Ethical hack
An ethical hack or penetration test is performed on enterprise applications by a third party to find vulnerabilities in the application so that they can be remediated before a new application goes live in production. It is also done on existing applications, typically on a yearly basis, to find vulnerabilities so that they can be fixed.
Introduction
Ethical hacking is essentially the act of unearthing vulnerabilities in a web-based application before it goes live, so that they can be fixed before the application is accessed by anyone. It is done by IT professionals, not by hackers with darker intentions. Many companies use different third-party providers for ethical hacking services. For example, a large bank or a large internet vendor might engage outside professional services to test its major applications yearly, using a different firm each time. The idea is to get a different perspective, because methodologies differ from firm to firm, not to mention the different habits of the people performing the test.
While published text, articles and books abound on how to conduct an EH test, there is hardly any material available to show large corporations a way to monitor and implement remediation of EH findings across thousands of web applications running on possibly tens of servers. This article attempts to throw some light on that process.
When is it done
For new web applications, penetration testing is typically done before the application is moved to production: the system is deployed on a pre-production environment, and the penetration test is run there. Note that in almost all cases big organizations give this job to an outside vendor. The outside vendor conducts the penetration test, produces a nice PDF report on it and passes the report to the corporation.
It is common for potential clients to delay the evaluation of their systems until only a few weeks or days before the systems need to go on-line. Such last-minute evaluations are of little use, since implementations of corrections for discovered security problems might take more time than is available and may introduce new system problems.
The Final Report
The final report is a collection of all of the ethical hacker's discoveries made during the evaluation. Vulnerabilities that were found to exist are explained and avoidance procedures specified. If the ethical hacker's activities were noticed at all, the response of the client's staff is described and suggestions for improvements are made. If social engineering testing exposed problems, advice is offered on how to raise awareness. This is the main point of the whole exercise: it does clients no good just to tell them that they have problems. The report must include specific advice on how to close the vulnerabilities and keep them closed. The actual techniques employed by the testers are never revealed. This is because the person delivering the report can never be sure just who will have access to that report once it is in the client's hands. For example, an employee might want to try out some of the techniques for himself or herself. [http://media.wiley.com/product_data/excerpt/4X/07645578/076455784X.pdf]
It is worthwhile to remember that although high-priced consultants run the EH test for you and generate a thick report, it must contain precisely defined, actionable remediation steps. If it has too many false positives and false negatives, no real vulnerabilities are acted on.
Evaluating results
After the EH report is obtained, the findings need to be evaluated and correlated. Correlating the specific vulnerabilities discovered is a skill that improves with experience. Over time, one ends up knowing one's systems as well as anyone else does, which makes the evaluation process much simpler going forward.
EH reports contain all the issues discovered for the system being tested. At the very minimum, a report contains a thorough description of each issue discovered as well as a precisely described remediation. It also contains the [http://www.foundstone.com/us/pdf/techcon/risk_assessment.pdf severity level of each vulnerability], often classified as High, Medium and Low.
Fixing EH issues
Note that for any large corporation, the goal of this exercise is to remediate all the findings in the EH reports. This is a monumental task. Since any major organization hosts thousands or tens of thousands of sites (applications) spread across hundreds of servers, it will have to handle as many EH reports and remediate the findings quickly so that (1) new sites can be moved from pre-production to production and (2) existing sites can continue to operate before existing vulnerabilities are exploited by anyone. Since these days any major global organization will have operations, and therefore web hosting infrastructures, in America, Europe and Asia, the findings will typically have to be remediated by the respective organizations owning each hosting infrastructure. That is why remediating EH findings within an organization is a very complex operation involving coordination among several groups.
The "Open" items need to be monitored to ensure that they are closed. Depending on their risk factor (high, medium, low), the stipulated time to fix issues will vary; obviously, high-risk items ought to be addressed faster than low-risk items.
Tracking the EH Findings
After finishing ethical hack tests for a site, it is necessary to implement remediations for the open findings to make sure that the site is secure. Typically, in very large corporations there is a central Security or Vulnerability Assessment Team that organizes external EH testing for all sites and gathers the EH reports. It then monitors the findings and coordinates remediations. Typically, the Security Team will contact the Development Manager of the site and ask them to remediate the findings; when they are remediated to the satisfaction of the Security Team, the site is cleared for production deployment. The Development Team applies the technical solution to the findings, typically through its engineers and systems administrators. The Development Team should create a database of all EH findings for all its sites to effectively monitor the findings and also to make sure that, for a particular issue, the same solution is applied to all its sites. Unless a database is maintained, it is very difficult to do that effectively. This is especially true for large corporations.
Creating Internal Database for monitoring
So, if you are working for a large global organization hosting several thousand applications, how are you going to make sure that the findings are remediated? That findings in hundreds of EH reports are being worked on by the respective groups? Usually, the best idea is to have a centralized team responsible for collecting all EH reports. They can then create a database of all the findings, where one row of data corresponds to one EH finding. Progress on remediation can be monitored against the database. If an item is being worked on, it can be labelled "Open" or "In Progress". If an item has been remediated successfully, it can be labelled "Complete" or "Closed".
It must be pointed out here that EH findings are extremely confidential from a security perspective. They cannot be divulged to anybody outside the team without proper verification and without making sure that a proper procedure is in place.
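The tracking database described in the last two sections, as an added example that is not part of the article and not any vendor's tool: one row per EH finding with a site, hosting region, severity (High/Medium/Low) and status label (Open, In Progress, Closed), plus the two queries a central team needs, a severity-based overdue list and a "same issue still open on other sites" check. The remediation windows in SLA_DAYS, the site and region names and the sample findings are all constructed for illustration.

```python
"""Minimal EH findings tracker (added example; assumptions are marked below)."""
import sqlite3
from datetime import date, timedelta

# Assumed stipulated days to remediate per severity (constructed, not a stated policy)
SLA_DAYS = {"High": 7, "Medium": 30, "Low": 90}
VALID_STATUS = ("Open", "In Progress", "Closed")

SCHEMA = """
CREATE TABLE findings (
    id        INTEGER PRIMARY KEY,
    site      TEXT NOT NULL,
    region    TEXT NOT NULL,
    title     TEXT NOT NULL,
    severity  TEXT NOT NULL CHECK (severity IN ('High', 'Medium', 'Low')),
    status    TEXT NOT NULL CHECK (status IN ('Open', 'In Progress', 'Closed')),
    reported  TEXT NOT NULL,   -- ISO date the EH report was received
    closed    TEXT             -- ISO date the Security Team accepted the fix
);
"""

# Constructed sample findings: (site, region, title, severity, reported date)
SAMPLE_FINDINGS = [
    ("payments", "Europe",  "Reflected XSS in search form",       "High",   "2010-03-01"),
    ("payments", "Europe",  "Verbose server banner",              "Low",    "2010-03-01"),
    ("intranet", "America", "Reflected XSS in search form",       "High",   "2010-03-05"),
    ("portal",   "Asia",    "Session cookie without Secure flag", "Medium", "2010-02-10"),
]


def _as_date(value):
    """Accept either a date or an ISO string such as '2010-03-20'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def open_db(sample=True):
    """Create an in-memory findings database, optionally loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    if sample:
        conn.executemany(
            "INSERT INTO findings (site, region, title, severity, status, reported) "
            "VALUES (?, ?, ?, ?, 'Open', ?)",
            SAMPLE_FINDINGS,
        )
    return conn


def set_status(conn, finding_id, status, today):
    """Move a finding to a new status label; closing records the acceptance date."""
    if status not in VALID_STATUS:
        raise ValueError(f"unknown status {status!r}")
    closed = _as_date(today).isoformat() if status == "Closed" else None
    cur = conn.execute(
        "UPDATE findings SET status = ?, closed = ? WHERE id = ?",
        (status, closed, finding_id),
    )
    if cur.rowcount != 1:
        raise KeyError(f"no finding with id {finding_id}")
    conn.commit()


def overdue(conn, today):
    """(id, site, severity, days_overdue) for unclosed findings past their SLA window."""
    today = _as_date(today)
    rows = conn.execute(
        "SELECT id, site, severity, reported FROM findings WHERE status != 'Closed'"
    ).fetchall()
    result = []
    for fid, site, severity, reported in rows:
        deadline = date.fromisoformat(reported) + timedelta(days=SLA_DAYS[severity])
        if today > deadline:
            result.append((fid, site, severity, (today - deadline).days))
    # Highest severity first, then longest overdue, so the queue reads top-down
    order = {"High": 0, "Medium": 1, "Low": 2}
    result.sort(key=lambda r: (order[r[2]], -r[3]))
    return result


def sites_with_same_issue(conn, title):
    """Sites where a finding with this title is still unclosed (apply one fix everywhere)."""
    rows = conn.execute(
        "SELECT DISTINCT site FROM findings WHERE title = ? AND status != 'Closed' "
        "ORDER BY site",
        (title,),
    ).fetchall()
    return [r[0] for r in rows]


def counts_by_region(conn):
    """Status counts per hosting region, for the groups owning each infrastructure."""
    rows = conn.execute(
        "SELECT region, status, COUNT(*) FROM findings GROUP BY region, status"
    ).fetchall()
    return {(region, status): n for region, status, n in rows}


if __name__ == "__main__":
    db = open_db()
    set_status(db, 1, "Closed", "2010-03-06")       # payments XSS fixed and accepted
    set_status(db, 4, "In Progress", "2010-03-06")  # portal cookie fix under way
    for row in overdue(db, "2010-03-20"):
        print("OVERDUE", row)
    print("still open elsewhere:", sites_with_same_issue(db, "Reflected XSS in search form"))
    print(counts_by_region(db))
```

The overdue list is what the central team would review with each regional Development Team; the title-based lookup is the check that, once the payments site has closed a finding, the same fix is still outstanding on intranet. A real deployment would add who owns each row and restrict read access, since the article stresses that the findings themselves are confidential.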
Vendors and Tools
* [http://www.primeon.com/press/Sample_exec_summ.pdf DeepSource - a comprehensive methodology for EH testing by Primeon]
* [https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^14344_4000_100__ HP Application Security Products - HP Application Security Resource Library]
* [http://www.foundstone.com Foundstone - Leading vendor]
See also
* Software testing
* Static code analysis
* Performance analysis
External links
* [http://www.research.ibm.com/journal/sj/403/palmer.html "Ethical hacking" - Introduction to Ethical Hacking]
* [http://h71028.www7.hp.com/enterprise/downloads/webapphack.pdf "Web Application hacking" - Basics of Web Application Ethical Hacking]
* [http://www.primeon.com/press/Sample_exec_summ.pdf "Vulnerability Assessment Executive Summary WebPower Application" - Shows EH testing within the Framework of Application VA testing]
* [http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci968789,00.html "Ethical hacking: The other side of the fence" - Discusses the process of evaluating outside firm for EH testing]
* [http://www.amazon.com/dp/084931609X "The Ethical Hack - A Framework for Business value Penetration Testing, Book by James S. Tiller"]
* [http://media.wiley.com/product_data/excerpt/4X/07645578/076455784X.pdf "Hacking For Dummies By Kevin Beaver"]
Wikimedia Foundation. 2010.