Monday 21 January 2008

The future of (ethical) hacking?

This post is not about where the hacking community is going (whatever that means), but more about what I'd like organisations to think about.

I'm particularly proud of one aspect of our service: that we are pragmatic. By this I mean our ability to focus on genuine threats without being lost in the testosterone-driven "I've found the most obscure vulnerability ever" mindset. Wearing a white hat is much more than digging deeper than the next penetration tester - it's also about helping clients to understand where they should put their effort and their budget to get the most appropriate defence.

For me the most obvious illusion is that the important attacks will come from outside the organisation and that they will come via the interweb. If an organised criminal is going to target your organisation, then they're going to take the route that combines the best return on their investment with the highest probability of success (and to some degree the lowest risk). This is a typical business model - just an immoral one in their case.

So where do I believe organisations should focus? On what I'm calling blended attacks - attacks that combine technical skills with social engineering. These are the types of attack which we find work time after time, in the fastest way, with the highest return and with little risk of detection. There's nothing new in this sort of approach (just read Kevin Mitnick), yet the majority of organisations do little or nothing to test for these vulnerabilities.

Here's an example from my own team's experience. Recently, a UK-based insurance company asked us to test their physical security, with the objective of stealing as much information as possible. Andy and I rented a car close to their offices, then I parked in their car park and waited, having dropped Andy off at the side of the building. He was wearing a suit without a jacket, so he looked as if he had just come out from the office. At the rear of the building was a door with a proximity card access control. This door was used by the smokers who (as usual these days) had to visit a little shelter at the rear of the building to get their fix. When one employee finished her cigarette and walked back towards the door, Andy ran after her and, complaining about the weather, asked her to hold the door for him - which of course she did. He was then able to open the door from the inside and let me in.

We then played our assigned roles - Andy was the employee and I was the consultant, there to conduct a security audit (of course!). We found the usual suite of meeting rooms and selected one which was empty. Within a couple of minutes I had hooked up my laptop to a network port in the floor, obtained a DHCP address and started my network discovery software. After an hour or so, some genuine employees arrived to use the meeting room - we of course apologised for the double booking and found ourselves another empty room.

In total we were on site for five hours and able to grab just about anything we wanted from the network. We were never challenged or asked to show a badge, and at the end of the day we left by the same route we came in. Game over.
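The laptop in the meeting room left a trace: it asked the corporate DHCP server for an address. As an added illustration (not part of the original post, and not a tool the team used), here is a small check a defender could run over DHCP server logs to flag leases handed to devices that are not in the asset inventory, ranking those on meeting-room subnets highest. The log lines, the `KNOWN_ASSETS` inventory and the `MEETING_ROOM_NETS` subnet list are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of ISC dhcpd-style syslog lines; not taken from the post.
SAMPLE_LOG = """\
Jan 21 10:02:11 dhcp1 dhcpd: DHCPACK on 10.20.5.41 to 00:1a:2b:3c:4d:5e (corp-lt-0421) via 10.20.5.1
Jan 21 10:15:47 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 08:00:27:9a:bc:de (macbook-pro) via 10.20.5.1
Jan 21 10:31:03 dhcp1 dhcpd: DHCPACK on 10.20.7.12 to 00:1a:2b:3c:4d:70 (corp-lt-0198) via 10.20.7.1
Jan 21 10:40:09 dhcp1 dhcpd: DHCPACK on 10.20.7.33 to 00:1a:2b:3c:4d:99 via 10.20.7.1
"""

# Hypothetical asset inventory: MAC addresses of managed corporate devices.
KNOWN_ASSETS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:70"}

# Hypothetical subnets that serve meeting-room floor ports (where a visitor can plug in).
MEETING_ROOM_NETS = [ipaddress.ip_network("10.20.5.0/24")]

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<relay>\S+)"
)


def find_unknown_leases(log_text, known_assets, meeting_room_nets):
    """Return leases granted to MAC addresses missing from the inventory.

    Severity is 'high' when the lease sits on a meeting-room subnet (an
    unmanaged device on a visitor-accessible port) and 'medium' elsewhere.
    Leases to known assets are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement, skip
        mac = m.group("mac").lower()
        if mac in known_assets:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        in_meeting_room = any(ip in net for net in meeting_room_nets)
        findings.append({
            "ip": str(ip),
            "mac": mac,
            "hostname": m.group("host") or "",  # client may send no hostname
            "severity": "high" if in_meeting_room else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_unknown_leases(SAMPLE_LOG, KNOWN_ASSETS, MEETING_ROOM_NETS):
        print(f"{f['severity']:<6} {f['ip']:<12} {f['mac']} {f['hostname']}")
```

Run against the sample it reports the meeting-room lease first; in practice the inventory would come from the MDM or NAC system and the check would run on each new DHCPACK rather than over a saved log.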

There really is no substitute for the "human firewall" and there's definitely no patch for ignorance (it is ignorance, not stupidity in many cases, you know). Using the results of this type of exercise demonstrates to everyone how easy this devastating style of attack can be, and allows the organisation to start the difficult process of security awareness education. And they not only have to educate the office staff, they have to educate the IT folks and the senior managers and board members too.

1 comment:

Vishal Garg said...

Wonderful! That's a real eye opener, and I completely agree that the human factor is as important as the technical one.