
IT Industry Survey

Ethical Hacking
By Rick Blum, Director, Strategic Marketing

Highlights
• Only six percent of respondents think there is no chance that their networks or applications will be hacked in the
coming year. Those with an ethical hacking budget reduce the perceived chance of being hacked by nearly one-third.

• The top three benefits of ethical hacks, in order of importance, are improving overall security posture, protecting
against theft of intellectual property and fulfilling regulatory/legislative mandates.

• A majority of IT organizations conduct ethical hacks on wireline and wireless networks, applications and operating
systems either annually or more frequently. However, in each of these categories, between 14 and 21 percent of
respondents never conduct ethical hacks. The main reasons for not doing so are because management does not
value this service and they don’t have the manpower and/or skills to fix potential vulnerabilities.

• Respondents who have conducted an ethical hack in the last year have found serious vulnerabilities most often in
applications and operating systems.

• Network testing is the most important type of ethical hack for keeping information assets secure–considered
critical by 60 percent of respondents.

• Lack of experienced staff is most often cited (by 53 percent of respondents) as a significant barrier to conducting
ethical hacks internally or improving ethical hacking capabilities.

• Cost is by far the most common barrier to using an ethical hacking vendor, though most respondents have used
this service in the past.

The Bottom Line

IT networks are the vascular system of today’s businesses, providing pathways for information to flow throughout the
organization. However, when these pathways are penetrated, they also provide attackers access to those assets, as well
as the means to cripple IT systems and applications. Therefore, just as we as individuals get regular check-ups to
maintain good health, it is critical for IT organizations to regularly be testing for weaknesses in networks, systems and
applications that would allow access to information assets. Based on the results of this survey, IT security managers
should heed the following:

• Nearly all IT systems have a vulnerability that can be exploited by a hacker intent on stealing information or
causing damage. Whether this vulnerability is an unpatched application, a misconfigured router or rogue modem,
unless you look, you’ll never know it’s there … not until your servers suddenly go down or proprietary information
shows up on the Internet.

• Most IT organizations will conduct ethical hacks to search for vulnerabilities at least annually, although
approximately one third of IT organizations wisely test wireline networks and operating systems quarterly.
Although these can be done using internal resources, a third-party vendor provides a more unbiased view.

• With IT budgets tight right now, prioritize various types of ethical hacks by potential loss impact. Wireline networks
and systems should be at the top of your list.

• When hiring an ethical hacking vendor, first decide whether you want to work with one vendor on an ongoing
basis, or instead rotate vendors to insure against any weaknesses a single vendor may have. Without a strategy, the
cost and value of each purchase decision is left to chance.

Introduction
Identifying vulnerabilities in networks, applications and systems before they can be
exploited is a critical step in preventing exposure of sensitive data, which can severely
damage a corporation’s reputation. Smart IT organizations manage risk by conducting
ethical hacks on a regular basis in order to identify vulnerabilities that need remediation,
thus improving their security posture.

From February 17 through March 31, 2009, BT conducted a Web-based survey on Ethical
Hacking, which was completed by 222 IT professionals around the globe. This survey was
designed to yield valuable insights into the usage of ethical hacking to improve network,
systems and application security. Results of this survey are also compared, when
appropriate, to the results of two previous ethical hacking surveys conducted by BT
(formerly BT INS) published in January 2005 and March 2007.

For this survey, ethical hacking, also called penetration testing, was defined as a method
for verifying the true state of security controls for the protection of assets and
information by simulating an attack on a network in a controlled and safe manner. Ethical
hacks are typically conducted by a third party in a manner similar to naturally occurring
attacks to provide an unbiased assessment of the security of a system and the viability of
implemented controls, although they may be conducted using internal resources. The
primary types of ethical hacks are:

• Application testing – uncovers design and logic flaws in applications that could result in the compromise or unauthorized access of your networks, systems, applications or information.

• Network testing – identifies vulnerabilities in external and internal networks, services, protocols, convergence solutions and systems and devices, including VPN technologies.

• Code review – examines the source code that is part of the authentication system
and identifies the strengths and weaknesses of the software modules.

• Wireless network testing – determines your network's vulnerability to an attacker with radio access to the wireless network space.

• War dialing – identifies unauthorized modems that endanger the corporate infrastructure.

