Ethical Hacking in Today’s Society Patrick Bryant
ECPI UNIVERSITY
IS530
May 12, 2012
DR. BRYANT

Abstract

Over the years technology has advanced just as Moore’s Law has predicted. Not only does the technology double every year in a compounding way, but those who understand these concepts grow as well. These talented individuals can be looked at from several different viewpoints and depending on who that person may be could in fact determine whether it is a positive viewpoint or a negative one. In this paper I will prove why it is necessary to have Ethical Hackers in today’s security models and how they have come a long way to improve how our information systems operate in a more secure manner.

Ethical Hacking in today’s Society Hacker’s for years have been able to do things that the normal individuals have never even thought of pursuing and for several different reasons. There are several different types of hackers out there, but they all have one thing in common and that is their knowledge of Information System exploits and vulnerabilities. The constant issues highlighted by the media always reporting some type of cyber crime, a study showing that nearly 90% of attacks happen on the inside (Durant, 2007). The biggest key is that of understanding the hacker’s true intention and determining whether or not it was ethical or malicious. This leads us to first understand what an ethical hacker is and help determine their purpose is a positive venture when wanting to run your organization in a more secure manner.
Who is the Ethical Hacker?
The term “White Hat” has been slang term that often refers to an ethical hacker, who tends to be a computer security expert. These types of hackers have been known to specialize in penetration testing and help to ensure the security of an organization’s information system. This is unlike other type of hacker’s such as the “BLACK HAT” and the “GREY HAT”. Ethical hackers also carry several other specialized skills such as strong programming skills, networking skills and have been in vetted in the information technology industry for years. One of the more critical traits that all hackers tend to have is patience and has been known to work on difficult tasks outside of normal working hours. Most successful or savvy computer professionals often keep up with new technologies even if they are unfamiliar with such technologies they will take the time to research them to fully understand it. Keeping up with these technologies can not only be time consuming for ethical hackers but understanding the criminal’s that use them in malicious ways can be a lot for one person to manage. With all of these qualities being said, the most important quality that could change a hiring manager’s consideration for selecting a person is trust and a clean background. The best candidates tend to carry not only a clean history, but a higher level of clearance than most generic computer professionals do not require. The difference could range in a background investigation from a Secret clearance to a Top Secret clearance when determining the depth of an investigation. (IBM JOURNAL, VOL 40)
What makes Ethical Hacking Ethical?
Hacking in general is wrong for any one person to have some sort of gain whether it is financial or personal. Ethical hacking is often performed by trusted “White Hats” to determine an organization’s vulnerabilities in their internal information systems. Most companies will utilize an outside contractor or even a fulltime employee to ensure that their systems are secure as vulnerabilities are announced. The concept of ethical hacking is still considered hacking due to the end result of an information system being compromised, penetrated, and potentially crashed. This type of hacking becomes ethical because it is used to increase the safety of not only the organization, but to reduce the risk of the users within it. It is fairly understood that it takes a criminal to catch a criminal these days. With this type of reasoning if a grey hat hacker can possibly break into a system then most certainly a “Black Hat” hacker can with malicious intentions. With the goal being able to use present programs running to break into the system, the ethical hacker does this only at the request of the company that actually owns the information system. Organizations tend to do this on a regular basis so that any existing vulnerabilities to their systems can be patched and protected. (Ellis-Christensen, 2012) Once a contractual agreement has been signed by both parties, the penetration testing may begin. Unfortunately an ethical hacker could have a criminal hacker monitoring their ethical hack exposing sensitive information and vulnerabilities. Normally complete logs of the tests performed are always kept on record for not only the final report, but in the event something unusual happens. The testing can be hard to conceal within the organization because employees may tip off another employee. The penetration test is also subjective to system crashes, degraded networks, denial of service, and log-file explosions. Whenever a testing of system discovers vulnerability, the test should not be stopped, but further investigated to see how many others exist. Plenty of time should be allowed to not only conduct the testing. Nearly all information systems have some sort of vulnerability that can be exploited by a hacker whether it is an unpatched application, misconfigured router, or even a rogue modem. It is just a matter of time for either a White Hat or Black Hat to find the exploit during a penetration test. From February 17 until March 31st 2009 BT Professional services conducted a web-based survey on Ethical Hacking that involved 222 IT professionals from around the world. In the survey, the penetration testing was defined as a method of identifying the current state of security controls. (Blum, 2009)

Ethical hacking is normally done by a third party to get an unbiased assessment of the security controls and viability of the controls that are in place on the system at that time. The more focused ethical hacks are:

