The Ethical Hacking Process
Like practically any IT or security project, ethical hacking needs to be planned in advance. Strategic and tactical issues in the ethical hacking process should be determined and agreed upon. To ensure the success of your efforts, spend time up front planning things out. Planning is important for any amount of testing — from a simple password-cracking test to an all-out penetration test on a Web application.
Formulating your plan
Approval for ethical hacking is essential. Make what you're doing known and visible — at least to the decision makers. Obtaining sponsorship of the project is the first step. This could be your manager, an executive, your client, or even yourself if you're the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing may be called off unexpectedly if someone claims they never authorized you to perform the tests.
The authorization can be as simple as an internal memo or e-mail from your boss if you're performing these tests on your own systems. If you're testing for a client, have a signed contract in place, stating the client's support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your Get Out of Jail Free card if anyone questions what you're doing, or worse, if the authorities come calling.
One slip can crash your systems — not necessarily what anyone wants. You need a detailed plan, but that doesn't mean you need volumes of testing procedures. A well-defined scope includes the following information:
- Specific systems to be tested: When selecting systems to test, start with the most critical systems and processes or the ones you suspect to be the most vulnerable. For instance, you can test computer passwords, an Internet-facing Web application, or attempt social engineering attacks before drilling down into all your systems.
- Risks involved: It pays to have a contingency plan for your ethical hacking process in case something goes awry. What if you're assessing your firewall or Web application and you take it down? This can cause system unavailability, which can reduce system performance or employee productivity. Even worse, it could cause loss of data integrity, loss of data itself, and even bad publicity. It'll most certainly tick off a person or two and make you look bad.
- Handle social engineering and DoS attacks carefully. Determine how they can affect the systems you're testing and your entire organization.
- When the tests will be performed and your overall timeline: Determining when the tests are performed is something that you must think long and hard about. Do you perform tests during normal business hours? How about late at night or early in the morning so that production systems aren't affected? Involve others to make sure they approve of your timing.
- The best approach is an unlimited attack, wherein any type of test is possible at any time of day. The bad guys aren't breaking into your systems within a limited scope, so why should you? Some exceptions to this approach are performing DoS attacks, social engineering, and physical security tests.
- How much knowledge of the systems you have before you start testing: You don't need extensive knowledge of the systems you're testing — just a basic understanding. This basic understanding helps protect you and the tested systems.
- What action will be taken when a major vulnerability is discovered: Don't stop after you find one security hole. This can lead to a false sense of security. Keep going to see what else you can discover. You don't have to keep hacking until the end of time or until you crash all your systems; simply pursue the path you're going down until you can't hack it any longer (pun intended). If you haven't found any vulnerabilities, you haven't looked hard enough.
- The specific deliverables: This includes security assessment reports and a higher-level report outlining the general vulnerabilities to be addressed, along with countermeasures that should be implemented.
One of your goals may be to perform the tests without being detected. For example, you may be performing your tests on remote systems or on a remote office, and you don't want the users to be aware of what you're doing. Otherwise, the users may catch on to you and be on their best behavior — instead of their normal behavior.
Executing the plan
Good ethical hacking takes persistence. Time and patience are important. Be careful when you're performing your ethical hacking tests. A hacker in your network or a seemingly benign employee looking over your shoulder may watch what's going on and use this information against you.
It isn't practical to make sure that no hackers are on your systems before you start. Just make sure you keep everything as quiet and private as possible. This is especially critical when transmitting and storing your test results. If possible, encrypt any e-mails and files containing sensitive test information by using Pretty Good Privacy or similar technology. At a minimum, password-protect them.
You're now on a reconnaissance mission. Harness as much information as possible about your organization and systems, which is what malicious hackers do. Start with a broad view and narrow your focus:
1. Search the Internet for your organization's name, your computer and network system names, and your IP addresses.
Google is a great place to start.
2. Narrow your scope, targeting the specific systems you're testing.
Whether you're assessing physical security structures or Web applications, a casual assessment can turn up a lot of information about your systems.
3. Further narrow your focus with a more critical eye. Perform actual scans and other detailed tests to uncover vulnerabilities on your systems.
4. Perform the attacks and exploit any vulnerabilities you've found, if that's what you choose to do.
Assess your results to see what you uncovered, assuming that the vulnerabilities haven't been made obvious before now. This is where knowledge counts. Evaluating the results and correlating the specific vulnerabilities discovered is a skill that gets better with experience. You'll end up knowing your systems much better than anyone else. This makes the evaluation process much simpler moving forward.
Submit a formal report to upper management or to your client, outlining your results and any recommendations you wish to share. Keep these parties in the loop to show that your efforts and their money are well spent.