An ethical hacker, a developer, a system engineer and an auditor walk into a bar… you think it's a joke, right?
It is not the typical set of people having a drink at the bar. And from a professional point of view and with 20+ years of experience in IT and security, I have not seen a lot of people or teams combining these skills. [I didn’t mention the lawyer,… he was late and paid the bill.] But hey, you can bet on it that it will become the new normal.
What looks like a completely different set of skills at first sight is in fact a very compatible one: all of them are needed to protect your systems and data from cybercriminals and other people with malicious intent, who are very persistent in getting in. Criminality has been around for ages, but what is different in the current era of cloud computing?
The Cloud Paradigm Shift
While shared and redundant infrastructure has existed since the start of computing, the X-as-a-service model is little more than 10 years old: Microsoft SkyDrive (the predecessor of OneDrive) started in 2008, and Google Docs dates from October 2006. I do not want to dive into all the "cloud" characteristics, but the five essential characteristics defined by NIST (SP 800-145) and generally accepted as the definition are relevant for this article: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Most importantly, as NIST puts it, cloud computing is built on "(1) fast wide-area networks, (2) powerful, inexpensive server computers, and (3) high-performance virtualization for commodity hardware."
For more information: https://csrc.nist.gov/projects/cloudcomputing. I also recommend reading the ENISA Cloud Computing Risk Assessment, because it is a very useful baseline for protecting your IT infrastructure, both in the cloud and in your physical data center.
Please also realize that, in the past, today, and in the future, criminals have the same means at their disposal. The dark side, however, has no ethical limitations, so it always has a head start. Of course, cloud has caused a major shift in business and IT, but most importantly a shift in mindset. And the next technology wave is already swelling: IoT (Internet of Things).
When talking about IoT, you probably think of smartwatches, fridges, smart TVs, home control devices, kids' toys; in general, any internet-connected device for personal use.
But IoT in a broader interpretation is not limited to personal devices with internet connectivity. Smart devices are also used in enterprise and industrial environments, such as manufacturing, traffic control, waste management, heating systems, drinking water systems, radar systems, and electricity generation and distribution. Then "simple" IoT becomes IIoT, the Industrial Internet of Things. It remains to be seen where (I)IoT is going and what other waves will emerge.
But if you take a step back and look at the common denominators in these technology waves, you see that it always comes down to the same components you need to protect.
- Infrastructure (including networking, computing/processing, and storage)
Security was, is, and will be fundamentally the same; only its shape keeps changing.
As just one example, look at the OWASP Top 10 web application security risks (source: https://owasp.org/www-project-top-ten/). The number one, injection, is as old as data storage itself. That says a lot. Why does that matter? Well, this is where the "black hats" will be, one way or another. And if you want to protect yourself, your peers, and your infrastructure, you need to think like a hacker.
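As an added example that is not part of the original article, here is that number-one flaw in its smallest form: a lookup that splices user input into SQL text, beside the parameterised version, both run against an in-memory SQLite database. The table, the two rows and the payloads are constructed for the demonstration; nothing here comes from the OWASP project.

```python
# Added example (not from the article): the injection flaw that tops the
# OWASP list, shown as a vulnerable lookup beside its parameterised fix.
# Uses an in-memory SQLite database with constructed rows.
import sqlite3


def make_db():
    """Build a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "s3cr3t-alice"), ("bob", "user", "s3cr3t-bob")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Builds the SQL text by string concatenation: whatever the caller
    passes in becomes part of the statement, so quotes and keywords in
    the input are parsed as SQL."""
    query = ("SELECT name, role FROM users WHERE name = '" + name +
             "' ORDER BY name")
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the value is bound by the driver and can only
    ever be compared as data, never interpreted as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? ORDER BY name", (name,)
    ).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology
# (every row matches); the second appends a UNION that pulls a column the
# original query never exposed, and comments out the rest of the statement.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, secret FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("normal   :", find_user_vulnerable(db, "bob"))
    print("tautology:", find_user_vulnerable(db, TAUTOLOGY))
    print("union    :", find_user_vulnerable(db, UNION_DUMP))
    print("safe     :", find_user_safe(db, TAUTOLOGY), find_user_safe(db, UNION_DUMP))
```

The vulnerable function returns every row for the tautology payload and the secret column for the UNION payload; the parameterised function returns nothing for either, because the whole payload is compared as a literal name. The fix is the same in every language and database driver: bind values, never concatenate them.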
Thinking like a Hacker
What is a "black hat" exactly? A hacker with malicious intent: to harm you, to destroy, or to steal data. The opposite is the "white hat", an ethical hacker bound by a code of ethics, with no intention to harm. In between are the "grey hats", who may shift between the two; it is not always clear on which side they are.
Hackers have various motivations: making money through illegal business (extortion, ransom, etc.), holding a grudge against someone (for example, a former employer or partner), and so on.
Understanding the Threat Landscape
So, step 1 in building protection is to understand how this "business" works. Subscribe to some cyberthreat intelligence news channels. And a practical hint: figure out how interesting your business would be for a hacker. What are your company's crown jewels, the primary assets (services, information, technology, or people) you want to protect? That is the start of risk management.
The Typical Steps in a Hack
I do not want to elaborate a full ethical hacker course in this article, but if you understand the typical steps in a hacking approach, you may be able to break the chain or at least slow the attacker down. Make the hacker's life as miserable as possible.
- Reconnaissance (a.k.a. footprinting): gathering information about the target and the victim. This is mostly a passive phase, meaning you do not connect to the victim directly but collect information via the internet, search engines, social media, official records, DNS information, etc.
- Scanning: using the basic information to find out more precisely where to attack. Keep in mind that once you connect directly to the target systems, the chance of being detected increases, while you normally want to avoid getting detected and caught.
- Enumeration: extracting useful information such as user names, passwords, system identification, network information, etc.
- Hacking: forcing entry into the system.
- Escalation of privilege: increasing the power you have, either within the system you have entered (e.g., becoming root or administrator) or by moving to another system with more privileges (e.g., from a member server to a domain controller with domain administrator rights).
- Removing evidence: as mentioned, you want to stay undiscovered. In many cases, interaction with or on the system creates evidence and logs of your activity, which you want to get rid of. (This is exactly why a defender ships logs to a system the attacker cannot reach.)
- Persistence: staying in the system, keeping control over it, and coming back whenever you want. In most cases you will open up access, or keep it open, to return at a later stage. It is far more efficient than rebuilding the entire attack again.
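As an added example (not part of the article), here is how knowing these phases turns into detection logic on the defender's side: a small Python script runs a handful of rules over constructed log lines (a firewall, sshd, sudo and useradd in a loosely syslog-like format) and labels each finding with the phase above. The log lines, the addresses, the account names and the thresholds are all assumptions made for illustration, not vendor formats or published guidance.

```python
# Added example (not from the article): a small detector that maps
# constructed log lines onto the attack phases above. The log format loosely
# mimics a firewall, sshd, sudo and useradd; the lines and the thresholds
# are assumptions made for illustration, not vendor formats or guidance.
import re
from collections import defaultdict

SCAN_PORTS = 5      # distinct blocked ports from one source (assumed threshold)
FAILED_LOGINS = 5   # failed logins from one source (assumed threshold)

# Constructed sample: one attacker at 203.0.113.5 against host 10.0.0.7.
SAMPLE_LOG = """\
fw: DENY src=203.0.113.5 dst=10.0.0.7 dport=21
fw: DENY src=203.0.113.5 dst=10.0.0.7 dport=23
fw: DENY src=203.0.113.5 dst=10.0.0.7 dport=80
fw: DENY src=203.0.113.5 dst=10.0.0.7 dport=443
fw: DENY src=203.0.113.5 dst=10.0.0.7 dport=3389
fw: DENY src=203.0.113.5 dst=10.0.0.7 dport=8080
fw: DENY src=198.51.100.9 dst=10.0.0.7 dport=443
sshd: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
sshd: Failed password for invalid user test from 203.0.113.5 port 50002 ssh2
sshd: Failed password for bob from 203.0.113.5 port 50003 ssh2
sshd: Failed password for bob from 203.0.113.5 port 50004 ssh2
sshd: Failed password for bob from 203.0.113.5 port 50005 ssh2
sshd: Accepted password for bob from 203.0.113.5 port 50006 ssh2
sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
useradd[2211]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash
sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log /var/log/wtmp
"""

RE_DENY = re.compile(r"DENY src=(\S+) dst=\S+ dport=(\d+)")
RE_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
RE_OK = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
RE_SUDO = re.compile(r"sudo: (\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
RE_NEWUSER = re.compile(r"new user: name=(\S+), UID=(\d+)")
SHELLS = ("/sh", "/bash", "/zsh", "/dash")


def detect(log_text):
    """Return [(phase, detail), ...] in the order the evidence appears."""
    findings = []
    ports_by_src = defaultdict(set)   # scanning: distinct ports per source
    fails_by_src = defaultdict(int)   # enumeration: failed logins per source
    reported = set()                  # (rule, src) pairs already reported once

    for line in log_text.splitlines():
        m = RE_DENY.search(line)
        if m:
            src, port = m.group(1), int(m.group(2))
            ports_by_src[src].add(port)
            if len(ports_by_src[src]) >= SCAN_PORTS and ("scan", src) not in reported:
                reported.add(("scan", src))
                findings.append(("scanning", f"{src} probed {len(ports_by_src[src])} distinct ports"))
            continue
        m = RE_FAIL.search(line)
        if m:
            user, src = m.groups()
            fails_by_src[src] += 1
            if fails_by_src[src] >= FAILED_LOGINS and ("brute", src) not in reported:
                reported.add(("brute", src))
                findings.append(("enumeration", f"{src}: {fails_by_src[src]} failed logins, last tried '{user}'"))
            continue
        m = RE_OK.search(line)
        if m:
            user, src = m.groups()
            if fails_by_src[src]:     # a success right after a string of failures
                findings.append(("hacking", f"{src} logged in as {user} after {fails_by_src[src]} failures"))
            continue
        m = RE_SUDO.search(line)
        if m:
            user, target, cmd = m.groups()
            prog = cmd.split()[0]
            if target == "root" and prog.endswith(SHELLS):
                findings.append(("escalation", f"{user} opened a root shell via sudo"))
            elif prog.endswith("/rm") and "/var/log" in cmd:
                findings.append(("evidence removal", f"{user} deleted logs: {cmd}"))
            continue
        m = RE_NEWUSER.search(line)
        if m and m.group(2) == "0":
            findings.append(("persistence", f"backdoor account '{m.group(1)}' created with UID 0"))
    return findings


def phase_sequence(log_text):
    """The phases in the order they were observed: a one-line triage summary."""
    return [phase for phase, _ in detect(log_text)]


if __name__ == "__main__":
    for phase, detail in detect(SAMPLE_LOG):
        print(f"{phase:17} {detail}")
```

Two things the example makes visible: the "evidence removal" line is only there to be detected because the log copy being analysed lives somewhere the attacker could not delete, and the single benign source (198.51.100.9, one blocked port, no login failures) produces no finding, which is what keeps such rules usable. In a real deployment the rules would also correlate by host and time window and use thresholds tuned to your own traffic.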
Know the Tooling
You can easily find toolkits and ready-to-run virtual machines that let you run the hacker tools with minimum effort.
Just a quick hint: buy a separate USB wireless adapter whose chipset supports monitor mode (capturing all 802.11 frames on a channel, including traffic that is not meant for you, without joining the network; on wired networks the equivalent is promiscuous mode). Many built-in WiFi adapters and their drivers do not support it. On Linux, the command iw list shows the interface modes your adapter supports.
Offensive and Defensive
There are two main reasons that you need to know the most used tools and techniques.
- Defend against them (defensive mode)
- Use them against the target (offensive mode)
A warning here: you need an explicit, written agreement with the target before hacking; without it, consider it illegal. In many countries it is treated as unauthorized access, with serious consequences. It will not surprise you that there are best practices and guidelines for penetration testing (pentesting for short), such as NIST SP 800-115.
While many of the aforementioned approaches demand in-depth technical knowledge of networking, hardware, software, and system architecture, the hacker also needs a good portion of social skills. In many cases it is WAY easier to contact people directly and ask for the information you need. Of course, if you tell them you are a hacker, it will not work. So "social engineering" is used to extract information under false pretenses, via phone, mail, SMS, etc., tricking the victim into disclosing the information you need.
And in some cases you do not even need to go that far: you can enter the target building and collect information directly. So even physical reconnaissance is an option for a hack.
Hacking in the Cloud
With cloud, the importance of ethical hacking is only growing. The same applies to IoT. The main reason is that cloud is highly volatile in many ways: your environment changes continuously. But in many cases you also lose physical control. Certainly for public cloud, you DO NOT OWN the infrastructure anymore. So you need to compensate by:
- Demanding the right to audit, and even the right to pen test (although the latter is usually difficult to achieve)
- Having contractual agreements with vendors to force them to use security best practices like SSDLC (Secure Software Development Life Cycle)
And of course, more and more data is stored in the cloud, which increases the interest of cybercriminals, as they have a business to run too.
Many public cloud providers have anticipated this demand from customers for control, to validate that their infrastructure, applications, data, and users are secure. For example, check out the following (the rules change over time, so read the current version before you test, and note that all of them exclude things like denial-of-service testing and testing against other tenants):
- Microsoft Cloud Unified Penetration Testing Rules of Engagement, where you can pentest the Microsoft cloud platform, under certain conditions.
- Amazon AWS https://aws.amazon.com/security/penetration-testing/
- Google https://support.google.com/cloud/answer/6262505?hl=en
By the way, more and more companies, like Google, have a bug bounty program that rewards ethical hackers who find weaknesses.
The Hacker and the ISO/IEC 27001 Auditor
You see that a lot of the ethical hacker's work is covered by policies. This is where the ISO/IEC 27001 implementer and auditor walk in. Important parts of ISO/IEC 27001 and the NIST Cybersecurity Framework provide guidance that synchronizes the work of the ethical hacker, the system engineer, and the ISO/IEC 27001 LI/LA (Lead Implementer or Lead Auditor).
To be clear, ISO/IEC 27001 does cover pentesting, validation, and software security, but only in a very general way. An important auditor note: many security audits include penetration testing, but an ISO/IEC 27001 audit should not include pentesting. That is the responsibility of the customer (auditee), not of the auditor.
The ISO auditor checks for conformity: they verify that the auditee does what they say (implementing security) and says what they do (documentation). For internal audits or specific security audits under the control of the auditee, you could include pentesting.
The Legislative Road
Driven by GDPR, there has been a lot of change at the legislative level. At the European level, the NIS Directive and the Cybersecurity Act have been adopted. NIS is the Directive on security of network and information systems (Directive (EU) 2016/1148), and the Cybersecurity Act (Regulation (EU) 2019/881) establishes an EU-wide cybersecurity certification framework for ICT products, services, and processes. So, you understand that in the near future there is also a lot of work on the agenda of ethical hackers.
Some Hints and Tips
If you want to make the life of a black hat as difficult as possible, you really should consider the following:
- Stay informed and up to date on current developments in cybercrime and technology. Be aware of what is coming.
- Hack yourself, before anyone else does.
- Keep your systems up to date; unpatched systems remain one of the most common ways attackers get in.
- Enforce security by design: make sure that your system is designed with security in mind from the beginning.
- Implement security by default: change default logins and passwords.
- Use the Pareto principle (80/20: 20% of the effort yields 80% of the effect), so tackle the controls that remove the most risk first.
- Assume that you are breached; consider yourself already hacked. How do you minimize the damage? For example, functional or network-level segmentation limits the lateral movement of an attacker who has a foothold on one system. Also have a responsible disclosure policy: make sure that people notify you FIRST when they find an issue on your platforms, before they publish it, for instance by publishing a security.txt file (RFC 9116) with a contact address. This allows you to patch your systems before publication, minimizing impact.
And if you plan to become an ethical hacker, have some clear ethical guidelines and some contractual rules of engagement. Because in jail, your lawyer won’t pay the bill.
By the way, keep an eye on the PECB course agenda for the launch of their ethical hacker track: https://pecb.com/en/education-and-certification-for-individuals/ethicalhacking