• System hardening – analyzes possible configuration issues, running services, and vulnerabilities that reside on the system.

The survey was posted on the BT Professional Services Web site. Invitations to participate in
the survey were also sent to subscribers of BT’s customer newsletter. All Web survey responses
were automatically collected into a survey tool. Any questions skipped or incorrectly
answered by survey respondents were not included in the tabulations. Not-applicable
responses were also not included in the tabulations. Each chart includes the number of valid
responses for that particular question (e.g., N=100 indicates 100 responses). Percentages
shown in some charts may not sum to 100 percent due to rounding.

May 2009 BT 2

Hacking Success
As the incidence of networks being compromised continues to make the news on an almost daily basis, it is clear that
making networks–and the applications that run over them–invulnerable to attack is extremely difficult. Recognizing this
reality, 94 percent of survey respondents acknowledge that there is some likelihood that their network will be
successfully hacked in the next 12 months, about on par with expectations of respondents to the 2007 survey.

However, the steady drumbeat of network incursions has lowered the percentage of respondents who believe that the chance of being successfully hacked is relatively low, i.e., only 1-10 percent. In fact, only 38 percent of respondents fall into this category, down from 46 percent in the 2007 survey and 41 percent in the 2005 survey. Whether this decline is due to a more realistic view, or the recognition that attackers are becoming more proficient, the trend is distinctly in the wrong direction.

The silver lining to this dark cloud is that there is a way to reduce the likelihood of being successfully hacked, and that is to conduct regular ethical hacks. This is borne out by comparing the perceptions of respondents who have an ethical hacking budget to those who don’t. On average, the latter group believes that they have a 38 percent chance of their networks and/or applications being hacked in the next 12 months. However, on average, respondents with an ethical hacking budget believe that they have only a 26 percent chance of being hacked. Clearly, setting aside some of the security budget for ethical hacking raises the perception (and in most cases the reality) of being less vulnerable to hacks.


Network testing, application testing, system hardening and wireless network testing have all been conducted in the last
two years by a high percentage (80 percent or more) of respondents’ IT organizations. Code review (70 percent) and
war dialing (59 percent) are conducted less often, though both by a significant number of IT organizations.

On the flip side, 42 percent of respondents’ IT organizations have not conducted war dialing, sometimes called modem
scanning, in more than two years, and 30 percent have not conducted a code review in that same time period. While
the former can be time-consuming, just one unauthorized modem can jeopardize the entire network infrastructure,
which makes it well worth checking on a regular basis.

To better protect their networks (wireline and wireless), operating systems and applications from attack, a majority of respondents’ IT organizations conduct each of four types of ethical hacks, although with varying degrees of regularity. These include ethical hacks that are conducted by the IT organization or by a third party.

Wireline networks and operating systems are most frequently subject to ethical hacks–approximately one-third of respondents on a quarterly basis, and another 14-15 percent on a semi-annual basis. The percentage of respondents who conduct these hacks on a quarterly basis is up slightly from 2007, though not quite enough to deem this uptick significant.

Applications and wireless networks don’t receive quite as much attention, with only about one quarter being ethically hacked on a quarterly basis. These figures are almost unchanged from the 2007 survey. In fact, both of these have a slightly higher percentage of respondents who never conduct hacks, although, again, not a large enough difference to indicate a significant change.

As might be expected, a much higher percentage of respondents who conduct ethical hacks quarterly on both their wireless and wireline networks (54 percent) believe that the chance of being successfully hacked in the next year is 10 percent or less, compared with only 21 percent of respondents who never conduct ethical hacks on either of these networks.


We then asked those respondents whose IT organizations never conduct ethical hacks in any one of these four categories
what contributes to this deficit. The most common reason (selected by 59 percent of respondents) is simply that
management does not understand the value of ethical hacks and, presumably, will not allocate the time and money
required to conduct them. Surprisingly, despite the extremely negative publicity that accompanies a data breach,
management’s perception of the value of ethical hacking has been waning since 2005. Security professionals need to
reexamine how they are presenting ethical hacking to management, perhaps with greater focus on business consequences.

