ETHICAL HACKING

Ethical hacking

 

The explosive growth of the Internet has brought many good things: electronic commerce, easy access to vast stores of reference material, collaborative computing, e-mail, and new avenues for advertising and information distribution, to name a few. As with most technological advances, there is also a dark side: criminal hackers. Governments, companies, and private citizens around the world are anxious to be a part of this revolution, but they are afraid that some hacker will break into their Web server and replace their logo with pornography, read their e-mail, steal their credit card number from an on-line shopping site, or implant software that will secretly transmit their organization’s secrets to the open Internet. With these concerns and others, the ethical hacker can help. This paper describes ethical hackers: their skills, their attitudes, and how they go about helping their customers find and plug up security holes. The ethical hacking process is explained, along with many of the problems that the Global Security Analysis Lab has seen during its early years of ethical hacking for IBM clients.

T

he term “hacker” has a dual usage in the computer industry today. Originally, the term was

defined as:

HACKER noun1.Apersonwhoenjoyslearningthe details of computer systems and how to stretch their capabilities—as opposed to most users of computers,whoprefertolearnonlytheminimum amount necessary. 2. One who programs enthusiasticallyorwhoenjoysprogrammingratherthan just theorizing about programming.¹

This complimentary description was often extended to the verb form “hacking,” which was used to deby C. C. Palmer

scribe the rapid crafting of a new program or the making of changes to existing, usually complicated software.

As computers became increasingly available at universities, user communities began to extend beyond researchers in engineering or computer science to other individuals who viewed the computer as a curiously flexible tool. Whether they programmed the computers to play games, draw pictures, or to help them with the more mundane aspects of their daily work, once computers were available for use, there was never a lack of individuals wanting to use them.

Because of this increasing popularity of computers and their continued high cost, access to them was usually restricted. When refused access to the computers, some users would challenge the access controls that had been put in place. They would steal passwordsoraccountnumbersbylookingoversomeone’s shoulder, explore the system for bugs that might get them past the rules, or even take control of the whole system. They would do these things in order to be able to run the programs of their choice, or just to change the limitations under which their programs were running.

Initiallythesecomputerintrusionswerefairlybenign, with the most damage being the theft of computer time. Other times, these recreations would take the

0018-8670/01/$5.00 © 2001 IBM

rCopyright 2001 by International Business Machines Corporation. Copying in printed form for private use is permitted withoutpaymentofroyaltyprovidedthat(1)eachreproductionisdone without alteration and (2) the Journal reference and IBM copyright notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied or distributed royalty free without further permission by computer-based and other information-service systems. Permission to republish any other portion of this paper must be obtained from the Editor.

form of practical jokes. However, these intrusions did notstaybenignforlong.Occasionallythelesstalented, orlesscareful,intruderswouldaccidentallybringdown a system or damage its files, and the system administratorswouldhavetorestartitormakerepairs.Other times, when these intruders were again denied accessoncetheiractivitieswerediscovered,theywould reactwithpurposefullydestructiveactions.Whenthe numberofthesedestructivecomputerintrusionsbecame noticeable, due to the visibility of the system or the extent of the damage inflicted, it became “news” and the news media picked up on the story. Instead of using the more accurate term of “computer criminal,” the media began using the term “hacker”todescribeindividualswhobreakintocomputersforfun,revenge,orprofit.Sincecallingsomeonea“hacker”wasoriginallymeantasacompliment, computer security professionals prefer to use the term “cracker” or “intruder” for those hackers who turn to the dark side of hacking. For clarity, we will use the explicit terms “ethical hacker” and “criminal hacker” for the rest of this paper.

What is ethical hacking?

With the growth of the Internet, computer security has become a major concern for businesses and governments. They want to be able to take advantage of the Internet for electronic commerce, advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being “hacked.” At the same time, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses.²

In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records. In the case of computer security, these “tiger teams” or “ethical hackers” ³ would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems’ security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.

