Introduction to Ethical Hacking

1.1 Gain knowledge on various hacking terminologies

Exam Focus: Gain knowledge on various hacking terminologies. Objectives include:

·  Understand the issues plaguing the information security world.

·  Learn the basic elements of information security.

·  Understand the security, functionality and ease of use triangle.

·  Know the 5 stages of ethical hacking.

·  Understand hacktivism and understand the classification of hackers.

·  Understand who is an ethical hacker.

·  Gain information on how to become an ethical hacker.

·  Learn the profile of a typical ethical hacker.

·  Understand the scope and limitations of ethical hacking.

Information Security

Information security (sometimes shortened to InfoSec) is the practice of protecting an organization's data from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. In short, it is the protection of the availability, privacy, and integrity of company data and information. All of the information an organization stores, sends, receives, and refers to must be protected against accidental or deliberate modification and must be available in a timely fashion.
Employee social security numbers and addresses, confidential company financial data, trade secrets, customer data, intellectual property: the list is endless. Each of these examples refers to data that must be protected. The protection of information is not new. What is new, however, is the importance of protecting the information, and the consequences of not protecting it or of having its security compromised. As more and more of this information is stored and processed electronically and transmitted across networks or the internet, the risk of unauthorized access increases and we are presented with growing challenges of how best to protect our information.

Why protect data?

Would you leave your home for work without locking it? Possibly turning on an alarm for additional protection? How about your car? When you park it at the mall, do you lock it? Is it also armed by a security system? Why do you do this? To protect your assets.
Similarly, an organization must protect its assets. An asset is defined as anything of value, including trademarks, patents, secret recipes, durable goods, data files, competent personnel, clients, and so on. Every asset has data associated with it, which must be protected.
To fully understand why information security is important, an organization first needs to understand both the value of information and the consequences of such information being compromised.
When information is not adequately protected, it may be compromised; this is known as an information or security breach. The consequences of information security breaches can be severe. For businesses, a breach usually entails huge financial penalties, expensive lawsuits, and loss of reputation and business. Organizations must protect against unauthorized disclosure for a variety of reasons, the most important being: (a) legal and (b) competitive reasons. If poor security practices allow damage to your systems, you may be subject to criminal or civil legal proceedings. Negligence in protecting your data can compromise your systems, and if third parties are impacted, there may be even more severe legal issues to deal with.
Security breaches can result in the theft, pilferage, and redistribution of intellectual property, which in turn may lead to business loss. Botnets can be used to launch various types of Denial-of-Service (DoS) and other web-based attacks, which may result in business downtime and significant loss of revenues. Attackers may steal and sell corporate secrets to competitors or compromise critical financial information, all of which compromise an organization's competitive advantage in the market.

Threats to information security

Many people mistakenly believe that the biggest threat to information security comes from malicious attackers. However, it is far more likely that the biggest risks to information security come from less suspicious sources. For example, a threat can be something natural, such as a flood or earthquake, or it could be accidental, such as a user inadvertently deleting a file, disgruntled employees, or individuals that have accidentally been granted access to resources they should not have access to.
In order for an organization to protect itself from threats, it first needs to understand what threats it will be facing in the coming year. With each passing day, these security threats are becoming more serious and difficult to detect, so it is vital for companies to understand what they can do to best protect their systems and information.

Top challenges for information security

·  Worms, Viruses, Malware: Continues to be a top challenge, given the many methods to install malware on systems, including client-side software vulnerabilities. Browsers remain a top target for vulnerabilities. Vulnerability exploitation is at the heart of hacking and data breaches. These types of malware often rely on vulnerability exploitation to infect systems, particularly through client-side and third-party applications.

·  Malicious insiders/ex-employees: Threats are not always from the outside. Statistics show that up to a fifth of damage comes from desperate and disgruntled employees attempting to exploit the companies they currently or previously worked for.

·  Careless/untrained employees: It is estimated that almost half of all the damage caused to information systems comes from authorized personnel who are either untrained or incompetent, and will continue to be a threat unless companies take action. Policies, procedures, training and a little technology can make a world of difference in reducing an organization's risk to careless insiders.

·  Infrastructure: Don't discount physical factors such as fire, water, and bad power. They are a significant threat to information security.

·  Mobile devices: Mobile devices have become a plague for information security professionals. There are worms and other malware that specifically target these devices, such as the iPhone worm that would steal banking data and enlist these devices in a botnet. Theft of laptops is another major issue. Tens of thousands of laptops are stolen each year and often these have sensitive data that require public disclosure as a data breach.

·  Social networking: Social networking sites have a certain element of trust to them which makes them a breeding ground for a variety of spurious activities such as spam, scams, scareware and a host of other attacks, and these threats will continue to rise. Identity theft would be a big factor from an information security perspective.

·  Social engineering: Social engineering is always a popular tool used by cyber criminals and phishing is still a popular method for doing just that.

·  Zero day exploits: A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. Zero day exploits can be engineered to take advantage of these file type exploits to compromise attacked systems or steal confidential data such as banking passwords and personal identity information.

·  Cyber espionage: Most of these incidents surround government bodies and agencies and therefore have not been a huge threat to most individual organizations.

·  Cloud computing: The public nature of data sharing in the cloud, and organizations' loss of control over their data, is a big risk for security. Balancing data sharing with privacy requirements is a tightrope act.

