Ethical Hacking
By Rick Blum, Director, Strategic Marketing
Highlights
• Only six percent of respondents think there is no chance that their networks or applications will be hacked in the
coming year. Those with an ethical hacking budget reduce the perceived chance of being hacked by nearly one-third.
• The top three benefits of ethical hacks, in order of importance, are improving overall security posture, protecting
against theft of intellectual property and fulfilling regulatory/legislative mandates.
• A majority of IT organizations conduct ethical hacks on wireline and wireless networks, applications and operating
systems either annually or more frequently. However, in each of these categories, between 14 and 21 percent of
respondents never conduct ethical hacks. The main reasons for not doing so are that management does not
value this service and that the organization lacks the manpower and/or skills to fix potential vulnerabilities.
• Respondents who have conducted an ethical hack in the last year have found serious vulnerabilities most often in
applications and operating systems.
• Network testing is the most important type of ethical hack for keeping information assets secure, considered
critical by 60 percent of respondents.
• Lack of experienced staff is most often cited (by 53 percent of respondents) as a significant barrier to conducting
ethical hacks internally or improving ethical hacking capabilities.
• Cost is by far the most common barrier to using an ethical hacking vendor, though most respondents have used
this service in the past.
• Nearly all IT systems have a vulnerability that can be exploited by a hacker intent on stealing information or
causing damage. Whether this vulnerability is an unpatched application, a misconfigured router or rogue modem,
unless you look, you’ll never know it’s there … not until your servers suddenly go down or proprietary information
shows up on the Internet.
• Most IT organizations will conduct ethical hacks to search for vulnerabilities at least annually, although
approximately one third of IT organizations wisely test wireline networks and operating systems quarterly.
Although these can be done using internal resources, a third-party vendor provides a more unbiased view.
• With IT budgets tight right now, prioritize various types of ethical hacks by potential loss impact. Wireline networks
and systems should be at the top of your list.
• When hiring an ethical hacking vendor, first decide whether you want to work with one vendor on an ongoing
basis, or instead rotate vendors to insure against any weaknesses a single vendor may have. Without a strategy, the
cost and value of each purchase decision is left to chance.
Ethical Hacking Introduction
Identifying vulnerabilities in networks, applications and systems before they can be
exploited is a critical step in preventing exposure of sensitive data, which can severely
damage a corporation’s reputation. Smart IT organizations manage risk by conducting
ethical hacks on a regular basis in order to identify vulnerabilities that need remediation,
thus improving their security posture.
From February 17 through March 31, 2009, BT conducted a Web-based survey on Ethical
Hacking, which was completed by 222 IT professionals around the globe. This survey was
designed to yield valuable insights into the usage of ethical hacking to improve network,
systems and application security. Results of this survey are also compared, when
appropriate, to the results of two previous ethical hacking surveys conducted by BT
(formerly BT INS) published in January 2005 and March 2007.
For this survey, ethical hacking, also called penetration testing, was defined as a method
for verifying the true state of security controls for the protection of assets and
information by simulating an attack on a network in a controlled and safe manner. Ethical
hacks are typically conducted by a third party in a manner similar to naturally occurring
attacks to provide an unbiased assessment of the security of a system and the viability of
implemented controls, although they may be conducted using internal resources. The
primary types of ethical hacks are:
• Application testing – uncovers design and logic flaws in applications that could
result in the compromise or unauthorized access of your networks, systems,
applications or information.
• Code review – examines the source code that is part of the authentication system
and identifies the strengths and weaknesses of the software modules.
• War dialing – identifies unauthorized modems that endanger the corporate infrastructure.
The survey was posted on the BT Professional Services Web site. Invitations to participate in
the survey were also sent to subscribers of BT’s customer newsletter. All Web survey responses
were automatically collected into a survey tool. Any questions skipped or incorrectly
answered by survey respondents were not included in the tabulations. Not-applicable
responses were also not included in the tabulations. Each chart includes the number of valid
responses for that particular question (e.g., N=100 indicates 100 responses). Percentages
shown in some charts may not sum to 100 percent due to rounding.
May 2009 BT 2
Ethical Hacking
Hacking Success
As the incidence of networks being compromised continues to make the news on an almost daily basis, it is clear that
making networks, and the applications that run over them, invulnerable to attack is extremely difficult. Recognizing this
reality, 94 percent of survey respondents acknowledge that there is some likelihood that their network will be
successfully hacked in the next 12 months, about on par with expectations of respondents to the 2007 survey.
Network testing, application testing, system hardening and wireless network testing have all been conducted in the last
two years by a high percentage (80 percent or more) of respondents’ IT organizations. Code review (70 percent) and
war dialing (59 percent) are conducted less often, though both by a significant number of IT organizations.
On the flip side, 42 percent of respondents’ IT organizations have not conducted war dialing, sometimes called modem
scanning, in more than two years, and 30 percent have not conducted a code review in that same time period. While
the former can be time-consuming, just one unauthorized modem can jeopardize the entire network infrastructure,
which makes it well worth checking on a regular basis.
We then asked those respondents whose IT organizations never conduct ethical hacks in any one of these four categories
what contributes to this deficit. The most common reason (selected by 59 percent of respondents) is simply that
management does not understand the value of ethical hacks and, presumably, will not allocate the time and money
required to conduct them. Surprisingly, despite the extremely negative publicity that accompanies a data breach,
management’s perception of the value of ethical hacking has been waning since 2005. Security professionals need to
reexamine how they are presenting ethical hacking to management, perhaps with greater focus on business consequences.