This method of evaluating the security of a system has been in use from the early days of computers. Inoneearlyethicalhack,theUnitedStatesAirForce conducted a “security evaluation” of the Multics operating systems for “potential use as a two-level (secret/topsecret)system.” ⁴ Theirevaluationfound thatwhileMulticswas“significantlybetterthanother conventional systems,” it also had “ . . . vulnerabilitiesinhardwaresecurity,softwaresecurity,andprocedural security” that could be uncovered with “a relativelylowlevelofeffort.”Theauthorsperformed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military.^{5 – 7}

Withthegrowthofcomputernetworking,andofthe Internet in particular, computer and network vulnerabilitystudiesbegantoappearoutsideofthemilitary establishment. Most notable of these was the work by Farmer and Venema,⁸ which was originally posted to Usenet⁹ in December of 1993. They discussed publicly, perhaps for thefirst time,¹⁰ this idea of using the techniques of the hacker to assess the securityofasystem.WiththegoalofraisingtheoveralllevelofsecurityontheInternetandintranets,they proceeded to describe how they were able to gather enoughinformationabouttheirtargetstohavebeen able to compromise security if they had chosen to do so. They provided several specific examples of howthisinformationcouldbegatheredandexploited to gain control of the target, and how such an attack could be prevented.

Farmer and Venema elected to share their report freely on the Internet in order that everyone could read and learn from it. However, they realized that the testing at which they had become so adept might be too complex, time-consuming, or just too boring for the typical system administrator to perform on a regular basis. For this reason, they gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it.¹¹ Theirprogram,calledSecurityAnalysisToolforAuditing Networks, or SATAN, was met with a great amount of media attention around the world. Most ofthisearlyattentionwasnegative,becausethetool’s capabilities were misunderstood. The tool was not an automated hacker program that would bore into systems and steal their secrets. Rather, the tool performed an audit that both identified the vulnerabilitiesofasystemandprovidedadviceonhowtoeliminatethem.Justasbankshaveregularauditsoftheir accounts and procedures, computer systems also needregularchecking.The SATAN toolprovidedthat auditing capability, but it went one step further: it also advised the user on how to correct the problems it discovered. The tool did not tell the user how the vulnerability might be exploited, because there would be no useful point in doing so.

Who are ethical hackers?

These early efforts provide good examples of ethical hackers. Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. While testing the security of a client’s systems, the ethical hacker may discover information about the client that should remain secret. In many cases, this information, if publicized, could lead to real intruders breaking into the systems, possibly leading to financial losses. During an evaluation, the ethical hacker often holds the “keys to the company,” and therefore must be trusted to exercise tight control over any information about a target that could be misused. The sensitivity of the information gathered during an evaluation requires that strong measures be taken to ensure the security of the systems being employed by the ethical hackers themselves: limited-access labs with physical security protection and full ceiling-to-floor walls, multiplesecureInternetconnections,asafetoholdpaper documentation from clients, strong cryptography to protect electronic results, and isolated networks for testing.

Ethical hackers typically have very strong programming and computer networking skills and have been in the computer andnetworking business for several years. They are also adept at installing and maintaining systems that use the more popular operating systems(e.g., UNIX**orWindows NT**)usedontarget systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors. It should be noted that an additional specialization in security is not always necessary, as strong skills in the other areas imply a very good understanding of how the security on various systems is maintained. These systems management skills are necessary for the actual vulnerability testing, but are equally important when preparing the report for the client after the test.

Finally, good candidates for ethical hacking have more drive and patience than most people. Unlike thewaysomeonebreaksintoacomputerinthemov-

 

Just as in sports or warfare, knowledge of the skills

and techniques of your opponent

is vital to your success.

 

ies, the work that ethical hackers do demands a lot of time and persistence. This is a critical trait, since criminal hackers are known to be extremely patient and willing to monitor systems for days or weeks while waiting for an opportunity. A typical evaluation may require several days of tedious work that is difficult to automate. Some portions of the evaluations must be done outside of normal working hours to avoid interfering with production at “live” targets or to simulate the timing of a real attack. When they encounter a system with which they are unfamiliar, ethical hackers will spend the time to learnaboutthesystemandtrytofinditsweaknesses. Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review.

One might observe that the skills we have described could just as easily belong to a criminal hacker as to an ethical hacker. Just as in sports or warfare, knowledge of the skills and techniques of your opponent is vital to your success. In the computer security realm, the ethical hacker’s task is the harder one. With traditional crime anyone can become a shoplifter, graffiti artist, or a mugger. Their potential targets are usually easy to identify and tend to be localized. The local law enforcement agents must know how the criminals ply their trade and how to stop them. On the Internet anyone can download criminal hacker tools and use them to attempt to break into computers anywhere in the world. Ethicalhackershavetoknowthetechniquesofthecriminal hackers, how their activities might be detected, and how to stop them.

