2 Setting the Stage
WHERE DOES ETHICAL HACKING FIT?
To start this endeavor on the right foot we must first recognize there are two schools of thought on the role ethical hacking plays in the world of information security: a complete approach to security or a part of a much larger security strategy. The two sides of the same coin are founded on how you approach security.
Some see ethical hacking as the overarching umbrella of security. The rationale is that if you can expose every vulnerability in a system (a system being a collection of networked computers, applications, services, and data), that system will be more secure, with the results of the test used for building a security program. Therefore, the more you exploit a system, the more you know about your weaknesses—and the impacts if they are exploited—and the more secure you will be. Consider this strategy an ongoing approach to security in the form of exploitation as opposed to observation, with the results being used to generate a security posture based on vulnerability mitigation.
In contrast, some see penetration testing as part of a much more comprehensive security strategy. For example, when performing a risk analysis it is necessary to provide some form of measurement, such as numbers, letters, percentages, or anything that can be used to qualify or quantify various information security characteristics. In other words, you have to measure the value of assets, the number and types of vulnerabilities, the likelihood of exploitation, and the level of impact, and relate this back to a metric that can be used to make an informed decision. Penetration testing can be used to build a collection of empirical data about the number and types of vulnerabilities. Moreover, by exploiting those vulnerabilities you can determine the level of criticality they represent in your environment. When this information is fed into a risk analysis process, along with dozens of other forms of data, a comprehensive evaluation is given a level of accuracy not previously attainable. At the end, a risk analysis, in combination with a security policy, will be used in the building of a security program.
On the surface, these approaches appear nearly identical. However, in practice they materialize as different methods of addressing security and therefore become different animals altogether. One could argue that the popularity of penetration testing today is founded on the relatively low cost and instant gratification of a test as opposed to an exhaustive risk analysis. Moreover, the tests are usually pointed at tactical concerns, such as “What is causing me pain today that I can afford to fix?” A risk analysis takes the position of “What do I need to do in order to be secure in relation to my business and operational needs?” The former is a snapshot in time taken over and over, whereas the latter is a discipline supported by detailed information.
One should not be considered better than the other, just different. In this book, the concept of ethical hacking is presented as part of a larger program. It is an opportunity to feed a much larger process in an effort to create a sound security program. Ethical hacking is one of many tools that can be used to evaluate the state of a security program, but is not necessarily the foundation on which one should or can be built. The framework presented herein presents penetration testing as a tool that can be employed to support an overall security strategy, taking into consideration many of the other elements common among many accepted security programs.
So, why is ethical hacking so popular? If you spend the bulk of your book-browsing time in the “Computer and Networking” section of your favorite bookstore, it is very likely the subject of hacking will dominate the security shelf. For those seeking a security consulting company to provide hacking services, get prepared for a slew of candidates, because it seems everyone is lining up to hack your network. Several reasons can be given for the frenzy we’re seeing, but for me one seems to stand out. Based on hundreds of conversations with companies throughout the United States and most of Europe, many feel they are practicing sound security and have tamed the beast. Now all that is left for them is to test what was implemented and apply a patch or two. Therefore, penetration testing offers the perfect value zone. It is not overly expensive: the cost of a test will typically fit within most budgets and can be easily expanded or contracted to match available funds. Finally, it provides measured results and appears to clearly expose any weaknesses that may exist. Sounds pretty good, doesn’t it? If you said yes, most people would be in agreement, or at least the amount of time and investment spent on penetration testing as opposed to other forms of security services would suggest most agree: it’s where people are putting the money.
How long will this last? For some it’s a novelty, a new toy to add to the list, whereas for others it’s a serious part of their security program. The reality is that information security in the technical world is in its infancy, and ethical hacking may become a best practice for the foreseeable future. Alternatively, we may look back one day and wonder, “What were we thinking!”