Basic elements of information security

The following are elements of information security:

·  Confidentiality: It is required to assure that only authorized users can access the information. Confidentiality breaches may take place because of improper data handling or a hacking attempt.

·  Integrity: It is the trustworthiness of data or resources in the matter of preventing improper and unauthorized change. For this purpose, the information provided should be accurate.

·  Availability: It assures that the systems used for delivering, storing, and processing information are accessible when needed by the authorized users.

Security, Functionality, and Usability triangle

The strength of the following three components can be used to define the levels of security:

·  Functionality

·  Usability

·  Security


The triangle is used because an increase or decrease in any one of the factors will have an impact on the presence of the other two. When security is increased, the ball in the triangle moves away from the functionality and ease of use parameters.

Ethical hacking

Ethical hacking is a process by which penetration testing of networks and/or computer systems is performed by an individual, called an Ethical Hacker. The Ethical Hacker is a person who is trusted by the organization and uses the same methods and techniques as a Hacker. Malicious hacking, often referred to simply as hacking, is by contrast the act in which a black hat hacker, sometimes called a cracker, breaks computer security without authorization or uses technology (usually a computer, phone system or network) for malicious reasons, such as vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.

Necessity of ethical hacking

Vulnerability testing and security audits alone cannot ensure that a network is secure. In order to ensure the security of networks, a "defense in depth" strategy is required to be implemented by penetrating into the networks to estimate vulnerabilities and expose them.
Defense in depth is a security strategy in which several protection layers are placed throughout an information system. It is useful in preventing direct attacks against an information system and its data, because a break in one layer only leads the attacker to the next layer.
Ethical hacking is necessary, since it permits the countering of attacks from malicious hackers by anticipating methods that can be used to break into a system.

Stages of ethical hacking

There are five stages to ethical hacking:

1.  Reconnaissance: In this phase, the attacker collects information regarding the victim. The following are the types of reconnaissance:

o  Passive: It involves gaining information without directly interacting with the target. For example, searching public records or news releases.

o  Active: It involves interacting with the target directly by any means. For example, telephone calls to the help desk or technical department.

2.  Scanning: In this phase, the attacker begins to probe the target for vulnerabilities that can be exploited. It can include use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, etc. Attackers extract information, such as computer names, IP addresses, and user accounts, to launch an attack.

3.  Gaining Access: In this phase, the attacker exploits a vulnerability to gain access into the system.

4.  Maintaining Access: In this phase, the attacker maintains access to fulfill his purpose of entering into the network.

5.  Covering Tracks: In this phase, the attacker attempts to cover his tracks so that he cannot be detected or penalized under criminal law.

The following image demonstrates the phases of malicious hacking:

Who is an ethical hacker?

A hacker is an intelligent individual having excellent computer skills. The hacker has the ability to create and explore computer software and hardware. Hackers generally have the intention to gain knowledge to do illegal things. Some hackers make a hobby of finding out how many computers or networks they can compromise. Some hackers perform hacking with malicious intent behind their escapades, such as stealing business data, credit card information, social security numbers, email passwords, etc.

What do ethical hackers do?

Organizations hire ethical hackers to attack their information systems and networks so that they can find vulnerabilities and verify that security measures are functioning properly. Ethical hackers may have the following responsibilities:

·  Test systems and networks for vulnerabilities.

·  Break security controls to access sensitive data.

Ethical hackers try to find the following:

·  What can an intruder see on the target system?

·  What can an intruder do with that information?

·  Does anyone at the target notice the intruder's attempt or success?

Skill profile of an ethical hacker

An ethical hacker should have an excellent knowledge of computers and their functioning, including programming and networking. Since organizations have a variety of operating systems, such as UNIX, Linux, Windows, and Macintosh, an ethical hacker must be an expert in dealing with these operating systems. Ethical hackers should also be familiar with a number of hardware platforms. They should be knowledgeable about security areas and related issues as well.

Phases of ethical hacking

·  Preparation: In this phase, a formal contract that contains a non-disclosure clause as well as a legal clause to protect the ethical hacker against any prosecution that he may face during the conduct phase is signed. The contract also outlines the infrastructure perimeter, evaluation activities, time schedules, and resources available to the ethical hacker.

·  Conduct security evaluation: In this phase, the evaluation technical report is prepared based on testing potential vulnerabilities.

·  Conclusion: In this phase, the results of the evaluation are communicated to the organization and corrective action is taken if needed.

Scope and limitations of ethical hacking

Ethical hacking is considered a crucial component of risk assessment, auditing, counter fraud, best practices, and good governance. It is used to identify risks and highlight the remedial actions. It resolves the vulnerabilities by reducing Information and Communications Technology (ICT) costs.
However, there are chances that a business will not gain much by hiring a hacker unless it first knows what it is searching for and why it is hiring an outside hacker to hack systems in the first place. An ethical hacker can support the organization in better understanding its security system, but it is the responsibility of the organization to place the right guards on the network.

Hacktivism (hactivism)

Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose. The person who performs the act of hacktivism is known as a hacktivist. A hacktivist uses the same tools and techniques as those used by a hacker. However, a hacktivist attacks government organizations and agencies, international economic organizations, and any other entities that the hacktivist defines as a cause of social and economic inequities.

General classes of ethical hackers

Hackers are categorized into the following classes:

·  Black hat hackers (crackers): They are computer specialists. They perform malicious attacks on information systems by using their hacking skills.