
The Hacker on Your Side
By James Chapple

Reprinted from the Winter 2002 issue of CSC World.

The company’s system was more secure than most. The most critical data were on servers that were locked down, fully patched, and had all unnecessary services removed. All users were required to use strong passwords, and there was no easy way to access the servers directly.

So I broke in indirectly.

Some of the workstations weren’t very secure, because there was no important data on them. But one of those workstations belonged to the system administrator. By remotely reading his keystrokes, it took me less than 30 minutes to get the system login and the password to the key server. Now I could log on to the server as the administrator, with full rights. I could get anything I wanted.

Luckily for that company, I hacked into their network at their request. I had been hired to assess the network’s vulnerabilities, not take advantage of them. So when I got access to the critical servers, I notified the CIO.

I’m what is called an ethical hacker, someone who uses the tools and techniques of the (unethical) hacker to test the security of a system or network. I’ve done this kind of testing for civil and military government agencies and for companies in financial services, manufacturing, health care, and other industries. That experience has shown me what companies should and should not do when they do vulnerability assessments.

Hacking isn’t linear

Let’s start with the company in the example above, which I’ll call Company X. Company X’s network security was better than most companies’, but I was still able to break into it with very little trouble. That’s because, like most companies with fairly good security, it had concentrated on the firewall and a few key servers and then assumed the entire network was protected.

This approach to security carries over into some of the scanning software used to detect vulnerabilities. Most of these tools are linear, methodically testing one machine after another. When such a tool detects a weakness, it marks it down for further reference, then goes on to the next machine.

A scanning tool like this could not have told Company X’s CIO anything she didn’t already know. It would have reported what everyone already knew: that the workstations were vulnerable. It would not have told the CIO what she needed to know: that those weaknesses, not serious in themselves, could be chained into a compromise of the servers that had been so carefully locked down.

When I hacked into Company X, I began with a holistic approach, performing an initial, rapid assessment of every system on the network. This revealed that the key servers were fairly secure, but a number of workstations were not. I then adopted a strategy of identifying where these weak points could take me. By looking at the workstation names and accounts, I was able to determine that one of these workstations was used by the system administrator. I then focused on that workstation and was able to capture all keystrokes from the system. Once the administrator used this workstation to remotely connect into the servers, I had all the information I needed.

The weak point isn’t always a workstation. It could be a secondary server, backup system, or networking device. The lesson from this example is that computer security is more than ensuring that a few key machines are secure. Good computer security is a network operation.
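The difference between a linear scan report and the path-based view the section describes can be made concrete. The following is an added example, not code from the article or from CSC: it models a small network in the shape of Company X (hardened servers, weak workstations, one of them the administrator’s, plus a backup server that pulls from the database) and scores it two ways. The host names, severities, asset values and the "logs in to" relationships are all constructed; the last of these is exactly the information a host-by-host scanner never records and an attacker discovers from workstation names, accounts and captured sessions.

```python
"""Attack-path triage over vulnerability-scan findings.

Added example, not from the article. The network below is constructed to
mirror the Company X story: patched, locked-down servers; weakly secured
workstations; one workstation belonging to the administrator, who uses it
to log in to the servers. Host names, severities and asset values are made up.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    value: int                 # constructed asset value, 1 (nothing important) .. 10 (crown jewels)
    critical: bool = False     # holds the data the assessment is meant to protect
    # scanner findings as (severity 1..10, gives_control, description)
    findings: list = field(default_factory=list)
    # hosts this machine's users authenticate to from here (interactive sessions,
    # saved credentials, admin tools). A scanner does not record this; an attacker
    # learns it from host names, accounts, keystrokes or traffic. Controlling this
    # host yields credentials for every host in the set.
    logs_in_to: frozenset = field(default_factory=frozenset)

    @property
    def exploitable(self) -> bool:
        return any(gives_control for _, gives_control, _ in self.findings)

    @property
    def worst_severity(self) -> int:
        return max((sev for sev, _, _ in self.findings), default=0)


def _host(name, value, critical=False, findings=(), logs_in_to=()):
    return Host(name, value, critical, list(findings), frozenset(logs_in_to))


# Constructed network in the shape of Company X.
NETWORK = {h.name: h for h in [
    _host("srv-db", 10, critical=True),            # patched, hardened: no findings
    _host("srv-app", 8, critical=True),
    _host("srv-file", 3),
    _host("srv-backup", 3,
          findings=[(3, True, "backup agent accepts default credentials")],
          logs_in_to={"srv-db"}),                   # backup job pulls from the database
    _host("ws-admin", 1,
          findings=[(4, True, "outdated client software, remote code execution")],
          logs_in_to={"srv-db", "srv-app"}),        # the administrator's desk
    _host("ws-sales-01", 1,
          findings=[(4, True, "outdated client software, remote code execution")],
          logs_in_to={"srv-file"}),
]}


def linear_report(hosts):
    """What a host-by-host scanner produces: each machine scored on its own
    findings and its own asset value, highest first."""
    scores = [(h.name, h.worst_severity * h.value) for h in hosts.values()]
    return sorted(scores, key=lambda s: (-s[1], s[0]))


def reachable_from(hosts, start):
    """Breadth-first walk along credential edges; returns {host: shortest path}."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(hosts[cur].logs_in_to):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    paths = {}
    for dest in parent:
        if dest == start:
            continue
        path, node = [], dest
        while node is not None:
            path.append(node)
            node = parent[node]
        paths[dest] = path[::-1]
    return paths


def attack_paths(hosts):
    """Entry point -> critical host chains, the result the linear report hides."""
    chains = []
    for name in sorted(hosts):
        if not hosts[name].exploitable:
            continue
        for dest, path in reachable_from(hosts, name).items():
            if hosts[dest].critical:
                chains.append(path)
    return chains


def escalated_report(hosts):
    """Re-score every exploitable host by the most valuable machine its
    credentials reach, not by what it stores itself."""
    scores = []
    for h in hosts.values():
        if not h.exploitable:
            scores.append((h.name, 0))
            continue
        reach = reachable_from(hosts, h.name)
        worst_value = max([h.value] + [hosts[d].value for d in reach])
        scores.append((h.name, h.worst_severity * worst_value))
    return sorted(scores, key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    print("linear:   ", linear_report(NETWORK))
    print("escalated:", escalated_report(NETWORK))
    for chain in attack_paths(NETWORK):
        print("path:", " -> ".join(chain))
```

In the linear report the administrator’s workstation ranks below the backup server and level with a sales desk, and both critical servers score zero. The escalated report puts it first, because its credentials reach the database, and attack_paths prints the three chains a reviewer actually needs to act on. The scoring rule and the edge model are simplifications chosen for the example; the point is that the ranking changes only once the "logs in to" relationships are part of the data.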

The hacker method

Hackers often begin by assessing a target’s vulnerability the same way the target organization itself would: by using one of the many commercial, freeware, or independently developed scanning tools. Using the data gathered by the scan, they then attempt to exploit the weaknesses found. They do not dismiss a weakness as unimportant because the exposed device is unimportant in itself. Instead, they try to leverage a low level of access into a higher one.

The first step toward gaining greater access is to gain complete control of the weak device. In most cases the system administrators never learn that a box on their network is under outside control, and hackers work to keep it that way by "repairing" the weak device: while installing a "backdoor" that lets them retain control, they may also edit log files to remove evidence of their activity and even patch the initial vulnerability that let them in.

The hacker is now ready to gather the data needed to reach further into the network. The next step is to install "sniffer" software that monitors the network traffic passing the compromised device and collects user IDs, passwords, and IP addresses. The hacker also checks whether this device has access to other systems that could not be reached directly from outside. The final step is to use the sniffer data and that access to compromise additional machines on the network.

The hacker perspective

A hacker can tell you what tools alone cannot. Security analysts who do no more than use commercial or shareware scanning tools will make two kinds of mistakes: they will fail to identify weaknesses, as seen above; but they will also report weaknesses that do not exist. No single scanning tool can find all vulnerabilities, and all tools are likely to identify false positives. Further testing is needed to follow up on scanning results, and hackers are especially good at this.

We’ve already seen that tools can identify minor problems, but that only hackers can determine which of those problems can be exploited to cause major problems. By not doing follow-up testing on scanning results, clients may well waste resources fixing weaknesses that are not very serious and may be very difficult to exploit in any case.

False positives — reports of vulnerabilities that really do not exist — are another problem. There are several reasons for false positives: some are artifacts of the interaction between firewall and scanning software (different scanning tools will produce different results on the same firewall); some are reported simply because the security scan was done when the network was busy and routers were congested; others can be produced by the rule-sets of some firewalls and network routing devices.

Analysts who simply hand the client the results of a security scan are doing only half their job. To provide a true overall assessment of the risk to a system, scans must be complemented by follow-up testing. Machines alone cannot defeat human ingenuity, so it’s best to get that ingenuity on your side. To protect your most sensitive data, an old rule still applies (with a slight variation): Set a hacker to catch a hacker.


© Copyright 2008 Computer Sciences Corporation