The next most common reason–also increasing this year compared to 2007 and 2005–for not conducting ethical hacks is that the IT organization doesn’t have the manpower and/or skills to fix vulnerabilities uncovered during the hack, which was selected by 44 percent of respondents. This “see no evil” justification for not conducting ethical hacks is one that can come back to bite an organization. Certainly, if significant vulnerabilities are found, the will would be found to fix them.

Similarly, 26 percent of respondents say their IT organizations don’t have the funds to fix potential vulnerabilities. Again, it’s likely that funds could be found to fix significant vulnerabilities. And even if funds weren’t forthcoming, it would still be preferable to know the problem than to have to plead ignorance when an attack brings down the ecommerce server for two days.

Many fewer respondents (13 percent) are concerned about the safety of ethical hacks, and just four percent are worried that results of an ethical hack could be embarrassing. Both of these have declined significantly as issues over the last four years.


We then asked respondents who have conducted at least one ethical hack in the last year either internally or using a third
party to tell us for each of the four categories if the vulnerabilities they found were insignificant, moderate or serious.

Overall, wireline and wireless networks are the most secure, with 48 percent of the former and 45 percent of the latter
having no significant vulnerabilities. An additional 45 percent and 43 percent, respectively, had vulnerabilities with only
moderate impact.

Applications and operating systems did less well, although only by a small percentage. Thirty-four percent of
applications had no vulnerabilities found, compared to 31 percent of operating systems. Forty-six percent of the former
had moderate vulnerabilities, while 49 percent of the latter had the same. As a cautionary note, though, on average 15
percent of respondents who have conducted an ethical hack in the last year found a serious vulnerability. We suspect
that percentage is even higher among respondents who have not conducted ethical hacks recently.


Importance and Benefits of Ethical Hacks

The reason for conducting an ethical hack, obviously, is to keep information assets secure. One survey respondent
stated that “It (ethical hacking) is very important and helps save you money and reputation in the long run.” Not all
types of ethical hacks, however, have equal importance in achieving these goals. For instance, respondents consider
network testing as the most important type of ethical hack, with 60 percent deeming it critical, and another 35 percent
saying it is very important. System hardening is also considered critical by a majority of respondents (53 percent) and
somewhat critical by another 36 percent.

Application testing and wireless network testing are a bit less important than network testing and system hardening,
although both are considered critical or very important by more than three quarters of respondents. Code review is
considered critical by 28 percent of respondents, and war dialing is critical for 21 percent. War dialing is the only type of
ethical hack that more than six percent of respondents (17 percent) deem not at all important to keeping their
information assets secure.


Though the primary function of ethical hacks is to uncover vulnerabilities, there are a number of corollary benefits that
can be derived from this activity. With that in mind, we presented respondents with a list of eight potential benefits that
could result from conducting an ethical hack, and asked them to rank the top three in order of importance.

Not surprisingly, improving their overall security posture is the number one benefit by a wide margin, being listed in the
top three by 85 percent of respondents, and the most important benefit by more than 43 percent. These percentages
are similar to the results in both the 2005 and 2007 surveys, except that the percentage of respondents ranking it
number one jumped from 35 percent (in both surveys) to 43 percent.

Also placed in their top three benefits by more than half of respondents is protecting against theft of intellectual
property. Twenty-two percent of respondents list this as their top benefit, compared to 34 percent in the 2007 survey
and 23 percent in the 2005 survey. Ranked very closely behind is fulfilling regulatory and/or legislative mandates,
which 20 percent rank number one, up from 12 percent in 2007 and 17 percent in 2005. Taken together, 85 percent of
respondents consider the top benefit of ethical hacks to be one of these three.

Two other benefits were selected by more than a quarter of respondents in their top three: baselining of the current
environment, and validating previous security investments. Providing justification for additional funding and the ability
to do trending analyses are among the top three benefits for less than one out of six respondents.


Ethical Hacking Strategy

Ethical hacks can be conducted internally by the IT organization or by a third-party. The advantage of having the latter
group conduct the hacks is that it more closely simulates an actual attacker in terms of knowledge of the organization’s
networks and systems. Third parties also usually have greater knowledge of the latest hacking techniques and ploys.
However, many IT organizations still eschew this path–at least for some types of ethical hacks. So we provided a list of
potential barriers to conducting ethical hacks internally, and asked which are significant barriers to either conducting
these activities, or improving their capabilities for conducting them.

