Penetration Testing: The Legal Way to Hack

The penetration test is the activity in which a security vendor or white hat hacker will deploy their skills acquired from training, certification and practical experience. The aim of the penetration test is to discover system or network vulnerabilities and exploit those vulnerabilities with the consent of the system owner(s). The penetration test scans for vulnerabilities and looks to actively exploit any uncovered vulnerabilities; it is a complement to the vulnerability scanners used during a vulnerability assessment. The penetration test helps identify which vulnerabilities are real and discern whether they can actually be exploited. “Vulnerability scanners can tell what potential risks are, but pen tests can provide the actual facts about the risks, including if they are exploitable and what information could be exploited if they were” (Howarth, 2010a, para. 2).

There are many different flavors of pen testing. A manual or automated test may be executed. The manual test is more involved and typically more costly if an outside authority is used, as it requires significantly more expertise than an automated test. The automated testing approach is carried out via the logic, rules and/or AI embedded in a software product. One such commercial product on the market is SAINTexploit, which not only exposes vulnerability points but also exploits those vulnerabilities to prove their existence. SC Magazine for security professionals rates SAINTexploit as an overall 4.75/5 star product for automated penetration testing. The annual cost of the product is $8,745 for 1,000 unique targets; the product must be renewed annually for continued usage (Stephenson, P., 2013). “Automated tools can provide a lot of genuinely good information, but are also susceptible to false positives and false negatives, and they don’t necessarily care what your agreed-upon scope says is your stopping point” (Walker, M., 2013, Chapter 11).

The two types of penetration testing as defined by the EC-Council (the certification body for the Certified Ethical Hacker designation) are external and internal. External assessments analyze publicly available information and conduct scanning and exploitation from outside the network perimeter. The internal assessment is the opposite: it is performed from within the network perimeter.

The concept of black, white and grey box testing also comes into play when determining what information is known beforehand in order to carry out the penetration test. Walker (2013) notes that in a black box test the attacker has no information about the system or infrastructure beforehand. The black box test takes the longest to complete and is the closest simulation of an actual attack. White box testing simulates an insider with complete knowledge of the systems and infrastructure who carries out the penetration test. Finally, the grey box test provides limited information on the targeted systems and/or infrastructure.

Another parameter that can make the pen test more closely resemble real world conditions is the incorporation of social engineering. The white hat is given permission to use phishing attacks in order to gain access to passwords or other sensitive information. With phishing, the ethical hacker can design any number of email messages, websites, or even utilize phone calls under false pretenses in order to get a user to install malicious software or hand over sensitive information. The organization can gauge the results of these controlled social engineering attacks to see which users need a refresher in the company security policy or to determine if the current security policy is effective.

An organization carrying out an external penetration test by using an outside company should have the scope and the rules of the test clearly defined in contractual or service level agreement terms. In the event of a disruption of service or any other catastrophic event, both parties should know ahead of time which party is responsible for correcting any issues. Graves (2010, Chapter 15) asserts that the documents necessary to have signed by the client before conducting a white hat penetration test are:

  • “Scope of work, to identify what is to be tested”
  • “Nondisclosure agreement, in case the tester sees confidential information”
  • “Liability release, releasing the ethical hacker from any actions or disruption of service caused by the pen test”

Although penetration testing is widely used by organizations to test for system, network or human vulnerabilities, there are some limitations to its effectiveness. All of the varying client parameters placed around the pen test (e.g. financial systems are out of scope, no social engineering, etc.) can conceal weaknesses that would still be exploitable in an actual black hat attack. Real world attacks can use a combination of social engineering, physical, and electronic methods, often coordinated by an experienced team. That combination of methods and expertise is very hard to simulate in a controlled environment. “The [enterprise’s] board and other stakeholders will not care about a clean network pen test if an attacker enters the building and, through a combination of social engineering and other low-tech gadgets like the hidden camera tie, steals your protected information” (Barr, J., 2012b).

References:

Barr, J. G. (2012a, November). Recruiting Cyber Security Professionals. Faulkner Information Services. Retrieved March 23, 2013.

Graves, K. (2010). CEH: Certified Ethical Hacker Study Guide. Sybex. Books24x7. Retrieved March 24, 2013.

