7 Planning for a Controlled
INHERENT LIMITATIONS
Touched upon earlier, inherent limitations are boundaries that cannot be crossed in the realm of ethical hacking. Many of these are based on the fundamental differences between a hacker and a security consultant. It can be argued that security professionals who interact with the hacking world can closely mimic a hacker; the reality is a consultant is being paid and the hacker has goals well outside the understanding of others. Inherent limitations are those restrictions that are associated with paying someone to perform an act normally practiced by criminals from a completely different culture and mindset. Following are some of the limitations that are intrinsic to the test:
• Time. The time a real hacker is afforded to collect information, gather tools, test the waters, get to know people, or any other aspect of hacking that can be used to obtain what is desired is arguably limited to only that person’s life expectancy. One could rightly assume time is only a minor obstacle for a hacker and is limited by tenacity, determination, and the state of the target. On one side, time can be an enemy to a hacker because of a missed opportunity, or an ally waiting for the right circumstances to launch the attack. Both of these attributes are negatives to the tester. A tester must perform an attack in a given timeframe against a company more than likely prepared for the test.
• Money. It should not be assumed that hackers don’t have any money. In reality, depending on the role they may play in organized crime, substantial investments may be made in providing them all the necessary tools and technology to perform their deed. For organized crime, investing $250,000 in a hacker is comparable to investing the same amount in guns or drug refinement equipment. By their very definition, crime syndicates are in the business of crime and invest the necessary funds to make more money. On the other hand, service firms that provide ethical hacking are usually limited by the amount of money they can make in a very competitive industry. Many times they are forced to make strategic investments in tools and people only when necessary and when funds are available. Nevertheless, a typical hacker does not have a great deal of money to put towards attacking others, but resourcefulness, time, and resolve more than make up for the lack of money. Finally, the money an organization is willing to invest in a test will have an impact on the scope and ultimately the inclusiveness of the test. Of course, this is related to time. With unlimited funds, time is not a formidable obstacle.
• Determination. Tenacity can play a significant role in how a hacker approaches a target. A disgruntled employee of a utilities company, Vitek Boden, took 48 attempts before he successfully accessed the SCADA system to release one million liters of sewage into the coastal waters off Queensland, Australia. The persistence of a hacker cannot be truly replicated because there are simply different motivators between the attacker and the tester. The tester wakes up in the morning, goes to work, gets a cup of coffee, starts hacking, and at the end of the day goes home with little personal attachment to the engagement. By comparison, strong feelings such as fear, anger, bravado, jealousy, and hatred increase the emotional investment of the hacker, resulting in a greater sense of accomplishment in finding the elusive kink in the armor. Without some skin in the game and with limited time, the consultant may overlook an opportunity that may have simply taken more doggedness to uncover.
• Legal Restrictions. Regardless of the legal documentation put in place to protect the tester from typical activities that under normal circumstances would be considered illegal, a virtual line remains separating the typical attack strategy from an act of terrorism. For example, there is a sizable step between installing a Trojan on a remote system and releasing a worm on the Internet. There is a difference between a tester identifying a vulnerability that has the potential to shut down a city power grid and actually exploiting the vulnerability. It’s doubtful there exists any legal documentation that could withstand the intentional act of perceivable terrorism or complete negligence on behalf of the tester in a court of law. Any attack that has the potential for serious damage or personal harm, or negatively affects other people or organizations, is a line a consultant cannot cross, and traditionally he operates to a point well before the virtual line between acceptable and devastating. Of course, this restriction does not apply to a hacker who may go to any length to obtain her goal. Therefore, the legal ramifications for hacking—at least up until recently—are negligible and represent a minor deterrent to the hacker. The only redeeming feature is that many of the more atrocious acts come with a substantial price if the hacker is caught, reducing the probability of broad devastating attacks, but not eliminating them altogether. Therefore, the tester may have the initial advantage and comfort in knowing he is protected while performing many of the tests, but the extent to which a consultant is willing to exploit a vulnerability is much less than what a determined hacker would do. The initial legal advantage can quickly become an intellectual disadvantage.
• Ethics. In every professional’s career he is at one point faced with a dilemma that forces a decision based solely on his ethics. It’s safe to say that security consultants have ethics in how they work with clients and others in the industry. With the lack of ethics, as with hackers, there are no limitations to the extent they are willing to go to accomplish a mission. Without some form of self-control, the limit is only defined by the readiness to expose one’s self to risks. On the surface, risks are being caught and going to jail, but more extreme examples can include the loss of life, as with terrorists. At its most basic element, anything is possible if the attacker is prepared to risk everything, and in a mind with no ethics, there is no logical governance.