
Term paper on:

The Importance of Penetration Testing & Safeguarding IT Systems

Natalya Sholomyansky

May 2007

Abstract

Information technology is expanding throughout all processes, from e-mail to transaction systems to databases full of data. With crackers and rogue insiders on the prowl, organizations need to be vigilant in the protection of their systems. A breach of security is harmful for all parties involved – the organization and those who conduct business with it. This paper begins by discussing the current security environment and concerns. Then it elaborates on the specific issues businesses should be concerned with when thinking about safeguarding their information. An extreme example of a breached system and the resulting consequences is the provided case of TJX. This leads into the discussion of two approaches to safeguarding an organization against attacks, in particular penetration testing (also known as ethical hacking). An elaboration of the concerns and processes on both the client's and the hackers' ends, from beginning to end of a penetration test, is the bulk of the paper.

Key Words: Security, Penetration testing, Vulnerability management.

Introduction

The world is in an information age where all data is steadily migrated to electronic formats. Keeping information on databases and networks is convenient and efficient in comparison to endless folders filled with papers. However, this modern convenience is not all sunshine and roses; it poses dangers to businesses, clients, and everyday users of technology. There are malicious individuals who desire to gain access to private information through perverted use of the same technology. Organizations that keep data in electronic formats or perform any tasks electronically are at risk and need to be aware of the business issues posed by those individuals. Smaller organizations do not always perceive themselves at risk because they think that criminal hackers (crackers) and rogue insiders have no interest in them. That is not true; everyone is at risk. Crackers brag and wear their successful hacks like badges no matter the scale of damage they cause. They do not discriminate: if they can hack into a system they will, even if it is a not-for-profit organization such as Unicef. Stephenson provides alarming statistics of attacks:

• 75 percent of all networks are vulnerable to an external attack, 95 percent with a secondary exploit

• More than 65 percent of all networks are vulnerable to dial-in exploits

• 100 percent of all networks are vulnerable to an internal exploit

A 2005 FBI Computer Crime Survey announced that nearly nine out of ten organizations experienced a computer security incident within a year, and 20% of those indicated they had experienced twenty or more attacks (Protiviti). Given these high rates of security breaches, businesses should be concerned with the issues that may arise if they were to experience an incident. They should take measures to safeguard their organization, clients, and partners from the damages and threats of these intrusions. Vulnerability management / assessment and penetration testing are the two most common methods used for the purpose of security assurance and fixes. There is a tendency in the security industry to focus on one of the two methods, but it is important to use both since they complement each other. Organizations tend to be reluctant to employ penetration testing because of the risks that are inherent in it, but it is a vital tool. They should keep in mind that it is more specific and tangible than vulnerability assessments and is the only sure way to know that the security measures in place are functional.

Business Issues of Concern in Security

There are three interrelated information security issues of concern to businesses: zero-tolerance, well-being, and privileged information. Zero-tolerance in the protection of data is the high-expectation environment in which businesses are immersed. If an intruder breaches data, the well-being of a business is at risk. To recover from losses suffered as a result, it will need to go to court and prove that it took the proper measures to safeguard information. In well-being situations, it is the business attempting to recover from damages, but with privileged information the clients / customers seek to gain financial relief from the business. The business will again need to prove that it acted appropriately to safeguard data or it will be liable for negligence.

The environment is zero-tolerance because companies often will not work with a business that cannot assure them its system is safe. To ensure a company meets the requirements of a zero-tolerance environment, security audits are used. They involve “Complete scans of the network, computing architecture, and application platforms (Volonino, p24)”. Auditors also perform tests against viruses, Trojans, worms, and other internal and external threats. Additionally, there is an evaluation of the responsiveness of the company, including its ability to identify and resist attacks. After examination of the company's system, an assessment is composed describing the problems uncovered and recommendations for improvements. A third party, at the request of the business or its clients / partners, performs these audits.

The goal of a security audit is to reassure clients that appropriate security measures are in place to prevent the various problems that hackers can cause that affect the well-being or bottom line of a company. Additionally, audits work to uphold the well-being of a company, assuming that it passes the audit, if it seeks to recover damages in the courtroom. Courts look at the standard of reasonableness, the “extent to which the company exercised reasonable diligence by safeguarding its own network and information assets and treated them as being important (Volonino, p25)”. If the court deems that a company did not act appropriately to protect its information, it will lose the case and not recover losses. Examples of consequential court losses include litigation by employees for breach of fiduciary responsibilities, relief for financial losses, personal injury lawsuits, and class action lawsuits (Volonino, p26).

Breach of privileged information is another area of major concern that involves the courtroom. Privileged information is confidential or proprietary information that usually belongs to a third party. If damages occur that adversely affect the business to which it belongs, the organization may be liable for negligence. HIPAA is an example of an act that regulates confidential information, in particular that of healthcare consumers. If a business or person releases any information on a client, HIPAA calls for a fine of up to $250,000 or a jail sentence of up to ten years.

Case in Point: TJ Haxx

The TJX Cos. breach, revealed this year, 2007, may be the largest breach of customer information in the United States. Below are excerpts from Jewell’s article, summarizing the events that occurred.

For at least 17 months, someone had free rein inside TJX Cos.’ computers. Without anyone noticing, one or more intruders installed code on the discount retailer’s systems to methodically unearth, collect and transmit account data from at least 45.7 million credit and debit cards.

The 17-month duration appears to be unprecedented among recent large U.S. data thefts involving hackers, according to an Associated Press review of a dozen of the biggest cases over the past four years.

Some experts believe the long period of unobstructed access and the hacker’s apparent use of electronic encryption keys to unlock some data suggest involvement inside the 125,000-employee company.

“Whoever did this knew what to look for, knew where to look and even may have had knowledge of how files were encrypted,” said Deepak Taneja, chief executive of Aveksa, a security software company. “It’s hard to fathom how an outside hacker could know how the data was encrypted.”

Even after TJX finally detected the breach, the intruders apparently had the upper hand. The company waited nearly a month to announce the theft – a strategic feint taken on advice of the Secret Service to prevent intruders from learning investigators were watching. But even without such public disclosure, the theft of card numbers stopped when the access was detected.

TJX said the intruders also may have been able to tap the unencrypted flow of information to card issuers as customers checked out with their credit cards.

The case has become a global investigation, with incidents of fraud believed tied to the TJX breach as far away as Sweden and Hong Kong.

It is clear that TJX severely lacked appropriate security measures if it could allow such a large-scale operation to occur that stole millions of credit card numbers and customer information and even installed software on its systems. TJX’s response and detection capabilities were exceptionally poor for not diagnosing this issue earlier. They appear to have had rogue insiders, possibly working alongside external crackers, which may have contributed to the duration their work remained hidden. It is likely that these insiders had more access than necessary for their position and went unmonitored.

This incident may cost TJX tens of millions of dollars as the Massachusetts Bankers Association, Connecticut Bankers Association, the Maine Association of Banks, and individual banks filed a class-action lawsuit (Bank Group et al). The banks had to re-issue new credit cards to their customers at approximately $25 per credit card! The only chance that TJX stands against these banks is if it can prove that it provided a sufficient level of security for the information it held. However, it is unlikely that they will be able to prove that, as crackers abused this hole for such a long period without notice. If TJX had performed penetration testing or requested a security audit, they would likely have uncovered this hole and not be held liable.

Vulnerability Management vs. Penetration Testing

To prevent incidents like TJX, companies have a couple of options available: vulnerability management / assessment and penetration testing. Both are equally important in analyzing a system for weaknesses and making improvements. The former is a broad examination of the policies and security measures in place, and the latter tests that specific measures are indeed providing sufficient security. Companies tend to be squeamish about allowing penetration testing, but as the two charts below illustrate, it is important to use penetration testing in addition to vulnerability assessments. The assessment is a good starting point in identifying weaknesses and can help to narrow down what needs to be tested.

The chart below highlights the differences between vulnerability management and penetration testing. At all points, with the exception of coverage, penetration testing is superior to vulnerability management. The level of upfront knowledge refers to that of those providing the service about their client's system. The benefit of low knowledge is that a cracker starts from this point. Measuring the response capability of the company to an attack is an extremely important aspect of these tests. It reveals the ability of the company to recognize an attack and respond to it – T.J. Maxx would have failed. Shock value awakens the company to the dangers it is vulnerable to and the importance of dealing with them. The direct financial benefits a business may see are that it expends a significantly smaller amount of internal resources and pays a lower price. The method is not necessarily the cause of the low coverage in penetration testing, but rather organizations halting testing upon discovering a hole in their system.

The next diagram, provided in McElligott’s article, further elaborates on the differences in the coverage of the two types of security testing. Testing scope is broad in vulnerability assessment as opposed to penetration testing, which focuses on specific issues. Relevance is again more specific in penetration testing, allowing prioritizing of fixes. Since vulnerability assessments are broad and theoretical, their reliability is not as great as that of penetration testing, which exploits specific vulnerabilities and precisely identifies them. Penetration tests examine relationships between networks, but vulnerability assessment does not. Remediation is limited in vulnerability assessment and often results in widespread patches. Penetration testing is specific enough to allow only the necessary patches. Vulnerability assessment, unlike penetration testing, does not simulate real world attacks on systems. Security risk assessment only identifies missing patches, whereas penetration testing bases its recommendations on tangible threats.

[The two comparison charts (pages 11 and 12 of the paper) are not reproduced in this transcript.]

Ethical Hacking: Know Your Enemy

The theory behind penetration testing or ethical hacking is simple: know your enemy – just like in war and sports. Ethical hackers know the tricks that crackers and rogue insiders use and exploit. Both explore the security of a system based on their knowledge and use of tools to discover holes. This similar nature of the two kinds of hackers alarms organizations. It is important to remember that ethical hackers are not crackers and do not usually have a past of criminal hacking.

Most security assessing companies will not hire an ex-cracker onto their team. This is due to the lack of trust and customer distaste for allowing an individual with that background to work on sensitive systems. Ethical hackers have different histories, but all have one factor in common: being trustworthy. They cannot maliciously cause any damage, steal client information, or perform any malicious acts in their search for holes. All the work they perform must remain confidential, and any problems discovered must have proper security measures in place to prevent leakage. In addition to being trustworthy, hackers must possess technical knowledge of systems and crackers' tricks. They tend to have strengths in programming and networking, as well as familiarity with popular operating systems such as Windows NT. It is common for them to have previously worked in related fields or to have picked up hacking after having been victims of attacks.

Risks

However innocent the intentions of an ethical hacker are, the client should be aware of the risks that come along with evaluations. “These risks include alarmed staff and unintentional system crashes, degraded network or system performance, denial of service, and log-file size explosions (Palmer).” To mitigate risks, some clients request that upon discovering a problem hackers stop immediately – as opposed to permitting them to continue investigating the issue they discovered. However, discontinuing the hack poses two dilemmas. First, it prevents the uncovering of everything a cracker might find. Secondly, it disillusions the client by allowing him to believe that once there is a remedy for the hole, the system is safe.

A second major concern is the possibility of a cracker monitoring the system undergoing testing. The implication is that if an ethical hacker discovers a weakness in the system, the cracker may see it as well and exploit it. There are a couple of solutions to this and ways of minimizing the potential risk. “The best approach to this dilemma is to maintain several addresses around the Internet from which the ethical hacker’s transmissions will emanate, and to switch origin addresses often (Palmer).” If there is suspicious activity, a crosscheck with the log that the hackers keep for the final report should clarify the source. Placing intrusion-monitoring software on the client's system is another option. There are two problems with it, though: exposure of the ethical hacker to employees and the possible need for cooperation with the client's internet service provider.
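The crosscheck described above can be automated on the client's side. The following is an added example, not part of the paper: the ethical hacker's activity log, listing each declared origin address with the time window it was in use, is matched against alerts from the client's intrusion monitoring, and an alert counts as authorized test traffic only when both its source address and its time fall inside a declared window. The log and alert line formats, the field names, and the sample records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TestWindow:
    """One entry from the ethical hacker's activity log (format assumed)."""
    source_ip: str
    start: datetime
    end: datetime
    target: str


@dataclass(frozen=True)
class Alert:
    """One alert from the client's intrusion monitoring (format assumed)."""
    when: datetime
    source_ip: str
    target: str
    signature: str


def parse_window(line: str) -> TestWindow:
    # Assumed log line format: "<source_ip> <start ISO time> <end ISO time> <target>"
    src, start, end, target = line.split()
    return TestWindow(src, datetime.fromisoformat(start), datetime.fromisoformat(end), target)


def parse_alert(line: str) -> Alert:
    # Assumed alert line format: "<ISO time> <source_ip> <target> <signature text>"
    when, src, target, sig = line.split(maxsplit=3)
    return Alert(datetime.fromisoformat(when), src, target, sig)


def classify(alert: Alert, windows: list[TestWindow],
             slack: timedelta = timedelta(minutes=5)) -> str:
    """
    Attribute an alert to the authorized test or flag it for investigation.

      "authorized-test":         source address and time both fall inside a declared
                                 window (a small slack tolerates clock drift)
      "tester-ip-out-of-window": a declared tester address, but outside every window
                                 it was declared for; confirm with the testers before
                                 dismissing it, since a cracker may reuse that address
      "unattributed":            not a tester address at all; treat as a possible
                                 real intruder shadowing the test
    """
    tester_ips = {w.source_ip for w in windows}
    for w in windows:
        if alert.source_ip == w.source_ip and w.start - slack <= alert.when <= w.end + slack:
            return "authorized-test"
    if alert.source_ip in tester_ips:
        return "tester-ip-out-of-window"
    return "unattributed"


def triage(alert_lines: list[str], log_lines: list[str]) -> dict[str, list[str]]:
    """Group raw alert lines by classification so the unattributed ones stand out."""
    windows = [parse_window(line) for line in log_lines]
    groups: dict[str, list[str]] = {
        "authorized-test": [], "tester-ip-out-of-window": [], "unattributed": []}
    for line in alert_lines:
        groups[classify(parse_alert(line), windows)].append(line)
    return groups


# Constructed sample data: the testers declared two origin addresses and switched
# between them part-way through the evening, as Palmer's advice suggests.
TESTER_LOG = [
    "203.0.113.10 2007-04-02T22:00:00 2007-04-02T23:30:00 www.example.com",
    "198.51.100.7 2007-04-02T23:30:00 2007-04-03T01:00:00 www.example.com",
]

# Constructed IDS alerts: two from the test, one from a tester address hours after
# its window closed, and one from an address the testers never declared.
IDS_ALERTS = [
    "2007-04-02T22:15:00 203.0.113.10 www.example.com port scan",
    "2007-04-03T00:10:00 198.51.100.7 www.example.com web server probe",
    "2007-04-03T03:40:00 203.0.113.10 www.example.com port scan",
    "2007-04-02T22:20:00 192.0.2.55 www.example.com port scan",
]

if __name__ == "__main__":
    for label, lines in triage(IDS_ALERTS, TESTER_LOG).items():
        print(f"{label}: {len(lines)}")
        for line in lines:
            print("   ", line)
```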

Get out of Jail Free Card

The key questions organizations need to ask themselves when opting to work with ethical hackers are:

1. What are you trying to protect?

2. What are you trying to protect against?

3. How much time, effort, and money are you willing to expend to obtain adequate protection?

(Palmer)

The first question refers to critical assets whose loss could cause damage for an organization or its clients. It includes information such as employee names and addresses, computer network information, and other organizations with which the organization collaborates, as well as its image and reputation. The second involves the possibilities of losing the items in question one, the resulting adverse effects, and issues of system availability. The third question has three different costs to consider: monetary, usability, and computer / network performance. The more secure a system is, the more difficult it can be to make it easy to use. Performance refers to the time a system spends on security, resulting in less time spent on user problems.

After careful consideration of these questions follows the creation of a contractual agreement, often referred to as the “get out of jail free card”. The client and ethical hacker usually jointly write this contract. It contains a security evaluation plan that identifies the precise systems to be tested, how to test, and any limitations on that testing. Additionally, it protects the hacker against prosecution, since the tasks they perform are illegal in most locations. The “no-holds-barred” approach is the best evaluation, where ethical hackers can attempt anything they wish to attain access to or disrupt the system. The benefit of this approach is that it is realistic, but many companies are not comfortable with the idea. The most common reason against this approach is “the target systems are “in production” and interference with their operation could be damaging to the organization’s interests (Palmer)”. This argument is self-defeating – crackers are out to do just that and do not follow a client's rules. If the business is concerned about the damages of downtime, it should test it before a cracker finds a hole and causes far more damage than the ethical hacker would.

Another important element of the evaluation plan is the timing. Similar to the “no-holds-barred” approach, it is most realistic to allow the hacker to test at any time. However, clients tend to prefer testing outside of normal working hours to avoid serious downtime or other problems. This restriction does not necessarily negate but does reduce accuracy, as most intruders do their work outside of working hours. Despite the visible prevalence outside normal hours, daytime attacks can be more easily masked than later in the day. “Alerts from intrusion detection systems may even be disabled or less carefully monitored during the day (Palmer)”.

At any time of day, there is a risk of adverse effects on a business's system. With that in mind, ethical hackers need access to a contact network when they discover a problem that needs immediate correction. Still, the business should minimize the number of contacts necessary and the awareness of employees of the ethical hacker’s activities. This is to ensure that the evaluation is accurate and reflects actual response time, without giving employees a chance to stay on top of the hacker. Due to the secretive nature of testing the company's system, if employees stumble upon the hacker they may feel threatened. The management team should reassure their employees that there is no evaluation of them taking place.

The Ethical Hack

The next step in the process after establishment of a contract is the testing. Ethical hackers attempt to answer three questions about a system's security during the process. “What can an intruder see on the target systems? What can an intruder do with that information? Does anyone at the target notice the intruder’s attempts or successes (Palmer)?” The act of hacking into the system reveals the answer to the first question. The second would be the damages potentially inflicted by the breach of security and the seriousness of it. The last part assesses the diligence of the company in noticing and resolving issues, a major benefit of penetration testing.

There are several types of tests hackers are able to perform alone or in combination: remote network, remote dial-up network, local network, stolen laptop computer, social engineering, and physical entry. Additionally, due to the blurring of the line between hacking and viruses, hackers test systems' vulnerability to these at the request of the client. It is preferred that the client instead have up-to-date anti-virus software and a policy to deal with virus issues. Performing each of these tests can use one of three perspectives: a complete outsider, a semi-outsider, and an insider / valid user. A complete outsider, the most commonly perceived threat, is someone who has public access via the internet – he should not be able to penetrate anything. A semi-outsider is a user that has remote access to only specific parts of a network, for example their personal account information. Lastly, an insider or valid user should only have access to those parts of the network he was granted. Testing involves exploring the boundaries set and whether each type of user can do more than is defined in their limitations. Below is a description of each standard type of test.

I Remote network

The objective is to measure the exposure of the network resources and online services to attacks from the Internet. The hacking team evaluates the effectiveness of network controls such as firewalls.

II Remote dial-up network

This test, often referred to as war dialing, is “the act of using a computer to scan other computers automatically for accessible modems (Beaver, p115).” The hackers literally dial phone numbers using special tools. Modem use is often for outbound access, but there is a chance a hacker can obtain inbound access to a computer, putting the entire network at risk.

III Local network

During this test, the hacker acts as an authorized person with access to the company’s connection. They test the boundaries of the internal network, including firewalls, web servers, and e-mail.

IV Stolen laptop computer

As the title of this test suggests, a laptop is ‘stolen’ from an employee without warning. The ethical hacker then proceeds to search for things he can access on the company's network. This is often a problem because individuals tend to store passwords and other information on their computer so that they do not have to retype it every time they wish to log in.

V Social engineering

Social engineering is all about prying information directly from employees within the organization. This is the hardest security problem for an organization to eliminate because people and their personalities are involved. Just as a person is likely to assist someone who appears lost, he is likely to answer innocently asked questions or let someone without their badge into a building. The only way a company can fight against such security breaches is by raising risk awareness.

VI Physical entry

This test entails physically intruding on a business's property by getting around security and avoiding detection once inside. One tactic for successful penetration is carrying items that have the business's logo on them. Special arrangements with security guards and police may be required due to the nature of this test. The main defenses a business can have to resist this penetration include security guards, awareness, and access controls.

Results

Once testing is complete, the findings must be analyzed and documented. The hacker must determine the important vulnerabilities and those that are negligible. There are tools that can help to assign a ranking based on overall risk, explain the vulnerability, and provide recommendations and vendors. The typical ranking system is high, medium, or low. The recommendations are the most important aspect of the final report, as the purpose of testing is to eliminate any holes in a system. The basis of the recommendations is the hacker’s knowledge as a security professional, the tools previously mentioned, and the context of the vulnerabilities.

The reports produced need to be kept confidential and only provided on a need-to-know basis. If leaked, there is a risk of competitors, crackers, or insiders (intentionally or unintentionally) testing out the actions of the hackers and causing damage. There are a few tactics available to prevent unapproved use of the report against the client. The first is ensuring that only those who need to see the report have it directly delivered to them. Further, the data can be encrypted and password protected, with the encryption keys and passwords provided on a need-to-know basis. A second major recommended safeguard is removing program and data information, such as tools used, log files, and test data. This will prevent crackers or insiders from following the steps of the hackers. There is also the option of leaving out the testing steps that leave room for abuse and only answering questions on the topics as needed.

Conclusion

With crackers, insiders, and the numerous tools available, it is important for an organization to make sure its system is secure. If penetrated, at the minimum there is a temporary disruption of business processes. At the extreme scale, an organization may have a situation like TJX, where millions upon millions of private data records leaked. This kind of information loss does not come cheap; as it appears, it will cost TJX tens of millions of dollars. Security-breached organizations will end up in court fighting suits brought against them by customers, partners, and other affected third parties. They may also lose their own proprietary information and suffer reputation damage. The only way to recover from and prevent such losses is taking appropriate security measures. A vulnerability assessment will provide a broad overview of a system's security. Penetration testing further exploits the system to ensure that there are no holes or, if discovering any, recommends how to fix them. Penetration testing is the most in-depth and realistic approach to safeguarding data. Organizations that are hesitant to employ this approach should consider why they are nervous. If it is because they do not wish to risk downtime or damage to their system, the organizations should realize that a cracker can do the exact same thing but with malicious intentions. It is more hurtful and expensive to deal with a breach after a cracker has penetrated their system than the proactive approach of finding the hole and keeping it from exploitation. As the world converts information to electronic data, penetration testing becomes ever more important in an environment that does not well tolerate security breaches.

Works Cited

"Bank Group Sues TJX over Data Breach (Massachusetts Bankers Association, TJX Companies Inc.)." eWeek (April 25, 2007): NA. Expanded Academic ASAP. Thomson Gale. CIC University of Illinois Urbana Champ. 3 May 2007 <http://find.galegroup.com.proxy2.library.uiuc.edu/ips/infomark.do?&contentSet=IAC-Documents&type=retrieve&tabID=T003&prodId=IPS&docId=A162617285&source=gale&srcprod=EAIM&userGroupName=uiuc&version=1.0>.

Beaver, Kevin. Hacking for Dummies. 2nd ed. Hoboken: Wiley, Inc., 2007.

Jewell, Mark. "Slipup More Likely in Long Hack, Experts Say." Journal Gazette 18 Apr. 2007. 20 Apr. 2007 <http://www.fortwayne.com/mld/journalgazette/business/17095858.htm>.

McElligott, Tim. "Penetration Testing Digs Deeper." Telephony (2006): 40-43.

Palmer, C. C. "Ethical Hacking." IBM Systems Journal 40.3 (2001): 769-780.

Schutzmann, Mark. "Vulnerability Management." Protiviti. Seminar in Business Administration 490. University of Illinois, Urbana Champaign. 8 Feb. 2007.

Volonino, Linda, and Stephen R. Robinson. Principles and Practice of Information Security. Upper Saddle River: Pearson Education, Inc., 2004. 24-27.

Appendix

Abstract ... 2
Introduction ... 3
Business Issues of Concern in Security ... 5
Case in Point: TJ Haxx ... 7
Vulnerability Management vs. Penetration Testing ... 9
Ethical Hacking: Know Your Enemy ... 12
Risks ... 13
Get out of Jail Free Card ... 14
The Ethical Hack ... 17
Results ... 20
Conclusion ... 21
Works Cited ... 22