Ethical hacking - For a vulnerability check

How secure is your Information Systems infrastructure, including the security elements themselves, against external attacks? Have you been able to keep track of information security on an ongoing basis with all the new business and infrastructure changes that have been taking place in the organization? Do you have the right internal controls in place? Is the existing security implementation actually securing what it is supposed to secure?

An "Ethical Hacking Exercise", also known as "Penetration Testing", attempts to answer these questions. It is an acid test for checking the problem areas of an organization’s infrastructure elements and the business risks associated with them. These tests are a detailed check on the robustness of the critical information resources as well as the security elements themselves, in the face of various threats posed.

The service, comprising bespoke checks on the devices and processes, provides the organization with an element-level view (network, system, applications and processes) as well as an overall organization-level view of the risks that the organization might be carrying.

By undergoing an ethical hacking test, an organization should get an idea of the vulnerabilities that are present on the infrastructure and the information that is exposed to unauthorized external users as a result of these vulnerabilities.

However, the customer must understand that 70 per cent of all security breaches originate from internal users and that an ethical hacking exercise will only reveal the vulnerabilities that can be exploited by external users. To understand the vulnerabilities exposed to internal users, the organization must undertake a full-fledged security audit, consisting of security scans, user interviews and penetration testing.

If this exercise is being carried out by an external entity, a comprehensive agreement must be in place to ensure that the organization’s information assets are not harmed in any way. At a bare minimum, the agreement must address the following:

  • Non-Disclosure Agreement
  • Days and Times at which the exercise will be carried out
  • Infrastructure that will undergo the test
  • The kind of information/evidence that must be gathered
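
One way a test team could enforce the agreement items listed above before each action, shown as an added example that is not part of the original article. The Engagement fields, the address ranges, the time windows and the evidence names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Engagement:
    """Constructed model of the four agreement items (hypothetical names)."""
    nda_signed: bool
    windows: dict              # weekday (0 = Monday) -> (start, end) local time
    networks: tuple            # address blocks that will undergo the test
    evidence_types: frozenset  # kinds of evidence the customer has agreed to

def check_action(eng, target, when, evidence):
    """Return the reasons an action is out of scope; an empty list means allowed."""
    reasons = []
    if not eng.nda_signed:
        reasons.append("no signed NDA")
    window = eng.windows.get(when.weekday())
    if window is None or not (window[0] <= when.time() < window[1]):
        reasons.append("outside agreed days/times")
    addr = ip_address(target)
    if not any(addr in ip_network(net) for net in eng.networks):
        reasons.append("target not in agreed infrastructure")
    if evidence not in eng.evidence_types:
        reasons.append("evidence type not agreed")
    return reasons

# Constructed sample agreement: documentation address ranges, weekend nights only.
SAMPLE = Engagement(
    nda_signed=True,
    windows={5: (time(22, 0), time(23, 59)), 6: (time(0, 0), time(6, 0))},
    networks=("192.0.2.0/24", "198.51.100.16/28"),
    evidence_types=frozenset({"screen dump", "system configuration"}),
)

if __name__ == "__main__":
    # Constructed actions: one inside the agreement, one violating three items.
    for target, when, ev in [
        ("192.0.2.10", datetime(2004, 3, 6, 22, 30), "screen dump"),
        ("203.0.113.5", datetime(2004, 3, 8, 10, 0), "password list"),
    ]:
        print(target, check_action(SAMPLE, target, when, ev) or "in scope")
```

Logging every refused action together with its reasons gives both parties a record that the exercise stayed within the agreement.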

An approach for ethical hacking

An effective penetration testing methodology would consist of an attack-based approach to identify the loopholes in the IS ecosystem, comprising:

Footprinting: the preliminary groundwork needed to gain a firm understanding of the infrastructure under test. This stage would primarily involve network mapping and identification of network address blocks, domain names and registrations, routers, firewalls, proxies, gateways and caching systems, operating systems and application services, active database services and a remote access exposure review.

Port based attack: A cracker identifies open ports to initiate an effective attack. In this stage, the hacking team will attempt to identify all the exposed ports and the services associated with each of the exposed ports. Numerous commercial and open source tools are available for this.

Operating System enumeration: the next stage, involving more intrusive probes to check for vulnerabilities associated with wrong configurations, vulnerable user accounts and poorly protected resource shares. The techniques, tools and procedures used for this would depend on the operating system and how well it is protected by the existing perimeter security in the organization.

Services and data pilferage: To prove the vulnerabilities in the system, the person or team doing the hacking would have to collect evidence of them. This would include activities like getting lists of usernames and passwords, details about the system configurations, copies of files being used, the directory structure, the system architecture layout and screen dumps, among others.

Checking the security systems: A check of the security systems themselves is undertaken as the culmination of the ethical hacking exercise. A firewall is the first perimeter security protection available to any network. Firewall Penetration Testing would enumerate the firewall system by collecting information on the kind of firewall deployed and the underlying operating system, detecting vulnerabilities and simulating attacks. This will provide a better understanding of both how well a firewall is installed and how well the security policy is implemented.

Track Purging: This activity is carried out to clean the customers’ systems of any script files and other tools installed on the customers’ side. This is carried out to hide the way in which the systems were hacked. Activities during this phase would consist of clearing event logs and removing any files that might have been installed during the exercise.

Benefits of undergoing an ethical hacking exercise

Real security picture: The ethical hacking service provides a realistic picture of the organization’s security state with vulnerabilities identified. This can help the organization minimize the risk of a hacker causing damage to its networks, hosts and services.

Business-relevant information: After vulnerabilities are detected, a comprehensive analysis of them is done to retain only the business-relevant risks, arranged in order of criticality, which makes the results very "actionable".

A sound starting-point: Ethical hacking gives a valuable starting point to organizations that need to assess the need for security and is the first point in setting a security baseline.

Benchmarking organizational security: The results of the ethical hacking are compared against best standards and the results of other companies to build an indicative benchmark for your security-state.

Sensitive information in a safe manner: Since the entire exercise is carried out under a controlled environment, at agreed times, with appropriate agreements in place, the IS infrastructure is not harmed during the test.

 

CopyRight 2003-2004 Net ProActive Services . All Rights Reserved