Howarth, F. (2010a). Emerging Hacker Attacks. Faulkner Information Services. Retrieved April 17, 2013.

Stephenson, P. (2013). SAINTmanager/SAINTscanner/SAINTexploit v7.14. Retrieved March 23, 2013 from http://www.scmagazine.com/saintmanagersaintscannersaintexploit-v714/review/3797/

Walker, M. (2012). CEH Certified Ethical Hacker: All-in-One Exam Guide. McGraw-Hill/Osborne. Books24x7. Retrieved March 24, 2013.

More Than You Want to Know About Wal-Mart’s Technology Strategy Part 2

This article is a continuation of my earlier analysis (Part 1 here, continued here at Part 3) where I waded into Wal-Mart’s strategy for technology infrastructure and its strategy for IT capability & staffing. Whether you love or hate Wal-Mart, no one can argue that historically the organization has been highly innovative, effective and efficient. In this second part of my three-part series I will broach the company’s strategy for information risk and security, stakeholder requirements and project return on investment.

Wal-Mart: Strategy for Information Risk & Security:

Wal-Mart operates a massive information system infrastructure that has been called the largest private computer system in the country. As such, the company must be strategic in implementing the proper information security protocols and vigilant in order to react to attempted compromises of its confidential information. Any compromise of sensitive customer information could lead to significant expense in compensating affected parties and require updating systems, processes and procedures to restore customer confidence. This scenario is especially relevant because Wal-Mart’s extensive point of sale system, from a black hat hacker’s perspective, registers a veritable treasure trove of customer debit, credit and gift card information.

In order to mitigate the aforementioned risks, Wal-Mart has complied with the PCI DSS (Payment Card Industry Data Security Standard). PCI DSS offers “compliance guidelines and standards with regard to our (Wal-Mart’s) security surrounding the physical and electronic storage, processing and transmission of individual cardholder data” (Wal-Mart Stores Inc., 2016). Some operational system components of PCI DSS include maintaining a secure network via use of firewalls to protect sensitive data, encrypting cardholder data that is transmitted across public networks, regularly updating anti-virus software, and tracking and monitoring all access to network resources and cardholder data (PCI Security Standards Council, 2016). Former CIO Turner has stated, “Necessity is the mother of invention, and we’ve invested a lot of knowledge and capital in intrusion detection and playing as much offense as we can to make sure that we’re protecting our company. Personally, every day I spend time on security” (Lundberg, 2002).

From a disaster recovery perspective, Wal-Mart maintains redundant primary and secondary information systems to mitigate the risks of operational downtime and/or significant loss of information. The organization keeps primary and secondary information systems physically separated. In 2005, the company was lauded for its disaster recovery and business continuity efforts in the wake of Hurricane Katrina. The company stood up satellite links for its retail centers, enabling those centers to correspond with headquarters despite the loss of phone lines and internet connectivity (Worthen, 2005). Wal-Mart also maintains an Emergency Operations Center (EOC) established in the wake of the September 11, 2001 terror attacks. The organization has a central EOC located at headquarters in Arkansas which works in concert with decentralized EOCs at the division level. During Hurricane Sandy, the organization was successful in moving generators across state lines in order to reopen stores and provide systems operability in a timely manner (PricewaterhouseCoopers, 2005).

Wal-Mart: Strategy for Stakeholder Requirements, Testing & Training/Support:

Wal-Mart’s immense size allows it considerable influence over its supplier stakeholders. Typically, suppliers reside in an inferior position (Wal-Mart can end the supplier relationship or demand sub-optimal concessions from the supplier) which enables the retailing behemoth to dictate industry wide changes in how suppliers and merchants interact. This unbalanced power relationship allows the company to micromanage its supply chain partners from a business process and respective information technology project perspective. When the power balance is more on an equal footing, Wal-Mart is willing to work collectively with a supplier.

