The Influence of Information Technology on Business - Research Paper Example

An In-depth Analysis on the Influence of Open Source System Penetration Tools on Cyber-crime Anonymous A. Non, Charles O. Cromwell (List on this line using 12 point Times New Roman font – use a second line if necessary) Company/Institution Name, City, Country, Postcode (authors affiliation(s) listed here in 12 point Times New Roman font – use a second line if necessary) Abstract- Cyber attacks on the organisation will not only impede their success, but could also put a big question mark over their survival. To avert this kind of worst case scenario, organisations and other entities will constantly test their IT infrastructure through various means, thereby strengthening and protecting it from threats. One of the key IT based testing process, which is aptly finding loopholes and thereby optimally plugging it is the Penetration Testing process, as well as vulnerability scanners. These tools are used by legitimate security consultants or testers with organisation’s authorization to launch a stimulated cyber attack on the organisation’s IT systems. These attacks could pinpoint the vulnerable areas, and could also aid in mitigating them. Organisations from various sectors are incorporating solutions these tools to develop foolproof protection system. Many reputable industry standards are also prescribing penetration testing as one of the key security exercise. Still, there is scepticism regarding genuineness of this process, as there are chances of agencies or individual testers turning negative and compromising organisations’ critical assets. To prevent such eventualities, there are adequate legal provisions; in addition organisations and security consultants need to come up with protocols or steps, which ensure secure and safe testing. 1. Introduction Any organisation, irrespective of the ‘domains’ they are placed in, will be vulnerable to cyber attacks, especially the ones which are maximally dependent on Information technology. These organisations will be threatened by individuals with apt technical knowledge and other inside information. Their intentions may vary from wrecking the organisation to stealing critical assets. When this type of cyber crime occurs, the organisation could suffer heavy financial losses and more than that could have doubtful future, as its key assets will be compromised aiding its competitors. Disgruntled employees or employees with ‘spying role’ could wreck the organisation by altering or breaking down the IT infrastructure, and also by bringing in IT tools from outside to disable it. Apart from those employees, external ‘elements’ in the form of hackers, cyber thieves, competitors’ aids, etc, could intrude or cyber attack the organisation. 2. Background and its widespread use To actualize a foolproof protection system, organisations has to find out the loopholes or the vulnerable areas in its IT infrastructure. Because, once the weak points are identified, organisations will become even more capable of addressing the loopholes, and thereby implement a better structured system, which is more resilient against potential hackers or attackers. This is where the Penetration testing process and other scanners comes into the picture. A penetration testing process, or occasionally called pentest, is a process under which the security of an IT infrastructure or a computer system is evaluated by simulating a cyber attack from a known malicious source. In April 1995, Dan Farmer and Wietze Venema released a program called Security Administrator Tool for Analyzing Networks, shortened to SATAN. Written largely in PERL, it was designed to automate the process of testing systems for security vulnerabilities, and also picked up large amounts of general network information, such as which hosts are connected to subnets, what types of machines they are, etc. (Sommer, 2006, p.69). Apart from this, there are number of updatable commercially available scanners including vulnerability and port scanners, which can update itself with the known hardware and software vulnerabilities. That is, these tools will also test the system for any risks and could even suggest corrective options. For example, the information provided by such scanning tools provides technical details of the vulnerability and at the same time also gives instructions as to how to eliminate the vulnerabilities by altering configuration settings. (Federal Office for Information Security, 2003). 