Q&A With Doug Warden: 'Ethical Hacking'
Before Doug Warden, instructor with the Southern Alberta Institute of Technology, leads a TechMentor workshop next month on improving enterprise security, he took some time to discuss with me why your security policy should be designed from the point of view of an attacker.
Q: What does "ethical hacking" mean?
A: Ethical hacking is using the same techniques and tools as an attacker might use to try to find security holes in your own network. We all do lots of work to try to secure our systems, but it's hard to know if we're successful. It's like trying to get a good picture of Sasquatch or a UFO -- it's awfully difficult to prove they don't exist, and you can only prove that they do exist by getting that picture. But what can you do until that happens? Being breached by an attacker is like that -- you think you're secure and then all of a sudden you're in trouble. Ethical hacking is proactively testing your systems for security flaws that might be exploited by an attacker.
Q: Is it better to hire an outsider to ethically hack your network or develop these skills internally?
A: It depends on a number of things. There's good value in having someone come in who's an expert in doing this sort of thing, but I'm a big believer in internal skill development.
The best approach is likely some sort of hybrid, where you do ethical hacking tests and most of your work internally as part of your securing and testing cycle, and then bring in someone from the outside to test it occasionally.
When you bring someone in they don't know your network like you do, and it's possible that you wind up paying for consultants that you become totally dependent on, without growing your skill set. Security is a constant cycle -- you can't just set up a firewall, dust off your hands, walk away and never look at it again. You need to constantly plan, implement and reevaluate your systems. New exploits are constantly coming out and once something is secure, there's no guarantee that it will stay that way.
Q: How do you make sure the ethical hacking skills you've developed in your shop remain ethical?
A: Strict guidelines should be in place regarding what is acceptable behavior. What administrators and testers can -- and can't -- do needs to be clearly outlined in your security policies. Consequences of violating these policies should also be laid out. As techies, we might dislike documentation, but it's really important for the proper operation of any network. Using ethical hacking skills is sometimes a fine line. Using a tool like a protocol analyzer -- such as Wireshark, which I would consider a critical troubleshooting tool -- without proper permission can be frowned on by some companies. You need to be careful about having permission for the tools you use every day as well as where and when it's OK to use them.
Q: How do you make sure the hacking techniques you use are the new ones you might be attacked by?
A: This is a fundamental problem. It's very difficult to know what an attack might look like, and the reality is that it's extremely difficult to cover every possible attack, which is what a full-on penetration test will hopefully expose. Like water running downhill, an attack will generally follow the path of least resistance -- but it might also come from some entirely unexpected source, which is why we need to stay on our toes.
My experience is that security is a lot about protecting the low-hanging fruit. It's mostly the easy things we should all be doing to secure ourselves that get missed and leave us exposed. When you do ethical hacking it generally highlights the best practices that we're missing, but it's impossible to know for sure what someone might do when they attack. It isn't very sexy, but making sure things like system updates are done, antivirus is working and installed, and Group Policies are covering fundamental concerns are a lot more important than covering yourself from complex, obscure attack vectors.
Q: Could some of these techniques backfire and leave you exposed or corrupted?
A: If you install a Trojan or backdoor to see if it's possible, you should absolutely make sure they're removed, and be extremely careful about doing any sort of testing on live machines.
The type of ethical hacking I'm generally involved in is the internal sort of testing that we mentioned earlier, and my interest is in more of a "How would this work?" sort of approach. I find that once I've researched how an attack might happen and tried it using an attacker's perspective and tools, I gain a much deeper understanding of both the attack and the way my systems work. When I'm doing this sort of testing I always do it on a test network, not a live machine, and then apply what I've learned to securing my real systems.
Q: How do you make sure the hacking tools in your shop are only used by trusted employees?
A: You need to be vigilant. In addition to the security policies you have outlined defining what is acceptable behavior, you also need to be watching your own network. A common error in securing networks is to focus on the periphery of the network, and not worry about doing intrusion protection or setting Access Control Lists between trusted networks. Studies show that most security breaches are caused -- or performed -- by credentialed employees, rather than by shadowy attackers from the outside. Anything that you detect not coming from a trusted employee should be treated as an attack, whether it comes from inside or outside your network.
Want to learn more? Doug will be speaking at our TechMentor 2012 conference, being held at Microsoft HQ in August.
Posted by Doug Barney on 07/23/2012 at 1:19 PM