A case in point is the lauded cooperation between Procter & Gamble and Wal-Mart in the late 1980s to implement Retail-Link. Retail-Link was a joint business process and related technology systems project between the two organizations for mutually beneficial gains. Wal-Mart’s in-store point of sale data acted as a pull to automatically trigger manufacturing orders to P&G when stocks were low (Wailgum, 2007). When this concept proved successful, Wal-Mart dictated to 2,000 supplier stakeholders that they must all update their information systems to integrate with Retail-Link. The integration and information sharing with Retail-Link was a boon to Wal-Mart’s suppliers, as it provided predictable volumes and constantly humming factories, but the takeaway is that Wal-Mart mandated the terms to stakeholders based upon its asymmetrically favorable power position.

In some cases, Wal-Mart’s technical project mandates to suppliers did not yield mutually beneficial Return on Investment (ROI). An example of this scenario is embodied in the much publicized initiative to have its suppliers adopt RFID in the mid-2000s. Wal-Mart was seeking to increase its inventory visibility at the warehouse and in its stores. In this case, Wal-Mart did not adequately consider stakeholder technology implementation concerns before issuing its RFID mandate. A supplier is on record stating that the consumer packaged goods industry was not the best early adopter for RFID and that the small margins and project complexities didn’t offer compelling ROI (Wailgum, 2007). The ROI that could be established from a supplier standpoint was to continue doing business with Wal-Mart while investing only the bare minimum in the upgrades required to implement RFID. A Gartner analyst has estimated that RFID implementation for smaller companies would cost between $100,000 and $300,000, while larger manufacturers could experience investment costs of up to $20 million (Network World, 2008).

Once a critical mass of important supplier stakeholders decided that their operating costs were being negatively impacted, Wal-Mart decided to back down from its mandate. Only when the favorable power dynamic shifted from Wal-Mart to the supplier network did the company walk back its mandate.

From a development standpoint, Wal-Mart traditionally used the more structured Systems Development Lifecycle (SDLC) methodology. All systems within the company require testing & validation. According to former CIO Turner, “In any development effort, our [IS] people are expected to get out and do the function before they do the system specification, design or change analysis. The key there is to do the function, not just observe it. So we actually insert them into the business roles. As a result, they come back with a lot more empathy and a whole lot better understanding and vision of where we need to go and how we need to proceed” (Lundberg, 2002). Turner also eschews testing systems in low-volume stores or with the easiest customers.

Recently, in its more cutting-edge Silicon Valley based development division (@WalmartLabs), the company has moved to adopt an Agile development methodology. Agile methodology allows the group to react faster to changing market conditions than the much slower SDLC methodology. This approach is necessary in a cut-throat marketplace where competitors such as Amazon have been using Scrum for over a decade (King, 2014).

Wal-Mart: Project ROI and Key Success Measures:

Despite the less than successful analysis and grasp of intended project benefits related to its RFID initiative, Wal-Mart relies heavily on ROI as a measure of project success. Cost is a major concern in IT spending, thus a reliance on ROI is a sensible approach. Former CIO Turner has stated that 33% of Wal-Mart development projects are canceled before they are completed and that 56% of completed projects are subjected to budget overruns of 189%. “One of the problems is that a lot of companies don’t require an ROI except for major purchases. ‘At Wal-Mart, everything has to pay its way, even infrastructure [investments]. A lot of people say you can’t cost-justify infrastructure, but you can. There is a way. You have to make ROI the center of what you’re about, to begin to pay your way’” (Power, 1998). At Wal-Mart all technology implementations are assigned a payback analysis, and the savings from the analysis must be incorporated into the business plan. A quarterly report on each project is shared at the executive level to ensure that business unit profit and loss statements reflect the investment value that was initially calculated. The mentality at Wal-Mart is a focus on turning information technology from a traditional cost center into a profit center.

Additionally, the centralized information technology group at Wal-Mart does not saddle its divisions with a chargeback funding method. The company takes a holistic, enterprise-wide approach to determining which projects make sense for the company. Wal-Mart can be said to employ the corporate budget funding method, where IT managers have considerable control over the entire IT budget. When it’s time to implement a project, the divisions with the largest budgets are treated the same as divisions where resources are more scarce. As of 2004, the organization lacked an IT steering committee, which helped speed up the project selection process (Sullivan, 2004). The drawback to this funding method is that IT competes with all other budgeted items for funds (Pearlson, Galletta & Saunders, 2016).