The significant barrier cited most often is the lack of experienced staff, a problem for 53 percent of respondents. As mentioned previously, this is one of the strengths of ethical hacking vendors. Closely related to this is a barrier faced by 39 percent of respondents: the amount of staff training required to be able to effectively conduct the ethical hack.

But other reasons also plague a large percentage of respondents’ IT organizations. Other projects with a higher priority is a problem for 44 percent of respondents, unrelenting introduction of new threats for 41 percent and cost of ethical hacking products and/or tools for 40 percent.

Other reasons for not using third parties are common to many IT projects, i.e., justifying costs and benefits to upper management (35 percent), organizational and process issues (31 percent) and difficulty in implementing products and/or tools (29 percent).


Most respondents who conduct ethical hacks internally also use third-party vendors of these services. As one
respondent said, “An objective, third-party, ethical hacking assessment is crucial to maintaining a verifiable level of
information security.” In general, ethical hacking vendors promote the following benefits of using their services:

• Ethical hacking specialists have more expertise and tools than in-house resources
• Tests can be conducted with zero-knowledge to truly mimic a random intruder
• Testing can be done without the knowledge of other IT employees

When deciding to use a third-party vendor, there are two typical approaches: 1) choose the best vendor and stick with
them through multiple rounds of ethical hacks over time, and 2) rotate vendors on a regular basis. The thinking behind the
latter strategy is to get different approaches, covering the widest possible range of simulated attacks, thus maximizing the
likelihood of uncovering a vulnerability.

Both approaches have their proponents and detractors. Respondents, however, consistently split evenly between employing one of these two strategies and having no strategy at all. We can only assume that those organizations with no strategy operate on an ad hoc basis, making a decision whether to use the same or a new vendor with each ethical hack. While not necessarily a terrible approach, proactively selecting a multivendor or single-source strategy is likely to yield more benefits than an ad hoc approach.

Of the half of respondents who do have a defined strategy, again, their approach is fairly evenly split between rotating vendors and sticking with just one. And this has been true for the last two surveys.

We then asked all respondents, whether they currently use an ethical hacking vendor or not, to tell us which of four potential barriers to using these vendors are significant for them. Slightly more than one-quarter of respondents do not see any of these barriers as significant. Of the four, though, cost is far and away the most significant, with 62 percent seeing this as a problem. None of the others register with as many as one-quarter of respondents.


Security Budgets
Twenty-six percent of respondents’ IT organizations have annual budgets of less than $500 thousand. Another third fall
in the $500 thousand to $9.9 million range. Twenty-two percent have IT budgets of between $10 million and $49.9
million. The remaining 18 percent of respondents’ IT budgets are $50 million or more.

The vast majority of respondents’ IT organizations spend 10 percent or less of their IT budget on security, i.e., 47 percent spend between one and five percent, and 36 percent spend between six and ten percent. Only six percent dedicate more than 20 percent of their budget for security.


In these tight economic times, security budgets are holding up fairly well. Twenty-eight percent of respondents expect
their security budget to increase in 2009 as a percentage of the IT budget, and 24 percent expect it to increase in
absolute dollars.

On the other side of the coin, 22 percent of respondents expect the security budget to decline as a percentage of the IT
budget, and 31 percent expect it to decline in absolute dollars.

A hefty 38 percent of respondents do not specifically allocate a portion of the security budget for ethical hacking, more than in the 2007 and 2005 surveys. Sixty-nine percent of respondents allocate from 1-5 percent of their security budgets for ethical hacking, and 17 percent allocate from 6-10 percent. At the top end, just two percent of respondents spend more than 20 percent of their budgets on ethical hacking.


Respondent Comments
• An objective third-party ethical hacking assessment is crucial to maintaining a verifiable level of information
security. Although not all environments may have the financial resources to commission regular and
comprehensive third-party assessments, an effort should be made to at least classify your most sensitive
organizational assets and focus your resources accordingly.

• [Ethical hacking is a] critical component of our overall security program. Keeps our internal, contracted security
guys performing their best; it's a level check.

• Ethical hacking is a necessity in order to protect company assets and stay close to the reality of unethical hacking.

• It (ethical hacking) is very important and helps save you money and reputation in the long run.

