Sunday, 3 February 2013

What is ethical hacking?-1


With the growth of the Internet, computer security has become a major concern for businesses and governments. They want to be able to take advantage of the Internet for electronic commerce, advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being “hacked.” At the same time, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses.[2]

In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records. In the case of computer security, these “tiger teams” or “ethical hackers”[3] would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems’ security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.

This method of evaluating the security of a system has been in use from the early days of computers. In one early ethical hack, the United States Air Force conducted a “security evaluation” of the Multics operating systems for “potential use as a two-level (secret/top secret) system.”[4] Their evaluation found that while Multics was “significantly better than other conventional systems,” it also had “. . . vulnerabilities in hardware security, software security, and procedural security” that could be uncovered with “a relatively low level of effort.” The authors performed their tests under a guideline of realism, so that their results would accurately represent the kinds of access that an intruder could potentially achieve. They performed tests that were simple information-gathering exercises, as well as other tests that were outright attacks upon the system that might damage its integrity. Clearly, their audience wanted to know both results. There are several other now unclassified reports that describe ethical hacking activities within the U.S. military.[5]