* Application testing- uncovers design and logic flaws in applications that couldresult in the compromise or unauthorized access of your networks, systems,applications or information. * Network testing- identifies vulnerabilities in external and internal networks,services, protocols, convergence solutions and systems and devices, including VPNtechnologies. * Code review- examines the source code that is part of the authentication systemand identifies the strengths and weaknesses of the software modules. * Wireless network testing -determines your network's vulnerability to an attackerwith radio access to the wireless network space. * War dialing - identifies unauthorized modems that endanger the corporate infrastructure. * System hardening - analyzes possible configuration issues, running services, andvulnerabilities that reside on the system. (Blum, 2009)

The biggest advantage to having ethical hacks done internally or by a third party is that each IT group can work more closely with the exploits and understand the vulnerability to be able to increase their knowledge of future exploits and hacks on their own information systems. There are several barriers that BT’s survey was able to acknowledge in this survey conducted in 2009 that pertain to the current day despite Morris’s Law. (Blum, 2009)

Who are ethical hackers?
People tend to get involved in the field of ethical hacking for several different reasons and are derived from several different backgrounds. Most ethical hackers haves some educational experience in computer science and most cases they were also a “Black Hat” hacker at one time. Some scenarios that exist today are that all hackers were considered criminals at one time and may have served jail time for some of the things they have done in their past. This brings us back to what were discussing prior, that it takes a criminal to catch a criminal. Instead of the person serving a substantial amount of jail time, the hacker was given a second chance to put their skills to a more positive and productive way in society. The IT industry has had more than its fair share of black hats who now become one of the most respected of Ethical hackers. The creator of one of the most dangerous worms the Internet has ever seen is now a professor at a prestigious college playing a more positive role in society.
Robert Morris wrote a worm while he was a student at Cornell. Originally it was intended to see how large the Internet was, but it replicated so quickly it slowed down over 6,000 machines. As a result of this crime, he was the first person prosecuted under the 1986 Computer Fraud and Abuse Act. The Morris worm landed Robert 400 hours of community service and $10,500 in fines. He is now a tenured professor at the MIT Computer Science and Artificial Intelligence Laboratory. Morris principally researches computer network architectures including distributed hash tables such as Chord and wireless mesh networks such as Roofnet. ( IT Security Editors , 2009) Morris is just one of millions that had a skill set and decided to use it for better reason. Everyday more and more IT proffesionals are trained to be just as savvy with information systems as Morris was.

Where do they get their training?
One of the bigger issues in training students today is the fact that you are giving an individual a weapon. With this weapon the student has the control to decide whether or not they will use it for good or bad intentions. They can either take what they have learned and use it for the good of society or they can turn around and commit heinous crimes. To have an instructor teach a student how to hack and find out that the student indeed used it to commit a criminal offense could most indefinitely defeat the purpose why the instructor was teaching the class in the first place. It is almost unimaginable what a student may do with some of the mentalities some students have in today’s society. In our own hometowns we can point out these types of criminal acts whether it was a slaughter of students in a college or burglarizing someone’s home during the holiday season. We must be cautious with what individuals are taught in schools. I feel that eventually students will have to have a clean record and more constraints will have to be put in place to keep computer criminal activity from rising after this type of training becomes more and more available. It is a must for a school to keep students from doing these activities and to further invoke more defined policies protect the institution.
No matter what their age, institutions are susceptible to having a few bad apples. The students could be as young as ten years old trying to manipulate software or video games. Defcon recently held a training conference to teach young kids about security and how to hack. The young children “implemented games like deciphering clues, picking locks, coaxing information out of people and reading subtle facial expressions. They also learned how to hack hardware, software and websites.” (Usigan, 2011) There are several avenues for a person that is interested in the Network Security field to be able to find the skill set to be able to be an ethical hacker, but it may be somewhat costly.
SANS Institute for example is one of the largest cooperative research and education organizations that now reach more than 165,000 professionals around the world. Training can be taken in several different environments. SANS offers a classroom setting, self paced over the Internet, or in mentored settings in cities all over the world. (SANS INSTITUTE, 2012)

