An Ethical Hacking exercise is a simulation of real life attacks and usually involves authorized persons’ use of attacking methods simulating hostile intruders’ or hackers’ techniques. These exercises focus on the external perimeter of the organization.
Leveraging a variety of techniques, these carefully designed/ executed tests, are based on real life experiences and understanding in identifying and addressing vulnerabilities and mis-configurations, which tend to exist in electronic organizational environments and which, if exploited, could cause instability and grant unauthorized access to the attacked organization’s systems and data.
During an Ethical Hacking exercise, our ITHACA Labs® team utilizes a variety of manual and automatic techniques aiming to identify, map, and assess vulnerabilities which could potentially bypass your organization’s perimeter security controls without having physical access to your premises or prior knowledge of your IT set up, by impersonating a malicious intruder or attacker.
To maximize your benefits from such an undertaking, a major part of the relevant undertaking is the design phase, during which the scope of the penetration test is clearly established. This ensures that the components, systems, processes presenting the most critical risk for the organization, are tested.
It is important to note that when executed on a periodic basis, these exercises prove instrumental in helping organizations identify weaknesses in their software applications, network devices, systems, security controls and Information Security Processes, while also confirming or denying specific assumptions that may be held by management in relation to the completeness and robustness of existing controls.
Our Ethical Hacking methodology and approach is a five-step process as described below.
The Re-Testing step is optional for organizations requiring the added assurance that remedial action taken after vulnerabilities and weaknesses have been identified, has been successful in mitigating the relevant risks.
1. Passive Information Gathering
The first step of our methodology is to gather as much information as possible regarding the in-scope systems and network components, without probing the organization’s infrastructure. At this stage, the organization is not able to detect that someone is gathering information about them even if they have the proper security controls in place such as an Intrusion Detection and Prevention system. Information can be gathered from various sources and used in subsequent stages of the exercise, towards deriving more in-depth information useful for the attack.
2. Active Information Gathering
Active information gathering consists of a series of active probes of the targeted network and systems, which the organization may be able to detect. During this step, critical information regarding the in-scope systems and network components are gathered. This information may include the type and version of operating system and software applications running on the network devices and systems etc.
3. Vulnerability Mapping
All information obtained during the previous steps is collated, classified and mapped. At this point it is possible to draw a “map” of the security behavior of the in-scope systems and networks components, which allows us to determine our course of action. This course of action will include our strategy regarding the vulnerability probes and tools, which will be used during the subsequent exploitation phase. Our exploitation strategy will be relating specifically to the in-scope systems and network components and will be aimed at identifying possible weaknesses and vulnerabilities present.
Our exploitation of the vulnerabilities identified and mapped during the previous phases of the ethical hacking process will not be limited to perpetrating isolated attacks aimed at exploiting a single vulnerability. Rather, our “attacks” will be formulated so that they take advantage of a number, or combination of identified weaknesses. By doing so, we can simulate what the maximum effect of the identified vulnerabilities would be on the targeted systems and networks should an orchestrated hacker attack actually takes place.
This stage completes the assessment by verifying which of the potential vulnerabilities and attack paths can actually lead to a security compromise or exposure. For any successful break-in attempts, an estimation of potential damage is made which enables the organization to more accurately assess the threats that are present in their network and systems infrastructure and the extent of business risks based on those threats.
It is important to note that during the different stages of this exercise, all meaningful network traffic is monitored, using network sniffers, to detect any information that may be security-sensitive.
The ethical hacking exercise is concluded with a meeting during which our observations, findings and assessments are presented. During this meeting we will provide you with helpful information and guidelines as to how all-successful break-ins could have been prevented or controlled and answer any questions you may have. In addition, we will furnish you with a detailed report, summarizing our observations and findings along with an overall analysis and correlation of the identified risks and concerns, providing you with a comprehensive view of the level of risk to which the organization is exposed. Constructive recommendations for the mitigation of those risks will also be included.
The intention is to provide the organization with focused in-depth technical explanation of each vulnerability as well as instructions for remediation and recommendations, which address individual weaknesses. We will also provide you with a more holistic view of the risks inherent in your operations, all based on our work, our findings and conclusions.
Before, or even after the submission of the final report, the organization, based on the initial findings report, may take remediation steps and allow the ITHACA Labs® team to re-test after the corrective actions have been completed.
Although optional, this is a very important step as it provides management with the assurance that any identified weaknesses, have been effectively addressed bringing the organization’s risk baseline to the required level. By doing so, management’s due diligence is clearly demonstrated while audit and compliance requirements are duly met.