Ethical Hacking

Description
“Ethical Hacking” is a prevalent example of improved Information Systems in the present world.

Business Ethics

Report on

Ethical Hacking

Table of Contents
Introduction
Relevance, Need and Urgency
Ethical hacking and Business Ethics
Problems and Challenges of Ethical Hacking
Recommendations and suggestions
The Group Process (Group 9, Section A)
References


Introduction
A hacker is someone who enjoys exploring how things work. Hackers explore programmable systems to learn how to stretch their capabilities. [1] The three main points of attack for a hacker are the operating system, the network and the application category. A person who breaks into computers or networks with the intention of deleting, changing or stealing information is a cracker. The most common ways of hacking are through spam. Phishing and attacks on digital homes, where every electrical gadget is connected to the internet, are the latest threats.

Ethical hacking is comparable to white hat hacking or computer penetration testing. [1] It can be a tool for identifying how vulnerable a system is to the latest cracking threats. An ethical hacker evaluates the vulnerabilities, points them out and suggests changes to systems. A point to be noted here is that ethical hacking, though used to increase the safety of computer systems or networks, is still considered hacking. This is because it involves using knowledge of computer systems to crack them.

The most notable study in this field was done by Farmer and Venema, who discussed the idea of using the techniques of the hacker to assess the security of systems. The paper was published in 1993, and the first automated tool, named SATAN, was created; it succeeded in identifying vulnerabilities and giving advice on how to eliminate them. [1] Thus, a vulnerability assessment, which involves detecting all vulnerabilities in the system or network, is carried out. This is followed by penetration testing, which attempts to simulate an actual attack on the system. The various other kinds of tests include remote network, remote dial-up network, local network, stolen laptop computer, social engineering and physical entry. Ethical hackers have very strong programming and computer networking skills, must be trustworthy, and should have detailed knowledge of computer hardware and immense patience.
An interview with Ankit Fadia, the famous Indian hacker, reveals that in contrast with ethical hackers, crackers are primarily motivated to hack just for “the kicks”. The very thought that they can do things that others can’t gets them going. [2]

Some of the issues associated with ethical hacking concern the use of data by the hackers. There are several legal and contractual risks associated with sharing data with ethical hackers. Many managers are now prohibiting the use of live data by development testers. An understanding of the types, source and use of data, and of the factors that determine specific laws and contracts, is a must. [3] For example, whether it is ethical for an ethical hacker to have access to a person’s date of birth depends on each of the above-mentioned factors. In addition, there must be some understanding of the assessment technique that is being used by the ethical hacker. This will allow an easy determination of which laws or contracts govern the assessment technique being used.

Eastern Europe and Asia are the major locations where hacking is at its peak. With increasing globalization and the development of new technologies, the world is becoming flat. However, along with all these positive developments, hacking attacks are increasing by the day. Ethical hacking is therefore an area of great attention in the times to come.

Hacking is performed by:

1. White hats or computer professionals: these hack computers with due permission from the system administrator or the person in command of the IT department of the organization. The main purpose behind ethical hacking is to check for the vulnerabilities that can be present in the system. There might be firewalls, intrusion detection systems and antivirus systems in place to safeguard the system from malicious activities, but intruders find ways to penetrate the security. It is the job of white hat hackers to look out for the vulnerabilities and suggest changes to systems that make them less likely to be penetrated by black hats.

2. Black hats: these are hackers who penetrate system security to obtain secured information, to break down system capacity or to crash systems. This does not fall into the category of ethical hacking but is unethical hacking.

In India, ethical hacking gained relevance when the RBI issued a mandate requiring banks to undergo ethical hacking and check their IT infrastructure before applying for internet banking.


