
What is Ethical Hacking, What are the Benefits, and How Should Ethical Hacking Be Done

Testimony by

Ken Brandt, Managing Director of Tiger Testing

30 Wall Street, New York, NY 10005

Before the

Subcommittee on Oversight and Investigation

Committee on Veterans' Affairs

United States House of Representatives 

April 4, 2001


I would like to thank the Subcommittee for the opportunity to testify today.  The United States leads the Information and Internet Age, and as a result, must lead in resolving the associated Internet, system security, and privacy issues.  This is a challenge for both the private and public sectors.  The Subcommittee’s highlighting of these issues today is a great example of Congressional leadership. 

As leaders in the field of ethical hacking, we at Tiger Testing are honored and excited about providing the Subcommittee with this overview and explanation of ethical hacking.   

What is Ethical Hacking 

Ethical hackers test Internet security.  They answer the question:  how safe is your web site from computer hackers?   Ethical hackers test everything related to the safety and security of a web site, including related services (FTP, Mail, HTTP, etc.), the associated IP addresses, and the underlying systems.   

Ethical hacking is also known as vulnerability assessment, web site security testing, network security assessment, red teaming, and several other names.  Ethical hacking allows system owners and operators to learn about security gaps and potential breaches of privacy, so that they can be corrected, rather than leave them open for potential abuse. 

Ethical hacking is a key component of congressionally mandated risk assessment.  Congress requires government agencies, financial firms, and health care organizations to develop and implement security policies to safeguard information and privacy, and then test to be sure that information and privacy are actually being safeguarded.  By testing web site security, ethical hackers also answer the questions: Is information really secure and is privacy really protected?  

The “ethical” part of ethical hacking means three important things: integrity, transparency, and independence. 

  • First and foremost “ethical” means integrity.  Ethical hackers are not ex-hackers with criminal records or a past that includes breaking into systems or defacing web sites.  Ethical hackers can pass very thorough background checks and have backgrounds in systems engineering, systems audit, and systems security. 
  • Second, “ethical” means a transparent non-invasive process.  Ethical hackers don’t do anything to change, slow down, or damage their clients’ systems.   An ethical hacker does not write to or modify clients’ computer code and never reduces their clients’ network response time.  System security and privacy gaps (including Denial of Service vulnerabilities) can, and should, be identified without causing any damage.
  • Third and equally important is independence.  Ethical hackers don’t have any conflicts of interest.  Ethical hacking is performed by firms that are not in the business of selling auditing, consulting, hardware, software, firewall, hosting, and/or networking products and services.  An ethical hacking firm avoids the conflict of interest of testing system security measures that they recommend, install, or sell.

The Benefits of Ethical Hacking 

The benefits of ethical hacking are just as straightforward.  A “virtuous cycle” of ethical hacking, fixing of system security holes, more ethical hacking, more fixing of system security holes, etc. results in greater information security and stronger privacy protection.    

The ethical hacking / fixing the security holes cycle must be an ongoing cycle in order for it to work.  Security gaps can open up as a result of system changes and/or advances in hacker technology.  Testing and fixing on an ongoing basis is the only way to identify and fix security gaps that may be opening up.  Hackers don’t try to access confidential and private information just once in a while, so testing and fixing shouldn’t take place just once in a while. 

How Ethical Hacking Should Be Done 

The ethical hacking approach and deliverables outlined below were developed by Tiger Testing and used as the basis of industry standard best practices being published shortly for both the Internet legal field and the system security field.

APPROACH 

Ethical hacking should utilize an eight step approach to both maximize the quality of the testing and minimize the need for client resources.  

1. Test Remotely

Testers do not have to come onsite at a client in order to test the client’s web site security.  Remote testing should not require any advance preparation, staff time, system changes, system time, or facilities space from the client.  The risk being tested is external, so the testing should be performed externally.  A secondary advantage of remote testing is that the client does not need to incur any of the security risks associated with having outside consultants onsite.

2. Test Transparently

Security vulnerabilities (i.e. the ability to cause a Denial of Service, gain root access to key systems, alter web pages, etc.) can, and should, be identified without doing any damage.  Testing should not involve writing to or modifying client systems, and should not reduce client systems’ response time. 