Given these qualifications, how does one go about findingsuchindividuals?Thebestethicalhackercandidates will have successfully published research papers or released popular open-source security software.¹² Thecomputersecuritycommunityisstrongly self-policing, given the importance of its work. Most ethicalhackers,andmanyofthebettercomputerand network security experts, did not set out to focus on theseissues.Mostofthemwerecomputerusersfrom various disciplines, such as astronomy and physics, mathematics, computer science, philosophy, or liberal arts, who took it personally when someone disrupted their work with a hack.

One rule that IBM’s ethical hacking effort had from the very beginning was that we would not hire exhackers. While some will argue that only a “real hacker” would have the skill to actually do the work, we feel that the requirement for absolute trust eliminated such candidates. We likened the decision to thatofhiringafiremarshalforaschooldistrict:while a gifted ex-arsonist might indeed know everything about setting and putting out fires, would the parentsofthestudentsreallyfeelcomfortablewithsuch a choice? This decision was further justified when theservicewasinitiallyoffered:thecustomersthemselvesaskedthatsucharestrictionbeobserved.Since IBM’s ethical hacking group was formed, there have been numerous ex-hackers who have become security consultants and spokespersons for the news media.Whiletheymayverywellhaveturnedawayfrom the “dark side,” there will always be a doubt.

What do ethical hackers do?

An ethical hacker’s evaluation of a system’s security seeks answers to three basic questions:

● What can an intruder see on the target systems? ● What can an intruder do with that information? ● Does anyone at the target notice the intruder’s attempts or successes?

While the first and second of these are clearly important,thethirdisevenmoreimportant:Iftheowners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying and will usually eventually succeed.

Whentheclientrequestsanevaluation,thereisquite a bit of discussion and paperwork that must be done up front. The discussion begins with the client’s answers to questions similar to those posed by Garfinkel and Spafford:¹³

1.    What are you trying to protect?

2.    What are you trying to protect against?

3.    How much time, effort, and money are you willing to expend to obtain adequate protection?

A surprising number of clients have difficulty precisely answering the first question: a medical center might say “our patient information,” an engineering firm might answer “our new product designs,” and a Web retailer might answer “our customer database.”

All of these answers fall short, since they only describetargetsinageneralway.Theclientusuallyhas to be guided to succinctly describe all of the critical information assets for which loss could adversely affect the organization or its clients. These assets should also include secondary information sources, suchasemployeenamesandaddresses(whichareprivacyandsafetyrisks),computerandnetworkinformation (which could provide assistance to an intruder), and other organizations with which this organization collaborates(whichprovidealternatepathsintothetarget systems through a possibly less secure partner’s system).

A complete answer to (2) specifies more than just the loss of the things listed in answer to (1). There are also the issues of system availability, wherein a denial-of-service attack could cost the client actual revenueandcustomerlossbecausesystemswereunavailable. The world became quite familiar with denial-of-service attacks in February of 2000 when attacks were launched against eBay**, Yahoo!**, E*TRADE**,CNN**,andotherpopularWebsites. During the attacks, customers were unable to reach these Web sites, resulting in loss of revenue and “mind share.” The answers to (1) should contain more than just a list of information assets on the organization’s computer. The level of damage to an organization’s good image resulting from a successful criminal hack can range from merely embarrassing to a serious threat to revenue. As an example of a hack affecting an organization’s image, on January 17, 2000, a U.S. Library of Congress Web site was attacked. The original initial screen is shown in Figure 1, whereas the hacked screen is shown in Figure 2. As is often done, the criminal hacker left his or her nickname, or handle, near the top of the page in order to guarantee credit for the break-in.

