Licensed to hack: Cracking open the corporate world

This is the first of a two-part series on the techniques and tradecraft of ethical hackers. The second part will appear later this week.

All day. Every day. Anyone and anything connected to the net is under attack.

The standard defences, such as antivirus programs, firewalls, spam filters and intrusion detectors will stop most of those attacks reaching their target - be that a person, a computer or a database. Now and then an attack does get through but, if the target is you, the chances are you will spot the fake emails when they land in your inbox.

But what about more sophisticated attacks that are becoming increasingly common? These are the ones in which the bad guys do their homework so messages look like they come from colleagues or quote names, incidents and ID numbers that only insiders would know. Then there are the attacks that use a known vulnerability in widely used software to grab login IDs and use them to crack open a corporate network.

Welcome to the world of the penetration tester.

"They pay us to replicate the same kinds of attacks used by the bad guys, the cyber criminals," said John Yeo, European head of Trustwave's SpiderLabs pen test team, which carries out hundreds of such tests every year.

Pen testers are the ethical hackers who, as their name suggests, try to find ways to penetrate the defences of a company and see if those defences can thwart the most sophisticated attacks.

These skilled security testers, "white-hat hackers" in the jargon, are needed because increasing numbers of cyber thieves do not rely on spam, viruses or phishing emails. They put time, resources and technical skill into their approach.

Many carry out reconnaissance on social media sites such as LinkedIn, bounce emails off a target to get a better sense of how they operate or make a few phone calls hoping to get someone to spill a useful nugget of information. When they strike they often need to send one message sent to a handful of senior executives to reap huge rewards.

"These are not 15-year-olds doing it from their bedrooms," said Mathias Elvang, head of security company Sentor, which also spends a lot of its time trying to get inside corporate networks.

"It's big business." he said.

It is the potential size of the rewards that spurs attackers to keep on trying, he said, and encourages them to take such time and care with their chosen attack methods.

Banks and other financial institutions are top targets, said Christian Angerbjorn, a former in-house pen tester at one of the UK's High Street banks and now security head at IF Insurance.

"The closer you are to cash, the closer you'll be to getting attacked," he said. "The importance lies not in what you are doing but in quantifying the risks you face."

Without such tests, he said, companies can spend a huge amount of money on security tools and training yet be no closer to really understanding whether they are vulnerable. By contrast, a thorough pen test will give them a good sense of what attacks are likely to work and help define the action they need to take to defeat similar attacks.

The aftermath will doubtless involve spending on training, tools and technology but that too can be cheap compared with the alternative.

"However much money you spend on a security, it's usually a lot less than the cost of a breach or incident," he said.

Not all companies use pen tests in such a measured manner, he said. Some are carried out for more urgent reasons.

"If their closest competitor gets compromised they can read up on the attack and use a pen test to see if they are vulnerable in the same way," he said.

That's a real threat, said Mr Elvang, as the company regularly sees an attack on one client replicated soon after on another. And another. Often it can predict who will be next if the attackers are working through net addresses in sequence.

For whatever reason companies get tested, it is the experience of going through it that makes a difference, said Mr Yeo. The emotions people undergo when they discover they have been tricked can be a powerful way to ensure they are not caught out the same way again. And only if staff learn from those lessons will an enterprise be more secure.

"It's very difficult for users and employees to gain the necessary level of awareness and education to stay safe in any other way," he said.

It is this living lesson aspect of a pen test that turns what would otherwise be a mean trick into something positive. After all, setting out to expose a company's security shortcomings using the most sophisticated techniques available hardly seems fair.

That unfairness becomes even more apparent when you realise that the vast majority of penetration tests succeed. Almost none are detected and caught by employees. However, say pen testers, this has more to do with the numbers of people targeted in an organisation and the wide range of tricks brought to bear on them than it does with the bad habits of those staff.

And, for Mr Angerbjorn, a penetration test is more about the test than it is the penetration.

"The question is not whether you can get in, usually you can because the more you dig the deeper you get," he said. "The more important thing is what risks you expose and what damage could that do."