INFORMATION SECURITY MANAGEMENT
MSc IT Assignment 2013
Critique the employment of ethical hacking as a way of reviewing and strengthening the security of information systems.
Hansa K. Edirisinghe BSc (Hons) University of Portsmouth, UK
MSc IT - Cardiff Metropolitan University, UK
24th February 2013
Abstract
This report discusses the employment of ethical hacking, through a disciplined and systematic analysis, as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking. In the process, it gives a basic idea of Information Systems and their importance to an organization and its business; the importance of information security; the danger of hacking attacks and their impact on the finances and business setting of the organization; and the different types of hackers. It then gives a comprehensive description of Ethical Hacking and its importance to the security of organizational Information Systems, supported by literature evidence and statistics.
The pros and cons of Ethical Hacking, the advantages of employing an Ethical Hacker, and the difficulties companies face when hiring Ethical Hackers are also discussed in this report. Since the Ethical Hacker takes care of multiple aspects of system security, the report discusses the approach to strengthening security at the source code level of the applications; the network infrastructure of the Information System; the web server, web application and web services level of the Information System; the database level of the applications; the email server and malicious code protection of the Information System; the wireless and mobile application level of the Information System; and the Ethical Hacker's responsibilities when installing "new releases", "version upgrades" and "bug fixes" to the Information System. Since ensuring the security of clients' information is a major critical factor, the report also discusses the Ethical Hacker's involvement in that function.
The report as a whole analyzes and evaluates the above key points to show how the employment of an Ethical Hacker could review and strengthen the security and protection of an Information System.
Table of Contents
1.0 Introduction .... 1
1.1 Information System .... 1
1.2 Information Security .... 1
1.3 Types of Hackers .... 2
2.0 Literature review .... 4
2.1 Major hacking attacks .... 4
2.2 Ethical hacking .... 5
2.3 Employment of Ethical hacker .... 5
3.0 Pros and cons of ethical hacking .... 6
3.1 Advantages of ethical hacking .... 6
3.2 Barriers to ethical hacking .... 7
4.0 Reviewing and strengthening the security of IS – the role of EH .... 8
5.0 Evaluation & Recommendation .... 10
6.0 Conclusion .... 11
7.0 Bibliography .... 12
Table of Figures
Figure 1.1 : An organization's IT components, platform, IT services and IT infrastructure .... 2
Figure 2.1 : Cyber Attacks - 2012 .... 4
1.0 Introduction
Almost every industry is highly dependent on information systems. Emerging technology has drastically changed people's typical lifestyle. Traditional paper-based solutions have almost been abandoned as people move towards electronic lifestyles, so electronic equipment and systems play a major role in modern technology. Since technology helps improve effectiveness and efficiency, people are attracted to electronic information systems and virtual databases that make their lives easier. This report is a disciplined, systematic analysis of the employment of ethical hacking as a way of reviewing and strengthening the security of information systems.
1.1 Information System
An Information System (IS) usually consists of the components involved in processing data and producing information. Though this technical description of an IS sounds simple, it is one of the main areas that directly affects the growth and existence of a business.
IS is an integrated, user-machine system for providing information to support operations,
management and decision-making functions in an organization. The system utilizes computer
hardware and software; manual procedures; models for analysis, planning, control and
decision making; and a database. (Davis & Olson, 2000)
In an environment where the business depends on an IS, the system owners should take care of the quality, durability and security of the system. Even if the system is in good operational condition, outsiders can easily harm the company's IS if it is not well secured, and this could directly spoil the entire business. Information security is therefore a major and critical factor in IS.
1.2 Information Security
Modern companies have their own "Security Policies" to overcome potential security threats, covering areas such as cyber security. The impact of security threats is plainly visible when analyzing the statistics, and is discussed in detail in the literature review. Large-scale organizations and government ministries are usually highly vulnerable to security threats.
Information security plays a critical role between the organizational information system and the basic IT components. Similarly, information security is important to the IS as far as system development and data management are concerned, as illustrated in Figure 1.1.
Figure 1.1 : An organization's IT components, platform, IT services and IT infrastructure.
Source : (Rainer & Cegielski, 2011)
While managing the organizational IS, it is necessary to protect it from potential external threats. The company's security system should therefore be strong enough to protect the system from external hacking attacks, unauthorized access and malware. Accordingly, the company security policy should be capable of preventing the possible risks of social engineering and data theft.
1.3 Types of Hackers
Out of all the types of security threats, hacking is the most common and critical threat to an IS. Hacking usually takes advantage of weaknesses in the system. According to the main purpose for which they hack, hackers are divided into three categories: Black Hat hackers, White Hat hackers and Gray Hat hackers.