Project completion dates in the organization’s nomenclature are referred to as “end dates”. All projects are tracked against the end dates and problem projects are scrutinized when they fall behind schedule. When new systems are deployed it is not uncommon for high level management to solicit feedback from line employees involved in using the system. When necessary, personnel are replaced on project teams in order to increase project effectiveness (Lundberg, 2002).

To be continued in Part 3 where I address these three areas:

  • Strategy for Data Acquisition and Impact on Business Processes
  • Strategy for Social Media/Web Presence
  • Strategy for Organizational Change Management, Project Strategy and Complexity

If you’re interested in Business Intelligence & Tableau, check out my videos here: Anthony B. Smoak

References:

King, R. (2014, October). Wal-Mart Becomes Agile But Finds Some Limits. Dow Jones Institutional News. Retrieved from Factiva.

Lundberg, A. (2002, July 1). Wal-Mart: IT Inside the World’s Biggest Company. CIO Magazine. Retrieved from http://www.cio.com/article/2440726/it-organization/wal-mart–it-inside-the-world-s-biggest-company.html?page=2

Network World. (2008, September). “Wal-Mart’s RFID revolution a tough sell; Even for the world’s biggest retailer, championing an unproven technology with no clear ROI has been difficult.” Retrieved June 13, 2016 from Factiva.

PCI Security Standards Council. (2016). Maintaining Payment Security. Retrieved from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

PricewaterhouseCoopers. (2013, September). Interview with Mark Cooper: Walmart takes collaborative approach to disaster recovery. Retrieved from http://www.pwc.com/gx/en/industries/capital-projects-infrastructure/disaster-resilience/walmart-disaster-response-strategy.html

Power, D. (1998, June). WAL-MART: TECHNOLOGY PAYBACK IS IMPERATIVE. Supermarket News. Retrieved from Factiva.

Pearlson, K., Galletta, D., & Saunders, C. (2016, January). Managing and Using Information Systems: A Strategic Approach, Binder Ready Version, 6th Edition.

Sullivan, L. (2004, September 24). Wal-Mart’s Way: Heavyweight retailer looks inward to stay innovative in business technology. Retrieved June 17, 2016 from http://www.informationweek.com/wal-marts-way/d/d-id/1027448?

Wailgum, T. (2007, October). How Wal-Mart Lost Its Technology Edge. Retrieved from http://www.cio.com/article/2437953/strategy/how-wal-mart-lost-its-technology-edge.html

Wal-Mart Stores, Inc. (2016, January 31). Form 10-K. Retrieved from https://www.sec.gov/Archives/edgar/data/104169/000010416915000011/wmtform10-kx13115.htm

Worthen, B. (2005, November 1). How Wal-Mart Beat Feds to New Orleans. CIO Magazine. Retrieved from http://www.cio.com/article/2448237/supply-chain-management/how-wal-mart-beat-feds-to-new-orleans.html

From White Hat to Cyber Terrorist: The Seven Types of Hackers

The traditional definition of a hacker is someone who uses computers to gain unauthorized access to data. “Hacks” are deployed for various reasons as diverse as the thrill of the conquest, protests, profit or bolstering status within the hacker community. Some security professionals question whether the term “ethical hacker” is a contradiction in terms, as hacking was originally defined as a criminal activity (Wikipedia, Certified Ethical Hacker).

Conrad Constantine, a research engineer at the security management company AlienVault, states, “The term ‘ethical’ is unnecessary – it is not logical to refer to a hacker as an ‘ethical hacker’ because they have moved over from the ‘dark side’ into ‘the light’… The reason companies want to employ a hacker is not because they know the ‘rules’ to hacking, but because of the very fact that they do not play by the rules” (Bodhani, pg. 66).