Figure 1 Library of Congress Web page before attack

Someclientsareunderthemistakenimpressionthat their Web site would not be a target. They cite numerous reasons, such as “it has nothing interesting on it” or “hackers have never heard of my company.” What these clients do not realize is that every Web site is a target. The goal of many criminal hackers is simple: Do something spectacular and then make sure that all of your pals know that you did it. Another rebuttal is that many hackers simply do not carewhoyourcompanyororganizationis;theyhack your Web site because they can. For example, Web administratorsat UNICEF ( UnitedNationsChildren’s Fund) might very well have thought that no hacker would attack them. However, in January of 1998 , their page was defaced as shown in Figures 3 and 4. Many other examples of hacked Web pages can be found at archival sites around the Web.¹⁴

Figure 2 Hacked Library of Congress Web page

Answerstothethirdquestionarecomplicatedbythe fact that computer and network security costs come inthreeforms.Firsttherearetherealmonetarycosts incurred when obtaining security consulting, hiring personnel, and deploying hardware and software to support security needs. Second, there is the cost of usability: the more secure a system is, the more difficult it can be to make it easy to use. The difficulty can take the form of obscure password selection rules, strict system configuration rules, and limited remote access. Third, there is the cost of computer and network performance. The more time a computer or network spends on security needs, such as strongcryptographyanddetailedsystemactivitylogging, the less time it has to work on user problems.

BecauseofMoore’sLaw,¹⁵ thismaybelessofanissue for mainframe, desktop, and laptop machines. Yet, it still remains a concern for mobile computing.

Figure 3 UNICEF Web page before attack

The “get out of jail free card” Onceanswerstothesethreequestionshavebeendetermined,asecurityevaluationplanisdrawnupthat identifies the systems to be tested, how they should be tested, and any limitations on that testing. Commonly referred to as a “get out of jail free card,” this is the contractual agreement between the client and the ethical hackers, who typically write it together. This agreement also protects the ethical hackers againstprosecution,sincemuchofwhattheydoduring the course of an evaluation would be illegal in most countries. The agreement provides a precise description,usuallyintheformofnetworkaddresses or modem telephone numbers, of the systems to be evaluated. Precision on this point is of the utmost importance, since a minor mistake could lead to the evaluation of the wrong system at the client’s installation or, in the worst case, the evaluation of some other organization’s system.

Figure 4 Hacked UNICEF Web page

Oncethetargetsystemsareidentified,theagreement must describe how they should be tested. The best evaluation is done under a “no-holds-barred” approach. This means that the ethical hacker can try anything he or she can think of to attempt to gain access to or disrupt the target system. While this is themostrealisticanduseful,someclientsbalkatthis level of testing. Clients have several reasons for this, the most common of which is that the target systems are “in production” and interference with their operation could be damaging to the organization’s interests. However, it should be pointed out to such clients that these very reasons are precisely why a “no-holds-barred”approachshouldbeemployed.An intruder will not be playing by the client’s rules. If the systems are that important to the organization’s well-being, they should be tested as thoroughly as possible. In either case, the client should be made fullyawareoftherisksinherenttoethicalhackerevaluations.Theserisksincludealarmedstaffandunintentionalsystemcrashes,degradednetworkorsystemperformance,denialofservice,andlog-filesizeexplosions.

Some clients insist that as soon as the ethical hackers gain access to their network or to one of their systems, the evaluation should halt and the client be notified. This sort of ruling should be discouraged, because it prevents the client from learning all that the ethical hackers might discover about their systems. It can also lead to the client’s having a false sense of security by thinking that the first security hole found is the only one present. The evaluation should be allowed to proceed, since where there is one exposure there are probably others.

The timing of the evaluations may also be important to the client. The client may wish to avoid affecting systems and networks during regular workinghours.Whilethisrestrictionisnotrecommended, it reduces the accuracy of the evaluation only somewhat, since most intruders do their work outside of the local regular working hours. However, attacks doneduringregularworkinghoursmaybemoreeasily hidden. Alerts from intrusion detection systems mayevenbedisabledorlesscarefullymonitoredduring the day. Whatever timing is agreed to, the client shouldprovidecontactswithintheorganizationwho can respond to calls from the ethical hackers if a system or network appears to have been adversely affected by the evaluation or if an extremely dangerousvulnerabilityisfoundthatshouldbeimmediately corrected.

It is common for potential clients to delay the evaluationoftheirsystemsuntilonlyafewweeksordays before the systems need to go on-line. Such lastminute evaluations areof little use, since implementations of corrections for discovered security problemsmighttakemoretimethanisavailableandmay introduce new system problems.

