heard about during the Internet boom, but the craze seems to have waned over the past few years. This form of assessing information risks -- now with the 21st century moniker of ethical hacking -- is making a comeback. People are starting to see that thinking like hackers to protect against hackers is a solid part of an overall information risk management program.
Rather than hashing out the same ethical hacking pros and cons we've seen documented over the years, I want to share with you 10 lessons I've learned from both my own experiences and from watching others succeed and fail. Hopefully you can use a tip or two to get the most bang for your ethical-hacking buck.
- Get it in writing.
You've heard it a thousand times, but believe it or not I've seen security professionals perform -- and security managers allow -- ethical hacking on critical business systems without putting anything in writing ahead of time. You've absolutely got to cover your assets and not only get a basic sign-off by all parties involved, but also consider and document who's responsible (or not) when something goes awry during the testing. Bad things can happen during ethical hacking -- servers can crash and data can get lost. Think about this from a business perspective. You'll make your lawyer and insurance underwriter proud!
- You've got to have goals.
Just like with any successful business venture, you've got to determine exactly what you want to get out of ethical hacking. What outcomes are you looking for? Is this to prove you need to migrate to a Novell or Unix platform? Are you trying to get more money to spend on security? Are you trying to comply with federal regulations or meet security standards? Also, ask yourself what information you're trying to protect and which systems need to be tested.
- Don't try to test everything at once.
This doesn't necessarily apply to small networks, but who really has a small network any more? Prioritize the systems that need to be tested, and test the most critical ones first. This is most likely Web, e-mail or database servers, and even perimeter devices such as routers and firewalls. Look for single points of failure and systems your business can do without. Many security professionals focus only on publicly accessible hosts. Remember that hacking can occur from inside the network, so don't forget about the insider threat and the systems that could be affected by it.
- Don't forget to test the "unimportant" systems.
OK, so this conflicts with lesson number three. Well, not exactly. You don't have to test all of your systems, but it does help to think through how attacks can occur and affect other, less important systems. Workstations that don't have confidential data on them, the telecommuter's home PC or that Web server that only provides basic e-mail access are often the systems that are used as stepping stones to attack other, more critical systems. Never rule out the rogue "little guy."
- It sounds cliché, but thinking like the enemy really does help.
On the heels of lesson number four comes the tried and true "know your enemy." It's old-fashioned, but true. If systems are tested using only the latest automated tools without thinking through all the other various ways manual hacks can be carried out, the complete picture won't be seen. There's no way to test for every possible hack from every possible angle. The key is making sure the research has been done and hacker motives and methods are understood and made part of your ethical hacking program.
- Use the right tools.
This is something I'm reminded of every time I perform ethical hacking tests. I don't know what I'd do without the tools (both freeware and commercial) I've gathered over the years. It's just like any successful homebuilder will tell you; you've got to have the right tool for the task at hand. Otherwise, it will likely be an exercise in futility with bad results. As a security manager, make sure your team or the third-party ethical hackers you've hired have the right tools. Many are not simple to use and many are not inexpensive, but they sure are worth it.
- It's all in the timing.
Ever hear of someone pounding on a system with a million packets per minute to see if the TCP/IP stack is stable? This kind of testing might be OK, but as my mother always told me, there's a time and a place for everything. Make sure that the ethical hacking tests are not carried out during peak network or host usage. You don't want the network to run slow or have a system crash. There are a lot of security tools that can do just that if the system is unstable or overloaded with other requests at the time the testing is being carried out. Come up with a timeline. And put it in writing!
- Don't think that no penetration means you're secure.
A very common misconception is that if no penetration was possible, the systems must be secure. Nope! It could be that the right tools weren't used or the right systems weren't tested. It could also be that a vulnerability has not yet been discovered for the system you're testing. Ethical hacking is a snapshot in time of a few specific systems. There could be a rogue router (or user) presenting a security problem on the other side of the world that was overlooked or not part of the original scope. You just never saw it.
- Keep up the good work.
Lesson number eight is what makes number nine critical. I know you hear about testing your systems over and over again. It's true; things change. New threats and vulnerabilities crop up. Make sure your systems are being tested periodically for new issues and to catch vulnerabilities that were missed in the past. Repetition is key.
- Focus on the important and urgent vulnerabilities.
I've seen a lot of security managers feel obligated to fix every vulnerability discovered during the ethical hacking process. It realistically can't be done. It's not reasonable or fair to put pressure on yourself or your team to secure everything. Take the route that time management experts recommend when prioritizing daily tasks: go for vulnerabilities that are both important (high impact if exploited) and urgent (high likelihood of being exploited). The other vulnerabilities can then be addressed as time, resources and money allow.
If you can incorporate into your ethical hacking efforts even just a few of these 10 lessons I've learned over the years, I know they'll make your job as a security manager a little easier; after all, every little bit counts.
About the author
Kevin Beaver, CISSP, is president of the Atlanta-based information security consulting firm Principle Logic, LLC. He is the author of the new book Ethical Hacking for Dummies by John Wiley and Sons. In addition, he is co-author of the new book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications as well as author of the book The Definitive Guide to E-mail Management and Security by Realtimepublishers.com. Kevin is a columnist and expert advisor for SearchSecurity.com and serves as Secretary of InfraGard Atlanta. He earned a bachelor's degree in Computer Engineering Technology from Southern Polytechnic State University and a master's degree in Management of Technology from Georgia Tech.