Black hat hackers are known as criminal hackers. They violate a system's security for their personal gain or for someone else's needs, and these attacks are usually illegal. They break into organizational systems, plant viruses and malware, steal or destroy the organization's critical data and sometimes jam the system to prevent future use. Some hackers hack just for fun, but most of them do it for financial benefit.
Unlike black hats, white hat hackers do not attempt any illegal activity through hacking. They are hired by organizations to test the vulnerability of their own IS. They are essentially specialists in hacking who use a range of hacking techniques at different levels to hack a system, find vulnerable areas and provide solutions and expert knowledge before attacks take place, and advise on what actions to take to prevent future attacks.
Since hacking has become a major challenge for IS, companies recruit white hat hackers as internal employees on high salary scales. The job description of these employees therefore reflects the functions of a white hat hacker, and the personnel who perform such duties are termed Ethical Hackers (EH).
A gray hat is a combination of black hat and white hat. There is no specific gain for these hackers other than demonstrating their hacking strengths. They may act illegally, though in good will, or in some circumstances to show how they disclose vulnerabilities.
2.0 Literature review
According to the 2012 Cyber Attacks Timeline Master Index of hackmageddon.com, at least three critical hacking attacks were reported per day. Some of these attacks caused huge damage to the organizations concerned.
Figure 2.1 : Cyber Attacks- 2012
Source : (Passeri, 2013)
The statistics reveal that most of these attacks were cyber crime and hacktivism. The categories targeted by many of these attacks were national governments, banks and e-commerce websites.
2.1 Major hacking attacks
There have been famous black hat hackers in history who caused massive damage to leading organizations in the world. "Operation Aurora" is one of the major attacks of 2010, targeting Google and 33 US technology companies. It was reported that Kevin Mitnick was arrested in 1995 for hacking IBM, Motorola, NEC, Nokia, Sun Microsystems, Fujitsu Siemens, Pacific Bell, the FBI, the Pentagon and Novell. The British hacker Gary McKinnon is known as the "biggest military computer hacker of all time", having caused damage amounting to more than $700,000 to U.S. military systems. The Rediff News website stated on October 5, 2012 that 42 million Indians had been hit by cyber crime, with a recorded loss of $8 billion within the past 12 months. (Nanjappa, 2012)
Apart from these foreign attacks, the Sri Lankan army website was reported hacked in 2009 as a result of terrorist activities.
2.2 Ethical hacking
Ethical hacking is a modern security technique practised in countries and regions such as the USA and Europe, which have gained successful results by employing this concept. Some of the large organizations in Sri Lanka also practise ethical hacking to protect their IS. Being a highly paid and responsible job, there is huge demand for the profession of EH. Due to this emerging demand, several certification schemes have been introduced to recognize and certify the knowledge, skills and professional qualifications pertaining to EH.
2.3 Employment of Ethical hacker
The main job function of an EH is to conduct both internal and external vulnerability testing on the organizational IS, thereby identifying vulnerabilities and evaluating fixes (patches) for vulnerabilities and malicious code. To do this the EH should be highly competent in computer literacy, software, hardware and networking.
This is a highly important position, so the EH should understand the significance of the job and carry out its duties with the utmost care and vigilance. One mistake may cause huge damage to the company, so the EH must be a trustworthy person. He or she should also be self-motivated, effective, efficient and an intelligent decision maker.
According to an article in The Times of India on May 14, 2012, ethical hacking was estimated to be a US$ 3.8 billion industry in the US alone the previous year. According to Nasscom, India will require at least 77,000 ethical hackers every year, whereas the country currently produces only 15,000 a year. Frost & Sullivan have estimated that there are 2.28 million information security professionals worldwide, a figure expected to increase to nearly 4.2 million by 2015. (Dewan, 2012)
When it comes to remuneration, the article also states that a fresher may work as an intern for a couple of months and can start at a minimum of Rs 2.5 lakh per annum. With one year of experience, one can expect up to Rs 4.5 lakh per annum. Those with five or more years of work experience can get 10-12 lakh per annum. (Dewan, 2012)
These statements provide evidence of the importance, demand and commercial value of EH in the industry.
3.0 Pros and cons of ethical hacking
The EH carries out a critical job, so the safety of the business and the reputation of the organization ultimately depend on the EH. By employing an EH, the organization in fact creates a person who can either protect or destroy the organization overnight.
3.1 Advantages of ethical hacking
The EH acts proactively and is therefore capable of identifying a potential risk of theft well in advance. By conducting internal and external vulnerability testing, the EH finds the weaknesses of the company information system. This enables proactive action, as the organization can take the necessary precautions to protect the IS from potential hackers. In addition to curbing unethical hacking, the EH can create traps to monitor hacking attempts, which enables the company to take legal action against hackers and may discourage further hacking attempts. Ethical hacking therefore helps to address the loopholes in the IS in advance.