Legal Implications of hacking Whether ethical or not, hacking can have some serious risks for not only the organization, but the penetration tester as well. We discussed earlier how having a contract is a must, but there are several ethical hackers out there that fight for the people that are unable to obtain a contract. They feel that it is their civic duty to protect the people against these companies that refuse to fix their security holes. There has been several instances of a supposed white hat hacker without malicious intent finding vulnerable systems across the internet that are owned by fortune 500 companies. After the hacker makes a discovery they would then proceed to report the finding to the company that owns the system to bring attention to its vulnerability. Unfortunately the submission of how the system was breeched is a confession to a crime that was conducted unlawfully and without the proper legal paperwork in place the individual is subject to legal action or arrest. The company could either thank you for doing the organization a huge favor or could potentially hang you out to dry by initiating legal action against the individual.
A recent case of this happened in February, 2012, where a British student breached security at the social networking site FACEBOOK. Glenn Mangham has done penetration testing on other sites such as Yahoo and gotten a huge slap on the back for finding vulnerabilities in its systems. The student was not as appreciated by facebook when he was able to breach a webserver. Although Mangnam’s intention was to present these vulnerabilities to have them fixed, the prosecution claimed that over $200,000 was spent fixing systems after his hack despite the cost of the actual investigation. The white hat hacker was found guilty by Judge Alistair McCreath, who reprimanded him with 8 months of jail time and the following justification;
"This was not just a bit of harmless experimentation - you accessed the very heart of the system of an international business of massive size."
"This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled... Potentially what you did could have been utterly disastrous to Facebook."

There are several others out there that are just as interested as Glen was in recovering security holes. Based on his situation others can now be wary of even thinking of breaching a system without the proper legal protection in place. (Cluley, 2012)
Conclusion
One of the most significant findings to emerge from this research is that ethical hacking can be beneficial in identifying vulnerabilities before they are exploited. In today’s society it can be more beneficial to company to practice due diligence in exposing these security holes. Ethical hacking is legal and performed with the target’s permission. It is part of an overall information risk management program that allows for ongoing security improvements (Beaver, 2005, p. 10). Finally, according to Ed Skoudis, Vice President of Security Strategy for Predictive Systems’ Global A Closer Look 15 Integrity consulting practice, “ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began” (SearchSecurity, 2007, p. 1). The question still remains whether or not an Ethical Hacker’s intent is truly a trustworthy one to the organization in the future. I have often wondered after my organization’s penetration testers have completed their findings whether they found everything or even disclosed all of their findings. Phil Zimbardo has made a career on the study of coercion, obedience, and evil. After years of research he has developed a theory on how good people can turn evil. So another valid argument would be; who is to say that an ethical hacker could or could not one day turn malicious just for a higher good?

Works Cited
IT Security Editors . (2009). Top 10 Most Famous Hackers of All Time. Retrieved from www.focus.com: http://www.focus.com/fyi/top-10-most-famous-hackers-all-time/

Blum, R. (2009). Ethical Hacking IT Industry Survey. WORLDWIDE: British Telecommunications.

Cluley, G. (2012, FEBRUARY 20). Jail for 'ethical' hacker who bypassed Facebook security from his bedroom. Retrieved from nakedsecurity.sophos.com: http://nakedsecurity.sophos.com/2012/02/20/jail-facebook-ethical-hacker/

Durant, A. (2007). The Enemy Within. BusinessXL, 48-51.

Elias, M. (2007, March 14). An expert asks: Do we all have an evil, dark side? Retrieved from www.usatoday.com: http://www.usatoday.com/news/health/2007-03-13-zimbardo-evil_N.htm

Ellis-Christensen, T. (2012, May). What Is Ethical Hacking? (Conjecture Corporation) Retrieved from http://www.wisegeek.com/what-is-ethical-hacking.htm

Palmer, C. (2001, MAY). Ethical Hacking. IBM SYSTEMS JOURNAL, 769. Retrieved from http://en.wikipedia.org/wiki/White_hat_(computer_security)

SANS INSTITUTE. (2012, MAY). About the SANS Institute. Retrieved from SANS INSTITUTE: http://www.sans.org/about/sans.php

Usigan, Y. (2011, August 11). Kids learn how to hack at DefCon. Retrieved from www.cbsnews.com: http://www.cbsnews.com/8301-501465_162-20089444-501465.html

The Graduate School of Computer and Information Sciences

Certification of Authorship of FINAL PROJECT – DISS800

Submitted to: Dr. Michael Bryant:
Student’s Name: Patrick Bryant
Date of Submission: MAY 9, 2012
Purpose and Title of Submission: FINAL PROJECT
Certification of Authorship: I hereby certify that I am the author of this document and that any assistance I received in its preparation is fully acknowledged and disclosed in the document. I have also cited all sources from which I obtained data, ideas, or words that are copied directly or paraphrased in the document. Sources are properly credited according to accepted standards for professional publications. I also certify that this paper was prepared by me for this purpose.

Student's Signature: Patrick E Bryant