In the sleepy Worcestershire town of Great Malvern, Paul is hacking into a
computer network.
Using software downloaded from the internet, he locates the machine of a
careless employee who has forgotten to disconnect the wireless card on the
laptop he used earlier to check email in an internet cafe.
By exploiting the breach, the 29-year-old Welshman finds his way into the
business’s computer network and uses a bespoke program on his Dell laptop to
generate 450 password attempts a second.
In the blink of an eye, Paul has cracked the password, entered the network,
and is free to snoop around, steal sensitive company information and damage
critical systems.
Fortunately, Paul is not a computer hacker: he is a penetration tester for
defence and security firm QinetiQ, which tests and hosts IT systems for
organisations including MI5 and the government’s National Infrastructure
Security Co-ordination Centre.
And by thinking like a hacker, Paul Beechey, senior IT security specialist at
QinetiQ’s secure health check division, says he can root out potential flaws in
IT security systems, and draw a firm’s attention to the problem before criminals
have a chance to exploit it.
‘As businesses rely more and more on technology and connections to the
internet they become more vulnerable. Penetration testing can expose the cracks
in systems in a consensual and benign way, meaning they can protect themselves
before they are hacked,’ he says.
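Password guessing at 450 attempts a second, as in the scenario above, is easy to spot in authentication logs. As an added example (not code from the article, from QinetiQ or from Beechey), this Python sketch flags any source that exceeds a failure rate inside a sliding window and raises a second, higher-priority alert when that same source then logs in successfully, which is what a cracked password looks like to a defender. The log format, addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed log format: "<seconds> src=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


def detect_bursts(lines, window_s=1.0, max_failures=20):
    """Return alerts as (src, user, ts, kind).

    kind == "burst": the source produced more than max_failures failed
    logins inside any window_s-second window (a human cannot do that).
    kind == "success_after_burst": a login succeeded from a source that
    was already flagged, i.e. the guessing probably worked.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of crashing
        ts, src, user, res = float(m["ts"]), m["src"], m["user"], m["res"]
        q = recent[src]
        if res == "FAIL":
            q.append(ts)
            while q and ts - q[0] > window_s:  # drop failures outside window
                q.popleft()
            if len(q) > max_failures and src not in flagged:
                flagged.add(src)
                alerts.append((src, user, ts, "burst"))
        elif src in flagged:
            alerts.append((src, user, ts, "success_after_burst"))
    return alerts


def build_sample(rate_per_s=450, seconds=2):
    """Constructed log: one ordinary user who mistypes once, plus one source
    guessing at rate_per_s for `seconds` and then getting in."""
    lines = ["0.500 src=10.0.0.5 user=alice result=FAIL",
             "3.000 src=10.0.0.5 user=alice result=OK"]
    for i in range(rate_per_s * seconds):
        lines.append(f"{i / rate_per_s:.4f} src=10.0.0.8 user=admin result=FAIL")
    lines.append(f"{seconds:.4f} src=10.0.0.8 user=admin result=OK")
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for alert in detect_bursts(build_sample()):
        print(alert)
```

A real deployment would pair this with account lockout or rate limiting at the authentication service, since detection alone does not stop the 450-a-second guesser.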
According to research by the National Hi-Tech Crime Unit (NHTCU), the UK law
enforcement agency tasked with catching internet criminals, 11 per cent of
businesses had their IT systems breached by hackers and former employees last
year.
A further 10 per cent of businesses had information stolen from their
computer network, and four per cent had systems damaged or sabotaged.
The motivations of hackers are manifold, and range from organised crime
syndicates trying to steal corporate secrets, through to curious IT geeks trying
to discover the truth about UFOs – see story below.
Hackers may also look to demolish a company’s reputation by defacing its
corporate web site.
On Tuesday 30 September 1997, web developers at US airline AirTran returned
to work to discover the company’s web site had been defaced.
The attackers had graffitied the site of the recently rebranded company with
derogatory comments, accusing the firm of trying to hide the fact that 110
people had died in an air crash in Florida the year before.
‘There are people with criminal intent, and then there are those whose
actions are still criminal even if they do not mean them to be,’ says Beechey.
As well as stopping hacks, penetration testing can expose vulnerabilities in
IT systems that, if attacked by computer viruses or worms, could lead to
downtime.
In 2003, the Slammer worm infected the computer network of Ohio’s Davis-Besse
nuclear power station, disabling safety monitoring systems for nearly five
hours.
The worm is believed to have entered the power plant after penetrating a
contractor’s unsecured system and travelling through a bridging connection into
the Davis-Besse network, bypassing the plant’s firewalls.
Whereas a hacker might take months or years to try to crack a highly secure
system through sheer persistence, Beechey says an internet worm can breach
defences in seconds.
To combat these automated threats, companies should also deploy vulnerability
scanning software, which tests systems in real time, says Paul Simmonds, global
head of security at ICI, which uses the software to automatically scan more than
400 of its web sites every week (Computing, 5 May).
David Lacey, director of information security at Royal Mail, says real-time
scanning can prove more cost-effective than using ethical hacking on a regular
basis, and often finds vulnerabilities faster.
Hackers are also getting smarter and more organised, says Stuart Okin,
associate partner at Accenture’s IT security practice. And it is no longer just
teenage script kiddies and computer science students giving it a shot, he says.
‘It is something a lot more terrifying; it is organised crime gangs and they
are using new methods and new tools,’ says Okin.
‘We have moved away from the good old days of the movie War Games and the
acoustic coupler. Most operating systems back then were very basic and had no
encryption, but it is different these days. People are getting more
sophisticated.’
With the continued growth of remote working, joint ventures and supply chain
partners, Okin says organisations also need to look for cracks in their internal
systems and processes.
According to the NHTCU, 75 per cent of web defacements were carried out by
employees last year. Some 68 per cent of data theft and 38 per cent of financial
fraud were also instigated by staff using internal systems.
‘I think firms that are putting in new systems or upgrading them should
include a variety of penetration testing and social engineering methods as part
of their go-live,’ says Okin.
QinetiQ’s Beechey agrees: ‘It is not just about attacking from the internet.
We also test the security of the demilitarised zone on the network, as well as
the internal network where, say, a cleaner could gain access to computer
systems.’
According to experts, the recent foiled attempt by criminals to steal £220m
from Japanese Sumitomo Mitsui bank targeted weaknesses in physical security
(Computing, 21 April).
It is believed the gang tried to hack systems using a bugging device that was
inserted into the USB socket in the back of a computer.
With the growth of legislation such as Sarbanes-Oxley and the Data Protection
Act, Okin says a combination of ethical hackers and vulnerability management
software can also protect businesses from ending up on the wrong side of the
law.
‘If you are a big company, it is not a question of if; it is a question of
when you are going to have a massive security breach,’ he says.
‘This is why it is important that you have all the things in place to show
your shareholders that you have done everything possible to protect yourself.’
But Okin says businesses should think seriously about whether they check for
vulnerabilities themselves or outsource the job to an independent ethical
hacking firm.