2.1. Penetration Process Penetration and scanners includes a set of processes or protocols, which are devised from the perspective of the attacker and how they will try to intrude a network with negative intent. These protocols are then applied to a network, and the process of penetration involves analysing the system and finding potential vulnerabilities, which are caused by poor or improper system configuration, known and/or unknown hardware or software flaws, etc. (Godbole, 2009, p.45). In addition, Penetration testing services offered by security consultancies will include checking a businesss firewall, looking for weaknesses in its internet gateway or website, etc. (Sommer, 2006, p.71). After the analysis is done, any security risk will be provided to the system or organisation’s owner, along with the assessment of the risks, and importantly mitigation solution or solutions. Fig.1 Penetration Testing approach diagram (Geer and Hawthorne, 2002) 2.2. Vulnerability Scanners On the same lines, but with a different end result, vulnerability scanners are also used by various organisations, thereby making it also a widespread application. That is, vulnerability scanners are computer programs, which are specifically designed to assess IT infrastructure or any computer systems for any loopholes, but without simulating any direct attack. There are various types of vulnerability scanners that are available including Port scanner, Network enumerator, Web application security scanner, etc. Although, the functionality of all these scanners could vary, they accomplish the main task of enumerating the vulnerable areas in the IT infrastructure. Among these scanners, port scanners are used in a widespread manner to test a server or even host for open ports, and this way IT person or testers can identify the running services on a host, thereby preventing it from any compromise, through security policies. A port scan is stated as “An attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.” (Degu and Bastein, 2003, p.418). 2.3. Pentest vs. Vulnerability Scanners Although, pentest and vulnerability scanners are used in a widespread manner, penetration test is regarded as a far effective process as there is no breaking into the system in the case of scanners. That is, scanners could only show the presence of vulnerabilities, while the Pentest can conclusively demonstrate those vulnerabilities. Few testers use commercial vulnerability scanners to try to test or penetrate systems. Most commercial scanners are like Swiss army knives-they perform many functions, but dont do any one function particularly well, so their usefulness in a penetration test is limited. (Lucas and Moeller, 2004, p.135). Importantly, Penetration testing necessitates a lot more planning, care, effort, time, etc than vulnerability scanning, and so the results of Pentests will be more reliable, valid and valuable for the businesses. Thus, penetration testing has evolved from what was in the mid-90s, a dangerous or even an unethical activity, into a proven, widely accepted and widespread activity, practiced by many businesses. 3. Development of protection systems Organisations could think that having just the Windows firewall option and regular changing of passwords will be adequate to ensure their security, and prevent any intrusion or data theft from hackers. The fact is, many organisations underestimate the security threats they face, and overestimate the ability and resources their internal IT staff have to address it. (ISS White Paper). This assumption is wrong and could also be self-defeating because there are highly skilled hackers and also there could be disgruntled employees or even detrimental competitors, who can break into key IT infrastructures, retrieve necessary information and put the organisation in a downhill path. Thus, it is paramount that organisations, which rely on IT, should develop optimum protection systems, and which have to be tested and updated regularly. Organisations and its IT personnel should take care or fulfil four major aspects to develop an optimal protection systems, and they are Penetration testing, intrusion detection, incidence response and legal/audit compliance. (Lubis et. al, 2010). As penetration testing process can pinpoint all the vulnerabilities, it can aid a lot in developing effective protection systems. Pentest professionals, with the permission of the organisation, can test all the key and even supposedly secured parts of the IT infrastructure, and give a report mainly from an outside criminals perspective, so that the necessary protection systems are developed. To develop apt protection systems, organisations have to allocate the IT department adequate financial resources. This penetration testing process can create a kind of Compelling Event. “Well-documented results from a penetration test that expose the susceptibility of customer data, human resources records or even executive e-mail accounts create compelling events that any executive concerned with company finances, liability or reputation needs to know.”