Mr. Schreiber, as a tester of IT security and an expert on hacking, you certainly know your opponents. What motivates a hacker?
Schreiber: Well, in this case we must first differentiate the type of perpetrator involved. The vast majority of hackers are what we call “script kiddies,” teenagers or students without a lot of knowledge who use programming components available on the Internet to piece together a virus and then release it. They can also create damage by exchanging texts or a photograph on a Web site.
That sounds like the unintended result of a youngster’s prank.
Schreiber: Yes, most of the script kiddies are high-spirited. They think of their actions as a sport, vie for attention, and really can’t judge the exact effects of their activities. But these unintended disruptions do create significant damage – when an Internet store is paralyzed, for example. Some of these beginners expand their technical knowledge and then become real hackers. But the goal of creating specific damage in a specific company is more likely to be the work of a traditional insider or a professional industrial spy with a great deal of criminal energy.
Can anyone estimate how many hackers there are who must be taken seriously?
Schreiber: Since we’re dealing with a grey zone, there are no official numbers and I cannot share with you some estimates that have a good foundation. However, because of our profession, we are forced to look at the hacker scene and attend the relevant meetings. A recent event in The Netherlands drew some 3,000 participants. Of course, this number is just an approximate size.
What are the perpetrators after when they break into a company’s network? Destruction or theft of data?
Schreiber: For professionals, it is much more attractive to investigate a company and copy confidential data in secret – from the e-mail sever, for example. In the full sense of the term, it’s a golden opportunity for the competition.
Does that mean that data is offered to the competition, or that the competition itself engages a professional hacker?
Schreiber: Both. Some hackers work at their own initiative and then offer to sell the data back to the company or to its competition. But there have also been – and still are – cases in which the competition itself has engaged the services of a hacker for a specific reason. Battles do not always occur in the marketplace fairly, and, along with corruption, economic espionage has become a major problem.
Then what kind of protection is available at all?
Schreiber: There are two decisive success factors in the ongoing race, which is similar to a cat-and-mouse game between hackers and network administrators. First, effective protection naturally presupposes a secure IT infrastructure. Second, the secure infrastructure requires trustworthy and loyal employees. And note that as loyal as the employees might be, they can also make mistakes. That’s why the system absolutely requires virus protection and a firewall. An intrusion detection system would be an ideal supplement. The old and familiar principle also applies to IT security: a chain is only as strong as its weakest link. In our experience, company networks are about 99% secure, but that other 1% is susceptible to attack and represents an exposed area for intruders. We try to track down the remaining weak point with penetration tests.
What does that kind of penetration test look like, and how is it performed?
Schreiber: Each situation is different, and the test itself depends upon the individual conditions and wishes. Should the entire system undergo testing, or just specific components? Should the test attack come from the Internet or from the company’s network? Should the test be quick or particularly intense? Depending upon the complexity of the IT system and the preparation involved, a test can take anywhere from 3 to 20 days. The test can be executed automatically, manually, or with a combination of both approaches.
What are the advantages of automatic and manual tests?
Schreiber: For automatic tests, the security scanners available on the market include many good products. In my experience, an important criterion for evaluating a product’s quality is the ability to see the source code. In regard to this question, I generally tend toward open source software. Whether they’re free or available commercially, these scanners can use the Internet or a company network very well to test if the systems being examined are susceptible to attack. But they provide only a general overview of the status of the security in a company’s network because they’re incapable of testing tailor-made, individual software or industry solutions without large market penetration. A detailed view of a company’s IT security requires a manual analysis. To attain such a view, we use the hacker software available on the Internet and tools that we must develop ourselves.
And what forms do the tests take?
Schreiber: One criterion is the desired level of aggressiveness for the tests. If a given system is not allowed to fail, we limit ourselves to soft tests. Otherwise, we use denial-of-service (DoS) attacks that assault the availability of systems to see if a system can be shut down. Another criterion is the level of the attacker’s knowledge. In a white box test, the customer gives the attacker internal information, such as documentation on process descriptions, communications streams, firewalls, and network plans. Armed with this information, an attacker can undertake a great number of targeted attacks. In a black box test, however, we know nothing about the company network; the attacker is fishing in the dark at the beginning.
How do attackers proceed in that situation?
They try to find the crossovers to the Internet. For example, they can query the RIPE database or DNS server, research newsgroup archives, or perform a mail bouncing test and analyze the results to obtain the IP addresses. Once attackers have that information, they have a good starting point to attempt an attack on the company network.
What do you have to consider when planning a project?
Schreiber: One question is whether the test is to occur with or without notice. Another is whether the test should be performed once or at regular intervals.
What’s your success rate? How often can you hack into a system?
Schreiber: That depends upon the character of the test. Generally, the most successful attacks occur at the level of Web applications. We can get into the network in about 90% of cases. We can usually ferret out information. We recently had a case where we could read information, but were unable to write data.
What are the results of such test attacks?
Schreiber: It’s usually the small, inconspicuous details that make a network susceptible. A typical example would be the case in which a company has outfitted a router with filtering rules between the network and the Internet. The filtering rules were created, but were never activated. Based upon this small element of inattentiveness, the company’s entire network was left without any protection whatsoever from potential attackers. It’s one typical weakness: protective measures are present, but incorrectly configured. Or the system might have already been made waterproof, but a small modification within the complex system – perhaps the opening of another port – creates a new security weakness. If a hacker with criminal intent discovers the weakness, the very existence of the company can be jeopardized.
What recommendations do you have for companies to achieve the highest possible level of IT security?
Schreiber: The most important recommendations for maintaining an IT network would be to use as few network protocols as possible, reduce complexity wherever possible, and increase robustness and redundancies. Additional criteria would include paying attention to product quality and quality assurance, using only qualified personnel, not opening any unnecessary software or unused ports, and operating as restrictively as possible with user rights. Those are solid preconditions for IT security. And of course, testing the complete system, retesting it, and then testing it yet again – especially after something as been completely or partially reconfigured.
Then how secure are your own systems?
Schreiber (laughs): Well, because of my profession, I’m paranoid enough to keep my own system at the best possible level of security.
What do you use to protect yourself and your company?
Schreiber: Actually, just the usual security measures: a multilevel firewall, personal firewalls, and the best security guarantee of all – well-trained employees who are aware of the problem and who think and work with as much paranoia as I do.