Page 1: INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking as a way of reviewing and strengthening the security of information systems - By Hansa Edirisinghe

INFORMATION SECURITY MANAGEMENT

MSc IT Assignment 2013

Critique the employment of ethical hacking as a way of reviewing and strengthening the security of information systems.

Hansa K. Edirisinghe, BSc (Hons) University of Portsmouth, UK
MSc IT, Cardiff Metropolitan University, UK

24th February 2013

This report discusses the employment of ethical hacking through a disciplined, systematic analysis as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking.


Abstract

This report discusses the employment of ethical hacking through a disciplined, systematic analysis as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking. In the process, it provides a basic idea of Information Systems and their importance to an organization and its business; the importance of information security; the danger of hacking attacks and their impact on the finance and business setting of the organization; and the different types of hackers. Later it gives a comprehensive description of Ethical Hacking and its importance to the security of Organizational Information Systems, supported by literature evidence and statistics.

The pros and cons of Ethical Hacking, the advantages of employing an Ethical Hacker, and the difficulties companies face when hiring Ethical Hackers are also discussed in this report. Since the Ethical Hacker takes care of multiple aspects of system security, the report discusses the approach to strengthening security at the source code level of the applications; the network infrastructure of the Information System; the web server, web application and web services level of the Information System; the database level of the applications; the email server and malicious code protection of the Information System; and the wireless and mobile application level of the Information System. It also discusses the Ethical Hacker's responsibilities when installing "new releases", "version upgrades" and "bug fixes" to the Information System. Since ensuring the security of clients' information is a major critical factor, the report discusses the Ethical Hacker's involvement in that function as well.

The overall report analyzes and evaluates the above key points to show how the employment of an Ethical Hacker could strengthen the security and review the protection of an Information System.


Table of Contents

1.0 Introduction
1.1 Information System
1.2 Information Security
1.3 Types of Hackers
2.0 Literature review
2.1 Major hacking attacks
2.2 Ethical hacking
2.3 Employment of Ethical hacker
3.0 Pros and cons of ethical hacking
3.1 Advantages of ethical hacking
3.2 Barriers to ethical hacking
4.0 Reviewing and strengthening the security of IS – the role of EH
5.0 Evaluation & Recommendation
6.0 Conclusion
7.0 Bibliography


Table of Figures

Figure 1.1: An organization's IT components, platform, IT services and IT infrastructure.
Figure 2.1: Cyber Attacks - 2012


1.0 Introduction

Almost every industry is highly dependent on information systems. Emerging technology has changed the typical lifestyle of people drastically. Traditional paper-based solutions have almost been abandoned and people have moved towards electronic lifestyles; thus electronic equipment and systems play a major role in modern technology. Since technology helps improve effectiveness and efficiency, people are attracted to electronic information systems and virtual databases to make their lives easier. This report is a disciplined, systematic analysis of the employment of ethical hacking as a way of reviewing and strengthening the security of information systems.

1.1 Information System

An Information System (IS) usually consists of the components involved in processing data and producing information. Though this technical description of an IS sounds simple, it is one of the main areas that directly affects the growth and existence of a business.

An IS is an integrated, user-machine system for providing information to support operations, management and decision-making functions in an organization. The system utilizes computer hardware and software; manual procedures; models for analysis, planning, control and decision making; and a database. (Davis & Olson, 2000)

In an environment where the business depends on an IS, the system owners should take care of the quality, durability and security of the system. Even if the system is operationally in good condition, outsiders can easily harm the company's IS if it is not secured well. Consequently, it could directly spoil the entire business. Therefore information security is a major and critical factor in an IS.

1.2 Information Security

Modern companies have their own "Security Policies" to overcome potential security threats. There are different security policies, such as cyber security. The impact of security threats is plainly visible when analyzing the statistics and is discussed in detail in the literature review. Large-scale organizations and government ministries are usually highly vulnerable to security threats.

Information security plays a critical role between the organizational information system and the basic IT components. Similarly, information security is important for the IS as far as system development and data management are concerned, as illustrated in Figure 1.1.


Figure 1.1: An organization's IT components, platform, IT services and IT infrastructure.
Source: (Rainer & Cegielski, 2011)

It is necessary that the IS be protected from potential external threats while managing the organizational IS. Therefore the company's security system should be strong enough to protect the system from external hacking attacks, unauthorized access and malware. Accordingly, the company's security policy should be capable of preventing the possible risks of social engineering and data theft.

1.3 Types of Hackers

Out of all the types of security threats, hacking is the most common and critical threat to an IS. Hacking usually takes advantage of weaknesses in the system. According to the main purpose of their hacking, hackers are divided into three groups: Black Hat hackers, White Hat hackers and Gray Hat hackers.

Black hat hackers are known as criminal hackers. They violate a system's security for their personal gain or someone else's needs. Usually these attacks are illegal. They break into organizational systems, put viruses and malware into the system, steal or destroy the organization's critical data and sometimes jam the system to prevent future use. Some hackers hack just for fun, but most of them do it for financial benefit.

Unlike Black hats, White hat hackers do not attempt any illegal activity by hacking. They are hired by organizations to test the vulnerability of their own IS. They are essentially specialists in hacking and use a range of hacking techniques at different levels to hack a system, find vulnerable areas, provide solutions and expert knowledge before attacks take place, and advise how to take action to prevent future attacks.


Since hacking has become a major challenge for IS, companies recruit white hat hackers as internal employees at high salary scales. Therefore the job description of these employees reflects the functions of a white hat hacker. Accordingly, the personnel who perform such duties are termed Ethical Hackers (EH).

Gray Hat is a combination of both black hat and white hat. There is no specific gain for these hackers except to show their strengths in hacking. They are deemed to be acting illegally, though in good will, or to show how they disclose vulnerabilities in some circumstances.


2.0 Literature review

According to the 2012 Cyber Attacks Timeline Master Index of hackmageddon.com, at least three or more critical hacking attacks were reported a day. Some of these attacks did huge damage to the organizations.

Figure 2.1: Cyber Attacks - 2012
Source: (Passeri, 2013)

The statistics reveal that most of these attacks are Cyber Crime and Hacktivism. The targeted categories for many of these attacks were countries' governments, banks and e-commerce websites.

2.1 Major hacking attacks

There have been famous Black hat hackers in history who have done massive damage to leading organizations in the world. "Operation Aurora" is one of the major attacks of 2010 that targeted Google and 33 US technology companies. It was reported that Kevin Mitnick was arrested in 1995 for hacking IBM, Motorola, NEC, Nokia, Sun Microsystems and Fujitsu Siemens, Pacific Bell, FBI, Pentagon and Novell. A British hacker, Gary McKinnon, is known as the "biggest military computer hacker of all time" and caused damage amounting to more than $700,000 to U.S. military systems. The Rediff News website stated on October 5, 2012 that 42 million Indians were hit by cyber crimes and the recorded loss was $8 billion within the past 12 months. (Nanjappa, 2012)

Apart from these foreign attacks, the Sri Lankan army website was reported hacked in 2009 as a result of terrorist activities.


2.2 Ethical hacking

Ethical hacking is a modern security technique that exists in certain countries such as the USA and Europe. These countries have gained successful results by employing this concept. Some of the large organizations in Sri Lanka also practice Ethical Hacking for the protection of their IS. Being a highly paid and responsible job, there is a huge demand for the profession of EH. Due to this emerging demand, several certification criteria have been introduced in order to recognize/certify the knowledge, skills, and professional qualifications pertaining to EH.

2.3 Employment of Ethical hacker

The main job function of an EH is to do vulnerability testing on the organizational IS, both internal and external, thus identifying the vulnerabilities and evaluating fixes (patches) for vulnerabilities and malicious code. In order to do this the EH should be highly competent in computer literacy, software, hardware and networks.

This is a highly important employment; thus the EH should understand the significance of the job and deliver the duties with utmost care and vigilance. One mistake may cost huge damage to the company, and the EH should be a trustworthy person. He/she should be self-motivated, effective, efficient, and an intelligent decision maker as well.

According to an article in The Times of India on May 14, 2012, ethical hacking was estimated last year to be a US$ 3.8 billion industry in the US alone. According to Nasscom, India will require at least 77,000 ethical hackers every year, whereas it is currently producing only 15,000 a year. Frost & Sullivan have estimated that there are 2.28 million information security professionals worldwide, which is expected to increase to nearly 4.2 million by 2015. (Dewan, 2012)

When it comes to remuneration, the article also states that a fresher may work as an intern for a couple of months and can start with a minimum of Rs 2.5 lakh per annum. With one year of experience, one can expect up to Rs 4.5 lakh per annum. Those with work experience of five years or more can get from 10-12 lakh per annum. (Dewan, 2012)

Thus these statements provide evidence of the importance, demand and commercial value of EH in the industry.


3.0 Pros and cons of ethical hacking

An EH carries out a critical job; thus the safety of the business and the reputation of the organization ultimately depend on the EH. By employing an EH, in fact the organization creates a person who can either protect or destroy the organization overnight.

3.1 Advantages of ethical hacking

An EH acts proactively and is thus capable of identifying a potential risk of theft well in advance. By conducting internal and external vulnerability testing, the EH finds the weaknesses of the company information system. This facilitates proactive action, as the organization can take the necessary precautions to protect the IS from potential hackers. In addition to stopping unethical hacking, the EH could create traps to monitor hacking attempts. This enables the company to take legal action against hackers, and it may discourage hackers from making further attempts. Therefore ethical hacking helps to address the loopholes in the IS in advance.

The confidentiality of data is key, especially in banking and financial establishments that are usually major targets for hacking. If a hacker gains access to such a system, the hacker can change, destroy or pilfer the critical information. It might damage the entire business setup of the organization. But ethical hacking can professionally prevent hackers from accessing the system.

Web domain hacking is a common threat for every organization. It is harmful to the company's reputation and image if the hackers succeed in their attempt. However, an EH can prevent defacement of websites.

Hacking is technically a broad subject. Even though there are identified tools and techniques, it is an evolving subject and hackers keep experimenting with new techniques. An EH expert is therefore a person who plays the role of an inventor. He/she explores every possible attack and closes off all the potential opportunities as far as hackers are concerned. Therefore the EH has to identify and analyze the potential risks and control the vulnerable areas. The hands-on experience of doing these tasks could develop the employee's personal skills, technical skills and management skills.

The value that an EH could create for an organization will often increase with the skills and knowledge the EH gains by working. These upgraded skills eventually become an asset to the organization, creating a competitive edge.


3.2 Barriers to ethical hacking

Unlike most other professions, everything in ethical hacking depends on trustworthiness. While certain terms and conditions could control the employee to some extent, the EH has full control of the organizational information system. Therefore the EH can access, modify or delete anything in the system and knows both the strengths and weaknesses of the system. The creation of such an individual could eventually be a threat to the organization.

Since there is a high demand for ethical hackers, it is very expensive to hire or recruit them as employees. Therefore small-scale organizations might not be capable of recruiting an EH, since the recruitment is costly.

Usually, it is difficult to employ an EH in an organization because finding a trustworthy person who is equally equipped with expert skills in hacking is a tough task.

Trustworthiness alone is not enough for the profession of EH. The person should be competent and a specialist in the field, and an innovative person as well. Identifying such a revolutionary figure is not an easy task.

While it is difficult to find the most suitable person, it is equally difficult to ensure that the person will not leave the company shortly. Frequent employee turnover may cause problems for the organization, especially in this field and for the security of the IS.


4.0 Reviewing and strengthening the security of IS – the role of EH

It is evident from the above discussion that the EH should play a proactive role and thus should necessarily be vigilant in every activity of the organizational IS. An efficient and effective EH's duty is not limited to the mere performance of a routine work schedule but is a genuinely task-oriented, self-motivated, devoted and highly disciplined function.

There is no control once a hacker has accessed the system, irrespective of the hidden objectives (whether malicious or innocent). Whatever the objective, a hacker usually has expert knowledge in the IT field. Therefore the service of an even smarter EH is needed to catch criminal hackers or deny them access.

The EH should conduct external and internal vulnerability testing and network penetration testing frequently. Once a vulnerable area of the system is identified, the EH should identify the potential threats to that particular area and, through a systematic analysis, assess the maximum potential damage the hacker may cause. Once a risk assessment is made, the EH should plan a suitable approach according to his/her analytical observations and propose the necessary precautions. Thereafter the EH may instruct/supervise the technical staff to fix the problem area immediately. Time is a very critical factor during this process; thus the personal qualities of the EH mentioned above would be the key. Once the issues are fixed, the EH should review the system and ensure the intended protection of the system is well in place. The system should be reviewed frequently, instead of once or twice, in order to verify and strengthen the protection against future attacks as well.

An IS consists of both software and hardware. Therefore the security of the system's network infrastructure and database should be reviewed frequently. The EH should foresee and analyze potential risks when changing or enhancing the current network infrastructure, upgrading or installing new hardware in the IS, and enhancing the databases. Proper guidance should be provided by the EH while taking these actions, to make sure the change or enhancement does not create opportunities or open a pathway for hackers.

In addition to the threats to the entire IS, the EH should pay attention to the organizational web applications and web services. It is necessary to test for vulnerabilities and analyze potential threats to the web. The EH should always monitor unethical activities on the website, particularly by external users. Even when due protection is applied, a hacker sometimes may break into the system in an unexpected way. Therefore the EH should maintain a tracking and alerting system to catch the attackers with minimum damage to the system, "before it is too late". Once the damage is repaired, the EH should reassure the security and strengthen it as much as possible.

The role of the EH cannot be performed by any other common software method. For example, White Box testing checks whether the source code is working and whether there are any code errors or unhandled exceptions. But it does not check the level of vulnerability of the source code to hacking attacks. Therefore the EH should frequently review the source code of applications. While reviewing the existing source code, the EH should analyze the vulnerabilities of "new releases", "version upgrades" or "bug fixes" installed in the IS at their source code level.
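The contrast just drawn, as an added example that is not part of the original report: a Python query function, run against a constructed in-memory SQLite table, that passes an ordinary white-box check yet fails a source-code security review, beside its parameterized form. All function, table and user names are assumptions for illustration.

```python
import sqlite3
from typing import Callable, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an organizational IS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


Lookup = Callable[[sqlite3.Connection, str], Optional[str]]


def role_unsafe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Builds the SQL by string formatting. Correct for ordinary names, so
    functional tests pass, but untrusted input can rewrite the query."""
    rows = conn.execute(
        f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return rows[0][0] if rows else None


def role_safe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Hardened form: a parameterized query keeps data separate from code."""
    rows = conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return rows[0][0] if rows else None


def functional_check(fn: Lookup) -> bool:
    """What white-box testing verifies: expected results for known inputs.
    Both versions pass this."""
    conn = make_db()
    return fn(conn, "alice") == "admin" and fn(conn, "carol") is None


def exception_check(fn: Lookup) -> bool:
    """A legitimate name containing an apostrophe. The unhandled exception
    raised by the unsafe version is the kind of defect white-box testing
    does catch."""
    conn = make_db()
    try:
        fn(conn, "o'brien")
        return True
    except sqlite3.OperationalError:
        return False


def injection_check(fn: Lookup) -> bool:
    """What a source-code security review adds: a crafted name must not
    yield a role for a user that does not exist. The unsafe version returns
    a row without raising anything, so no functional test notices."""
    conn = make_db()
    return fn(conn, "carol' OR '1'='1") is None


if __name__ == "__main__":
    for label, fn in (("unsafe", role_unsafe), ("safe", role_safe)):
        print(label, functional_check(fn), exception_check(fn),
              injection_check(fn))
```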

In today's mobile era many organizations have developed wireless and mobile applications which communicate directly with the organizational IS. Although the system monitors all the connected wireless devices, this does not help to protect the system from hackers; it provides evidence to catch the hacker only after the attack has been done. The EH's role is to identify the vulnerabilities to wireless attacks and to properly test and review the mobile applications which are capable of accessing the system. Portable devices such as mobiles and laptops could easily be stolen, so the EH must be vigilant about the physical safety of company portable devices.

Nearly 60% of malicious code comes through email. Some hackers trace system information through malicious code. Therefore the EH should make an extra effort to safeguard the organization's email server. The EH should provide the necessary advice to the technical staff to detect the threats prior to an infection. It is important to educate email users not to open spam and ambiguous mails. It will be an effective precaution to strengthen the safety of the IS.

Similar to the company's internal information, the whole organization is responsible for protecting the client's information provided for different business reasons. In certain business environments the client is compelled to provide very confidential/critical data based on trust. It is in any case not ethical (and also illegal) to use that data without the owner's consent, irrespective of whether it is harmful or harmless to the owner of the data. The trust between the organization and the client is lost if the client's critical information goes into the wrong hands. In such situations both the company and the client will be in trouble. At one extreme it could be a threat to the client's business, while on the other hand the company will lose its client. This does not end there, as the company's reputation will be seriously damaged through "word of mouth". Therefore the EH plays an indirect role in the wellbeing of the clients' business as well.


5.0 Evaluation & Recommendation

When analyzing the role played by the EH, it is proved that the EH is an essential employee for an organization, especially in the modern era. Organizations globally are adapting to emerging technology and reducing paper-based work considerably. It is very difficult to find an office without at least a simple tailor-made system. Some big organizations are fully automated electronically. While they enjoy many benefits from that, it exposes them to many threats; thus the security of information has become a huge challenge. The human being is an innovative creature, so no artificial intelligence tool could totally control information security. Therefore another human being is required to regularly control such innovative security threats, which have no end.

There should be trust between the company and its client in securing a business. Thus the company is always bound to protect the critical information of the client that has been entered into the system for easy recovery. EH is an employment which assures the security of the organizational IS in every aspect. It strengthens the security of the system's network infrastructure, firewalls, mail servers, web applications, mobile applications and databases. Regular monitoring and reviewing make the security more stringent and up-to-date. Regular tracking and tracing of hacking attempts will discourage hackers from continuing their attempts. Therefore it is highly recommended that medium to large-scale organizations have an EH. Small-scale organizations too may consider employing an EH after comparing the cost and the benefits that can be acquired by recruiting an EH.


6.0 Conclusion

IS security has become a major challenge and organizations are finding solutions to protect their systems from hackers in an electronic-based culture. It is suggested that ethical hacking could minimize, if not totally eliminate, the threat of criminal hackers.

Since ethical hacking is an evolving subject, understanding the effectiveness of ethical hacking is vital. Firewalls, password protection, malicious code protection, encryption and legal barriers could support IS security in various aspects. These are man-made fixed protections that cannot be upgraded automatically. This gap can be successfully bridged by the EH, because ethical hacking is an effective method that involves the live activities of a human being on a continuous basis.

The US and European countries effectively use EH. Their companies sustain themselves and make considerable profits despite the challenges applicable to any modern firm globally. As a result they usually invest a considerable amount in ethical hacking every year. Understanding the importance of ethical hacking, some of the giant Asian countries such as India and China also follow suit. This clearly shows the increasing demand for EH, given the daily statistics of reported incidents of cyber attacks in newspapers and international forums.

In respect of the analysis of all these factors, it is very clear that the employment of an EH is an important factor for information security. The functions carried out by the EH will effectively manage the security of the organizational IS, and the EH could effectively review and strengthen the security of the IS.


7.0 Bibliography

Davis, G. B. and Olson, M. H., 2000. Management Information Systems. 2nd ed. New Delhi: Tata McGraw-Hill.

Dewan, D., 2012. Ethical hacking: On the right side of law. [online] The Times of India. Available at: <http://articles.timesofindia.indiatimes.com/2012-05-14/education/31700535_1_ethical-hacker-malicious-hacker-information-security> [Accessed 22 February 2013].

Nanjappa, V., 2012. India needs more than 4 lakh hackers. [online] Rediff News. Available at: <http://www.rediff.com/news/slide-show/slide-show-1-india-needs-more-than-4-lakh-hackers/20121005.htm> [Accessed 22 February 2013].

Passeri, P., 2013. 2012 Cyber Attacks Statistics. [online] hackmageddon.com. Available at: <http://hackmageddon.com/2012-cyber-attacks-statistics-master-index/> [Accessed 22 February 2013].

Rainer, K. R. and Cegielski, C. G., 2011. Introduction to Information Systems. 3rd ed. New Jersey: John Wiley & Sons.

