ISACA Journal
Volume 4, 2014

Features 

Ethical Hacking: The Next Level or the Game Is Not Over? 

Viktor Polic, Ph.D., CISA, CRISC, CISSP 

Internal audit work plans tend to focus on priorities based on risk with the highest operational impact. For many organizations this results in IT audits focused on financial applications, human resources (HR) applications, enterprise resource planning (ERP) systems and the like. Many other systems remain out of audit scope due to limited audit resources and medium or low priorities in the annual audit plan. Other assurance functions, such as information security, struggle with the same resource constraints. Performing detailed technical information security risk assessments that involve manual tasks, specific skills and tools is costly and, therefore, such assessments are performed only on those systems exposed to risk with the highest business impact. However, a detailed information security risk assessment in the form of ethical hacking is the most accurate method to estimate risk likelihood.

Information security vendors have recognized the need to optimize the process of managing ethical hacking projects with the goal of reducing their costs. They have started offering ethical hacking services in the form of Security as a Service (SecaaS) solutions. The ability to acquire ethical hacking security assessments for information systems with medium or even low business impact would allow organizations to build more complete and accurate risk treatment plans and optimize resources for information security management.

Measuring IT Risk

COBIT 5[1] recommends following best practices for effective IT risk management:

  1. Make sure the IT risk management framework fits with the risk management objectives of the enterprise. Use similar risk classification principles and, wherever possible, classify and manage IT risk in a business-driven hierarchy, for example:
    • Strategic
    • Program
    • Project
    • Operational
  2. Define standard scales for IT risk assessment, covering impact and probability aligned with the organization’s enterprise risk management (ERM) framework.[2]
  3. Align the IT risk management appetite and tolerance levels with the ERM framework.

Risk indicators are defined as metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite. If carefully selected and measured with due diligence, these metrics represent a powerful management tool for making strategic decisions in governing the IT function within an enterprise. The following criteria should be taken into account for selection of information-security-related risk indicators: potential impact on vital information assets, efforts required to exploit information systems (IS) vulnerability, reliability of critical IT assets and sensitivity of information.

The likelihood of successfully exploiting a vulnerability is determined by the degree of difficulty in performing the exploit, the skill of the attacker, and the popularity or availability of the vulnerability. A vulnerability that is known to be popular among malicious hackers carries a higher probability of success. Industry-standard tools for assessment of vulnerabilities are software-based vulnerability scanners. These automated tools compare detected applications, operating systems and other components on audited hosts against proprietary or public databases of known vulnerabilities. They provide reports on detected gaps and recommend implementation of security patches, if available, or vendor-suggested work-around solutions. However, they do not put vulnerabilities in a business context and, thus, impact estimates could be misleading. A determined hacker is more likely to exploit even the low-scaled vulnerability if it is on a high-value business asset.

Moreover, automated vulnerability scanners do not provide information on interrelated risk as described in the referenced identity theft case. Their scans are target-centric rather than information-centric or business-process-centric. Therefore, human intervention is required to adjust the scanning methodology. Ethical hacking and penetration testing supplement automated risk assessment and add more certainty to the estimation of risk likelihood. When measuring risk, the standard deviation from the statistical average of security event occurrence is what counts the most. One needs to better sense outliers, not be surprised when they occur. The primary information security objective is to prevent false negatives rather than false positives. False positives in information security are collateral damage that is reduced by fine-tuning risk mitigation measures in the perpetual process of information security management. False negatives are foreseen, but unexpected, security events that result in impact on business. Particularly critical are extremely rare events with devastating impact, known as black swan events. Due to the lack of information on past occurrences of such events, it is very difficult to quantify the related risk and plan adequate mitigation. Ethical hacking could provide additional perception of such risk by identifying paths that may lead to high-impact breaches of information security or major IT infrastructure interruptions.

In today’s dynamic business environment where boundaries of responsibilities blur in cloud computing, outsourcing and virtualization on all scales, it is difficult to dedicate resources to continuous audit of all IT assets. Moreover, qualified ethical hacking is costly and time-consuming. Nevertheless, there are new tools for information security managers—hybrid solutions in the form of combined automated vulnerability scanners with manual ethical hacking. These less costly SecaaS tools can be used more frequently than dedicated penetration tests. They can be applied as regular periodic security assessments on critical information systems.

The systems that are the best candidates for such audits are web-based information systems. These systems are particularly vulnerable at the application layer.[3] The competitive advantage of hybrid vulnerability scanners over traditional automated scanners is in their ability to adapt attack strategies to the most vulnerable components of a target. Ethical hackers working in the back office of a SecaaS provider mimic the approach of malicious attackers. Attackers start with reconnaissance with the objective to collect intelligence about the target. Attackers use port scanning, DNS zoning, web searches for details on the company, its staff, its web identity, forums and social network searches, and other information gathering methods. Automated vulnerability scanners use only those methods that are technically feasible. Advanced correlation techniques are possible only manually.

