Term paper on:
The Importance of Penetration Testing &
Safeguarding IT Systems
Natalya Sholomyansky
May 2007
Abstract
Information technology now runs through every business process, from e-mail to
transaction systems to databases full of data. With crackers and rogue insiders on the
prowl, organizations need to be vigilant in protecting their systems. A security breach
harms every party involved: the organization and those who conduct business with it.
This paper begins by discussing the current security environment and its concerns. It
then elaborates on the specific issues businesses should weigh when thinking about
safeguarding their information. The TJX case is presented as an extreme example of a
breached system and its consequences. This leads into a discussion of two approaches to
safeguarding an organization against attacks, with a focus on penetration testing (also
known as ethical hacking). The bulk of the paper elaborates on the concerns and
processes of both the client and the ethical hackers from the beginning to the end of a
penetration test.
Key Words:
Security, Penetration testing, Vulnerability management.
Introduction
The world is in an information age in which data is steadily migrating to
electronic formats. Keeping information in databases and on networks is convenient and
efficient compared with endless folders full of paper. However, this modern
convenience is not all sunshine and roses; it poses dangers to businesses, clients, and
everyday users of technology. Malicious individuals want access to private information
and misuse the same technology to get it. Organizations that keep data in electronic
formats or perform any tasks electronically are at risk and need to be aware of the
business issues those individuals pose. Smaller organizations do not always perceive
themselves as at risk because they assume criminal hackers (crackers) and rogue insiders
have no interest in them. That is not true; everyone is at risk. Crackers brag about their
successful hacks and wear them like badges regardless of the scale of damage they cause.
They do not discriminate: if they can hack into a system they will, even if it belongs to a
not-for-profit organization such as UNICEF. Stephenson provides alarming statistics of
attacks:
• 75 percent of all networks are vulnerable to an external attack, 95 percent with a
secondary exploit
• More than 65 percent of all networks are vulnerable to dial-in exploits
• 100 percent of all networks are vulnerable to an internal exploit
A 2005 FBI Computer Crime Survey reported that nearly nine out of ten organizations
had experienced a computer security incident within a year, and 20% of those indicated
they had experienced twenty or more attacks (Protiviti). Given these high rates, businesses
should be concerned with the issues that would arise if they were to experience an
incident. They should take measures to safeguard their organization, clients, and partners
from the damage and threats of these intrusions. Vulnerability management / assessment
and penetration testing are the two most common methods used for security assurance
and remediation. There is a tendency in the security industry to focus on one of the two,
but it is important to use both, since they complement each other. Organizations tend to
be reluctant to employ penetration testing because of its inherent risks, but it is a vital
tool. They should keep in mind that it is more specific and tangible than a vulnerability
assessment and is the surest way to confirm that the security measures in place actually
work.
Business Issues of Concern in Security
There are three interrelated information security issues of concern to businesses:
zero tolerance, well-being, and privileged information. Zero tolerance in the protection
of data describes the high-expectation environment in which businesses are immersed. If
an intruder breaches data, the well-being of the business is at risk; to recover the
resulting losses it will need to go to court and prove that it took proper measures to
safeguard the information. In well-being situations it is the business attempting to
recover damages, whereas with privileged information it is the clients or customers who
seek financial relief from the business. The business will again need to prove that it
acted appropriately to safeguard data, or it will be liable for negligence.
The environment is zero tolerance because companies often will not work with a
business that cannot assure them its systems are safe. To establish that a company meets
the requirements of such an environment, security audits are used. They involve
"complete scans of the network, computing architecture, and application platforms"
(Volonino, p. 24). Auditors also test for viruses, Trojans, worms, and other internal and
external threats. Additionally, they evaluate the responsiveness of the company,
including its ability to identify and resist attacks. After examining the company's
systems, the auditors compose an assessment describing the problems uncovered and
recommending improvements. A third party performs these audits at the request of the
business or its clients and partners.
The goal of a security audit is to reassure clients that appropriate security
measures are in place to prevent the various problems hackers can cause that affect the
well-being or bottom line of a company. Additionally, a passed audit supports the
well-being of a company if it later seeks to recover damages in the courtroom. Courts
apply a standard of reasonableness, the "extent to which the company exercised
reasonable diligence by safeguarding its own network and information assets and treated
them as being important" (Volonino, p. 25). If the court deems that a company did not
act appropriately to protect its information, it will lose the case and not recover its
losses. Consequential court losses include litigation by employees for breach of
fiduciary responsibilities, relief for financial losses, personal injury lawsuits, and class
action lawsuits (Volonino, p. 26).
Breach of privileged information is another area of major concern that leads to
the courtroom. Privileged information is confidential or proprietary information that
usually belongs to a third party. If its exposure damages the party to which it belongs,
the organization that held it may be liable for negligence. HIPAA is an example of a law
that regulates confidential information, in particular that of healthcare consumers. Its
criminal penalties scale with the offense; for the most serious tier, wrongful disclosure
with intent to sell the information or to use it for commercial advantage, personal gain,
or malicious harm, HIPAA provides for a fine of up to $250,000 and imprisonment for up
to ten years.
Case in Point: TJ Haxx
The TJX Cos. incident, revealed this year (2007), may be the largest breach of
customer information in the United States. Below are excerpts from Jewell's article
summarizing the events that occurred.
For at least 17 months, someone had free rein inside TJX Cos.’ computers. Without anyone
noticing, one or more intruders installed code on the discount retailer’s systems to methodically
unearth, collect and transmit account data from at least 45.7 million credit and debit cards.
The 17-month duration appears to be unprecedented among recent large U.S. data thefts
involving hackers, according to an Associated Press review of a dozen of the biggest cases over
the past four years.
Some experts believe the long period of unobstructed access and the hacker’s apparent use of
electronic encryption keys to unlock some data suggest involvement inside the 125,000-employee
company.
“Whoever did this knew what to look for, knew where to look and even may have had
knowledge of how files were encrypted,” said Deepak Taneja, chief executive of Aveksa, a
security software company. “It’s hard to fathom how an outside hacker could know how the data
was encrypted.”
Even after TJX finally detected the breach, the intruders apparently had the upper hand.
The company waited nearly a month to announce the theft – a strategic feint taken on advice of the
Secret Service to prevent intruders from learning investigators were watching. But even without
such public disclosure, the theft of card numbers stopped when the access was detected.
TJX said the intruders also may have been able to tap the unencrypted flow of information to
card issuers as customers checked out with their credit cards.
The case has become a global investigation, with incidents of fraud believed tied to the TJX
breach as far away as Sweden and Hong Kong.
It is clear that TJX's security measures were severely lacking if they allowed an
operation of this scale to steal millions of card numbers and customer records and even
to install software on the company's systems. TJX's detection and response capabilities
were exceptionally poor, given that the intrusion went undiagnosed for so long. The
company appears to have had rogue insiders, possibly working alongside external
crackers, which may have contributed to how long the activity remained hidden. It is
likely that these insiders had more access than their positions required and went
unmonitored.
This incident may cost TJX tens of millions of dollars, as the Massachusetts
Bankers Association, the Connecticut Bankers Association, the Maine Association of
Banks, and individual banks filed a class-action lawsuit (Bank Group et al.). The banks
had to reissue cards to their customers at approximately $25 per card. TJX's only chance
against these banks is to prove that it provided a sufficient level of security for the
information it held. However, it is unlikely to succeed, since crackers abused the hole for
such a long period without notice. Had TJX performed penetration testing or requested a
security audit, it would likely have uncovered this hole earlier and would be in a far
stronger position to show that it had acted diligently.
Vulnerability Management vs. Penetration Testing
To prevent incidents like TJX's, companies have two main options: vulnerability
management / assessment and penetration testing. Both are equally important in
analyzing a system for weaknesses and making improvements. The former is a broad
examination of the policies and security measures in place; the latter tests whether
specific measures actually provide sufficient security. Companies tend to be squeamish
about allowing penetration testing, but, as the two charts below illustrate, it is important
to use it in addition to vulnerability assessments. The assessment is a good starting point
for identifying weaknesses and can help narrow down what needs to be tested.
The first chart highlights the differences between vulnerability management and
penetration testing. On every point except coverage, penetration testing is superior.
Upfront knowledge refers to how much the testers know about the client's system before
they begin; the benefit of starting with little knowledge is that this is exactly where a
cracker starts. Measuring the company's ability to respond to an attack is an extremely
important aspect of these tests: it reveals whether the company can recognize an attack
and react to it, and T.J. Maxx would have failed. Shock value awakens the company to
the dangers it is exposed to and the importance of dealing with them. The direct financial
benefits are that the business expends significantly fewer internal resources and pays a
lower price. The method itself is not necessarily the cause of the lower coverage of
penetration testing; rather, organizations tend to halt testing as soon as the first hole in
their system is discovered.
The next diagram, provided in McElligott's article, further elaborates on the
differences in coverage between the two types of security testing. The scope of a
vulnerability assessment is broad, whereas penetration testing focuses on specific issues.
Relevance is again more specific in penetration testing, which allows fixes to be
prioritized. Because vulnerability assessments are broad and theoretical, their reliability
is lower than that of penetration testing, which exploits specific vulnerabilities and
identifies them precisely. Penetration tests examine the relationships between networks;
vulnerability assessments do not. Remediation after a vulnerability assessment is limited
and often results in widespread patching, while penetration testing is specific enough to
call for only the necessary patches. Unlike penetration testing, a vulnerability assessment
does not simulate real-world attacks on systems. A security risk assessment only
identifies missing patches, whereas penetration testing bases its recommendations on
tangible threats.
Ethical Hacking: Know Your Enemy
The theory behind penetration testing, or ethical hacking, is simple: know your
enemy, just as in war and sports. Ethical hackers know the tricks that crackers and rogue
insiders use and exploit. Both explore the security of a system with the same knowledge
and tools in order to discover holes. This similarity between the two kinds of hackers
alarms organizations. It is important to remember that ethical hackers are not crackers
and do not usually have a history of criminal hacking.
Most security assessment companies will not hire an ex-cracker onto their team.
This is due to the lack of trust and to customers' distaste for allowing an individual with
that background to work on sensitive systems. Ethical hackers have different histories,
but all have one factor in common: trustworthiness. They must not cause damage, steal
client information, or perform any malicious act in their search for holes. All the work
they perform must remain confidential, and any problems discovered must be protected
by proper security measures to prevent leakage. In addition to being trustworthy, ethical
hackers must possess technical knowledge of systems and of crackers' tricks. They tend
to have strengths in programming and networking, as well as familiarity with popular
operating systems such as Windows NT. It is common for them to have previously
worked in related fields or to have taken up hacking after having been victims of attacks.
Risks
However innocent the intentions of an ethical hacker are, the client should be
aware of the risks that come with an evaluation. "These risks include alarmed staff and
unintentional system crashes, degraded network or system performance, denial of
service, and log-file size explosions" (Palmer). To mitigate risk, some clients request that
the hackers stop immediately upon discovering a problem, rather than continuing to
investigate the issue. However, discontinuing the hack poses two dilemmas. First, it
prevents the uncovering of everything a cracker might find. Second, it misleads the client
into believing that once the one hole is remedied, the system is safe.
A second major concern is the possibility of a cracker monitoring the system while
it is under test. The implication is that if an ethical hacker discovers a weakness in the
system, the cracker may see it too and exploit it. There are a couple of solutions to this
and ways of minimizing the risk. "The best approach to this dilemma is to maintain
several addresses around the Internet from which the ethical hacker's transmissions will
emanate, and to switch origin addresses often" (Palmer). If there is suspicious activity, a
cross-check against the log that the hackers keep for the final report should clarify
whether the hackers or someone else was the source. Placing intrusion-monitoring
software on the client's system is another option. It has two drawbacks, though: exposure
of the ethical hacker to employees, and the possible need for cooperation from the
client's Internet service provider.
Get out of Jail Free Card
The key questions organizations need to ask themselves when opting to work with
ethical hackers are:
1. What are you trying to protect?
2. What are you trying to protect against?
3. How much time, effort, and money are you willing to expend to obtain adequate
protection?
(Palmer)
The first question refers to the critical assets whose loss could cause damage to an
organization or its clients. It includes information such as employee names and
addresses, computer network information, and the identities of other organizations with
which the organization collaborates, as well as its image and reputation. The second
question involves the ways in which the items in question one could be lost, the resulting
adverse effects, and issues of system availability. The third question has three different
costs to consider: monetary, usability, and computer / network performance. The more
secure a system is, the harder it can be to make it easy to use. Performance refers to the
processing time that security controls consume, which leaves less capacity for the
system's actual work.
After careful consideration of these questions comes the creation of a contractual
agreement, often referred to as the "get out of jail free card". The client and the ethical
hackers usually write this contract jointly. It contains a security evaluation plan that
identifies the precise systems to be tested, how to test them, and any limitations on that
testing. Additionally, it protects the hackers against prosecution, since the tasks they
perform would otherwise be illegal in most jurisdictions. The "no-holds-barred"
approach provides the best evaluation: ethical hackers may attempt anything they wish
in order to gain access to or disrupt the system. The benefit of this approach is realism,
but many companies are not comfortable with the idea. The most common argument
against it is that "the target systems are 'in production' and interference with their
operation could be damaging to the organization's interests" (Palmer). This argument is
self-defeating; crackers are out to do exactly that and do not follow a client's rules. If
the business is concerned about the damage downtime would cause, it should test for it
before a cracker finds the hole and causes far more damage than the ethical hacker would.
Another important element of the evaluation plan is timing. As with the
"no-holds-barred" approach, it is most realistic to allow the hackers to test at any time.
However, clients tend to prefer testing outside normal working hours to avoid serious
downtime or other problems. This restriction does not negate the test, but it does reduce
its accuracy. Even though most intruders do their work outside working hours, daytime
attacks can be more easily masked by normal activity than attacks at night. "Alerts from
intrusion detection systems may even be disabled or less carefully monitored during the
day" (Palmer).
At any time of day there is a risk of adverse effects on the business's systems.
With that in mind, ethical hackers need access to a contact network for when they
discover a problem that needs immediate correction. Still, the business should keep the
number of contacts, and employees' awareness of the ethical hackers' activities, to a
minimum. This ensures that the evaluation is accurate and reflects actual response time,
without giving employees a chance to stay one step ahead of the hackers. Because testing
of the company's systems is secretive, employees who stumble upon the hackers may feel
threatened. The management team should reassure employees that they themselves are
not being evaluated.
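The scope, timing and attribution concerns of the last two sections can be made mechanical. Below is an added example, not from the original paper or any of its sources: a Python script that encodes a hypothetical evaluation plan (agreed address ranges, excluded hosts, a nightly testing window) together with the testers' declared origin addresses, refuses probes that fall outside the plan, and sorts constructed firewall-log lines into tester activity and events that still need investigating, which is the cross-check against the testers' own log described in the Risks section. Every address, time and log line is made up for illustration.

```python
"""Scope, timing and attribution checks for a penetration-test engagement.

Added example; not from the original paper or its sources. The address
ranges, the testing window, the testers' origin addresses and the log
lines below are all constructed for illustration.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re

# The evaluation plan as the contract would state it (constructed values).
PLAN = {
    "in_scope": [ip_network("203.0.113.0/24"), ip_network("198.51.100.8/29")],
    "excluded": [ip_address("203.0.113.10")],   # production database, off limits
    "window": (time(22, 0), time(6, 0)),         # 22:00 to 06:00, wraps midnight
}

# Origin addresses the ethical hackers agreed to launch from (constructed).
TESTER_SOURCES = {ip_address("192.0.2.20"), ip_address("192.0.2.21")}


def in_window(when: datetime, window) -> bool:
    """True if the clock time of `when` falls in a window that may wrap midnight."""
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def may_test(target: str, when: datetime, plan=PLAN):
    """Decide whether one probe against `target` at `when` is authorised by the plan."""
    addr = ip_address(target)
    if addr in plan["excluded"]:
        return False, f"{target} is explicitly excluded"
    if not any(addr in net for net in plan["in_scope"]):
        return False, f"{target} is outside the agreed ranges"
    if not in_window(when, plan["window"]):
        return False, f"{when:%H:%M} is outside the testing window"
    return True, "authorised"


# Minimal firewall-log line format (constructed): ISO time, action, src, dst.
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+)")


def attribute_events(log_lines, tester_sources=TESTER_SOURCES, plan=PLAN):
    """Split log events into tester activity and events an analyst must still investigate.

    Only traffic from a declared tester address *and* inside the agreed window is
    written off as the test; a tester address seen at the wrong time is treated as
    unknown, since it may be spoofed or off-plan.
    """
    ours, unknown = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        ts = datetime.fromisoformat(m.group(1))
        src = ip_address(m.group(3))
        if src in tester_sources and in_window(ts, plan["window"]):
            ours.append(line)
        else:
            unknown.append(line)
    return ours, unknown


# Constructed firewall log for the demonstration.
SAMPLE_LOG = [
    "2007-05-01T23:14:02 DENY src=192.0.2.20 dst=203.0.113.25",   # tester, in window
    "2007-05-01T23:14:03 ALLOW src=192.0.2.21 dst=203.0.113.30",  # tester, in window
    "2007-05-02T03:40:11 DENY src=198.18.0.7 dst=203.0.113.25",   # undeclared source
    "2007-05-02T14:02:55 DENY src=192.0.2.20 dst=203.0.113.25",   # tester address, outside window
]

if __name__ == "__main__":
    for target, when in [("203.0.113.25", datetime(2007, 5, 1, 23, 0)),
                         ("203.0.113.10", datetime(2007, 5, 1, 23, 0)),
                         ("203.0.113.25", datetime(2007, 5, 1, 14, 0)),
                         ("192.168.1.1", datetime(2007, 5, 1, 23, 0))]:
        print(target, when.strftime("%H:%M"), "->", may_test(target, when)[1])
    ours, unknown = attribute_events(SAMPLE_LOG)
    print(f"{len(ours)} events attributed to the test, {len(unknown)} still to investigate")
    for line in unknown:
        print("  investigate:", line)
```

The fourth log line is the point of the exercise: an address the testers declared, seen outside the agreed window, is not written off as the test. Either the testers went off-plan or someone is borrowing their address, and both cases deserve a call to the contact network rather than a shrug.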
The Ethical Hack
The next step in the process, after the contract is established, is the testing itself.
Ethical hackers attempt to answer three questions about a system's security during the
process: "What can an intruder see on the target systems? What can an intruder do with
that information? Does anyone at the target notice the intruder's attempts or successes?"
(Palmer). The act of hacking into the system answers the first question. The second
concerns the damage a breach could inflict and how serious it would be. The last assesses
the diligence of the company in noticing and resolving issues, which is a major benefit of
penetration testing.
There are several types of tests hackers are able to perform alone or in
combination: remote network, remote dial-up network, local network, stolen laptop
computer, social engineering, and physical entry. Additionally, because the line between
hacking and viruses has blurred, hackers will test a system's vulnerability to viruses at the
client's request, although it is preferable for the client to keep anti-virus software up to
date and have a policy for dealing with virus issues. Each of these tests can be performed
from one of three perspectives: a complete outsider, a semi-outsider, and an insider /
valid user. A complete outsider, the most commonly perceived threat, is someone with
only public access via the Internet; he should not be able to penetrate anything. A
semi-outsider is a user who has remote access to only specific parts of a network, for
example his personal account information. Lastly, an insider or valid user should have
access only to those parts of the network he was granted. Testing explores these
boundaries and whether each type of user can do more than his limitations define. Below
is a description of each of the standard types of testing.
I Remote network
The objective is to measure the exposure of the network resources and online
services to attacks from the Internet. The hacking team evaluates the effectiveness of
network controls such as firewalls.
II Remote dial-up network
This test, often referred to as war dialing, is "the act of using a computer to scan
other computers automatically for accessible modems" (Beaver, p. 115). The hackers
literally dial phone numbers using special tools. Modems are usually used for outbound
access, but there is a chance that a hacker can obtain inbound access to a computer,
putting the entire network at risk.
III Local network
During this test, the hacker acts as an authorized person with access to the
company's connection. The team tests the boundaries of the internal network, including
firewalls, web servers, and e-mail.
IV Stolen laptop computer
As the title suggests, a laptop is 'stolen' from an employee without warning. The
ethical hacker then searches it for anything that gives access to the company's network.
This is often a problem because individuals tend to store passwords and other
information on their computers so that they do not have to retype them every time they
log in.
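As an added example, not part of the original paper or its sources, the following Python script automates the first thing a tester does with a 'stolen' laptop: sweep the file system for stored credentials. The directory tree, its file contents and the search patterns are constructed here so that the script runs offline; on a real engagement, `hunt()` would be pointed at the mounted disk image. Matches are redacted before they are recorded so that the resulting report does not itself become a credential store.

```python
"""Credential hunt over the files of a 'stolen' laptop.

Added example; not from the original paper or its sources. The directory
tree, its contents and the search patterns are constructed so the script
runs offline. On a real engagement, point `hunt()` at the mounted disk image.
"""
import re
import shutil
import tempfile
from pathlib import Path

# What a tester looks for once the disk is in hand (constructed list; the
# `-p<value>` rule is deliberately loose and will produce some noise).
PATTERNS = {
    "password assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "private key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "basic auth in URL": re.compile(r"[a-z]+://[^/\s:@]+:[^@\s]+@"),
    "cli password flag": re.compile(r"(?:^|\s)(?:-p\S+|--password[= ]\S+)"),
}
SKIP_SUFFIXES = {".exe", ".dll", ".png", ".jpg", ".zip", ".iso"}
MAX_BYTES = 5 * 1024 * 1024  # skip anything larger; binaries are rarely worth grepping


def redact(secret: str) -> str:
    """Keep two characters at each end so the report proves the find without repeating it."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def hunt(root: str) -> list:
    """Walk `root` and return one record per matching line, sorted by path and line."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() in SKIP_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable (permissions, device file); move on
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line)
                if m:
                    findings.append({
                        "file": path.relative_to(root).as_posix(),
                        "line": lineno,
                        "type": kind,
                        "evidence": redact(m.group(0).strip()),
                    })
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


def build_sample_laptop() -> str:
    """Create a throwaway directory imitating a careless user's home folder (constructed)."""
    root = tempfile.mkdtemp(prefix="laptop_")
    files = {
        "app/config.ini": "[db]\nhost=db.internal\nuser=app\npassword=Sup3rS3cret!\n",
        ".bash_history": "ls\nmysql -u root -pToor123 inventory\nexit\n",
        ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedkeybody\n-----END RSA PRIVATE KEY-----\n",
        "notes.txt": "Call vendor Tuesday. Portal: https://alice:Winter07@portal.example.com/\n",
        "README.md": "Nothing sensitive here.\n",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    laptop = build_sample_laptop()
    try:
        for f in hunt(laptop):
            print(f"{f['file']}:{f['line']}  {f['type']:<20} {f['evidence']}")
    finally:
        shutil.rmtree(laptop)
```

On the constructed tree the sweep turns up four items: a database password in a config file, a MySQL password passed on the command line and preserved in shell history, an unprotected SSH private key, and a set of portal credentials embedded in a URL in a notes file. Each of these is exactly the kind of stored secret that turns a lost laptop into network access.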
V Social engineering
Social engineering is all about prying information directly from employees within
the organization. This is the hardest security problem for an organization to eliminate
because people and their personalities are involved. Just as a person is likely to assist
someone who appears lost, he is likely to answer innocently asked questions or let
someone without a badge into a building. The only way a company can fight such
breaches is by raising risk awareness.
VI Physical entry
This test entails physically intruding on a business's property by getting around
security and avoiding detection once inside. One tactic for successful penetration is
carrying items that bear the business's logo. Special arrangements with security guards
and police may be required because of the nature of this test. The main defenses a
business has against this kind of penetration are security guards, awareness, and access
controls.
Results
Once testing is complete, the findings must be analyzed and documented. The
hacker must separate the important vulnerabilities from the negligible ones. There are
tools that help assign a ranking based on overall risk, explain the vulnerability, and
provide recommendations and vendors. The typical ranking system is high, medium, or
low. The recommendations are the most important aspect of the final report, as the
purpose of testing is to eliminate any holes in the system. Recommendations rest on the
hacker's knowledge as a security professional, the tools previously mentioned, and the
context of the vulnerabilities.
The reports produced need to be kept confidential and provided only on a
need-to-know basis. If a report leaks, there is a risk that competitors, crackers, or insiders
(intentionally or unintentionally) will repeat the hackers' actions and cause damage. A
few tactics are available to prevent use of the report against the client. The first is
ensuring that the report is delivered directly, and only, to those who need to see it.
Further, the data can be encrypted and password protected, with the encryption keys and
passwords provided on a need-to-know basis. A second major safeguard is removing
program and data information, such as tools used, log files, and test data. This prevents
crackers or insiders from retracing the hackers' steps. There is also the option of leaving
out the testing steps that leave room for abuse and answering questions on those topics
only as needed.
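The ranking and the need-to-know handling described above can be illustrated in code. The following Python is an added example, not from the paper or its sources: a three-by-three likelihood-by-impact matrix rates each finding high, medium or low; findings are ordered by rating; and a second rendering of the report strips the detail lines that record tools, commands, payloads, credentials and log excerpts, so that the wider-distribution copy cannot serve as a walkthrough for whoever gets hold of it. The findings, the scale and the redaction rule are all constructed.

```python
"""Rank findings and produce a need-to-know copy of the final report.

Added example; not from the original paper or its sources. The findings,
the likelihood/impact scale and the redaction rules are constructed.
"""
from dataclasses import dataclass, field
import re


def rate(likelihood: int, impact: int) -> str:
    """3x3 matrix: both scores on a 1..3 scale; the product decides the rating."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must each be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:   # 6 or 9
        return "high"
    if score >= 3:   # 3 or 4
        return "medium"
    return "low"     # 1 or 2


@dataclass
class Finding:
    title: str
    likelihood: int
    impact: int
    recommendation: str
    detail: str                      # hosts, tool output, steps: security team only
    rating: str = field(init=False)

    def __post_init__(self):
        self.rating = rate(self.likelihood, self.impact)


ORDER = {"high": 0, "medium": 1, "low": 2}


def prioritise(findings):
    """Highest rating first; within a rating, the larger risk product first."""
    return sorted(findings,
                  key=lambda f: (ORDER[f.rating], -f.likelihood * f.impact, f.title))


# Detail lines that would let a reader replay the test: tool names, exact
# commands, payloads, recovered credentials, log excerpts (constructed rule).
SENSITIVE = re.compile(r"(?i)^(?:tool|command|payload|credential|log)\b|^\$ ")


def sanitise(detail: str) -> str:
    """Drop the replayable lines from a finding's detail block."""
    return "\n".join(ln for ln in detail.splitlines() if not SENSITIVE.search(ln.strip()))


def render(findings, audience: str) -> str:
    """Render the report; "full" is for the security team, any other audience gets the trimmed copy."""
    out = [f"Findings ({audience} copy)"]
    for n, f in enumerate(prioritise(findings), 1):
        out.append(f"{n}. [{f.rating.upper()}] {f.title}")
        out.append(f"   Recommendation: {f.recommendation}")
        detail = f.detail if audience == "full" else sanitise(f.detail)
        out.extend("   " + ln for ln in detail.splitlines())
    return "\n".join(out)


# Constructed findings for the demonstration.
SAMPLE = [
    Finding("Default credentials on management interface", 3, 3,
            "Remove default accounts and enforce unique, strong passwords.",
            "Host: 203.0.113.10\nCredential: admin/admin accepted\n"
            "Tool: hydra\n$ hydra -l admin -P small.txt 203.0.113.10 http-get /admin"),
    Finding("Verbose server banner", 2, 1,
            "Suppress version strings in server responses.",
            "Host: 203.0.113.25\nBanner discloses exact product version"),
    Finding("Card data unencrypted between checkout and issuer link", 2, 3,
            "Encrypt the issuer link and retire the legacy protocol.",
            "Observed clear-text track data on the POS segment\n"
            "Payload: sample capture held in the evidence store only"),
]

if __name__ == "__main__":
    print(render(SAMPLE, "full"))
    print()
    print(render(SAMPLE, "need-to-know"))
```

The trimmed copy keeps the affected host and the recommendation, which is what a manager needs to approve and track a fix, while the command that recovered the default credentials and the captured payload exist only in the full copy handed to the security team.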
Conclusion
With crackers, insiders, and the numerous tools available to them, it is important
for an organization to make sure its systems are secure. If penetrated, at a minimum there
is a temporary disruption of business processes. At the extreme, an organization may find
itself in a situation like TJX's, where millions upon millions of private data records
leaked. This kind of information loss does not come cheap; as it appears, it will cost TJX
tens of millions of dollars. Breached organizations end up in court fighting suits brought
by customers, partners, and other affected third parties. They may also lose their own
proprietary information and suffer reputational damage. The only way to recover from
and prevent such losses is to take appropriate security measures. A vulnerability
assessment provides a broad overview of a system's security. Penetration testing goes
further by actually exploiting the system to confirm that there are no holes or, where it
finds them, to recommend how to fix them. Penetration testing is the most in-depth and
realistic approach to safeguarding data. Organizations that are hesitant to employ it
should consider why they are nervous. If it is because they do not wish to risk downtime
or damage to their systems, they should realize that a cracker can do exactly the same
thing, with malicious intent. It is more painful and expensive to deal with a breach after a
cracker has penetrated the system than to take the proactive approach of finding the hole
and keeping it from being exploited. As the world converts information to electronic
data, penetration testing becomes ever more important in an environment that does not
tolerate security breaches well.
Works Cited
"Bank Group Sues TJX over Data Breach (Massachusetts Bankers Association, TJX Companies
Inc.)." eWeek (April 25, 2007): NA. Expanded Academic ASAP. Thomson Gale. CIC University of
Illinois Urbana Champ. 3 May 2007
<http://find.galegroup.com.proxy2.library.uiuc.edu/ips/infomark.do?&contentSet=IAC-Documents&type=retrieve&tabID=T003&prodId=IPS&docId=A162617285&source=gale&srcprod=EAIM&userGroupName=uiuc&version=1.0>
Beaver, Kevin. Hacking for Dummies. 2nd ed. Hoboken: Wiley, Inc., 2007.
Jewell, Mark. "Slipup More Likely in Long Hack, Experts Say." Journal Gazette 18 Apr. 2007. 20 Apr.
2007 <http://www.fortwayne.com/mld/journalgazette/business/17095858.htm>.
McElligott, Tim. "Penetration Testing Digs Deeper." Telephony (2006): 40-43.
Palmer, C C. "Ethical Hacking." IBM Systems Journal 40.3 (2001): 769-780.
Schutzmann, Mark. "Vulnerability Management." Protiviti. Seminar in Business Administration 490.
University of Illinois, Urbana Champaign. 8 Feb. 2007.
Volonino, Linda, and Stephen R. Robinson. Principles and Practice of Information Security. Upper Saddle
River: Pearson Education, Inc., 2004. 24-27.