ABN: 81 141 521 571

1/11/2016

Edition 2016 Volume 1

PENETRATION TEST: Consensual Hacking

Introduction
It is not unusual these days for the general press to publish an article dealing with some hacker attack which has impacted many millions of people. Despite the many millions of dollars expended on research and development in IT security, hackers seem to devise new and unusual methods to successfully attack the IT infrastructure of commercial organisations and government installations. Further, some attackers have directed their attention to the consumer end of the IT environment because the mums and dads of this sector do not have the expertise or funds to deploy sophisticated IT defence technologies. This newsletter will concentrate on the government and commercial sector of the IT hacking phenomenon, mainly due to the value involved. As was stated in the film All the President's Men: follow the money. The Government and Commercial sector is where the greater financial reward lies and as such this newsletter will concentrate on these sectors.

As Robert Mueller, the then director of the FBI, stated in 2012:

Borders and boundaries pose no obstacles for hackers. But they continue to pose obstacles for global law enforcement, with conflicting laws, different priorities, and diverse criminal justice systems. With each passing day, the need for a collective approach, for true collaboration and timely information sharing, becomes more pressing.

Organisations like Symantec, Trend Micro, and Kaspersky have developed very sophisticated computer defence technologies to reduce the risk of a successful attack.

Next Issue
BLOCKCHAINS: a Disruptive Technology for all Businesses, but what are the Legal Implications?
The underlying technology for bitcoins is known as blockchains. Blockchains is a highly secure data structure that allows participants to transact any value. It is not just limited to virtual currencies but can be and will be used across most industries. In doing so many legal issues will arise of which commerce should be aware.

Dr. Adrian McCullagh Ph.D., LL.B. (Hons), B.App.Sc. (Computing). Mob: 0401 646 486
Deployment of security technology
There are many technologies available to reduce the risk of a successful hacking attack. These principally include Web Application Firewalls (WAFs), hardware firewalls, intrusion detection technologies, virus scanners, and access control technologies, as well as many others. Modern corporations and government organisations engage Chief Information Officers and Chief Security Officers to manage their respective organisations' IT infrastructure because this infrastructure is crucial to the operations of these organisations in the processing of vast amounts of vital data. This data could include financial data, employee data and customer data. Confidential strategic data could also be involved, such as crucial development plans and possible takeover targets, or source code to software that the organisation may commercialise.

Recently there have been a number of highly publicised successful attacks against IT companies such as software development organisations. Some of these attacks have been attributed to State Sponsored groups who have the intention of acquiring Intellectual Property such as software source code; but it need not be a State Sponsored group that is involved, as there has been an increase in the Industrial Thief sector. These people are highly skilled hackers whose sole business is to surreptitiously copy source code and sell that illegally acquired source code to some competitor of the attack target.

Hence, it is generally well understood that critical IT infrastructure and its associated commercial data, which in some sectors is known as the organisational crown jewels, needs to be adequately protected against unauthorised access, copying, altering or destruction. In IT security terms the crown jewels must, in order of priority, be:

- Available;
- Maintain integrity; and
- Sometimes be subject to confidentiality.

If the data is no longer available then it does not matter about the other two components. The remaining two components are entirely dependent upon availability of the data in the first place. If the data is available then its integrity must be maintained, as the data will be analysed and used as the basis upon which organisational decisions will be made. Finally, the data may be confidential information or it could be classified as public information.

Public information from a government perspective is usually information held in some register that is open to the public, whether freely available or subject to some commercial impost. An example of public information is the ASIC companies register, and an example of corporate public information is usually the register open to corporate investors. Consequently, not all information held by an organisation need be secured on a confidential basis. For information that is meant to be kept confidential, security of such information is vitally important. BUT once a secure framework has been implemented, how does the organisation satisfy itself that someone involved in the deployment has not either accidentally or surreptitiously left open some security vulnerability?
This is where the use of an ethical hacking team (EH) can provide the necessary confidence in what has been deployed. EH are generally termed white hats. In contrast to white hats there are also black hat hackers and grey hat hackers.

Hacker Classification
Black Hat Hackers are people who without authority violate the security deployed by an organisation. The violation is principally for personal gain, such as by data harvesting or exploiting some zero day vulnerability. Data harvesting may include the copying of credit card details or social security numbers (if US systems are involved) or tax file numbers (if Australian computer systems are involved). Alternatively, the black hat hacker may also be an industrial thief engaged to extract secret corporate information like prospective take-over targets or sensitive intellectual property on which the target organisation is dependent. Such industrial theft activity has expanded through the use of state sponsored attacks. Sometimes the black hat hacker is simply trying to identify a zero day vulnerability so as to on-sell that information to a criminal organisation. A zero day vulnerability is a previously un-identified vulnerability in some software which can be exploited by third parties if they become aware of the vulnerability. Many research organisations such as universities undertake research to identify zero day attacks, but they fit squarely within the white hat sector as they will first only tell the developer or owner of the relevant system. In many cases, the research organisation will place an embargo on the research paper until the developer has a patch to correct the vulnerability. This procedure covers ethical research in IT security.

White Hat Hackers or Ethical Hackers (EH) are the complete opposite to that of black hat hackers. EH are essentially very skilled IT security personnel who ethically test IT systems with the authority of the owners of the IT system to identify vulnerabilities and report to the owner on what needs to be done to correct the identified vulnerabilities. EH will test the IT system against known exploits and not try to identify zero day vulnerabilities. Now, EH are not engaged to research the IT system in order to identify any zero day vulnerabilities.

Grey Hat hackers are somewhere in between a black hat and a white hat hacker. Grey Hat hackers are in general independent IT security personnel who try to identify vulnerabilities and will either tell the developer of the IT system or simply publish the vulnerability to the general public.

Engaging an Ethical Security Testing Team
There are many organisations that provide ethical security testing teams: all of the big 4 accounting consulting organisations such as Deloitte, PwC, KPMG and EY, as well as many large IT corporations such as HP, IBM, Dimension Data and others. There are a myriad of organisations available to select from; but who to choose and on what contractual terms? In Australia, a good start is to see if the organisation is a member of CREST Australia (Council of Registered Security Testers). This organisation operates under close association with CREST (UK). In order to become a member, members have to possess certain skills and agree to be bound by the published CREST ethical standards.

The remainder of this newsletter will only deal with White Hat hackers and the issues surrounding their engagement.

Who should engage an EH
All organisations should undertake an audit of their systems, and determine what information and digital assets they hold. This exercise should also include a valuation of such information assets.

Software Development Companies
Software development companies should not underestimate the value of the intellectual property they have produced. Even small companies have competitors who will eye their intellectual property and will in some cases undertake some not so ethical activities to get hold of their source code. There have been cases where competitors have engaged black hat hackers to obtain a copy of a target's source code. The engagement of an EH will at least identify common vulnerabilities that may exist in their IT infrastructure.

Credit Card Processing Organisations
Another type of organisation that should consider engaging an EH is any organisation that processes credit card transactions. Credit card transactions should only be processed by a Payment Card Industry Data Security Standard (PCI-DSS) compliant organisation. Version 3.1 of the PCI-DSS was released in April 2015, and paragraph 11.3 deals with penetration testing of the security infrastructure utilised for the processing and storage of credit card information. The engagement of an EH is now mandatory if the organisation wants to continue the processing of credit card information. Paragraph 11.3 provides that a credit card processing organisation must engage an EH:

- to undertake industry-accepted penetration testing (for example, NIST SP800-115);
- to pen test the entire CDE perimeter and critical systems;
- to test from both inside and outside the network;
- to test and validate any segmentation and scope-reduction controls;
- to undertake application-layer penetration tests which include, at a minimum, the vulnerabilities listed in Requirement 6.5 of the PCI-DSS;
- to undertake network-layer penetration tests which will include components that support network functions as well as operating systems;
- to review and consider all threats and vulnerabilities experienced in the previous 12 month period;
- to identify how long and in what form the penetration testing results should be retained and what remediation activities should be undertaken.

Government Institutions
From a risk management perspective, Governments are always cognizant of political risk, which very rarely affects the private sector. Government institutions do not want to be mentioned unfavourably in the press and as such they want to ensure that their implemented security framework is as good as is expected by the general public.
Consequently, on an annual basis government institutions should engage an EH.

Professional Service Providers
Any organisation that is a professional service provider to the finance sector should also consider the engagement of an EH on an annual basis. This position is now a requirement for any provider to the Wall Street sector and as such it is likely it will expand to other jurisdictions.

Further, in most jurisdictions, legislators have enacted laws to make hacking activities a crime. For example, in Australia at the Federal level it is the Cyber-Crime Act (2001), Cth; in the USA at the Federal level it is principally the Computer Fraud and Abuse Act (18 U.S.C.); and in the UK at the national level it is the Computer Misuse Act (1990). In addition to these noted national laws, the USA and Australia being federated jurisdictions, each of the relevant States also has appropriate laws dealing with hacking. Obviously, it is not possible to cover the 50 individual states in the USA, nor is it possible to cover the 6 states and 2 territories in Australia. All that needs to be noted is that there are, in addition to the national laws, relevant State and Territory laws covering hacking.

The common theme of each of these hacking regimes is that for a conviction there needs to be established by the prosecutor that the defendant:
(1) intentionally;
(2) without authorization (or exceeded authorized access to) a
(3) protected computer and
(4) thereby obtained information.

From an EH perspective it is the authorisation that is key to them not being prosecuted for an attack under the relevant legislative regime. The first thing the EH will want is written authorisation to commence the attack and what type of attack is going to be permitted.

Ethical Hacking Contracts
EH contracts are complex and fraught with many dangers. Such contracts should be tailored for the circumstances, and the Target organisation SHOULD NOT merely accept the EH contract, because it will be drafted in favour of the EH. The Target must make sure that, since they will be allowing a controlled hack of their IT infrastructure, the Target is contractually protected in the same way the EH will want to be protected. This is especially so as the Board of Directors and senior management must act in the best interest of the organisation, otherwise such management could be liable for breach of the fiduciary duty they owe to the organisation.

A crucial document to the engagement of an EH is the Rules of Engagement and Behaviour. This document will detail:

- What is to be done;
- When it is to commence;
- When it is to be completed;
- Who is to know about the impending attack;
- How the attack is to be carried out; and
- Sometimes even where the attack is to originate and which systems are to be attacked.

An important aspect of the Rules of Behaviour are the exclusions. These are highly important as there may be aspects of the IT infrastructure that the Target may not want to be penetrated.
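The items a Rules of Engagement document records (what is to be done, when it commences and completes, which systems are to be tested, and the exclusions) lend themselves to a mechanical check before any test action is run. The following is an added example, not part of the newsletter and not a tool of the author's, showing how a testing team might encode those items and refuse any action the written authorisation does not cover. The client name, address ranges (documentation-only ranges), dates and test categories are constructed sample values, and the data structure is a hypothetical one.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    """Hypothetical structured form of the signed Rules of Engagement document."""
    client: str
    starts: datetime            # when testing may commence
    ends: datetime              # when testing must be completed
    in_scope: tuple             # address ranges the Target has authorised (CIDR strings)
    exclusions: tuple           # ranges that must NOT be touched, even if inside in_scope
    permitted_tests: frozenset  # test categories named in the written authorisation


def check_action(roe, target_ip, test_type, when):
    """Decide whether one planned test action is covered by the authorisation.

    Returns (allowed, reason). Exclusions take precedence over in-scope ranges,
    and anything not explicitly authorised is refused.
    """
    if not (roe.starts <= when <= roe.ends):
        return False, "outside the authorised testing window"
    addr = ip_address(target_ip)
    for net in roe.exclusions:
        if addr in ip_network(net):
            return False, f"{target_ip} lies in excluded range {net}"
    if not any(addr in ip_network(net) for net in roe.in_scope):
        return False, f"{target_ip} is not within any authorised range"
    if test_type not in roe.permitted_tests:
        return False, f"test type '{test_type}' is not covered by the written authorisation"
    return True, "authorised"


def review_plan(roe, planned_actions):
    """Check a whole test plan; returns (action, allowed, reason) records
    suitable for the engagement log that both parties keep."""
    return [(action, *check_action(roe, *action)) for action in planned_actions]


# Constructed sample: a two-week engagement against documentation-only address ranges.
SAMPLE_ROE = RulesOfEngagement(
    client="Example Pty Ltd (constructed)",
    starts=datetime(2016, 11, 7, 0, 0, tzinfo=timezone.utc),
    ends=datetime(2016, 11, 18, 23, 59, tzinfo=timezone.utc),
    in_scope=("203.0.113.0/24", "198.51.100.0/25"),
    exclusions=("203.0.113.250/32",),   # e.g. a production host the Target carved out
    permitted_tests=frozenset({"network-layer", "application-layer"}),
)

if __name__ == "__main__":
    day_two = datetime(2016, 11, 8, 10, 0, tzinfo=timezone.utc)
    plan = [
        ("203.0.113.10", "network-layer", day_two),         # in scope, in window
        ("203.0.113.250", "network-layer", day_two),        # excluded host
        ("192.0.2.5", "application-layer", day_two),        # never authorised
        ("203.0.113.10", "social-engineering", day_two),    # test type not authorised
        ("203.0.113.10", "network-layer", datetime(2016, 12, 1, 10, 0, tzinfo=timezone.utc)),
    ]
    for action, allowed, reason in review_plan(SAMPLE_ROE, plan):
        print("ALLOW " if allowed else "REFUSE", action[0], action[1], "-", reason)
```

The ordering matters: the exclusion list is consulted before the in-scope list, so a host the Target has carved out is refused even when it sits inside an authorised range, and a test category or date the written authorisation never mentioned is refused rather than assumed.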

In addition to the above aspects, the Target will want assurances that any vulnerabilities identified will remain confidential and only be disclosed to a select number of named personnel engaged by the client.

As Dr. Wes McGrew at DEF CON 19 noted in his keynote speech, the EH should:

- Properly test the testing tools prior to their deployment against a Target;
- Be aware of the type of information, and its value to the Target, that it could be exposed to, and in this case the EH should have detailed discussions with the Target prior to the attack;
- Undertake research into the network environment between the Target and the EH;
- Take care when extending the Target's network during the attack;
- Keep all information about, in connection with or resulting from the attack encrypted both at rest and in transit;
- Keep a secure archiving mechanism in place with separate keys between Targets. The EH must NOT allow a key to be shared among multiple targets;
- Consider the deletion of all non-essential data once the engagement has been completed. This will be a sensitive issue as the Target will not want their sensitive data to be kept by the EH for any period longer than what is legally required;
- Establish, together with the Target, a secure communications channel between them. This is especially important when it comes to the delivery of the final report. Some organisations insist on a physical report being handed to a particular person within the Target. The EH under any circumstances must NOT send the report via email unless it is encrypted using an acceptable encryption tool.

Once the rules of engagement have been settled the engagement contract must be negotiated. From the EH perspective they will want certain warranties, especially concerning ownership of the IT infrastructure that will be the subject of the attack. This is where it may become relatively complicated, especially if a cloud infrastructure is involved. The Target will not own the Cloud IT infrastructure and as such it has no authority to grant such an attack. The EH should investigate who owns the IT infrastructure and satisfy itself that legally recognised authorisation has been obtained. This may require a separate agreement, which may be a tri-partite agreement between the Target, the EH and the Cloud Provider.

The next contentious aspect of the EH Contract will be the liability regime. Any deviation from the rules of engagement will expose the EH to harsh financial penalties and could also result in criminal prosecution.

Conclusion
The engagement of an EH is an added tool in ensuring that any deployment of IT infrastructure has not either accidentally or surreptitiously resulted in the exposure of some vulnerability. Notwithstanding the deployment of IT security risk treatment tools that are designed to reduce the risk of a successful attack, the only way to be sure that the IT infrastructure is secure is via the engagement of an EH.

As noted in previous newsletters, there is no such thing as a secure IT environment. It comes down to a risk management strategy, and such a strategy should be tested otherwise it could become a fool's paradise. As Donald Rumsfeld stated:

There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.

From an IT security perspective the engagement of the EH will help turn the known unknowns into known knowns, with the ability for the Target to treat the identifiable vulnerabilities; but the engagement of the EH will not reclassify the unknown unknowns, as they will fall within the zero day attacks.

Dr. Adrian McCullagh: ODMOB Lawyers


ABN: 81 141 521 571
Ajmccullagh57@gmail.com

If you wish to subscribe or unsubscribe to this newsletter then please contact the author by
email at the above email address.
Further if you require any assistance with anything discussed in this newsletter then
please contact the author.
PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue
then they should seek appropriate legal advice. The author makes no warranty as
to correctness of anything contained in this paper. This paper is the sole opinion of
the author and must not be relied upon as legal advice. Every situation is different
and as such proper analysis must be undertaken when seeking a legal opinion.
Consequently, the author takes no responsibility for any errors that may exist in this
paper and certainly takes no responsibility if any reader takes any actions based on
what is (expressly or by implication) contained in this paper. All readers take full
responsibility for anything they may do in reliance of anything contained in this
paper.