Relevance, Need and Urgency
Relevance
The volatile growth of the internet has increased e-commerce and, subsequently, communication, but at the same time there is an increased risk of client, employee, customer and research information being exposed. Many companies are of the opinion that investing in ethical hacking is a waste of time and money, but the reality is that this ignorance can cost a company millions of dollars. There is a dire need for systems to be checked by experts so that they can be rendered secure and information is prevented from leaking into unwanted hands. Ethical hackers make sure that any of these vulnerabilities are fixed and problems plugged to protect data from fraudulent use. Intruders hack the files of employees, customers and other stakeholders and upload viruses that can corrupt the entire network. This can lead not only to the loss of important information but can also cost the company many of its clients, who stop trusting the company with important information.

To give a brief view, the different types of attacks which a hacker can launch on a system are:

1. IP spoofing: it causes the system to crash or lock up.
2. Session hijacking: here the session between client and server is stolen, and important credit card details can be stolen during a money transaction.
3. Password cracking: this cracks the username and password so as to log into the system.
4. Denial of service attacks: these are aimed at jamming the network so that communication gets congested and the system crashes.
5. Backdoors and Trojans: these install viruses and other malware on the systems, which replicate and corrupt system files or passively pass important information to the intruder.

The list is not exhaustive, but it does demonstrate the relevance of ethical hacking, without which organizations will put their systems, information and reputation at stake.

Need
1. If ethical hacking is done in a controlled environment, it helps ethical hackers determine to what extent the system is vulnerable to the latest cyber attacks.
2. Unethical hackers are on a constant hunt to penetrate the security of the system and keep devising new ways to do so. This makes it necessary to use ethical hackers who think the way black hat hackers think and fix the vulnerabilities.
3. With new viruses being unleashed every now and then, it becomes mandatory for firms to carry out continuous or periodic security checks.
4. Just as business organizations and banks have regular audits to check the bookkeeping records, accounts and procedures, computer systems also need regular checking.
5. Ethical hacking also requires ethical hackers who are trustworthy. They will be exposed to a lot of sensitive information which, if misused, can cost the company a fortune. Hence ethical hackers need to be selected on a priority basis.

Indian corporations should invest in ethical hacking and penetration reviews of IT infrastructure:

a. To prevent defacement of corporate websites with vulgar images and obscene text.
b. To protect confidential client or financial data from being compromised.
c. To prevent IT assets from being used as a launch pad for virus attacks.
d. To comply with industry and other IT regulatory frameworks.
e. To validate risk assessment.

Increased use of the internet and security concerns have generated the need for ethical hacking. Different types of organizations exemplify the need for ethical hacking:

1. Medical institutions hold private data which needs to be protected from getting hacked.
2. Government organizations like defense, telecom and railways have large chunks of data which need to be protected from being stolen, and there is also a need to prevent this data from being manipulated.
“As per Computer Emergency Response Team India (CERT-In), which is a referral agency to report computer security incidents in the country, a total of 612 Indian websites have been defaced during March 2008.” [4]

3. Ministry sites, which have become a constant target of hacking in recent times, have shown potential interest in ethical hackers so that these sites, which are of national importance, can be protected.
4. There are many organizations, like banks and other consumer sites, which store important personal information that needs to be safeguarded and is of interest to intruders.

Some statistics to show the need of ethical hacking:

1. Number of Cases of Fraudulent Withdrawal of Money from Banks* through Internet/Online Banking in India (2006-2007 to 19.02.2009)

Year                    No. of Cases    Amount (Rs. in Lakh)
2006-07                 147             107.83
2007-08                 374             320.80
2008-09 (19.02.2009)    210             603.39

As can be seen, the number of cases has increased in a span of three years. [5]

Figure 2: Trend in defacement of Indian Web sites 2000-2002.

