Ethical Hacking
- 2. Content • What is Information Security • CIA • Ethics & Hacking • Ethical Hacking • Ethical Hacker Vs Hacker • Type of Attackers • Steps • Benefits
- 3. What is Information Security? Information security is all about protecting the confidentiality, integrity and availability of computer system data from those with malicious intentions.
- 4. C I A •Confidentiality - Ensures that data or an information system is accessed by only an authorized person. •Integrity - Maintaining and assuring the accuracy and completeness of data over its entire life-cycle. •Availability - Data and information systems are available when required.
- 5. Ethics Moral principles that govern a person’s or group’s behavior. Hacking Practice of modifying the features of a system, in order to accomplish a goal outside of the creator’s original purpose.
- 6. History of Hacking Hacking in the past 40 years… • 1960s – MIT’s artificial intelligence lab, became staging grounds for hackers • 1970s – John Draper makes a long-distance call for free
- 7. History of Hacking • 1980s – Kevin Mitnick, secretly monitors the email of MCI (American Telecommunication company) and Digital Equipment security officials. • 1990s – Hackers break into and deface federal web sites, including the U.S. Department of Justice, U.S. Air Force, CIA, NASA and others.
- 8. Ethical Hacking Ethical hacking refers to the act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers. Also known as Intrusion Testing, Penetration Testing or Red Teaming
- 9. Ethical Hacker Vs. Hacker Ethical Hacker Hacker Done legally with permission of the relevant organization Done illegally without the consent of the relevant organization Done in an attempt to prevent malicious attacks from being successful Done in an attempt to make malicious attacks possible Disclose any vulnerabilities discovered Exploit discovered vulnerabilities
- 10. Type of Attackers • Script Kiddies – Armatures, copy others codes to attack • White Hat Hackers – Professional term for ethical hackers • Black Hat Hackers – Professional term for malicious hackers • Gray Hat Hackers – Combination of both white and black, hack to learn and they are self-proclaimed ethical hackers • State Sponsored Hackers – Limitless time and funding by government • Spy Hackers – Hired hackers by corporations • Cyber Terrorists – motivated by religious / political beliefs, they spread fear, terror and commit murders
- 11. Steps Covering Tracks Maintain Access Gaining Access Scanning Reconnaissance
- 12. 1. Reconnaissance Reconnaissance is probably the longest phase, sometimes lasting weeks or months. The black hat uses a variety of sources to learn as much as possible about the target business and how it operates, including • Internet searches • Social engineering • Dumpster diving • Domain name management/search services • Non-intrusive network scanning
- 13. 2. Scanning Once the attacker has enough information to understand how the business works and what information of value might be available, he or she begins the process of scanning perimeter and internal network devices looking for weaknesses, including • Open ports • Open services • Vulnerable applications, including operating systems • Weak protection of data in transit • Make and model of each piece of LAN/WAN equipment
- 14. 3. Gaining Access Gaining access to resources is the whole point of a modern-day attack. The usual goal is to either extract information of value to the attacker or use the network as a launch site for attacks against other targets. In either situation, the attacker must gain some level of access to one or more network devices.
- 15. 4. Maintain Access Having gained access, an attacker must maintain access long enough to accomplish his or her objectives. 5. Covering Tracks After achieving his or her objectives, the attacker typically takes steps to hide the intrusion and possible controls left behind for future visits.
- 16. Benefits of Ethical Hacking • Finding vulnerabilities before an attacker. • Using hacker techniques to closely model a true attack. • Documenting strong and weak security areas. • Find the weak seams in a security fabric. End result is the company’s ability to prevent an intrusion, before it occurs.
- 17. Disadvantages of Ethical Hacking • The ethical hacker using the knowledge they gain to do malicious hacking activities. • Allowing the company’s financial and banking details to be seen. • The possibility that the ethical hacker will send and/or place malicious code, viruses, malware and other destructive and harmful things on a computer system, • Massive security breaches.
- 18. Google Dorks The Windows Registry is a database that holds your operating system's configurations and settings. By hacking registries, we can make windows better. http://www.howtogeek.com/howto/37920/the-50-best-registry- hacks-that-make-windows-better/ Registry Hacking Advanced Google searches used to find security loopholes on websites and allow hackers to break in to or disrupt the site.
Editor's Notes
- #5: Confidentiality - Ensures that data or an information system is accessed by only an authorized person. (User Id’s and passwords, access control lists (ACL) and policy based security are some of the methods through which confidentiality is achieved) Integrity - maintaining and assuring the accuracy and completeness of data over its entire life-cycle. (This means that data cannot be modified in an unauthorized or undetected manner.) Availability - Data and information systems are available when required. (Hardware maintenance, software patching/upgrading and network optimization ensures availability)
- #16: Covering Tracks - An attacker needs to destroy evidence of his presence and activities for several reasons like being able to maintain access and evade detection (and the resulting punishment).