Set a thief to catch a thief is the principle behind hiring ethical hackers to check out your IT security. XYZ Inc (its real name has been withheld for security) is a $30bn (£20.5bn) global corporation with 90,000 staff. It has been using ethical hackers to check IT security for several years.
"As a global company, it is only prudent to consider the corporate network as 'dark and dirty' so we must protect each platform connected to it," says John Doe (not his real name), European information security officer of XYZ. "Our company is so big it's impossible to guarantee that there is no illegitimate access - we can't assume it's a trusted environment. In particular you should consider the corporate intranet, like the [public] Internet, to be absolutely unsafe."
That is especially true, says Doe, when you take trading partners and suppliers, who access your intranet, into account. "We have no control over what else they are connected to. An ethical hacker will have a hacker's mindset to exploit any vulnerabilities we have - and expose them," he says.
The ethical hacking programme was set up in conjunction with CSC, the company's IT security consultancy, and is run by the company's audit department, rather than by IT. "When we first brought in an ethical hacker several years ago our IT community was too arrogant," says Doe. "When the hacker broke into systems very quickly, IT staff were really surprised."
The ethical hacker got into some core systems, says Doe. "He got lots of access through easily guessable passwords which he was able to exploit to move from system to system. He even gained access to the main mail server, which he could copy and open up."
Since not all hackers ply their trade for satisfaction alone, getting hold of the contents of corporate e-mail could feed a lucrative income from commercial espionage or disclosure to the press.
The shock tactics worked - the IT department rose to the challenge and fought back, fiercely and effectively. Now XYZ is a tougher nut to crack - passwords, for example, use three-factor authentication and are only valid for 30 seconds.
"For example, the ethical hacker broke into the SAP system holding our financial data - he could not now," says Doe.
But a programme of regular ethical hacking means they still keep trying - and learning. "Now we do an ethical hack on a random basis - to test a portion of the network, or a particular business unit, or at night. It depends on what we think is interesting to look at," says Doe.
Crucially, "IT is not alerted, nor can IT veto or delay when an ethical hack can take place - after all, a real hacker won't wait until you've finished bedding in a new system." Knowing that an ethical hacker could be set loose on them at any time means that securing systems has become a challenge between system administrators and the hackers, says Doe.
XYZ uses ethical hackers from both inside and outside the company, the external ones supplied by CSC. Both internal and external hackers work within an agreed framework with an agreed scope. "We decide on the scenario in advance," says Doe. For example, "We tell them 'Try and get in by any means' - they can sit as an employee, or plug directly into the network - it's all defined in advance," he says.
Once, Doe says, he asked the hackers to try to gain access to the finance systems by any means they could. Then he sat back to see what happened - and how IT responded. IT's response is important. It is vital, if under real attack, not to exacerbate the damage that an attack can do. "It's important to have valid processes in place," points out Doe. "You need an alert system, so the incident is communicated properly, and a process for what to do in case of intruder detection."
"The key is to guarantee that business will continue, and not immediately shut everything down." Not only would that paralyse the organisation - very satisfying for the hacker - but it would cost money to recover. "The financial systems are expensive to restore," points out Doe. Moreover, "it is relatively easy to bring down systems," he says. "There are very few architectures that could survive floods of attacks. The cost of building in sufficient resilience would be phenomenal."
Although the ethical hackers stop short of bringing down systems, "IT needs to understand that they could have done so," says Doe. Passwords are a particular weak point of many business systems. Not because the hacker can get hold of the correct ones, but because he can use incorrect ones to faze the system into reacting badly. "[The hacker] would throw, say, five invalid passwords at a server, and then all passwords, including the correct ones, would be locked out by the server," says Doe.
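The lockout failure mode Doe describes, as an added example that is not from the article or from XYZ's systems: a constructed stream of login events, a hard-lockout policy that behaves exactly as he describes (five bad passwords and the account is locked for everyone, correct password included), and beside it one alternative policy that is my own assumption of a common mitigation rather than anything the article attributes to XYZ. The alternative throttles failures per user-and-source pair with exponential backoff and raises an alert once an account draws repeated failures, so a legitimate user with the correct password from a different workstation still gets in while the source doing the guessing is slowed to a crawl. Usernames, addresses and timings are all constructed.

```python
from collections import defaultdict

# Constructed sample: (time_s, username, source_ip, password_correct).
# Five wrong passwords from one address, then the real user from another.
SAMPLE_EVENTS = [
    (0, "finance-admin", "10.9.9.9", False),
    (1, "finance-admin", "10.9.9.9", False),
    (2, "finance-admin", "10.9.9.9", False),
    (3, "finance-admin", "10.9.9.9", False),
    (4, "finance-admin", "10.9.9.9", False),
    (5, "finance-admin", "10.1.1.1", True),   # legitimate user, correct password
]


class HardLockout:
    """The policy the article describes: N bad passwords lock the account
    for everyone, regardless of where the failures came from."""

    def __init__(self, threshold=5, lock_seconds=900):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> unlock time

    def attempt(self, t, user, source, correct):
        if self.locked_until.get(user, -1) > t:
            return "locked"                # even the right password is refused
        if correct:
            self.failures[user] = 0
            return "allow"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = t + self.lock_seconds
            self.failures[user] = 0
        return "deny"


class SourceBackoff:
    """Assumed mitigation: count failures per (user, source) and impose an
    exponentially growing wait on that pair only. The account itself is
    never locked, and repeated failures raise an alert for the SOC."""

    def __init__(self, base_delay=1.0, max_delay=60.0, alert_threshold=3):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.alert_threshold = alert_threshold
        self.failures = defaultdict(int)       # (user, source) -> failures
        self.not_before = {}                   # (user, source) -> earliest retry
        self.user_failures = defaultdict(int)  # username -> failures, any source
        self.alerts = []

    def attempt(self, t, user, source, correct):
        key = (user, source)
        if self.not_before.get(key, -1) > t:
            return "throttled"             # this source must wait; others unaffected
        if correct:
            self.failures[key] = 0
            return "allow"
        self.failures[key] += 1
        self.user_failures[user] += 1
        # Double the wait on every failure from this pair, capped at max_delay.
        delay = min(self.base_delay * 2 ** (self.failures[key] - 1), self.max_delay)
        self.not_before[key] = t + delay
        if self.user_failures[user] == self.alert_threshold:
            self.alerts.append(
                f"{user}: {self.alert_threshold} failed logins, latest from {source}"
            )
        return "deny"


def run(policy, events):
    """Feed the event stream through a policy and return each decision."""
    return [policy.attempt(*event) for event in events]


if __name__ == "__main__":
    print("hard lockout :", run(HardLockout(), SAMPLE_EVENTS))
    backoff = SourceBackoff()
    print("source backoff:", run(backoff, SAMPLE_EVENTS))
    print("alerts       :", backoff.alerts)
```

With the hard-lockout policy the sixth event, the real user with the correct password, comes back "locked": the attacker has spent five guesses and bought a 15-minute outage for that account. With the per-source backoff the same event comes back "allow", the guessing source spends most of its time "throttled", and an alert has been raised by the third failure, which is the point at which a SOC would want to look at the source address.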
But if IT was swift to learn that hackers could get in to do real damage, Doe had a challenge on his hands to make business departments sit up and take notice. One of the perennial problems for security is that no one wants to pay for it, and everyone begrudges the cost.
The way round this is to demonstrate that not having security is more expensive than the cost of providing it. "Business departments learn the cost of an IT security breach when they can translate it into dollars," says Doe. By equating downtime with loss of production, order servicing, wasted personnel time and so on, all of which can be costed out in language business managers understand, "They can then build a continuity plan on that basis," he says.
"If I tell them, 'Did you know anyone can get in and look at figures on a system?' they will say, so what? But if I say, 'Well then they can change those figures so that the general ledger is wrong, which will take a lot of work to correct,' then that translates into dollars they understand," says Doe.
For all that, convincing business that IT security is worth paying for is a long process, says Doe. "How much will they pay? There's a limit that is acceptable," he says. "It's based on asking, 'What can we afford if the business doesn't continue?'"
Ethical hackers can highlight the fact that giving high-value systems more security than low-value systems may not be safe. "Hackers could get into a high value system via a low value one," he says. Hackers love to come in through the ill-guarded back door - a fact that the company has now accepted.
"There has been a change in corporate mind set since two years ago," says Doe. "We operated a safe environment, with a controlled perimeter, so we did not need internal security, it was thought, because we were secure from the outside. Management had the idea that having a secure perimeter was enough. Our ethical hackers demonstrated that this was not the case."
Mindset has had to change throughout the company. "One of our biggest goals has been to get senior management to accept the value of having a secure IT environment," he says.
He was fortunate in that safety and security are already crucial for the company in the sectors it operates in - that culture simply had to be extended to IT. Bringing in ethical hackers was critical in demonstrating the need for it.
"When we did the first [ethical hack] audit the results went right up to senior management and down again to the audit room within an hour to tell us to get [the holes] fixed," says Doe. "That expressly opened to us all the support we needed to fix things from line- and middle-managers."
Now, he says, two years down the line, there has been a marked improvement in both actual levels of IT security, and the entire company attitude towards it.
"We didn't get hit by Nimda or Code Red," says Doe, "and that was not an accident. We identified vulnerable systems and fixed them before the viruses reached them. So two years of prudence have paid dividends." Moreover, a culture of safety-consciousness about IT has permeated the company. "We've developed a feel for IT security that's like driving a car without a seat-belt. People feel worried if it's not in place," he says.
As for the IT department, "there's nothing like a convert," says Doe. "Systems administrators now take a huge pride in the level of security." They know that, if they don't, the ethical hackers will be in like a flash.
A word of warning
Any organisation that tells the world it is hacker-proof is waving a red rag at the e-crime community. Names have been changed throughout this article, simply to prevent the contributors being bombarded with attacks from all sides, which would cost them both time and money to defend.
Why employ an ethical hacker?
- It demonstrated where there were weaknesses, and proved that it was possible to get into systems
- It helped to validate the security concepts in hand and tested the security processes already in place
- Having an ethical hacker is the only way to validate IT security because he or she uses what real hackers would use - hackers don't need complex tools, most are freely available on the Internet
- If you do get attacked by a real hacker, your ethical hacker will probably be the first to spot how it was done
- IT security has no future without ethical hackers - it would be suicidal to ignore them.
How to use an ethical hacker
- Do a risk assessment first to identify the most business-critical systems you want to protect
- Agree your plan with the ethical hacker. Agree their scope, mode of operation (at home with Internet PC; pretending to be an employee etc), whether they can go into systems they can penetrate, or should just report that they could have got in
- Get top-down buy-in from senior management so that any weaknesses exposed by the ethical hacker can be acted on fast
- Run the ethical hack out of the audit department, not the IT department
- Don't tell IT an ethical hack is about to take place
- Set up an ethical hacking programme to regularly test corporate IT security
- Ideally, use someone internally as one ethical hacker, and one from an external consultancy. That way they can complement each other, pool findings, and bring different attitudes and skill sets to bear
- Don't keep the same ethical hacker for ever. Bring in new ones without expectations or experience of your system security to test it more rigorously.