These figures show some interesting trends. For Indian defacements, the month of December seems to show an increase in activity compared to previous months. Another interesting point is the general peak in the activity of Indian defacement around the months of January and August. This is probably due to the fact that the defacers try to make the defacements coincide with Indian Republic Day (26 January) and Independence Day (15 August). [6]

2. “July 2010 was the month for phishing attacks on Indian banks. A three percent increase in phishing attacks on Indian banks from the previous month has been observed. In particular, Symantec has observed phishing websites that spoofed the Oriental Bank of Commerce—several phishing URLs spoofing the bank were reported in the month of July.” [7]

Urgency
Fierce internet competition is forcing companies to host websites and offer services online without properly checking the security of the sites. Current software engineering practices used by vendors do not produce systems that are free from security holes. Organizations are not capable enough to minimize the security threats. Also, cyber laws and information security acts are still in an evolving state. Organizations are thus compelled to give serious thought to ethical hacking, so as to leave no stone unturned and see to it that none of the vulnerabilities are left unfixed.

Various industries are also moving towards more complex client-server architectures and distributed systems. But security measures are not keeping pace with such advances, and thus new vulnerabilities are constantly discovered. In addition to this, wireless connectivity and automation have increased the security threat manyfold. The integration and compatibility of so many systems will definitely give rise to serious security threats. Thus security cannot be addressed by simply using firewalls, IDS systems and other specialized software. Ethical hacking has to play a very major role in safeguarding business against malicious users.


Ethical hacking and Business Ethics
Ethical hacking involves a network and computer expert whose work is to judge and seek out vulnerabilities and loopholes in a security system and attack them. Ethical hackers do this on behalf of the system's owners, who in turn look to strengthen the system and safeguard it from malicious hackers. In short, this form of hacking may also be termed penetration testing or intrusion testing. It is all about helping customers or clients plug their security holes. There are various fields of business under which ethical hacking works.

Normative Ethical Theories [8]
These focus on individual freedom and responsibility towards moral decision making. Conscience plays a major role in determining any form of normative ethics. Apart from that individual or societal culture and religious inclinations also affect the same. This may be termed as the “Traditional” way of following business ethics.

1. Utilitarianism View
As per this theory, ethical decision making rests solely on results and outcomes. The individual looks to serve the greatest good to society and its elements, in the greatest numbers. This view is, in a way, also consistent with the goal of profit maximization. Ethical hackers look to prevent future hackings when it comes to the security of their customers' data. They focus on the good of the maximum number of their clients and work towards the betterment of their security. This exercise prevents malicious hackers from intruding into systems and harming the data and information stored for business purposes.

2. Kantianism View
As per this theory, individuals look to serve society as a part of their duty and responsibility. It also states that the actions executed by them should be universally accepted and agreed upon by society. Ethical hacking does not score full marks when it comes to the application of the Kantianism principle, because there still remains a certain section of the business society that does not affirm it. On the other hand, ethical hackers take intrusion testing as a part of the job or duty assigned to them by their superiors. This is borne out by the fact that they have clear permission from their customers to do their job.

3. Egoism
This aspect of business ethics refers to the situation in which the individual seeks to satisfy his or her personal goals and objectives. Strictly focused on self-interest and personal inclinations, the individual displays behavior that is aligned with his benefit, pleasure and greatest self-betterment. The ethical hacker in this situation is highly attracted towards IT infrastructure and networks. He looks to develop his understanding of the security policies of organizations and of how data management and information systems function.

Implications of Ethical Theories [8]
Apart from the aforesaid normative theories of business ethics, the ethical hacker influences processes and techniques in various fields, namely:

• Marketing – Sticking to ethical pricing and refraining from manipulation of networks in order to breach secured competitor databases.
• Human Resources – Maintaining proper balance of power between the organization and the hacker despite critical information sharing.
• Consumer Protection – Fairness of employment contract and adhering to privacy rules and regulations.
• Environmental issues – Complete online and computerized duties that require a large amount of power and electricity to run machines and data servers.
• Corporate Ethics – Prevention of misuse of copyrighted intellectual property of organizations.
• Globalization – Linking the company projects and exercises to the outer world beyond the span of a country or region by placing improved security systems with a prior knowledge of prospective breaches. Issues related to terrorism and wars are globally affected by the works of ethical hackers.