The confidentiality of data is key, especially in banking and financial establishments, which are usually major targets for hacking. If a hacker gains access to such a system, the hacker can change, destroy or pilfer critical information, which could damage the entire business setup of the organization. Ethical hacking, however, can professionally prevent hackers from accessing the system.
Web domain hacking is a common threat to every organization, and it harms the company's reputation and image if the hackers succeed in their attempt. The EH, however, can prevent the defacement of websites.
Hacking is technically a broad subject. Even though there are established tools and techniques, it is an evolving field and hackers keep experimenting with new techniques. An expert EH therefore plays the role of an inventor, exploring every possible attack and closing off all potential opportunities as far as hackers are concerned. The EH has to identify and analyze potential risks and control vulnerable areas. Hands-on experience of these tasks develops the employee's personal, technical and management skills.
The value an EH creates for an organization will often increase with the skills and knowledge gained through work. These upgraded skills eventually become an asset to the organization, creating a competitive edge.
3.2 Barriers to ethical hacking
Unlike most other professions, everything in ethical hacking depends on trustworthiness. While certain terms and conditions can control the employee to some extent, the EH has full control of the organizational information system. The EH can therefore access, modify or delete anything in the system and knows both the strengths and weaknesses of the system. Creating such an individual could eventually be a threat to the organization.
Since there is high demand for ethical hackers, it is very expensive to hire or recruit them as employees. Small-scale organizations might therefore not be capable of recruiting an EH, since the recruitment is costly.
It is usually difficult to employ an EH in an organization, because finding a trustworthy person who also has expert hacking skills is a tough task.
Trustworthiness alone is not enough for the profession of EH. The person should also be competent, a specialist in the field and innovative. Identifying such a figure is not an easy task.
Although it is difficult to find the most suitable person, it is equally difficult to ensure that the person will not leave the company soon afterwards. Frequent employee turnover may cause problems for the organization, especially in this field, and for the security of the IS.
4.0 Reviewing and strengthening the security of IS – the role of EH
It is evident from the above discussion that the EH should play a proactive role and must therefore be vigilant in every activity of the organizational IS. The duty of an efficient and effective EH is not limited to the performance of a routine work schedule, but is a genuinely task-oriented, self-motivated, devoted and highly disciplined function.
Once a hacker has accessed the system there is no control over what follows, irrespective of the hidden objective (whether malicious or innocent). Whatever the objective, a hacker usually has expert knowledge of the IT field. The service of an even smarter EH is therefore needed to catch criminal hackers or deny them access.
The EH should conduct external and internal vulnerability testing and network penetration testing frequently. Once a vulnerable area of the system is identified, the EH should identify the potential threats to that particular area and, through systematic analysis, assess the maximum potential damage a hacker could do. Once a risk assessment has been made, the EH should plan a suitable approach based on his or her analytical observations and propose the necessary precautions. The EH may then instruct or supervise the technical staff to fix the problem area immediately. Time is a very critical factor during this process, so the personal qualities of the EH mentioned above are key. Once the issues are fixed, the EH should review the system and ensure that the intended protection is well in place. The system should be reviewed frequently, rather than once or twice, in order to verify and strengthen the protection against future attacks as well.
An IS consists of both software and hardware, so the security of the system's network infrastructure and database should be reviewed frequently. The EH should foresee and analyze potential risks when changing or enhancing the current network infrastructure, upgrading or installing new hardware in the IS and enhancing the databases. The EH should provide proper guidance while these actions are taken and make sure the change or enhancement does not create opportunities or open a pathway for hackers.
In addition to threats to the IS as a whole, the EH should pay attention to the organizational web applications and web services. It is necessary to test the web for vulnerabilities and analyze potential threats to it. The EH should always monitor unethical activity on the website, particularly by external users. Even when due protection is applied, a hacker may sometimes break into the system in an unexpected way. The EH should therefore maintain a tracking and alerting system to catch attackers with minimum damage to the system, "before it is too late". Once the damage has been repaired, the EH should re-verify the security and strengthen it as much as possible.
The role of the EH cannot be covered by other common software testing methods. For example, White Box testing checks whether the source code works and whether there are any code errors or unhandled exceptions, but it does not check how vulnerable the source code is to hacking attacks. The EH should therefore review the source code of applications frequently. While reviewing the existing source code, the EH should analyze, at the source code level, the vulnerabilities of "new releases", "version upgrades" or "bug fixes" installed into the IS.
