External attacks on a network can provide information that enables physical attacks. As Bonvillain puts it, “A small information leak on the Internet can cause huge vulnerability on the social-engineering end.” In one case, an external probe via a Web site gained him access to a supposedly secure database that contained facsimiles of the signatures of a client’s business partners. With those signatures and other information about the partners, “I could probably walk in the front door posing as someone from a partner company.”
Once in the door, a hacker bent on mischief can wreak havoc upon a company’s network, even without getting to its central servers. Working for a client in Las Vegas, Bonvillain once used a Web site to gain unauthorized access to the company’s intranet. From there, he and some cohorts were able to order corporate T-shirts that allowed them to dress like employees. Wearing the T-shirts, “we found the outdoor area where the smokers went, then rode their shirttails into the building. In 10 minutes I found an open conference room, plugged a laptop into a port, and compromised the Oracle database.”
What techie wouldn’t want a cloak-and-dagger job like this? The firms say their applicants include people with extensive backgrounds in corporate or government IT security and those who have received special training in postgraduate programs at places like Carnegie Mellon University and Georgia Tech. Boecher says he sends even experienced new hires to the SANS Institute, a Bethesda, Maryland, computer-security academy, for advanced hacking training.
Besides a degree in computer science, George says he also looks for people whose technical credentials are coupled with a liberal arts background. After you have penetrated the client’s network, conned his people, and snuck into his building, there remains the matter of breaking the bad news in a constructive way. After the Sneaky Pete part of the job is done, George says, “We need people who can communicate the findings with”—he reaches for the right word—“sensitivity.”
Leonard Jacobs, president and CEO of Netsecuris, Inc., in Savage, says that a penetration test usually involves three steps. In the first stage, which he calls “footprinting,” he looks for information about the client’s computer system that exists in the public domain. This can be as simple as perusing the “careers” section of a corporate Web site. “Are they looking for a network administrator with Unix experience? Then I know they use Unix, not Windows,” Jacobs says.
The second step is “scanning,” in which various kinds of testing software are used to detect open ports into the organization’s network. These usually are found in Web, e-mail, or file transfer protocol servers. Two questions arise: Are any unnecessary ports open? And how well protected are the necessary ones?
Step three is “exploitation,” the actual penetration test to see whether vulnerabilities found in the system can be used to crack into the firm’s network. Attempts can be made via external computer attacks on open ports, by physical intrusion (what Jacobs calls “dressing up as the UPS guy” to get into the client’s building), or by various “social engineering” gambits that exploit the credulity of the client’s employees.
—J. G.