Stakeholders of Ethical Hacking [9]
1. Corporate organizations
2. Police Agencies
3. National / State governments
4. Private Security Agencies
5. Banks and Financial Institutions
6. Telecom Operators
7. IT-BPO firms / Call Centers

Potter box – Ethical Hacking


Problems and Challenges of Ethical Hacking
Ethical hackers are hackers employed by companies to protect their software and data against other hackers. They belong to the same group as hackers, but they use their skills and intelligence not for destruction but for protection. This is the main difference between an ethical hacker and an unethical hacker. As an ethical hacker knows all about hacking, his skills and knowledge are very handy to companies in protecting their data against any kind of hacking or leakage. It helps to boost security.

But with the positives also come the problems. The following are the problems that companies and the hacker face in implementing ethical hacking. The firm puts a lot of trust in the person it employs as an ethical hacker. It has to divulge all its data and information to him; he has access to all the security codes and passwords. Thus the firm is putting a lot of blind faith in the ethical hacker. It has to depend solely on his word and face the consequences of his actions if his intentions turn malicious. The following are some examples of his intentions turning malicious and putting the company in jeopardy.

Software selling: The hacker has access to all the information and data, as he knows all the security codes and passwords. One of the ways in which he can harm the employer’s company is by selling the software which it uses for protection or which it has developed for use in its operating systems.

Ethics of the ethical hacker: Although he is termed an ethical hacker, questions may arise about his ethics. It may so happen that he leaks important information to other firms and gets money from them while also being employed by the current firm and being paid for his job, thus getting dual sources of income and destroying the current employer. An ethical hacker does not destroy at large but protects. But in such cases he would be no less than an unethical hacker.

Risk of losing all information: Though the person employed is an ethical hacker and is paid for protecting the data and software of the employer’s company, it may so happen that he still gives out all the data and information to a rival company for more money without informing the previous employer. In such a case the original employer faces a big risk of losing a lot of data and information to the rival, and the rival may get a leeway.

Other competitors: Other competitors may try to lure the hacker by offering him more money than the employer, thus getting him to join their firm and also do some damage to the current employer. It is also to be noted that in many cases the ethical hacker is quite young. Such young minds can be manipulated very easily, and they can be made to do anything if they are ready to hear you out. Competitors may sometimes take advantage of this and harm the company.

Public image: Hacking as such is not viewed as a very good concept. The image of hacking is associated with destruction and crime in the minds of the general public. Though most of them know what hacking is, what ethical hacking is and how it can be used, not everyone is comfortable with the idea of hacking or being hacked. Besides, the general public at large doesn’t always know what goes into making the company run every day. So, if the customers of, say, a telecom company come to know that the company employs ethical hackers, they may take it otherwise and get uncomfortable with the idea of their private information being tapped, hacked and viewed by some other person. This will not actually deter the company from using ethical hackers, because of its needs, but the general perception of the company may change in the minds of people if proper knowledge is not given to them.

New technology: The hacking team of a company may face a challenge if some new technology is suddenly invented which can help penetrate the systems of the company. So if the hacking team is not up to date with new technologies, the company may face a challenge.

Hacker: The hacker may himself face a lot of problems when the company’s information actually gets leaked. Even if the hacker has not committed a crime, he will have to face a lot of scrutiny and investigation. He may also be put behind bars. Hackers don’t have such protection at large, because it is always very difficult to prove innocence given the kind of profession they are in.


Recommendations and suggestions
Ethical hackers are capable of performing various kinds of security-related exercises and activities to ensure that the system is not penetrated by external malicious hackers. This process includes testing the steps taken by unethical hackers and verifying whether the existing system, or even the modified one, is capable of withstanding breaching attempts. Managers in organizations take this issue on a priority basis, and the appointment of ethical hackers must be done after a proper due diligence process. The past history of the hacker should also be taken into consideration to check for any unethical incident and verify his credibility. Hackers should be well infused with “Business Ethics” rules and standards of Honesty, Integrity, Transparency, Accountability and Responsibility. Ethical hackers should be loyal to their employers in the form of data security and information transfers through the network of the organization.