We then asked respondents who have conducted at least one ethical hack in the last year either internally or using a third
party to tell us for each of the four categories if the vulnerabilities they found were insignificant, moderate or serious.
Overall, wireline and wireless networks are the most secure, with 48 percent of the former and 45 percent of the latter
having no significant vulnerabilities. An additional 45 percent and 43 percent, respectively, had vulnerabilities with only
moderate impact.
Applications and operating systems did less well, although only by a small percentage. Thirty-four percent of
applications had no vulnerabilities found, compared to 31 percent of operating systems. Forty-six percent of the former
had moderate vulnerabilities, while 49 percent of the latter had the same. As a cautionary note, though, on average 15
percent of respondents who have conducted an ethical hack in the last year found a serious vulnerability. We suspect
that percentage is even higher among respondents who have not conducted ethical hacks recently.
Application testing and wireless network testing are a bit less important than network testing and system hardening,
although both are considered critical or very important by more than three quarters of respondents. Code review is
considered critical by 28 percent of respondents, and war dialing is critical for 21 percent. War dialing is the only type of
ethical hack that more than six percent of respondents (17 percent) deem not at all important to keeping their
information assets secure.
Though the primary function of ethical hacks is to uncover vulnerabilities, there are a number of corollary benefits that
can be derived from this activity. With that in mind, we presented respondents with a list of eight potential benefits that
could result from conducting an ethical hack, and asked them to rank the top three in order of importance.
Not surprisingly, improving their overall security posture is the number one benefit by a wide margin, being listed in the
top three by 85 percent of respondents, and the most important benefit by more than 43 percent. These percentages
are similar to the results in both the 2005 and 2007 surveys, except that the percentage of respondents ranking it
number one jumped from 35 percent (in both surveys) to 43 percent.
Also placed in their top three benefits by more than half of respondents is protecting against theft of intellectual
property. Twenty-two percent of respondents list this as their top benefit, compared to 34 percent in the 2007 survey
and 23 percent in the 2005 survey. Ranked very closely behind is fulfilling regulatory and/or legislative mandates,
which 20 percent rank number one, up from 12 percent in 2007 and 17 percent in 2005. Taken together, 85 percent of
respondents consider the top benefit of ethical hacks to be one of these three.
Two other benefits were selected by more than a quarter of respondents in their top three: baselining of the current
environment, and validating previous security investments. Providing justification for additional funding and the ability
to do trending analyses are among the top three benefits for less than one out of six respondents.
Most respondents who conduct ethical hacks internally also use third-party vendors of these services. As one
respondent said, “An objective, third-party, ethical hacking assessment is crucial to maintaining a verifiable level of
information security.” In general, ethical hacking vendors promote the following benefits of using their services:
• Ethical hacking specialists have more expertise and tools than in-house resources
• Tests can be conducted with zero-knowledge to truly mimic a random intruder
• Testing can be done without the knowledge of other IT employees
When deciding to use a third-party vendor, there are two typical approaches: 1) choose the best vendor and stick with
them through multiple rounds of ethical hacks over time, and 2) rotate vendors on a regular basis. The thinking behind the
latter strategy is to get different approaches, covering the widest possible range of simulated attacks, thus maximizing the
likelihood of uncovering a vulnerability.
Security Budgets
Twenty-six percent of respondents’ IT organizations have annual budgets of less than $500 thousand. Another third fall
in the $500 thousand to $9.9 million range. Twenty-two percent have IT budgets of between $10 million and $49.9
million. The remaining 18 percent of respondents’ IT budgets are $50 million or more.
In these tight economic times, security budgets are holding up fairly well. Twenty-eight percent of respondents expect
their security budget to increase in 2009 as a percentage of the IT budget, and 24 percent expect it to increase in
absolute dollars.
On the other side of the coin, 22 percent of respondents expect the security budget to decline as a percentage of the IT
budget, and 31 percent expect it to decline in absolute dollars.
Respondent Comments
• An objective third-party ethical hacking assessment is crucial to maintaining a verifiable level of information
security. Although not all environments may have the financial resources to commission regular and
comprehensive third-party assessments, an effort should be made to at least classify your most sensitive
organizational assets and focus your resources accordingly.
• [Ethical hacking is a] critical component of our overall security program. Keeps our internal, contracted security
guys performing their best; it's a level check.
• Ethical hacking is a necessity in order to protect company assets and stay close to the reality of unethical hacking.
• It (ethical hacking) is very important and helps save you money and reputation in the long run.
• It (ethical hacking) is the best way to assess the network from an outsider's perspective.
• I think it (ethical hacking) is a must have for any serious organization today.
• It (ethical hacking) should be a critical part of any proactive organization in today's global competitive market.
• It's difficult to see the pimple on our face, but others can see all of our blemishes.
• The issue with 3rd parties in our environment is the overall cost. Our environment is very large and to bring an
outside team in would mean we would have to make them "full time" resources to allow them to do the hacking
within a year of all segments.
• Presentation/delivery of [ethical hacking] results and findings by external providers are "all over the map", with
minimal consistency.
• Tools and 3rd parties are expensive when you have a lot of address space as most are priced by number of IPs
scanned, not actual number of hosts found.
• Social networking sites are a huge factor in contributing to the rise of hacking activities.
• I would love to go through the training, but it's too costly for me personally, and my employer won't [pay for it].
05/01/2009