By Canadian Security
Two things are driving the digital side of security in our industry: the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Payment Card Industry (PCI) Data Security Standard, version 2. Both of them reflect the growing concern that our industry has with the protection of private information. We’ve already talked about firewalls and appliances that perform the function of Data Loss Prevention (DLP). Is there more that a company should do? The answer is unequivocally YES.
If you were to engage the services of an “ethical” hacking company, you would employ them in one of two ways. The first would be to see if they can “hack” into or penetrate your corporate systems from the Internet. Since, theoretically, every person on this earth has access to the Internet, you as a company are susceptible to an attack from anywhere. There are people who are running programs every minute of every day looking for companies who are not well protected. This is analogous to leaving the door to your house wide open. When someone with ill intention sees the door open, they know you are an easy target. So, as companies, we tend to secure what are known as the Internet touch points with firewalls and other intrusion detection and prevention devices.
I recommend, however, that companies take this to the next level. Employ an ethical hacking firm to test the inner defences of your company. I once hired one to come and plug their laptop into the corporate network. I said to them, bring whatever tools you would like to use, but I am not giving you any valid credentials to the network.
On the assumption that everything in the network is secure (i.e., all servers and workstations are patched to their latest levels), they should not be able to gain access to any information. Besides, I told them, our intrusion detection system should be able to pick up your activities and alert me. Now, by sheer coincidence, the person doing the ethical hacking was located at a spare desk in the Information Systems department.
When I received the ethical hacking report, I was shocked. Yes, all of our servers were patched and were not vulnerable. However, someone in the IT department had put up a test server because they needed to run some tests. Given that it was a test server, they never thought they had to patch it. This server was completely vulnerable and was successfully attacked and taken over by our ethical hackers.
The admin account and password were the same as those of the production servers, and now, all of a sudden, our ethical hackers had the administrative password to ALL the servers. Also, the IP address of this server was on the “safe” list, meaning that the traffic from it was considered safe. This server was used as a launching point into other areas of the network.
To make matters worse, the person who did Network Administration on the firewall and routers was sitting beside the empty desk where the ethical hackers were. He was using SNMP (Simple Network Management Protocol), version 1, which sends information across the network in clear text. Our hackers were able to gain the passwords to every network device. Within a few hours, they had the keys to the kingdom. They could easily have taken the complete network down. Before the hackers were hired, the company thought it was secure.
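The SNMPv1 weakness above is easy to check for from the defender's side: the community string that authenticates SNMPv1 and SNMPv2c requests is a plain ASN.1 OCTET STRING at the front of every packet, while SNMPv3 carries no clear-text community at all. The following added example (not from the article or the company it describes) decodes just that header from UDP payloads so a monitoring sensor can report which devices are still managed with v1 or v2c; the packets and source addresses are constructed for the example.

```python
# Added example: flag SNMP messages whose credential travels in clear text.
# SNMPv1/v2c put the community string in the packet as a plain OCTET STRING; v3 does not.
from dataclasses import dataclass
from typing import List, Optional, Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

@dataclass
class SnmpHeader:
    version: int              # 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3
    community: Optional[str]  # readable credential; None for v3

def parse_snmp_header(payload: bytes) -> SnmpHeader:
    """Read version and (for v1/v2c) community from a UDP payload; ignores the PDU."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):              # v3: msgGlobalData follows, no community
        return SnmpHeader(version, None)
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return SnmpHeader(version, community.decode("ascii", "replace"))

def audit(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (source, finding) for each packet that exposes its community string."""
    findings = []
    for src, payload in packets:
        hdr = parse_snmp_header(payload)
        if hdr.community is not None:
            label = "SNMPv1" if hdr.version == 0 else "SNMPv2c"
            findings.append((src, f"{label} community {hdr.community!r} sent in clear text"))
    return findings

# Constructed sample payloads and source addresses (not captured traffic).
GET_PDU = "a019" "020101" "020100" "020100" "300e300c" "06082b06010201010500" "0500"  # GetRequest sysName.0
SNMPV1_GET = bytes.fromhex("3026" "020100" "04067075626c6963" + GET_PDU)    # v1, community "public"
SNMPV2C_GET = bytes.fromhex("3027" "020101" "040770726976617465" + GET_PDU)  # v2c, community "private"
SNMPV3_HDR = bytes.fromhex("3012" "020103" "300d" "020101" "020205dc" "040107" "020103")  # v3 header only
SAMPLE_TRAFFIC = [("10.0.0.5", SNMPV1_GET), ("10.0.0.6", SNMPV2C_GET), ("10.0.0.7", SNMPV3_HDR)]
```

Running `audit(SAMPLE_TRAFFIC)` reports the two managers still speaking v1 and v2c and says nothing about the v3 host; the remediation is to move management traffic to SNMPv3 with authentication and privacy enabled.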
These ethical hackers exposed weaknesses that the company never believed were a problem. Just think of the number of contractors and visitors who can gain access to your network without having any credentials to your network.
When hiring an ethical hacking company, please do your due diligence, and ensure that they are what they say they are: ethical. They can offer a valuable insight into your corporate security profile and move you a long way towards PIPEDA and PCI compliance.