(ISS White Paper, p.2). Security has to be upgraded and updated according to the evolution of threats. While the in-house IT personnel could be clouded by internal pressures, independent penetration testing team could offer unbiased analysis. These types of independent audits are becoming a key requirement to get cyber-security insurance. Importantly, key regulatory and legislative requirements are stipulating penetration tests as a key necessity for doing safe and secure business. Regulations such as HIPAA (Health Insurance Portability and Accountability Act), Graham Leach Bliley, etc all include security compliance codes. (ISS White Paper). Because of this possibility, many organisations and entities are adopting penetration testing and so it is becoming widespread. For example, all the credit card companies have been adopting penetration testing as part of its established standard, the Payment Card Industry Data Security Standard (PCI DSS). That is, this standard was developed by leading credit-card companies to help merchants to protect sensitive customers credit-card data, and so any company that does transactions via credit cards needs to be PCI compliant. (Vacca, 2010, p.384). As part of PCI DSS compliancy, companies have to carry out both annual as well as ongoing penetration testing, as part of its routine plans and also after system changes. (Manzuik et. al, 2006, p.56). This way, organisations can implement appropriate safety or corrective measures, thereby eliminating or plugging vulnerabilities, which can be exploited by unauthorized hackers or any other third parties. 4. Controls or ‘Policing’ over Penetration testing process Even after the evolvement of genuine testing agencies, organisations could be sceptical about conducting pentests because of the fear that their IT infrastructure could be penetrated by cyber criminals in the guise of testers, and importantly they fear that all their data could be stolen or compromised. To avoid these worst case scenarios, both the organisations as well as the testers are putting in place optimum security controls. In addition, governments of the land and other overseeing agencies are also coming up with laws and standards to curb any illegal behaviour. EC-Council (2010, p.18), one of the reputed professional certification bodies, provides a list of measures that should be taken by the organisation and the testers before pentests. For example, testers should provide details of the team performing the penetration test, and the team members should agree to a background check and reference check to be carried out by the organisation or other third parties. In addition, the testers should provide updated logs and also actions taken as part of the penetration test, with a qualified organisation representative checking those logs and updates. Apart from selecting genuine and trustworthy testers, organisations has to keep a vigil on the testers to find out whether they are stealing or misusing confidential data during the testing process. From the perspective of the testers, laws are clear that to penetration testing, they should get clear authorisation from the target organisation or client. In the absence of such authorisation, the consultant agencies or testers could be held for criminal liability, punishable by a fine and/or imprisonment, under the Computer Misuse Act 1990. (Dautlich, 2004, p.41). 5. Conclusion With information technology becoming an intricate and indispensable part of many organisations’ functioning and success, it has to be secured in an optimum way, for it to aid the organisation effectively. IT infrastructure and networks of organisations functioning in the government, private and even outsourced domains are becoming a target of cyber-attacks. Here, Penetration testing and vulnerability scanners can find all the loopholes and importantly ‘plug’ and secure them. In the future, organisations will implement more advanced IT applications, and in line with those implementations, cyber attackers will also come up with advanced intrusions. So, the testers or security consultants need to upgrade and update their penetration and scanning process, to be an able defender and protector of crucial IT assets REFERENCE Sommer, P. “Criminalising hacking tools.” Digital Investigation, vol. 3, pp. 68-72, 2006. Federal Office for Information Security. Study: A Penetration Testing, 2003. Godbole, N. Information Systems Security: Security Management, Metrics, Frameworks And Best Practices (W/Cd), New Delhi: Wiley-India, 2009. Geer, D. Harthorne, J. Penetration Testing: A Duet. Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC02), Las Vegas, Nevada, 2002. Degu, C. Bastein, G. CCSP Cisco Secure PIX firewall advanced exam certification guide. Cisco Press, 2003. Lucas, J. Moeller, B. The effective incident response team. New York: Addison-Wesley, 2004. ISS White Paper. Penetration Tests: The Baseline For Effective Information Protection Lubis, M. binti Yaacob, NI. binti Reh, H. Abdulghani, MA. “A Study on Implementation and Impact of Google Hacking to Internet Security.” Proceedings of Regional Conference on Knowledge Integration in ICT 2010. Vacca, JR. Managing Information Security. Syngress, 2010. Manzuik, S. Pfeil, K. Gold, A. Gatford, C. Network Security Assessment: From Vulnerability to Patch. Syngress, 2006. EC-Council. Penetration Testing Procedures and Methodologies, London: Cengage Learning, 2010. Dautlich, M. “Penetration Testing- the Legal Implications.” Computer Law & Security Report, vol. 20, no. 1, pp. 41-43, 2004 . Read More