Understanding ethical hacking in IT Security

About a year ago, Dutch undercover investigative journalist Alberto Stegeman aired a programme on security at the court in Utrecht. Using a smartcard of the kind issued to those authorised to access government buildings, he was able to enter the court carrying a fake gun.

He had obtained the smartcard from one of the building’s former staff – and apparently the card was still valid for entry. Many organisations are now aware of the gaps which can arise in their security, both at the physical and logical levels. That’s why ‘ethical hacking’ is currently in vogue.

Hacking exists in a number of forms. Often the objective of hacking is to cause harm, but this is not the case for ‘ethical hacking’. The idea behind ethical hacking is in fact to limit the chance of harm.

Ethical hacking looks at all the systems and network infrastructure in an organisation for possible security holes. Any weaknesses found are not misused; instead the department responsible is promptly notified so that they can be fixed immediately. All major accounting firms now employ teams of hackers who can track down such security gaps for clients, as do specialist firms such as the Dutch-American HackerOne.

User lifecycle

Many organisations are fairly difficult to hack from the outside, but when the hacker is actually within the company’s walls it’s extremely easy to cause damage. For example, if an ex-employee still has a valid access pass and is able to gain entry to his or her computer, it’s pretty simple to steal sensitive information. Most security gaps occur in the user lifecycle process of an employee, often due to transfers or when staff change their jobs or locations.

The user lifecycle encompasses all the steps the user account of an employee goes through in the organisation. Each step has consequences for the authorisations and access rights an employee holds. The first step is to create a user account (creating a digital identity) when the employee is onboarded, so that he or she has access to the network and applications they need.

A physical pass is sometimes then also issued for physical access to the premises. Throughout their employment, settings are often changed, for example if the employee is promoted and thus needs other, or further, authorisations. Finally, the user account must be disabled when his or her employment ends.

Accumulation of rights

During the initial registration process, specific authorisations are assigned to an employee. In most cases the same rights are granted as to an employee in a similar job, the so-called template user. When copying the rights from a template user, the new employee may initially be granted too many rights, because the template user may have picked up additional access rights of their own.

However, this is not usually a problem, because the new staff member is often not aware that he holds these ‘extra’ rights. Where it does go wrong is when employees move to a different department or location. The new authorisations which are required are added, but the old authorisations which are no longer needed for doing the job are not withdrawn. This creates an accumulation of rights.

Different attitude

This accumulation of rights is not apparent to the organisation, because no one in the organisation typically has complete insight into which authorisations employees hold. The organisation is unaware of who has which authorisations, and most likely does not investigate it or perform an audit on a regular basis.

From experience, the IT department knows more or less who has, and needs, which rights, but because of time constraints they only add rights, and don’t withdraw any. The organisation needs to adopt a different attitude, to exercise more control over which authorisations employees hold and what they should hold to be able to do their work, which will reduce the chance of security lapses. An Identity Management solution can facilitate this.

Identity management and role-based access control

One way to reduce the chance of security lapses is to deploy role-based access control (RBAC). With RBAC, employees are assigned authorisations based on the job and role an employee fulfils in the organisation. To this end, the organisation draws up an authorisation matrix, which records in detail which systems and applications, and which rights within those applications (for example, read or write rights), are associated with a specific job.

Then when an employee is hired he is entered into the HR system, and with user provisioning, a functionality of an identity management system, a network account is created automatically for that employee. The identity management software reads the authorisation matrix for this, and knows exactly which authorisations must be assigned to the account. Deploying RBAC prevents anyone being able to do too much, or for too long, in the network. An employee may only cause harm within the role he fulfils and not outside it.
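The accumulation of rights described earlier and the matrix-driven provisioning described here can be seen side by side in the following added example (not Tools4ever's software; the roles, systems and rights in the authorisation matrix are constructed). It copies rights from a template user, performs a transfer the legacy way (add, never withdraw), then recomputes the same account from the matrix the way an RBAC-driven identity manager would, and audits the excess at each step.

```python
from dataclasses import dataclass, field

# Constructed authorisation matrix: job role -> set of (system, right) pairs.
AUTH_MATRIX = {
    "nurse":      {("EHR", "read"), ("EHR", "write"), ("pass", "ward-A")},
    "ward-admin": {("EHR", "read"), ("scheduling", "write"), ("pass", "ward-A")},
    "finance":    {("ERP", "read"), ("ERP", "write"), ("pass", "office")},
}

@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)
    rights: set = field(default_factory=set)

def expected_rights(roles):
    """Rights the matrix justifies: the union of the account's roles' entries."""
    return set().union(*(AUTH_MATRIX[r] for r in roles))

def provision_from_template(user, template):
    """Legacy onboarding: copy a colleague's rights, accumulated extras included."""
    return Account(user, set(template.roles), set(template.rights))

def transfer_legacy(acct, new_role):
    """Legacy transfer: add the new role's rights, withdraw nothing."""
    acct.roles = {new_role}
    acct.rights |= AUTH_MATRIX[new_role]

def transfer_rbac(acct, new_role):
    """RBAC transfer: recompute from the matrix; returns (granted, revoked)."""
    acct.roles = {new_role}
    target = expected_rights(acct.roles)
    granted, revoked = target - acct.rights, acct.rights - target
    acct.rights = target
    return granted, revoked

def audit_excess(acct):
    """Rights held beyond what the authorisation matrix justifies."""
    return acct.rights - expected_rights(acct.roles)

if __name__ == "__main__":
    # Template user who picked up an ERP right in an earlier transfer.
    template = Account("t.user", {"nurse"}, AUTH_MATRIX["nurse"] | {("ERP", "read")})
    hire = provision_from_template("n.hire", template)
    print("excess on day one:", audit_excess(hire))
    transfer_legacy(hire, "ward-admin")
    print("excess after legacy transfer:", audit_excess(hire))
    print("granted, revoked by RBAC:", transfer_rbac(hire, "ward-admin"))
```

Running `audit_excess` across all accounts against the matrix is the periodic check the text says most organisations never perform.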

By linking the identity management system to a pass system, physical access can also be added automatically to the logical access. This is because granting access to physical spaces is actually also part of an employee’s user lifecycle. Issuing an access pass is also linked to an employee’s job or role. Thus, an employee can never gain access to a location where he or she is not working. This is fairly common in healthcare organisations where nursing staff may work in one location one day and in another the next.

Limiting harm

If, despite all the measures, damage is nevertheless done, an identity manager can also help to limit that harm as much as possible. Through a self-service portal, managers are given the ability to withdraw authorisations from staff immediately. This might be necessary, for instance, if employees face immediate dismissal, also called “emergency offboarding” in some organisations.

In such cases the termination process is so abrupt that withdrawing rights cannot be done through the normal operational processes. The dismissal is too urgent, so the organisation needs to be able to withdraw the rights with one click of a button.

A workflow can be set up in which a security officer grants final approval before the account is blocked in all applications, along with physical access. It can also be set up so that the account cannot be re-activated without the approval of a security officer, so that the employee cannot simply return to work.
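The emergency-offboarding workflow just described, as an added example that is not part of Tools4ever's product: a manager's single action disables every connected application and the pass system at once, and the account can only be re-enabled through a reactivation request that a security officer approves. The connector names, actor records and role names are constructed.

```python
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    BLOCKED = "blocked"
    REACTIVATION_PENDING = "reactivation pending"

# Constructed connector list: every application plus the physical pass system.
TARGETS = ("AD", "EHR", "ERP", "pass-system")

class EmergencyOffboarding:
    def __init__(self, user):
        self.user, self.state, self.audit = user, State.ACTIVE, []
        self.enabled = dict.fromkeys(TARGETS, True)

    def _check(self, actor, role, expected):
        """Enforce who may act (role) and when (workflow state)."""
        if role not in actor["roles"]:
            raise PermissionError(f"{actor['name']} is not a {role}")
        if self.state is not expected:
            raise ValueError(f"{self.user} is {self.state.value}, not {expected.value}")

    def block(self, actor):
        """Manager's single action: disable logical and physical access at once."""
        self._check(actor, "manager", State.ACTIVE)
        self.enabled = dict.fromkeys(TARGETS, False)
        self.state = State.BLOCKED
        self.audit.append((actor["name"], "block", TARGETS))

    def request_reactivation(self, actor):
        self._check(actor, "manager", State.BLOCKED)
        self.state = State.REACTIVATION_PENDING
        self.audit.append((actor["name"], "request-reactivation", ()))

    def approve_reactivation(self, actor):
        """Only a security officer can turn access back on; a manager alone cannot."""
        self._check(actor, "security-officer", State.REACTIVATION_PENDING)
        self.enabled = dict.fromkeys(TARGETS, True)
        self.state = State.ACTIVE
        self.audit.append((actor["name"], "approve-reactivation", TARGETS))

    def has_any_access(self):
        return any(self.enabled.values())

if __name__ == "__main__":
    wf = EmergencyOffboarding("j.doe")
    wf.block({"name": "m.lee", "roles": {"manager"}})
    print(wf.state, wf.has_any_access())   # State.BLOCKED False
```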

Ethical hacking can track down security holes. An identity management system can help proactively in preventing security holes and can ultimately limit any damage as far as possible. Being confronted with lapses is, of course, never good, but it is certainly important to guarantee data privacy and security.

Robert Doswell is managing director of Tools4ever UK, a division of the global provider of identity and access management solutions.