• It (ethical hacking) is the best way to assess the network from an outsider's perspective.

• I think it (ethical hacking) is a must have for any serious organization today.

• It (ethical hacking) should be a critical part of any proactive organization in today's global competitive market.

• It's difficult to see the pimple on our face, but others can see all of our blemishes.

• The issue with 3rd parties in our environment is the overall cost. Our environment is very large and to bring an
outside team in would mean we would have to make them "full time" resources to allow them to do the hacking
within a year of all segments.

• Presentation/delivery of [ethical hacking] results and findings by external providers are "all over the map", with
minimal consistency.

• Tools and 3rd parties are expensive when you have a lot of address space as most are priced by number of IPs
scanned, not actual number of hosts found.

• Social networking sites are a huge factor in contributing to the rise of hacking activities.

• I would love to go through the training, but it's too costly for me personally, and my employer won't [pay for it].


About BT

For more than 20 years, BT has provided solutions in U.S. and Canada that help enterprises effectively use technology to drive business growth. The expertise of our employees enables us to help customers globalize their businesses in innovative and sustainable ways. Through strategic development, strong alliances and a diverse collection of best practices and methodologies, BT has emerged as a leader in networked IT services providing professional services and consultancy, managed services, and full outsourcing for business and IT transformation.

BT has the experience and knowledge to design, manage and operate solutions that overcome business challenges and create sustainable value in the areas of:

• Secure Networking – drive cost efficiency and risk reduction across security operations while enabling greater support for compliance and productivity.

• Mobility – reduce cost and increase productivity through information access and collaboration regardless of location, by simplifying the complexity attributed to the control and management of mobile assets and expenses.

• Contact Center – deliver improved customer service while reducing costs and increasing operational flexibility and agent productivity.

• Infrastructure Optimization – fully integrate business communications and IT infrastructures onto a single, cost-effective platform to reduce infrastructure complexity while enabling streamlined centralized management, more comprehensive security monitoring and enhanced business applications performance.

• Unified Communications – unify complex network environments to connect the people, applications and devices needed to achieve business goals.

• Audio and Visual Conferencing – enables users to meet with colleagues—anywhere, anytime—using an electronic communications system such as a phone, personal computer or specialized video conferencing equipment.

About BT IT Industry Surveys

BT conducts industry survey projects intended to provide IT managers with insight into key issues impacting the ability to develop and deploy IT-infrastructure-dependent business initiatives. Previous survey report topics include:

• Application Impact Assessment
• Ethical Hacking
• IP Address Management
• IPv6
• IT Infrastructure Library (ITIL)
• IT Operations Centers
• Malicious Code
• Network Access Control
• Network and Systems Management Total Cost of Ownership
• Network Quality of Service
• Network Security
• Outsourcing and Offshoring
• Patch Management
• Performance Management and Engineering
• Server Virtualization
• Service Level Management and Service Level Agreements
• Storage Networking
• Unified Communications and Collaboration
• Virtual Private Networks
• Voice Over IP
• Wireless LANs

To see the results of previous surveys, go to http://www.bt.com/us/resources

For more information regarding the IT industry survey program, please contact:

Rick Blum
Director, Strategic Marketing
Email: rick.blum@bt.com

At BT we also know it is important to work with a provider who understands the nature of your business. We have built an eco-system of collaborative relationships with companies such as Microsoft, Cisco, EMC and HP enabling us to deliver integrated solutions that are flexible and focused on the things that will make your business succeed. In tailoring our global networked IT services to the needs of our customers, we offer a unique combination of global reach with local experience and knowledge, global account management and excellent customer service.

We provide solutions to more than 1,000 customers in the U.S. and Canada in all major industries, and have been selected as a trusted partner by many large enterprises including Unilever, Reuters, Cadbury and Procter & Gamble. For additional information, please visit www.bt.com/globalservices or contact us at 1-888-767-2988 in the U.S. or 1-408-330-2700 worldwide.

Offices worldwide
The services described in this publication are subject to availability
and may be modified from time to time. Services and equipment
are provided subject to British Telecommunications plc’s respective
standard conditions of contract. Nothing in this publication forms
any part of any contract.

© British Telecommunications plc 2009

05/01/2009
