Ethical hacking sounds like an oxymoron. If you are someone who is responsible for the confidentiality, integrity, and availability of data on your network, isn’t getting hacked the last thing you would want? Don’t worry! Ethical hacking projects (or assessments) don’t involve doing any damage to your network. Sometimes, though, the best way to understand exactly how a real hacker would attack your assets is to simulate a real-world attack. Think of the pain that Target and its customers might have avoided had an ethical hacker alerted them to the vulnerabilities that were ultimately exploited.
Computer security organizations such as Redspin employ experts in the fields of IT security assessments, penetration testing, and application security. These experts have the same skill set that the bad guys use to wreak havoc on computers, and they apply that knowledge to helping your organization become more secure. The work can take many different project scopes, since “ethical hacking” is a broad term, but it generally refers to an external penetration test.
The primary goal of ethical hacking projects is to find the answer to one simple question: if an attacker targeted my network – whether it’s a bored teenager in a basement or a state-funded advanced persistent threat – what would they be able to access? Are my Internet-facing devices secure? Are my software configurations deployed in a sane and secure way? What services are open to remote login from the Internet? Furthermore, if any of these services are breached in any way, what data would be potentially compromised?
Sometimes, ethical hacking projects take the form of an assessment of an Internet-facing or internal-use web application. These projects help you understand an application’s attack surface before it is deployed to production, and they can also verify that incremental releases (such as the output of regular code sprints) are not introducing new software vulnerabilities. Common vulnerabilities such as SQL injection, cross-site scripting, cross-site request forgery, and security misconfigurations can be detected, exploited safely (that is, demonstrated without damaging data or disrupting service), and remediated quickly and cost-effectively through ethical hacks of web applications.
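To make the “detected, exploited safely, and remediated” cycle concrete for the SQL injection case, here is an added example (not Redspin’s code and not from the original post). It builds a constructed in-memory SQLite table with one user, shows a login check that splices input into the query text, the classic tautology payload that bypasses it, and the parameterized rewrite that neutralizes the same payload. Passwords are stored in plaintext only to keep the demonstration short; a real system stores password hashes.

```python
"""Vulnerable vs. hardened login query, as an added example (not Redspin's code).

Uses an in-memory SQLite database with a constructed users table so it runs
offline. The attacker input is the classic tautology plus comment-out payload.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with one constructed user record.

    Plaintext password storage is for demonstration only; real systems
    store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so the attacker controls the query structure, not just the values."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Remediated: a parameterized query keeps the SQL text fixed; the driver
    binds the values, so quotes and comment markers in input stay literal."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed attacker payload: closes the string literal, injects a tautology,
# and comments out the password check ("--" starts a comment in SQLite).
PAYLOAD = "' OR '1'='1' --"


def demo() -> dict:
    """Run both login checks against legitimate, wrong, and injected input.

    'Exploited safely' here means the injection only demonstrates an auth
    bypass against a throwaway table; no data is modified or destroyed."""
    conn = make_db()
    good_pw = "correct horse battery staple"
    return {
        "vuln_legit": login_vulnerable(conn, "alice", good_pw),
        "vuln_wrong_pw": login_vulnerable(conn, "alice", "nope"),
        "vuln_injected": login_vulnerable(conn, PAYLOAD, "nope"),  # bypass
        "hard_legit": login_hardened(conn, "alice", good_pw),
        "hard_wrong_pw": login_hardened(conn, "alice", "nope"),
        "hard_injected": login_hardened(conn, PAYLOAD, "nope"),    # blocked
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function accepts the payload as a valid login because the resulting SQL reads `... WHERE username = '' OR '1'='1' --' AND password = 'nope'`; everything after `--` is ignored and the tautology matches every row. The hardened function sends the same string as a bound value, so it is compared literally against the username column and no row matches. The remediation is the parameterized query itself; input filtering alone is not a substitute for it.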
Ethical hacking, by definition, includes the exploitation of potentially vulnerable systems and applications. This allows you, as a security organization, to understand the real-world impact of an attack. In many ways, an ethical hacking project or penetration test is a superset of a vulnerability assessment: a vulnerability scan must take place first in order to identify the known vulnerabilities that will then be exploited. Redspin engineers begin with reconnaissance, including port scanning and vulnerability scanning, to create a baseline of the network or application architecture. From there, our engineers build a threat model and attempt to breach the perimeter of the target scope. The last part of the assessment, manual exploitation, is what separates the expertise of human engineers from the robotic nature of automated scans: some threat vectors can only be understood by a real person looking at the results. These include business logic flaws, inappropriate data leakage, and more. Such unconventional attack vectors are particularly important in web application security assessments, where horizontal privilege escalation (one user reaching another user’s data or functions at the same privilege level) can be the difference between a minor issue and a critical one.
Ethical hacking is also used by many organizations as a process to verify the security of externally-developed applications or work performed by contractors. Having an objective third party like Redspin vet your infrastructure or application can reveal security vulnerabilities and misconfigurations that were introduced during the deployment of critical technologies. By performing ethical hacking projects, your organization is able to verify that contractors are performing their roles in a secure way.
There is a large array of security services available, and they all play an important role based on the goals your organization is looking to achieve. While there is no single service that can accurately answer every security need, an ethical hacking assessment of your Internet-facing infrastructure or web applications is a solid foundation for an ongoing security program. When considering your security projects for the coming year, don’t shy away from ethical hacking and penetration testing: sometimes, it’s exactly what your organization needs.