Managers should also see to it that ethical hackers are made a part of the system development life cycle right from the requirement analysis stage. This makes them more accountable and responsible towards the penetration testing procedures. The hacker is also able to understand the system better, which allows him to put in place more innovations for the same.

Another aspect of decision making will include legal recruitment guidelines and terms, proper compensation and lucrative benefits that will enable the ethical hacker to stay with the employer for a longer duration. This will result in sustainable, improved and effective services. Stable performance management and appraisal procedures should also be made effective so that the ethical hacker sees himself rising up the hierarchy related to his job band. Monitoring of the activities that the ethical hacker executes is another task that the manager needs to take into account. This will make the system and process more lucid and accountable to the employer.


The Group Process (Group 9, Section A)
We were assigned the topic of “Ethical Hacking”, which is a prevalent example of improved Information Systems in the present world. With excessive use of the internet and the World Wide Web, accessing data has been very easy and interesting, which has led to the rise of several communities of hackers. This project has given us an opportunity to learn about the various aspects of the same and analyze the implications on the present Information Age. Our group consisted of five members, and we devised the strategy of sectioning and distributing the required information among all of us. Apart from the large amount of information available on the web, we made use of the extensive library facilities as well. The work division was as follows:

1. Aparajita Bose: Introduction to “Ethical Hacking”
2. Rahul Garg: Need, Relevance and Urgency of “Ethical Hacking” in present scenario
3. Joy Mukherjee: Application of “Ethical Hacking” using core “Business Ethics” concepts
4. Tuhi Thakker: Problems and Challenges of “Ethical Hacking”
5. Sushanth Kodela: Recommendations and Managerial implications of “Ethical Hacking”

Each of the assigned members made it a point to search and collect relevant information about their topics and prepare the draft report. When all of them had accomplished their assigned micro tasks, the members met approximately once a week to discuss and brief each other about their learning. This made the topic clearer and easier for the “recommendations and suggestions” to be prepared lucidly. Not much information was readily available over the internet and library resources, so the members had to resort to more of a brainstorming and analytical approach towards the applications and impact of “Ethical Hacking” as an organizational strategy.


References
1. Ethical Hacking ensuring non-vulnerability of systems to security attacks, Retrieved on 27 February, 2011 from http://www.docstoc.com/docs/36717713/Ethical-Hacking
2. Q&A: The Ethical Hacker: Ankit Fadia, Retrieved on 3 March, 2011 from http://web.ebscohost.com/ehost/pdfviewer/pdfviewer?hid=107&sid=3b3d4025-a9bf473b-b64a-0000fe89f9fb%40sessionmgr113&vid=4
3. Data Security and Ethical Hacking, Retrieved on 28 February, 2011 from http://web.ebscohost.com/ehost/detail?hid=107&sid=3b3d4025-a9bf-473b-b64a0000fe89f9fb%40sessionmgr113&vid=4&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#db=bth&AN=34546846
4. Defacement of government sites on rise (14/05/2008), Retrieved on 2 March, 2011 from http://www.merinews.com/article/defacement-of-government-sites-on-rise/133977.shtml
5. Cases of fraudulent withdrawal of money through internet, Retrieved on 4 March, 2011 from http://www.indiastat.com/CrimeandLaw/6/CyberCrimes/347183/458334/data.aspx
6. Analysis of defacement of Indian Websites by K.N. Srijith (29 November, 2002), Retrieved on 4 March, 2011 from http://131.193.153.231/www/issues/issue7_12/srijith/index.html
7. Symantec-Phishing attacks on Indian Banks on the rise (8/7/2010), Retrieved on 8 March, 2011 from http://www.virus.gr/portal/en/content/symantec-phishing-attacksindian-banks-rise
8. ‘Business Ethics and Corporate Governance’ by AC Fernando, Second Impression 2011
9. Using the Potter Box to make ethical decisions (13/02/2007), Retrieved on 5 March, 2011 from http://www.associatedcontent.com/article/141131/using_the_potter_box_to_make_ethical.html
