Ethical hackers: Finding the cracks before the ‘crackers’

By Erin Ayers on November 19, 2014

Advisen recently spoke to David Bryan, principal security consultant at Trustwave SpiderLabs. As a consultant, Bryan helps clients understand what risks exist in their environment and discusses ways to reduce that risk, based on security best practices and professional experience.

Advisen: Tell us more about “ethical hacking” and the lab Trustwave has created.

David Bryan: “The idea behind it is that we have a lab where we can set up systems and devices that we can test and identify flaws in those systems. It’s both a venture for ourselves to do research, but also for the public benefit.”

Bryan went on to explain that a criminal hacker or “cracker” is going to exploit system flaws for profit and gain.

“We’re going to use it so we can close that hole,” he said. “The attackers, or the crackers, they have just as much information, but they’re not telling the vendors.” He cited the example of a hacker tampering with ATMs, tricking the system into thinking it is dispensing $1 bills, when in reality it is dispensing $20 bills.

Advisen: What can you do in the lab that can’t be done onsite for a client?

Bryan: “We can go to town on this lab and not have to worry about knocking things over. The idea is to reduce the risk of a pen test coming along and knocking systems offline.”

Bryan noted that one of the most thorough ways for security firms to evaluate the safety of a business’ data is via penetration testing, or “pen testing.” Ethical hackers can break into a client’s system, see what they can access and how, and bring it back to the client to help them fix the vulnerabilities – without compromising any of the client’s data or systems, something that criminal cyber attackers generally don’t promise.

“Sometimes we have carte blanche access, or we have a targeted range. Pen testing is the idea that we have pretty much unrestricted access,” he said. “It’s a real world scenario where we can then successfully test.”

According to Bryan, vulnerability testing consists of a sweep of the client’s network; it is a less intensive test that does not demonstrate actual exploitable risk and is not always 100 percent accurate. Security researchers can detect potential vulnerabilities and identify out-of-date services, but a pen test goes further and identifies the actual holes in a system.

Advisen: How do you determine whether to do a vulnerability test or a pen test?

Bryan: “It depends on the level of engagement for the client. They might say, ‘Here’s our internal network, go to town.’ We’re trying to be very strategic in our pen tests, we don’t want to knock things over. The less scope restrictions you have, the more you’re going to learn about your environment. We can make them aware and help them change, not just at a technical level, but also on a programmatic level.”

Advisen: How can you ease the fears of clients leery of letting “hackers” into their system, even as a test?

Bryan: “What we do to try to reduce those fears, we let them know we’re using devices with encrypted partitions. There are very tight controls and we work with them. There are no major risks of identity or credit card info being leaked out. We’re trying to simulate the type of attacker they could have. It could be an unprotected Ethernet site, or it could be that they’ve got malware or something that’s phoning home on a laptop.”

Advisen: What are the most significant threats facing organizations today?

Bryan: “Malware infecting third-party providers. From a retail perspective, that’s something that the attackers have figured out. And our annual Global Security Report cites poor password use. Year after year, people have poor password policies and choose poor passwords. When users choose bad passwords and Active Directory has weak hashing, it allows hackers to use GPUs [graphics processing units] to crack passwords at a rate that’s astronomically fast. If you couple those two things together, we have some pretty big holes that need to be plugged.”

Bryan advocated user awareness and the use of authentication and passphrases (several words that form a sentence people will remember) instead of traditional passwords. Remediating the malware problem can be aided by “simple things” like being able to scan emails and remove attachments that infect systems.
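The two points above, that a fast hash lets a GPU rig try guesses at an astronomical rate and that a multi-word passphrase gives users more entropy than a short password, can be put into numbers. The following is an added example written for this page; it is not code from Trustwave or from the article. The guess rates and the Diceware word-list size are labelled assumptions, and the functions report only expected time to exhaust half of a keyspace, the standard way of comparing a password policy against an attacker's guessing budget.

```python
"""Password-policy strength estimator (added example, not from the article).

Estimates the entropy of a password or passphrase policy and the expected
time an offline guesser needs at an ASSUMED guess rate, contrasting a fast
unsalted hash with a deliberately slow password-hashing function.
"""
import math

# Constructed assumptions for illustration only; replace with figures from
# your own threat model.
ASSUMED_FAST_HASH_GUESSES_PER_SEC = 1e11   # fast, unsalted hash on a GPU rig
ASSUMED_SLOW_KDF_GUESSES_PER_SEC = 1e5     # iterated or memory-hard KDF
DICEWARE_WORDLIST_SIZE = 7776              # the standard Diceware list (6**5 words)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a uniformly random password of `length` symbols
    drawn from an alphabet of `alphabet_size` characters."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int,
                            wordlist_size: int = DICEWARE_WORDLIST_SIZE) -> float:
    """Entropy (bits) of a passphrase of `words` words chosen uniformly at
    random from a word list of `wordlist_size` entries."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(entropy_bits: float, guesses_per_sec: float) -> float:
    """Expected years to guess a secret of the given entropy: on average the
    guesser succeeds after trying half the keyspace."""
    expected_guesses = (2 ** entropy_bits) / 2
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR


def policy_report() -> dict:
    """Compare common policies under both hashing scenarios.

    Returns a mapping of policy name -> (entropy_bits, years_fast_hash,
    years_slow_kdf) so the numbers can be checked rather than just printed."""
    policies = {
        # 8 lower-case letters: what users tend to pick when allowed
        "8 lowercase letters": password_entropy_bits(8, 26),
        # 8 random printable ASCII characters (95 symbols)
        "8 random printable ASCII": password_entropy_bits(8, 95),
        # 5 random Diceware words, e.g. "oxide chump stray lobby wafer"
        "5 Diceware words": passphrase_entropy_bits(5),
    }
    return {
        name: (bits,
               years_to_exhaust(bits, ASSUMED_FAST_HASH_GUESSES_PER_SEC),
               years_to_exhaust(bits, ASSUMED_SLOW_KDF_GUESSES_PER_SEC))
        for name, bits in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, fast, slow) in policy_report().items():
        print(f"{name:28s} {bits:5.1f} bits  "
              f"fast hash: {fast:12.3g} yr  slow KDF: {slow:12.3g} yr")
```

Two things stand out when the report runs: an eight-letter lowercase password falls in about a second against a fast hash, and switching the storage to a slow KDF buys roughly six orders of magnitude regardless of the policy. Five random Diceware words carry more entropy than eight fully random printable characters while being far easier to remember, which is the case for passphrases the interview makes. The estimates assume uniformly random selection; a passphrase assembled from a favourite song lyric has far less entropy than the formula reports.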

Advisen: Insurers have expressed interest in using ethical hacking to better assess cyber risks. Does that sound like a valid option?

Bryan: “That would be very interesting. A pen tester would know within 40 minutes whether a business had a secure or mature information security program. I could totally see that as a way to gauge the maturity of a system, if I was an insurer of someone who was holding credit card data or health data.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].