There are many subgroups within the hacker community that encompass more than the traditional black hat, white hat dichotomy. Here are a few of the different types of hackers and their aims:

  • White Hat: Commonly referred to as an Ethical Hacker. Holders of the Certified Ethical Hacker (CEH) certification who uphold the values of the EC-Council (aka the International Council of Electronic Commerce Consultants) would be classified as white hat hackers. The aim of the white hat is to legally and non-maliciously perform penetration testing and vulnerability assessments against computer systems in order to identify and address security weaknesses. White hats are typically employed by security consulting firms that perform penetration testing.
  • Black Hat: Commonly referred to as a “cracker”. Black hats are the opposite of white hat hackers in that they attempt to penetrate computer systems illegally and without prior consent. A black hat hacker is interested in committing a range of cybercrimes such as identity theft, destroying data, destabilizing systems, credit card fraud, etc.
  • Grey Hat: The ethics of the grey hat lie somewhere between those of the white hat and black hat hackers. A grey hat may use the tools and skill sets of a black hat to penetrate a system illegally but will exhibit white hat tendencies in that no harm is caused to the system. Typically, the grey hat will notify the system owner of any system vulnerabilities uncovered.
  • Blue Hat: An outside security professional invited by Microsoft to exploit vulnerabilities in products prior to launch. This community gathers every year at a conference sponsored by Microsoft; the blue signifies Microsoft’s corporate color. “BlueHat’s goal is to educate Microsoft engineers and executives on current and emerging security threats in an effort to help address security issues in Microsoft products and services and protect customers” (Microsoft, 2013, para. 1).
  • Hacktivists: These hackers will compromise a network or system for political or socially motivated purposes. Website defacement or denial-of-service attacks are the favored methods used by Hacktivists (Wikipedia, Hacker (Computer Security)).
  • Script Kiddies: These “hackers” are amateurs who follow directions and use scripts developed and prepared by advanced hackers. The script kiddie may be able to successfully perform a hack but has no thorough understanding of the actual steps employed.
  • Cyber Terrorists: According to the U.S. Federal Bureau of Investigation, cyberterrorism is any “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents. Unlike a nuisance virus or computer attack that results in a denial of service, a cyberterrorist attack is designed to cause physical violence or extreme financial harm. According to the U.S. Commission of Critical Infrastructure Protection, possible cyberterrorist targets include the banking industry, military installations, power plants, air traffic control centers, and water systems” (Search Security).

References:

Bodhani, A. (2013, January). “Ethical hacking: bad in a good way.” Engineering and Technology Magazine, 7(12), pp. 64-64.

Cyberterrorism. In Search Security. Retrieved April 16, 2013 from http://searchsecurity.techtarget.com/definition/cyberterrorism

Microsoft. (2013). BlueHat Security Briefings. Retrieved April 16, 2013 from http://technet.microsoft.com/en-us/security/cc261637.aspx


Spear Phishing

Regarding this New York Times article: Hackers in China Attacked The Times for Last 4 Months

Spear phishing attacks against businesses, diplomatic and government agencies seem to be very popular with cyber espionage networks. You only need one person to take the wrong action and the entire system is compromised, as the New York Times is discovering.

In 2012, China used spear phishing with a .pdf file that exploited a vulnerability in Windows to attack Tibetan activist groups. Antivirus software did not widely recognize the threats, as was also the case in the NYT’s imbroglio. [1]

In a similar vein to the attacks on the NYT, targeted spear phishing was used in a very recent incident called Operation Red October (the name alludes to the attacks emanating from a Russophone country). The malware used in this campaign is called ‘Rocra’ and it is aimed at governments and research institutions in former Soviet republics and Eastern Europe. [2]

The New York Times article states “Once they take a liking to a victim, they tend to come back. It’s not like a digital crime case where the intruders steal stuff and then they’re gone. This requires an internal vigilance model.”

It’s intriguing that the Red October attacks embody the spirit of that quote in the design of their malware:

“Red October also has a “resurrection” module embedded as a plug-in in Adobe Reader and Microsoft Office applications. This module made it possible for attackers to regain control of a system even after the malware itself was discovered and removed from the system.”

This is pretty scary stuff but ingenious nonetheless. Organizations need to take heed and make sure they are doing absolutely everything they can to combat attacks and to train users about the dangers of spear phishing.

[1] http://www.scmagazineuk.com/chinese-spears-attack-tibetan-activists/article/231923/

[2] http://www.wnd.com/2013/01/red-october-cyberattack-implodes/