When attackers collect enough information and identify the weakest links, they begin manual attacks. The weakest link in the security chain is typically a component of the information system that is not up to date, with a vulnerable version for which publicly known exploits already exist. Other weak links could be those that are misconfigured, disclosing unnecessary information or permitting brute-force attacks on authentication systems and other similar types of attacks. However, to be efficient, attacks have to be optimized and adapted to bypass other security controls, such as intrusion detection/prevention systems, firewalls, reverse proxy servers and others. Automated tools cannot adapt their attack scripts for sophisticated evasion techniques. Undoubtedly, malicious hackers can and so can ethical hackers. Advanced hybrid vulnerability scanners such as ImmuniWeb[4] offer custom-built scripts in the assessment reports in the form of exploit proof of concept. This is a valuable tool for information security teams to verify the likelihood of risk materializing and to adapt mitigation controls.

In addition, comprehensive vulnerability scanners use industry standards for definition of Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE).[5] Priority levels of identified vulnerabilities are represented in accordance with the Common Vulnerability Scoring System (CVSS).[6] The application of standards in assessment reports ensures that results are comparable with those from other tools and methodologies. Good assessment tools allow for customization of CVSS to adjust reports to the criticality of information assets in the particular business context for each customer. This facilitates comparison of periodic assessments and provides a quick overview of the organization’s risk posture. It also puts an emphasis on the most critical risk and more vulnerable information assets.

Good vulnerability assessment tools also highlight gaps from security standards and industry best practices. In 2011, the European Committee for Standardization adopted standards for burglar-resistant doors and windows.[7] According to this standard, doors and windows are classified in six security classes relative to their resistance to burglar attacks. For each security class, the standard defines force and tools used and minimum time of resistance. In the information security area, unfortunately, international standards that define resistance classes to particular levels of attacks do not exist. The ISO/IEC 27002:2005 standard, for example, recommends the best control measures and protection practices in different information security areas. The Payment Card Industry Data Security Standard (PCI DSS) takes a similar approach, defining areas of control for data protection. Certification audits assess the existence of controls, but do not require measurement of their efficiency. Ethical hacking or penetration testing performs measurement of efficiency of existing security controls analogous to the previously mentioned burglar resistance tests. This is an added advantage the hybrid vulnerability assessment scanners have over automated scanning tools.

Automated vulnerability scanners can identify existing security patches from software vendors. However, these are not always provided in a timely manner. Waiting for software vendors to provide a patch could expose critical information to unacceptable risk levels. Alternative risk mitigation measures could reduce exposure of information until security patches become available. Security researchers who discover new vulnerabilities sometimes suggest the selection of appropriate work-around mitigation controls. Ethical hackers participating in hybrid vulnerability assessments typically present several alternative remedies for each risk identified in their reports.

Conclusion

Hybrid vulnerability scanners offered as SecaaS have brought ethical hacking services to the broader market, allowing even small companies to contract such services. At a time when malicious attackers are more frequently part of a determined criminal group, as opposed to the “script kiddies” of yesteryear, availability of such tools permits information security teams to remain proactive. The information security game is not over; it has entered another level.

Endnotes

1 ISACA, COBIT 5, Align, Plan and Organize process, APO12 Manage risk, 2012, www.isaca.org/cobit
2 ISACA, Transforming Cybersecurity Using COBIT 5, 2013, www.isaca.org/cobit
3 The Open Web Application Security Project (OWASP), 2013, www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
4 High-Tech Bridge, 2013, https://www.htbridge.com/immuniweb/
5 MITRE, 2012, http://cve.mitre.org/
6 FIRST, www.first.org/cvss
7 European Committee for Standardization, EN 1630-2011, Pedestrian door sets, windows, curtain walling, grilles and shutters—Burglar resistance—Test method for the determination of resistance to manual burglary attempts, 2011

Viktor Polic, Ph.D., CISA, CRISC, CISSP, has been an information and communication technology professional with the United Nations and several specialized agencies since 1993. His current position is chief of the information security office at the International Labour Organization. Polic is also an adjunct faculty member at Webster University (Geneva, Switzerland), teaching courses on information security and telecommunications within the Computer Science Department of the School of Business and Technology, and serves as a member of the Scientific Committee for Advanced Studies in Information Security at the Department of Management Studies of the Faculty of Economic and Social Sciences at the University of Geneva (Switzerland).