3. Test Each Month, Not Once or Twice A Year

Security gaps can open up as a result of system changes and/or advances in hacker technology.  Testing on an on-going basis is the only way to know if new security gaps are opening up.  Hackers don’t try to penetrate systems just once, so testing shouldn’t take place just once. 

4. Test at Varying and Random Times Throughout Each Month

Some security vulnerabilities are more likely to show up when network traffic is heavy (i.e. fragmented packet security gaps) and some are more likely to show up when network traffic is light (i.e. predictable TCP or IP sequences). Tests should be conducted at all different times: weekdays/weekends, days/nights, and holidays/non-holidays. 

5. Use The Right Testing Tools and Use Them Correctly

Both open source and proprietary software tools should be used.  There are over 20 excellent open source testing tools, each of which has different strengths, so each should be utilized.  Each of these tools should be continuously modified and retested prior to its use.  This optimization should be done at the operating system, configuration, and (if applicable) application level.

6. Use Testers With Integrity

Giving an ex-hacker a paycheck or a consulting fee doesn’t change his or her ethics.  Penetration testing should be performed by systems engineers and security professionals, rather than ex-hackers.  Organizations should not increase system risk by inviting ex-hackers to perform ethical hacking. 

7. Use Independent Testers

When a firm tests the results of their own advice, products, or services, they always look good.  Ethical hacking should be performed by a firm that is not in the business of selling: auditing, consulting, hardware, software, firewall, hosting, and/or networking products and services.  Ethical hackers must be independent to avoid this conflict of interest.

8. Use External Testers

Internal employees (people who work for the organization whose web site is being tested) may be reluctant to point out security flaws that they, their associates, their boss, and/or their system security strategy may be responsible for.  External penetration testers will be rewarded by their firm for finding security gaps; internal penetration testers are seldom so lucky.  For full reporting, ethical hacking should be performed by an outside firm.

DELIVERABLES 

The client should provide the testing firm with the URL (web site name) or range of IP addresses to be tested.  No additional information (network topology, architecture, configuration, vendors, versions, etc.) should be required.  For each URL or range of IP addresses to be tested, the testing firm should provide the client with the following monthly deliverables: 

1. Testing

Full high quality testing over the course of each month, as described in the Approach section. 

2. Reporting

A concise monthly report suitable for both senior management and hands-on technologists.  The report should contain:

  1. An executive summary explaining how the testing was performed, what was tested, how many tests were conducted, and the number of security gaps that were identified.
  2. An assessment of the client’s risks. A risk rating should be provided for each of the major types of potential Internet vulnerabilities.
  3. An explanation of each of the client’s system security vulnerabilities.  Each explanation should include both the business risk as well as the technical details.  The technical details should be very specific as to which machines, ports, and services have which security gaps, and how each could be exploited.  However, in order to maintain testing objectivity (see the Independence portion of the Approach) the explanations should not include recommendations or consulting advice.
  4. A list of the client’s hosts that are visible to hackers.  This list should include all the machines that are visible, not just those that contain security gaps.
  5. An appendix defining the Internet vulnerabilities tested.  This will provide a framework for reviewing the risk assessment and the explanation of each security gap.

3. Review of Findings

The client may wish to review some of the monthly reports with the testing firm.  At the client’s option, the testing firm should be ready to discuss any of the reports over the telephone.

Conclusion 

I hope this overview has been helpful, appreciate Congress’s interest and leadership in this area, and am prepared to answer any questions the Subcommittee may have.

Ken Brandt

Managing Director of Tiger Testing 

Ken Brandt is Tiger Testing’s Chief Executive Officer and one of its two co-founders.  Tiger Testing is the premier ethical hacking firm and has offices in New York, NY and just outside of Austin, TX.  Tiger Testing tests the Internet security of financial, media, and technology giants in Asia, Europe, and the United States.

In addition to his internal responsibilities, Mr. Brandt represents Tiger Testing at two national Internet security organizations: the Partnership for Infrastructure Security and the Center for Internet Security.  Tiger Testing has actively participated in the Partnership since it was formed by the President and the U.S. Chamber of Commerce.  Mr. Brandt is a founding member of the Center for Internet Security. 

Prior to co-founding Tiger Testing, Mr. Brandt was a technology executive with experience managing large system and security projects at major multinational and regional broker/dealers, trading system vendors, banks, investment companies, and market data providers.  