In order for the client to receive a valid evaluation, the client must be cautioned to limit prior knowledge of the test as much as possible. Otherwise, the ethicalhackersmightencountertheelectronicequivalent of the client’s employees running ahead of them, locking doors and windows. By limiting the number of people at the target organization who know of the impending evaluation, the likelihood that the evaluation will reflect the organization’s actualsecuritypostureisincreased.Arelatedissuethat the client must be prepared to address is the relationship of the ethical hackers to the target organization’s employees. Employees may view this “surprise inspection” as a threat to their jobs, so the organization’s management team must be prepared to take steps to reassure them.

The ethical hack itself

Once the contractual agreement is in place, the testing may begin as defined in the agreement. It should be noted that the testing itself poses some risk to the client, since a criminal hacker monitoring the transmissions of the ethical hackers could learn the same information. If the ethical hackers identify a weakness in the client’s security, the criminal hacker could potentially attempt to exploit that vulnerability. This is especially vexing since the activities ofthe ethical hackers might mask those of the criminal hackers. The best approach to this dilemma is to maintainseveraladdressesaroundtheInternetfrom which the ethical hacker’s transmissions will emanate,andtoswitchoriginaddressesoften.Complete logs of the tests performed by the ethical hackers are always maintained, both for the final report and in the event that something unusual occurs. In extremecases,additionalintrusionmonitoringsoftware can be deployed at the target to ensure that all the tests are coming from the ethical hacker’s machines. However, this is difficult to do without tipping off the client’s staff and may require the cooperation of the client’s Internet service provider.

The line between criminal hacking and computer virus writing is becoming increasingly blurred. When requested by the client, the ethical hacker can perform testing to determine the client’s vulnerability to e-mail or Web-based virus vectors. However, it is far better for the client to deploy strong antivirus software, keep it up to date, and have a clear and simple policy in place for the reporting of incidents. IBM’s Immune System for Cyberspace ^16,17 is another approach that provides the additional capability of recognizingnewvirusesandreportingthemtoacentrallabthatautomaticallyanalyzesthevirusandprovides an immediate vaccine.

As dramatized in Figure 5, there are several kinds of testing. Any combination of the following may be called for:

●   Remote network. This test simulates the intruder launching an attack across the Internet. The primary defenses that must be defeated here are border firewalls, filtering routers, and Web servers.

●   Remote dial-up network. This test simulates the intruder launching an attack against the client’s modem pools. The primary defenses that must be defeatedhereareuserauthenticationschemes.These kinds of tests should be coordinated with the local telephone company.

●   Local network. This test simulates an employee or other authorized person who has a legal connection to the organization’s network. The primary defenses that must be defeated here are intranet firewalls,internalWebservers,serversecuritymeasures, and e-mail systems.

●   Stolenlaptopcomputer.Inthistest,thelaptopcomputer of a key employee, such as an upper-level manager or strategist, is taken by the client without warning and given to the ethical hackers. They examine the computer for passwords stored in dial-up software, corporate information assets, personnel information, and the like. Since many busy users will store their passwords on their machine, it is common for the ethical hackers to be able to use this laptop computer to dial into the corporate intranet with the owner’s full privileges.

●   Socialengineering.Thistestevaluatesthetargetorganization’s staff as to whether it would leak information to someone. A typical example of this would be an intruder calling the organization’s computerhelplineandaskingfortheexternaltele
phone numbers of the modem pool. Defending against this kind of attack is the hardest, because people and personalities are involved. Most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to let someone into the building who “forgot” his or her badge. The only defense against this is to raise security awareness.

●   Physical entry. This test acts out a physical penetration of the organization’s building. Special arrangements must be made for this, since security guards or police could become involved if the ethical hackers fail to avoid detection. Once inside the building, it is important that the tester not be detected. One technique is for the tester to carry a document with the target company’s logo on it. Such a document could be found by digging through trash cans before the ethical hack or by casually picking up a document from a trash can or desk once the tester is inside. The primary defenses here are a strong security policy, security guards, access controls and monitoring, and security awareness.

Eachofthesekindsoftestingcanbeperformedfrom three perspectives: as a total outsider, a “semi-outsider,” or a valid user.