In today's mobile era many organizations have developed wireless and mobile applications that communicate directly with the organizational IS. Although the system monitors all connected wireless devices, this does not protect the system from hackers; it only provides evidence to catch the hacker after the attack has been done. The EH's role is to identify vulnerabilities to wireless attacks and to properly test and review the mobile applications that are capable of accessing the system. Portable devices such as mobiles and laptops can easily be stolen, so the EH must also be vigilant about the physical safety of company portable devices.
Nearly 60% of malicious code arrives through email, and some hackers trace system information through malicious code. The EH should therefore make an extra effort to safeguard the organization's email server and provide the necessary advice to the technical staff to detect threats before an infection occurs. It is important to educate email users not to open spam and suspicious mail; this is an effective precaution for strengthening the safety of the IS.
As with the company's internal information, the whole organization is responsible for protecting the client information provided for various business reasons. In certain business environments the client is compelled to provide very confidential and critical data on the basis of trust. It is unethical (and also illegal) to use that data without the owner's consent, irrespective of whether doing so is harmful or harmless to the owner. The trust between the organization and the client is lost if the client's critical information falls into the wrong hands, and in such situations both the company and the client will be in trouble: at one extreme it could threaten the client's business, while the company will lose its client. It does not end there, as the company's reputation will be seriously damaged through "word of mouth". The EH therefore also plays an indirect role in the wellbeing of clients' businesses.
5.0 Evaluation & Recommendation
Analyzing the role played by the EH shows that the EH is an essential position for an organization, especially in the modern era. Organizations globally are adapting to emerging technology and reducing paper-based work considerably. It is very difficult to find an office without at least a simple tailor-made system, and some big organizations are fully automated electronically. While they enjoy many benefits from this, it exposes them to many threats, so information security has become a huge challenge. Human beings are innovative creatures, so no artificial intelligence tool could totally control information security. Another human being is therefore required to regularly control such innovative security threats, which have no end.
There should be trust between the company and its clients in securing a business, so the company is always bound to protect the critical client information that has been entered into the system for easy retrieval. An EH is a position that assures the security of the organizational IS in every aspect. It strengthens the security of the system's network infrastructure, firewalls, mail servers, web applications, mobile applications and databases. Regular monitoring and reviewing make the security more stringent and up to date, and regular tracking and tracing of hacking attempts will discourage hackers from continuing their attempts. It is therefore highly recommended that medium to large-scale organizations employ an EH. Small-scale organizations may also consider employing an EH after comparing the cost with the benefits that can be gained by recruiting one.
6.0 Conclusion
IS security has become a major challenge, and organizations are seeking solutions to protect their systems from hackers in an electronic-based culture. It is suggested that ethical hacking could minimize, if not totally eliminate, the threat of criminal hackers.
Since ethical hacking is an evolving subject, understanding its effectiveness is vital. Firewalls, password protection, malicious code protection, encryption and legal barriers can support IS security in various ways, but these are man-made, fixed protections that cannot upgrade themselves automatically. This gap can be successfully bridged by an EH, because ethical hacking is an effective method that involves the live activity of a human being on a continuous basis.
The US and European countries use EH effectively. Their companies sustain themselves and make considerable profits despite the challenges that apply to any modern firm globally, and as a result they usually invest a considerable amount in ethical hacking every year. Understanding the importance of ethical hacking, some of the giant Asian countries such as India and China also follow suit. This clearly shows the increasing demand for EH, given the daily statistics of reported cyber attack incidents in newspapers and international forums.
In light of the analysis of all these factors, it is very clear that the EH is an important figure in information security. The functions carried out by the EH effectively manage the security of the organizational IS, and the EH can effectively review and strengthen the security of the IS.
7.0 Bibliography
Davis, G. B., and Olson, M. H., 2000. Management Information Systems. 2nd ed. New Delhi: Tata McGraw-Hill.
Dewan, D., 2012. Ethical hacking: On the right side of law. [online] The Times Of India. Available at: <http://articles.timesofindia.indiatimes.com/2012-05-14/education/31700535_1_ethical-hacker-malicious-hacker-information-security> [Accessed 22 February 2013].
Nanjappa, V., 2012. India needs more than 4 lakh hackers. [online] rediff News. Available at: <http://www.rediff.com/news/slide-show/slide-show-1-india-needs-more-than-4-lakh-hackers/20121005.htm> [Accessed 22 February 2013].
Passeri, P., 2013. 2012 Cyber Attacks Statistics. [online] hackmageddon.com. Available at: <http://hackmageddon.com/2012-cyber-attacks-statistics-master-index/> [Accessed 22 February 2013].
Rainer, K. R., and Cegielski, C. G., 2011. Introduction to Information Systems. 3rd ed. New Jersey: John Wiley & Sons.