Part dedicated professional, part creative thinker and part con man.
On a weekly basis a major corporation’s data is compromised in a most public fashion – in an instant slaughtering consumer confidence and bringing immediate disgrace. Who doesn’t remember the Google Aurora attacks and AT&T’s iPad data leak exposing 114,000 users’ personal information and costing them millions? Yet unbeknownst to the public, legions of ethical hackers (AKA penetration testers) are quietly pilfering passwords, war-driving, finding vulnerabilities and brute-forcing their way into protected systems… and doing so with great ease. How much ease? According to Michael Miora, President & Founder of ContingenZ Corp, if given ample resources without too many restrictions his team can penetrate a financial institution’s network and gain access to sensitive client information in a few hours. Ben Fortenberry of PROACCURA is a little more conservative, but still offers a chilling figure of a few hours to several days.
The easiest way to break into a network isn’t an elaborate and long-planned attack, nor is it a few keystrokes as portrayed on T.V., explains Miora: “Probably the most well known and ignored vulnerabilities are still social engineering issues such as shoulder surfing, tailgating, impersonation, and other techniques.” End users require certain permissions in order to do their jobs; those permissions create varying levels of risk, and that risk is ultimately controlled by each end user. A single negligent end user can compromise the entire company, enabling attackers to bypass all external defenses and gain a foothold in the internal network.
Some penetration testers, however, are more James Bond and less keyboard commando. Dave Chronister of Parameter Security does whatever it takes to get the job done, even if it involves a costume and some sweet-talking: “I was able to install Trojans on every computer in a bank’s branch in 15 minutes by walking through the front door, pretending to be an exterminator.” Does your company have policies in place to validate the identity and employer of all visitors on premises? If you answered yes – think about it one more time… when was the last time you asked your UPS driver for his ID and confirmed it with his dispatching office?
Clearly, these ethical hackers don’t mess around – but what purpose do they serve? They’re actually hired by security-conscious organizations to test systems, policies and procedures in order to expose and report weaknesses. Fortenberry provided a surprising example: “I identified what appeared to be modified remnants of the ‘Code Red Worm’ on a large health care provider’s Web server. A couple of quick modifications to the publicly available exploit code resulted in full access to the compromised web server. A short analysis of the log files and file system revealed that the server had been compromised for months and was actively being used by an unauthorized user.” Fortenberry immediately reported his findings to the organization and the penetration test quickly morphed into a forensic analysis – “It turned out that the entire facility had been compromised and confidential information had been accessed.”
By contrast, some organizations use penetration testing firms for political purposes. According to Chronister, “Many corporations will set the rules of engagement artificially tight so they can get a clear bill of health, while many real world scenarios in which they are vulnerable are not tested.” Chronister was quick to point out a widespread false sense of security amongst most organizations. “They believe if they have this or that security device they are safe. They think if they don’t see intrusions they’re not happening. These are usually the same corporations using event logs to detect intrusions on the same system the logs are stored on, and if I have gained access to that system I will erase my activity from the logs.” Chronister rated the average corporation’s network security at a paltry four out of ten and the average financial institution a six out of ten. Fortenberry provided more optimistic figures at five and seven respectively. Miora declined to comment.
Call them penetration testers or ethical hackers, they’re breaking into networks like Houdini on Red Bull, but whatever you call them make sure it’s followed by “one of the good guys.”