A total outsider has very limited knowledge about thetargetsystems.TheonlyinformationusedisavailablethroughpublicsourcesontheInternet.Thistest represents the most commonly perceived threat. A well-defended system should not allow this kind of intruder to do anything.

A semi-outsider has limited access to one or more of the organization’s computers or networks. This tests scenarios such as a bank allowing its depositors to use special software and a modem to access information about their accounts. A well-defended system should only allow this kind of intruder to access his or her own account information.

A valid user has valid access to at least some of the organization’s computers and networks. This tests whether or not insiders with some access can extend thataccessbeyondwhathasbeenprescribed.Awelldefended system should allow an insider to access only the areas and resources that the system administrator has assigned to the insider.

Theactualevaluationoftheclient’ssystemsproceeds through several phases, as described previously by Boulanger.¹⁸

The final report

The final report is a collection of all of the ethical hacker’s discoveries made during the evaluation. Vulnerabilitiesthatwerefoundtoexistareexplained and avoidance procedures specified. If the ethical hacker’s activities were noticed at all, the response of the client’s staff is described and suggestions for improvements are made. If social engineering testing exposed problems, advice is offered on how to raise awareness. This is the main point of the whole exercise: it does clients no good just to tell them that they have problems. The report must include specific advice on how to close the vulnerabilities and keep them closed. The actual techniques employed by the testers are never revealed. This is because the person delivering the report can never be sure just who will have access to that report once it is in the client’shands.Forexample,anemployeemightwant to try out some of the techniques for himself or herself. He or she might choose to test the company’s systems, possibly annoying system administrators or eveninadvertentlyhidingarealattack.Theemployee might also choose to test the systems of another organization, which is a felony in the United States when done without permission.

The actual delivery of the report is also a sensitive issue. If vulnerabilities were found, the report could beextremelydangerousifitfellintothewronghands. A competitor might use it for corporate espionage, a hacker might use it to break into the client’s computers, or a prankster might just post the report’s contents on the Web as a joke. The final report is typically delivered directly to an officer of the client organization in hard-copy form. The ethical hackers would have an ongoing responsibility to ensure the safety of any information they retain, so in most casesallinformationrelatedtotheworkisdestroyed at the end of the contract.

Once the ethical hack is done and the report delivered, the client might ask “So, if I fix these things I’ll have perfect security, right?” Unfortunately, this is not the case. People operate the client’s computers and networks, and people make mistakes. The longer it has been since the testing was performed, the less can be reliably said about the state of a client’s security. A portion of the final report includes recommendations for steps the client should continuetofollowinordertoreducetheimpactofthese mistakes in the future.

Conclusions

The idea of testing the security of a system by trying to break into it is not new. Whether an automobile companyiscrash-testingcars,oranindividualistesting his or her skill at martial arts by sparring with a partner, evaluation by testing under attack from a real adversary is widely accepted as prudent. It is, however, not sufficient by itself. As Roger Schell observed nearly 30 years ago:

From a practical standpoint the security problem will remain as long as manufacturers remaincommitted to current system architectures, produced without a firm requirement for security. As long asthereissupportforadhocfixesandsecuritypackages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrationsofacomputersystemsecurity,proper security will not be a reality.¹⁹

Regular auditing, vigilant intrusion detection, good system administration practice, and computer security awareness are all essential parts of an organization’s security efforts. A single failure in any of these areas could very well expose an organization to cyber-vandalism, embarrassment, loss of revenue or mind share, or worse. Any new technology has its benefits and its risks. While ethical hackers can help clients better understand their security needs, it is up to the clients to keep their guards in place.

Acknowledgments

The author would like to thank several people: the members of the Global Security Analysis Lab at IBM Research for sharing their amazing expertise and their ability to make just about anyone understand more about security; Chip Coy and Nick Simicich for their trailblazing work in defining IBM’s Security Consulting Practice at the very beginning; and Paul Karger for his encyclopedic knowledge of computer security research and for his amazing ability to produce copies of every notable paper on the subject that was ever published.

**Trademark or registered trademark of the Open Group, Microsoft Corporation, eBay Inc., Yahoo! Inc., E*TRADE Securities, Inc., or Cable News Network LP, LLLP.

