Ethical hacker provides insight into corporate weak spots
Kevin Johnson has hacked into thousands of computers and never spent a day in jail. And he wants to teach you how to do it, too.
By Linda Johnson
Johnson is an instructor at the SANS Ottawa 2011 training conference, being held Aug. 29 to Sept. 2 by SANS Technology Institute, a computer security college (www.sans.org/ottawa-2011). In his course, Web App Penetration Testing and Ethical Hacking, he teaches students how to defend a company’s web applications against a hacker.
To do that, he says, they must learn how to hack into those web applications, detecting as many problems, or vulnerabilities, as possible.
“To properly defend your systems, you have to understand what the hacker is going to do. If you don’t understand the attacks, there’s no way to effectively defend against them,” says Johnson of Secure Systems, a security consulting business based in Orange Park, Fla.
What makes this hacking “ethical,” of course, is that the company has agreed to the attack and that the goal is not to steal data or harm the business but to protect that company’s network against a real hacker. “We build a scope: What are we allowed to attack? What are we not allowed to attack? We do our best to ensure that we stay within that scope. We only attack what they’ve given us permission for,” Johnson says.
It’s also ethical, he adds, because testers don’t perform attacks that could damage the company’s network. A malicious hacker sometimes performs a denial-of-service attack, which prevents the site or service from functioning and stops the company from doing business. For ethical hackers, Johnson says, such denial-of-service attacks are out of scope.
“We won’t go in and delete all the data out of a system because that would be destructive, and it wouldn’t serve any purpose. If I find a vulnerability that would allow me to delete the data, I report it. I say, ‘Here’s a problem, and here’s what I could have done. But because I don’t want to screw up your business, I’m not going to delete all your customer data,’” he says.
Johnson says web applications have become a favourite target of hackers. And while most organizations use web applications, whether exposed to outside visitors who do business with the company or used internally, they don’t know how to protect them. Security teams, focused on traditional network-based attacks, rely on firewalls and anti-virus software. But hackers can still find ways into the company’s information through the input those applications accept, for example a phone number or website address typed into an online helpdesk form.
“Most organizations have a firewall: ‘Let’s block network traffic.’ But in almost all cases that firewall allows in-and-out web traffic. So it becomes an entry point into your network, into your organization. That’s why most people should know how to attack it,” he says.
“I get into organizations through their web applications and steal business data, credit card numbers and, here in the U.S., social security numbers. I take it and say, ‘This is what I got, here’s how I got it and here’s how you fix that problem.’”
The conference attracts a wide range of people, Johnson says. Most are in IT and security. Many auditors are interested in extending their Internet knowledge and skills; some of the security managers who attend run teams of people who either do testing or deal with security or operations. The course also attracts a large number of people in law enforcement.
And some students have no background in IT or security at all. Sometimes, he adds, a person has just decided, “I want to be a security person. This is cool. I heard about it, I read an article, and it sounds interesting. It sounds like something I want to do.”