
Ethical hacking

by C. C. Palmer

The explosive growth of the Internet has brought many good things: electronic commerce, easy access to vast stores of reference material, collaborative computing, e-mail, and new avenues for advertising and information distribution, to name a few. As with most technological advances, there is also a dark side: criminal hackers. Governments, companies, and private citizens around the world are anxious to be a part of this revolution, but they are afraid that some hacker will break into their Web server and replace their logo with pornography, read their e-mail, steal their credit card number from an on-line shopping site, or implant software that will secretly transmit their organization’s secrets to the open Internet. With these concerns and others, the ethical hacker can help. This paper describes ethical hackers: their skills, their attitudes, and how they go about helping their customers find and plug up security holes. The ethical hacking process is explained, along with many of the problems that the Global Security Analysis Lab has seen during its early years of ethical hacking for IBM clients.

The term “hacker” has a dual usage in the computer industry today. Originally, the term was defined as:

HACKER noun 1. A person who enjoys learning the details of computer systems and how to stretch their capabilities—as opposed to most users of computers, who prefer to learn only the minimum amount necessary. 2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming.1

This complimentary description was often extended to the verb form “hacking,” which was used to describe the rapid crafting of a new program or the making of changes to existing, usually complicated software.

As computers became increasingly available at universities, user communities began to extend beyond researchers in engineering or computer science to other individuals who viewed the computer as a curiously flexible tool. Whether they programmed the computers to play games, draw pictures, or to help them with the more mundane aspects of their daily work, once computers were available for use, there was never a lack of individuals wanting to use them.

Because of this increasing popularity of computers and their continued high cost, access to them was usually restricted. When refused access to the computers, some users would challenge the access controls that had been put in place. They would steal passwords or account numbers by looking over someone’s shoulder, explore the system for bugs that might get them past the rules, or even take control of the whole system. They would do these things in order to be able to run the programs of their choice, or just to change the limitations under which their programs were running.

Initially these computer intrusions were fairly benign, with the most damage being the theft of computer time. Other times, these recreations would take the form of practical jokes. However, these intrusions did not stay benign for long. Occasionally the less talented, or less careful, intruders would accidentally bring down a system or damage its files, and the system administrators would have to restart it or make repairs. Other times, when these intruders were again denied access once their activities were discovered, they would react with purposefully destructive actions. When the number of these destructive computer intrusions became noticeable, due to the visibility of the system or the extent of the damage inflicted, it became “news” and the news media picked up on the story. Instead of using the more accurate term of “computer criminal,” the media began using the term “hacker” to describe individuals who break into computers for fun, revenge, or profit. Since calling someone a “hacker” was originally meant as a compliment, computer security professionals prefer to use the term “cracker” or “intruder” for those hackers who turn to the dark side of hacking. For clarity, we will use the explicit terms “ethical hacker” and “criminal hacker” for the rest of this paper.

© Copyright 2001 by International Business Machines Corporation. Copying in printed form for private use is permitted without payment of royalty provided that (1) each reproduction is done without alteration and (2) the Journal reference and IBM copyright notice are included on the first page. The title and abstract, but no other portions, of this paper may be copied or distributed royalty free without further permission by computer-based and other information-service systems. Permission to republish any other portion of this paper must be obtained from the Editor.

IBM SYSTEMS JOURNAL, VOL 40, NO 3, 2001 0018-8670/01/$5.00 © 2001 IBM

What is ethical hacking?

With the growth of the Internet, computer security has become a major concern for businesses and governments. They want to be able to take advantage of the Internet for electronic commerce, advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being “hacked.” At the same time, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses.2

In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records. In the case of computer security, these “tiger teams” or “ethical hackers”3 would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems’ security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.

This method of evaluating the security of a system has been in use from the early days of computers. In one early ethical hack, the United States Air Force conducted a “security evaluation” of the Multics operating systems for “potential use as a two-level (secret/top secret) system.”4 Their evaluation found that while Multics was “significantly better than other conventional systems,” it also had “. . . vulnerabilities in hardware security, software security, and procedural security” that could be uncovered with “a relatively low level of effort.” The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military.5–7

With the growth of computer networking, and of the Internet in particular, computer and network vulnerability studies began to appear outside of the military establishment. Most notable of these was the work by Farmer and Venema,8 which was originally posted to Usenet9 in December of 1993. They discussed publicly, perhaps for the first time,10 this idea of using the techniques of the hacker to assess the security of a system. With the goal of raising the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented.

Farmer and Venema elected to share their report freely on the Internet in order that everyone could read and learn from it. However, they realized that the testing at which they had become so adept might be too complex, time-consuming, or just too boring for the typical system administrator to perform on a regular basis. For this reason, they gathered up all the tools that they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it.11

Their program, called Security Analysis Tool for Auditing Networks, or SATAN, was met with a great amount of media attention around the world. Most of this early attention was negative, because the tool’s capabilities were misunderstood. The tool was not an automated hacker program that would bore into systems and steal their secrets. Rather, the tool performed an audit that both identified the vulnerabilities of a system and provided advice on how to eliminate them. Just as banks have regular audits of their accounts and procedures, computer systems also need regular checking. The SATAN tool provided that auditing capability, but it went one step further: it also advised the user on how to correct the problems it discovered. The tool did not tell the user how the vulnerability might be exploited, because there would be no useful point in doing so.

Who are ethical hackers?

These early efforts provide good examples of ethical hackers. Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. While testing the security of a client’s systems, the ethical hacker may discover information about the client that should remain secret. In many cases, this information, if publicized, could lead to real intruders breaking into the systems, possibly leading to financial losses. During an evaluation, the ethical hacker often holds the “keys to the company,” and therefore must be trusted to exercise tight control over any information about a target that could be misused. The sensitivity of the information gathered during an evaluation requires that strong measures be taken to ensure the security of the systems being employed by the ethical hackers themselves: limited-access labs with physical security protection and full ceiling-to-floor walls, multiple secure Internet connections, a safe to hold paper documentation from clients, strong cryptography to protect electronic results, and isolated networks for testing.

Ethical hackers typically have very strong programming and computer networking skills and have been in the computer and networking business for several years. They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., UNIX** or Windows NT**) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors. It should be noted that an additional specialization in security is not always necessary, as strong skills in the other areas imply a very good understanding of how the security on various systems is maintained. These systems management skills are necessary for the actual vulnerability testing, but are equally important when preparing the report for the client after the test.

Finally, good candidates for ethical hacking have more drive and patience than most people. Unlike the way someone breaks into a computer in the movies, the work that ethical hackers do demands a lot of time and persistence. This is a critical trait, since criminal hackers are known to be extremely patient and willing to monitor systems for days or weeks while waiting for an opportunity. A typical evaluation may require several days of tedious work that is difficult to automate. Some portions of the evaluations must be done outside of normal working hours to avoid interfering with production at “live” targets or to simulate the timing of a real attack. When they encounter a system with which they are unfamiliar, ethical hackers will spend the time to learn about the system and try to find its weaknesses. Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review.

One might observe that the skills we have described could just as easily belong to a criminal hacker as to an ethical hacker. Just as in sports or warfare, knowledge of the skills and techniques of your opponent is vital to your success. In the computer security realm, the ethical hacker’s task is the harder one. With traditional crime anyone can become a shoplifter, graffiti artist, or a mugger. Their potential targets are usually easy to identify and tend to be localized. The local law enforcement agents must know how the criminals ply their trade and how to stop them. On the Internet anyone can download criminal hacker tools and use them to attempt to break into computers anywhere in the world. Ethical hackers have to know the techniques of the criminal hackers, how their activities might be detected, and how to stop them.


Given these qualifications, how does one go about finding such individuals? The best ethical hacker candidates will have successfully published research papers or released popular open-source security software.12 The computer security community is strongly self-policing, given the importance of its work. Most ethical hackers, and many of the better computer and network security experts, did not set out to focus on these issues. Most of them were computer users from various disciplines, such as astronomy and physics, mathematics, computer science, philosophy, or liberal arts, who took it personally when someone disrupted their work with a hack.

One rule that IBM’s ethical hacking effort had from the very beginning was that we would not hire ex-hackers. While some will argue that only a “real hacker” would have the skill to actually do the work, we feel that the requirement for absolute trust eliminated such candidates. We likened the decision to that of hiring a fire marshal for a school district: while a gifted ex-arsonist might indeed know everything about setting and putting out fires, would the parents of the students really feel comfortable with such a choice? This decision was further justified when the service was initially offered: the customers themselves asked that such a restriction be observed. Since IBM’s ethical hacking group was formed, there have been numerous ex-hackers who have become security consultants and spokespersons for the news media. While they may very well have turned away from the “dark side,” there will always be a doubt.

What do ethical hackers do?

An ethical hacker’s evaluation of a system’s security seeks answers to three basic questions:

● What can an intruder see on the target systems?
● What can an intruder do with that information?
● Does anyone at the target notice the intruder’s attempts or successes?

While the first and second of these are clearly important, the third is even more important: If the owners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying and will usually eventually succeed.

When the client requests an evaluation, there is quite a bit of discussion and paperwork that must be done up front. The discussion begins with the client’s answers to questions similar to those posed by Garfinkel and Spafford:13

1. What are you trying to protect?
2. What are you trying to protect against?
3. How much time, effort, and money are you willing to expend to obtain adequate protection?

A surprising number of clients have difficulty precisely answering the first question: a medical center might say “our patient information,” an engineering firm might answer “our new product designs,” and a Web retailer might answer “our customer database.”

All of these answers fall short, since they only describe targets in a general way. The client usually has to be guided to succinctly describe all of the critical information assets for which loss could adversely affect the organization or its clients. These assets should also include secondary information sources, such as employee names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which this organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner’s system).

A complete answer to (2) specifies more than just the loss of the things listed in answer to (1). There are also the issues of system availability, wherein a denial-of-service attack could cost the client actual revenue and customer loss because systems were unavailable. The world became quite familiar with denial-of-service attacks in February of 2000 when attacks were launched against eBay**, Yahoo!**, E*TRADE**, CNN**, and other popular Web sites. During the attacks, customers were unable to reach these Web sites, resulting in loss of revenue and “mind share.” The answers to (1) should contain more than just a list of information assets on the organization’s computer. The level of damage to an organization’s good image resulting from a successful criminal hack can range from merely embarrassing to a serious threat to revenue. As an example of a hack affecting an organization’s image, on January 17, 2000, a U.S. Library of Congress Web site was attacked. The original initial screen is shown in Figure 1, whereas the hacked screen is shown in Figure 2. As is often done, the criminal hacker left his or her nickname, or handle, near the top of the page in order to guarantee credit for the break-in.


Some clients are under the mistaken impression that their Web site would not be a target. They cite numerous reasons, such as “it has nothing interesting on it” or “hackers have never heard of my company.” What these clients do not realize is that every Web site is a target. The goal of many criminal hackers is simple: Do something spectacular and then make sure that all of your pals know that you did it. Another rebuttal is that many hackers simply do not care who your company or organization is; they hack your Web site because they can. For example, Web administrators at UNICEF (United Nations Children’s Fund) might very well have thought that no hacker would attack them. However, in January of 1998, their page was defaced as shown in Figures 3 and 4. Many other examples of hacked Web pages can be found at archival sites around the Web.14

Answers to the third question are complicated by the fact that computer and network security costs come in three forms. First there are the real monetary costs incurred when obtaining security consulting, hiring personnel, and deploying hardware and software to support security needs. Second, there is the cost of usability: the more secure a system is, the more difficult it can be to make it easy to use. The difficulty can take the form of obscure password selection rules, strict system configuration rules, and limited remote access. Third, there is the cost of computer and network performance. The more time a computer or network spends on security needs, such as strong cryptography and detailed system activity logging, the less time it has to work on user problems.

Figure 1 Library of Congress Web page before attack

Because of Moore’s Law,15 this may be less of an issue for mainframe, desktop, and laptop machines. Yet, it still remains a concern for mobile computing.

The “get out of jail free card”

Once answers to these three questions have been determined, a security evaluation plan is drawn up that identifies the systems to be tested, how they should be tested, and any limitations on that testing. Commonly referred to as a “get out of jail free card,” this is the contractual agreement between the client and the ethical hackers, who typically write it together. This agreement also protects the ethical hackers against prosecution, since much of what they do during the course of an evaluation would be illegal in most countries. The agreement provides a precise description, usually in the form of network addresses or modem telephone numbers, of the systems to be evaluated. Precision on this point is of the utmost importance, since a minor mistake could lead to the evaluation of the wrong system at the client’s installation or, in the worst case, the evaluation of some other organization’s system.

Figure 2 Hacked Library of Congress Web page

Once the target systems are identified, the agreement must describe how they should be tested. The best evaluation is done under a “no-holds-barred” approach. This means that the ethical hacker can try anything he or she can think of to attempt to gain access to or disrupt the target system. While this is the most realistic and useful, some clients balk at this level of testing. Clients have several reasons for this, the most common of which is that the target systems are “in production” and interference with their operation could be damaging to the organization’s interests. However, it should be pointed out to such clients that these very reasons are precisely why a “no-holds-barred” approach should be employed. An intruder will not be playing by the client’s rules. If the systems are that important to the organization’s well-being, they should be tested as thoroughly as possible. In either case, the client should be made fully aware of the risks inherent to ethical hacker evaluations. These risks include alarmed staff and unintentional system crashes, degraded network or system performance, denial of service, and log-file size explosions.

Figure 3 UNICEF Web page before attack

Figure 4 Hacked UNICEF Web page


Some clients insist that as soon as the ethical hackers gain access to their network or to one of their systems, the evaluation should halt and the client be notified. This sort of ruling should be discouraged, because it prevents the client from learning all that the ethical hackers might discover about their systems. It can also lead to the client’s having a false sense of security by thinking that the first security hole found is the only one present. The evaluation should be allowed to proceed, since where there is one exposure there are probably others.

The timing of the evaluations may also be important to the client. The client may wish to avoid affecting systems and networks during regular working hours. While this restriction is not recommended, it reduces the accuracy of the evaluation only somewhat, since most intruders do their work outside of the local regular working hours. However, attacks done during regular working hours may be more easily hidden. Alerts from intrusion detection systems may even be disabled or less carefully monitored during the day. Whatever timing is agreed to, the client should provide contacts within the organization who can respond to calls from the ethical hackers if a system or network appears to have been adversely affected by the evaluation or if an extremely dangerous vulnerability is found that should be immediately corrected.

It is common for potential clients to delay the evaluation of their systems until only a few weeks or days before the systems need to go on-line. Such last-minute evaluations are of little use, since implementations of corrections for discovered security problems might take more time than is available and may introduce new system problems.

In order for the client to receive a valid evaluation, the client must be cautioned to limit prior knowledge of the test as much as possible. Otherwise, the ethical hackers might encounter the electronic equivalent of the client’s employees running ahead of them, locking doors and windows. By limiting the number of people at the target organization who know of the impending evaluation, the likelihood that the evaluation will reflect the organization’s actual security posture is increased. A related issue that the client must be prepared to address is the relationship of the ethical hackers to the target organization’s employees. Employees may view this “surprise inspection” as a threat to their jobs, so the organization’s management team must be prepared to take steps to reassure them.

The ethical hack itself

Once the contractual agreement is in place, the testing may begin as defined in the agreement. It should be noted that the testing itself poses some risk to the client, since a criminal hacker monitoring the transmissions of the ethical hackers could learn the same information. If the ethical hackers identify a weakness in the client’s security, the criminal hacker could potentially attempt to exploit that vulnerability. This is especially vexing since the activities of the ethical hackers might mask those of the criminal hackers. The best approach to this dilemma is to maintain several addresses around the Internet from which the ethical hacker’s transmissions will emanate, and to switch origin addresses often. Complete logs of the tests performed by the ethical hackers are always maintained, both for the final report and in the event that something unusual occurs. In extreme cases, additional intrusion monitoring software can be deployed at the target to ensure that all the tests are coming from the ethical hacker’s machines. However, this is difficult to do without tipping off the client’s staff and may require the cooperation of the client’s Internet service provider.
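As an added illustration (not code from the paper or from IBM’s lab) of two points made above, the precisely scoped agreement and the complete test logs, the following Python checks every proposed target against the agreed network blocks and modem numbers before it is used, and records each attempt, allowed or refused, for the final report. The address ranges, modem numbers, exclusion list and log fields are constructed assumptions, not values from any real engagement.

```python
"""Scope enforcement and test logging for an ethical-hacking engagement.

Added illustration, not code from the paper or from IBM's lab. Every
target value below is a constructed sample (RFC 5737 documentation
addresses and 555 telephone numbers), standing in for what a signed
agreement would actually list.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample scope: what the agreement says may be tested.
# Network targets are CIDR blocks; modem targets are exact number strings.
AUTHORIZED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # client's Internet-facing block
    ipaddress.ip_network("198.51.100.16/29"),  # a small DMZ block
]
AUTHORIZED_MODEMS = {"+1-555-0100", "+1-555-0101"}

# Constructed exclusions: hosts inside an authorized block that the client
# carved out of the agreement (for instance a production database server).
EXCLUDED_HOSTS = {ipaddress.ip_address("192.0.2.250")}


def in_scope(target: str) -> bool:
    """Return True only if `target` is an authorized address or modem number.

    An address must fall inside an authorized block and not be excluded.
    Anything that is neither a parseable IP address nor a listed modem
    number is out of scope, so a typo in a target fails closed.
    """
    if target in AUTHORIZED_MODEMS:
        return True
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    if addr in EXCLUDED_HOSTS:
        return False
    return any(addr in net for net in AUTHORIZED_NETWORKS)


def check_block(spec: str) -> list:
    """Return the hosts in a CIDR block that are NOT covered by the agreement.

    A tester who proposes a whole block gets back the exact hosts that would
    hit the wrong system; an empty list means the block may be used as-is.
    """
    net = ipaddress.ip_network(spec, strict=False)
    hosts = list(net.hosts()) or [net.network_address]
    return [str(h) for h in hosts if not in_scope(str(h))]


class TestLog:
    """Append-only record of every test attempt, whether or not it was allowed."""

    def __init__(self):
        self.entries = []

    def record(self, tester: str, origin: str, target: str, test: str) -> dict:
        """Check scope, log the attempt, and return the log entry.

        Refused attempts are logged too (allowed=False) so the report shows
        that the scope check caught them before anything was sent.
        """
        entry = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "tester": tester,
            "origin": origin,   # address the test traffic would emanate from
            "target": target,
            "test": test,
            "allowed": in_scope(target),
        }
        self.entries.append(entry)
        return entry

    def dump(self) -> str:
        """Serialize the log as JSON lines for the final report."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


if __name__ == "__main__":
    log = TestLog()
    for target in ("192.0.2.10", "192.0.2.250", "+1-555-0100", "198.51.100.30"):
        entry = log.record("tester-1", "203.0.113.7", target, "service sweep")
        print("allowed" if entry["allowed"] else "REFUSED", target)
    print("unauthorized hosts in 192.0.2.0/24:", check_block("192.0.2.0/24"))
    print(log.dump())
```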

The line between criminal hacking and computer virus writing is becoming increasingly blurred. When requested by the client, the ethical hacker can perform testing to determine the client’s vulnerability to e-mail or Web-based virus vectors. However, it is far better for the client to deploy strong antivirus software, keep it up to date, and have a clear and simple policy in place for the reporting of incidents. IBM’s Immune System for Cyberspace16,17 is another approach that provides the additional capability of recognizing new viruses and reporting them to a central lab that automatically analyzes the virus and provides an immediate vaccine.

As dramatized in Figure 5, there are several kinds of testing. Any combination of the following may be called for:

● Remote network. This test simulates the intruder launching an attack across the Internet. The primary defenses that must be defeated here are border firewalls, filtering routers, and Web servers.

● Remote dial-up network. This test simulates the intruder launching an attack against the client’s modem pools. The primary defenses that must be defeated here are user authentication schemes. These kinds of tests should be coordinated with the local telephone company.


● Local network. This test simulates an employee or other authorized person who has a legal connection to the organization’s network. The primary defenses that must be defeated here are intranet firewalls, internal Web servers, server security measures, and e-mail systems.

● Stolen laptop computer. In this test, the laptop computer of a key employee, such as an upper-level manager or strategist, is taken by the client without warning and given to the ethical hackers. They examine the computer for passwords stored in dial-up software, corporate information assets, personnel information, and the like. Since many busy users will store their passwords on their machine, it is common for the ethical hackers to be able to use this laptop computer to dial into the corporate intranet with the owner’s full privileges.

● Social engineering. This test evaluates the target organization’s staff as to whether it would leak information to someone. A typical example of this would be an intruder calling the organization’s computer help line and asking for the external telephone numbers of the modem pool. Defending against this kind of attack is the hardest, because people and personalities are involved. Most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to let someone into the building who “forgot” his or her badge. The only defense against this is to raise security awareness.

● Physical entry. This test acts out a physical penetration of the organization’s building. Special arrangements must be made for this, since security guards or police could become involved if the ethical hackers fail to avoid detection. Once inside the building, it is important that the tester not be detected. One technique is for the tester to carry a document with the target company’s logo on it. Such a document could be found by digging through trash cans before the ethical hack or by casually picking up a document from a trash can or desk once the tester is inside. The primary defenses here are a strong security policy, security guards, access controls and monitoring, and security awareness.

Figure 5 Different ways to attack computer security. (Diagram not reproduced; its labels are: OUTSIDE BAD GUY, STOLEN LAPTOPS, DMZ, INSIDE BAD GUY, INTRANET, EXTRANET, FIREWALL, WEB, INTERNET, SERVICES.)

Each of these kinds of testing can be performed from three perspectives: as a total outsider, a “semi-outsider,” or a valid user.

A total outsider has very limited knowledge about the target systems. The only information used is available through public sources on the Internet. This test represents the most commonly perceived threat. A well-defended system should not allow this kind of intruder to do anything.

A semi-outsider has limited access to one or more of the organization’s computers or networks. This tests scenarios such as a bank allowing its depositors to use special software and a modem to access information about their accounts. A well-defended system should only allow this kind of intruder to access his or her own account information.

A valid user has valid access to at least some of the organization’s computers and networks. This tests whether or not insiders with some access can extend that access beyond what has been prescribed. A well-defended system should allow an insider to access only the areas and resources that the system administrator has assigned to the insider.

The actual evaluation of the client’s systems proceeds through several phases, as described previously by Boulanger.18

The final report

The final report is a collection of all of the ethical hacker’s discoveries made during the evaluation. Vulnerabilities that were found to exist are explained and avoidance procedures specified. If the ethical hacker’s activities were noticed at all, the response of the client’s staff is described and suggestions for improvements are made. If social engineering testing exposed problems, advice is offered on how to raise awareness. This is the main point of the whole exercise: it does clients no good just to tell them that they have problems. The report must include specific advice on how to close the vulnerabilities and keep them closed. The actual techniques employed by the testers are never revealed. This is because the person delivering the report can never be sure just who will have access to that report once it is in the client’s hands. For example, an employee might want to try out some of the techniques for himself or herself. He or she might choose to test the company’s systems, possibly annoying system administrators or even inadvertently hiding a real attack. The employee might also choose to test the systems of another organization, which is a felony in the United States when done without permission.

The actual delivery of the report is also a sensitive issue. If vulnerabilities were found, the report could be extremely dangerous if it fell into the wrong hands. A competitor might use it for corporate espionage, a hacker might use it to break into the client’s computers, or a prankster might just post the report’s contents on the Web as a joke. The final report is typically delivered directly to an officer of the client organization in hard-copy form. The ethical hackers would have an ongoing responsibility to ensure the safety of any information they retain, so in most cases all information related to the work is destroyed at the end of the contract.

Once the ethical hack is done and the report delivered, the client might ask “So, if I fix these things I’ll have perfect security, right?” Unfortunately, this is not the case. People operate the client’s computers and networks, and people make mistakes. The longer it has been since the testing was performed, the less can be reliably said about the state of a client’s security. A portion of the final report includes recommendations for steps the client should continue to follow in order to reduce the impact of these mistakes in the future.

Conclusions

The idea of testing the security of a system by trying to break into it is not new. Whether an automobile company is crash-testing cars, or an individual is testing his or her skill at martial arts by sparring with a partner, evaluation by testing under attack from a real adversary is widely accepted as prudent. It is, however, not sufficient by itself. As Roger Schell observed nearly 30 years ago:

From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality.19


Regular auditing, vigilant intrusion detection, good system administration practice, and computer security awareness are all essential parts of an organization’s security efforts. A single failure in any of these areas could very well expose an organization to cyber-vandalism, embarrassment, loss of revenue or mind share, or worse. Any new technology has its benefits and its risks. While ethical hackers can help clients better understand their security needs, it is up to the clients to keep their guards in place.

Acknowledgments

The author would like to thank several people: the members of the Global Security Analysis Lab at IBM Research for sharing their amazing expertise and their ability to make just about anyone understand more about security; Chip Coy and Nick Simicich for their trailblazing work in defining IBM’s Security Consulting Practice at the very beginning; and Paul Karger for his encyclopedic knowledge of computer security research and for his amazing ability to produce copies of every notable paper on the subject that was ever published.

**Trademark or registered trademark of the Open Group, Microsoft Corporation, eBay Inc., Yahoo! Inc., E*TRADE Securities, Inc., or Cable News Network LP, LLLP.

Cited references and notes

1. E. S. Raymond, The New Hacker’s Dictionary, MIT Press, Cambridge, MA (1991).

2. S. Garfinkel, Database Nation, O’Reilly & Associates, Cambridge, MA (2000).

3. The first use of the term “ethical hackers” appears to have been in an interview with John Patrick of IBM by Gary Anthens that appeared in a June 1995 issue of ComputerWorld.

4. P. A. Karger and R. R. Schell, Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, Vol. II, Headquarters Electronic Systems Division, Hanscom Air Force Base, MA (June 1974).

5. S. M. Goheen and R. S. Fiske, OS/360 Computer Security Penetration Exercise, WP-4467, The MITRE Corporation, Bedford, MA (October 16, 1972).

6. R. P. Abbott, J. S. Chen, J. E. Donnelly, W. L. Konigsford, and S. T. Tokubo, Security Analysis and Enhancements of Computer Operating Systems, NBSIR 76-1041, National Bureau of Standards, Washington, DC (April 1976).

7. W. M. Inglis, Security Problems in the WWMCCS GCOS System, Joint Technical Support Activity Operating System Technical Bulletin 730S-12, Defense Communications Agency (August 2, 1973).

8. D. Farmer and W. Z. Venema, “Improving the Security of Your Site by Breaking into It,” originally posted to Usenet (December 1993); it has since been updated and is now available at ftp://ftp.porcupine.org/pub/security/index.html#documents.

9. See http://www.faqs.org/usenet/.

10. Who can really determine who said something first on the Internet?

11. See http://www.cs.ruu.nl/cert-uu/satan.html.

12. This strategy is based on the ideal of raising the security of the whole Internet by giving security software away. Thus, no one will have any excuse not to take action to improve security.

13. S. Garfinkel and E. Spafford, Practical Unix Security, First Edition, O’Reilly & Associates, Cambridge, MA (1996).

14. For a collection of previously hacked Web sites, see http://www.2600.com/hacked_pages/ or http://defaced.alldes.de. Be forewarned, however, that some of the hacked pages may contain pornographic images.

15. In 1965, Intel cofounder Gordon Moore was preparing a speech and made a memorable observation. When he started to graph data about the growth in memory chip performance, he realized there was a striking trend. Each new chip contained roughly twice as much capacity as its predecessor, and each chip was released within 18–24 months of the previous chip. In subsequent years, the pace slowed down a bit, but data density has doubled approximately every 18 months, and this is the current definition of Moore’s Law.

16. J. O. Kephart, G. B. Sorkin, D. M. Chess, and S. R. White, “Fighting Computer Viruses,” Scientific American 277, No. 5, 88–93 (November 1997).

17. See http://www.research.ibm.com/antivirus/SciPapers.htm for additional antivirus research papers.

18. A. Boulanger, “Catapults and Grappling Hooks: The Tools and Techniques of Information Warfare,” IBM Systems Journal 37, No. 1, 106–114 (1998).

19. R. R. Schell, P. J. Downey, and G. J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, MCI-73-1, ESD/AFSC, Hanscom Air Force Base, Bedford, MA (January 1973).

Accepted for publication April 13, 2001.

Charles C. Palmer IBM Research Division, Thomas J. Watson Research Center, P.O. Box 218, Yorktown Heights, New York 10598 (electronic mail: [email protected]). Dr. Palmer manages the Network Security and Cryptography department at the IBM Thomas J. Watson Research Center. His teams work in the areas of cryptography research, Internet security technologies, JavaTM security, privacy, and the Global Security Analysis Lab (GSAL), which he cofounded in 1995. As part of the GSAL, Dr. Palmer worked with IBM Global Services to start IBM’s ethical hacking practice. He frequently speaks on the topics of computer and network security at conferences around the world. He was also an adjunct professor of computer science at Polytechnic University, Hawthorne, New York, from 1993 to 1997. He holds four patents and has several publications from his work at IBM and Polytechnic.