Cited references and notes

1.  E. S. Raymond, The New Hacker’s Dictionary, MIT Press, Cambridge, MA (1991).

2.  S. Garfinkel, Database Nation, O’Reilly & Associates, Cambridge, MA (2000).

3.  The first use of the term “ethical hackers” appears to have been in an interview with John Patrick of IBM by Gary Anthens that appeared in a June 1995 issue of ComputerWorld. 4. P. A. Karger and R. R. Schell, Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, Vol. II, Headquarters Electronic Systems Division, Hanscom Air Force Base, MA (June 1974).

5.     S.M.GoheenandR.S.Fiske,OS/360ComputerSecurityPenetration Exercise, WP-4467, The MITRE Corporation, Bedford, MA (October 16, 1972).

6.     R. P. Abbott, J. S. Chen, J. E. Donnelly, W. L. Konigsford, andS.T.Tokubo,SecurityAnalysisandEnhancementsofComputer Operating Systems, NBSIR 76-1041, National Bureau of Standards, Washington, DC (April 1976).

7.     W. M. Inglis, Security Problems in the WWMCCS GCOS System,JointTechnicalSupportActivityOperatingSystemTechnical Bulletin 730S-12, Defense Communications Agency (August 2, 1973).

8.     D.FarmerandW.Z.Venema,“ImprovingtheSecurityofYour Site by Breaking into It,” originally posted to Usenet (December 1993); it has since been updated and is now available at ftp://ftp.porcupine.org/pub/security/index.html#documents.

9.     See http://www.faqs.org/usenet/.

10.  Who can really determine who said something first on the Internet?

11.  See http://www.cs.ruu.nl/cert-uu/satan.html.

12.  This strategy is based on the ideal of raising the security of the whole Internet by giving security software away. Thus, no one will have any excuse not to take action to improve security.

13.  S.GarfinkelandE.Spafford,PracticalUnixSecurity,FirstEdition, O’Reilly & Associates, Cambridge, MA (1996).

14.  For a collection of previously hacked Web sites, see http:// www.2600.com/hacked_pages/orhttp://defaced.alldes.de.Be forewarned,however,thatsomeofthehackedpagesmaycontain pornographic images.

15.  In 1965, Intel cofounder Gordon Moore was preparing a speechandmadeamemorableobservation.Whenhestarted tographdataaboutthegrowthinmemorychipperformance, he realized there was a striking trend. Each new chip contained roughly twice as much capacity as its predecessor, and each chip was released within 18–24 months of the previous chip. In subsequent years, the pace slowed down a bit, but datadensityhasdoubledapproximatelyevery18months,and this is the current definition of Moore’s Law.

16.  J. O. Kephart, G. B. Sorkin, D. M. Chess, and S. R. White, “Fighting Computer Viruses,” Scientific American 277, No. 5, 88–93 (November 1997).

17.  Seehttp://www.research.ibm.com/antivirus/SciPapers.htmfor additional antivirus research papers.

18.  A. Boulanger, “Catapults and Grappling Hooks: The Tools and Techniques of Information Warfare,” IBM Systems Journal 37, No. 1, 106–114 (1998).

19.  R.R.Schell,P.J.Downey,andG.J.Popek,PreliminaryNotes on the Design of Secure Military Computer Systems, MCI-73-1, ESD/AFSC, Hanscom Air Force Base, Bedford, MA (January 1973).

Accepted for publication April 13, 2001.

Charles C. Palmer IBM Research Division, Thomas J. Watson Research Center, P.O. Box 218, Yorktown Heights, New York 10598 (electronicmail:ccpalmer@us.ibm.com).Dr.Palmermanagesthe NetworkSecurityandCryptographydepartmentattheIBMThomas J. Watson Research Center. His teams work in the areas of cryptography research, Internet security technologies, Java^TM security, privacy, and the Global Security Analysis Lab ( GSAL), which he cofounded in 1995. As part of the GSAL, Dr. Palmer worked with IBM Global Services to start IBM’s ethical hacking practice.Hefrequentlyspeaksonthetopicsofcomputerandnetwork security at conferences around the world. He was also an adjunct professor of computer science at Polytechnic University, Hawthorne, New York, from 1993 to 1997. He holds four patents and has several publications from his work at IBM and Polytechnic.

Share this

tz-ms