information security chapter 2
TRANSCRIPT
-
8/10/2019 Information Security Chapter 2
1/20
BlueCrest Information Security and Audit
Chapter 2
Ethical Hacking
-
Welcome to the world of Ethical Hacking
PREHISTORY
1960s: The Dawn of Hacking
Original meaning of the word "hack" started at MIT; it meant an elegant, witty or inspired way of doing almost anything; hacks were programming shortcuts.
-
Hackers are here. Where are you?
The explosive growth of the Internet has brought many good things. As with most technological advances, there is also a dark side: criminal hackers.
The term hacker has a dual usage in the computer industry today. Originally, the term was defined as:
HACKER noun. 1. A person who enjoys learning the details of computer systems and how to stretch their capabilities. 2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming.
-
What is a Hacker?
Old School Hackers: 1960s-style Stanford or MIT hackers. Do not have malicious intent, but do have a lack of concern for privacy and proprietary information. They believe the Internet was designed to be an open system.
Script Kiddies or Cyber-Punks: Between 12-30; predominantly white and male; bored in school; get caught due to bragging online; intent is to vandalize or disrupt systems.
Professional Criminals or Crackers: Make a living by breaking into systems and selling the information.
Coders and Virus Writers: See themselves as an elite; programming background and write code but won't use it themselves; have their own networks called zoos; leave it to others to release their code into The Wild or Internet.
-
What do Ethical Hackers do?
An ethical hacker's evaluation of a system's security seeks answers to these basic questions:
What can an intruder see on the target systems?
What can an intruder do with that information?
Does anyone at the target notice the intruder's attempts or successes?
What are you trying to protect?
How much time, effort, and money are you willing to expend to obtain adequate protection?
-
So Now You Know...
Hacker
  Accesses a computer system or network without authorization
  Breaks the law, so becomes a cracker
Ethical Hacker
  Performs most of the same activities but with the owner's permission
  Employed by companies to perform Penetration Tests
Hacktivism: hacking for a social and political cause.
-
Penetration Test
Protecting an organisation's assets is a continual process.
The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities.
This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities.
Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
-
Types of Security Assessments
Vulnerability scanning:
  Focuses on known weaknesses
  Can be automated
  Does not necessarily require expertise
Penetration testing:
  Focuses on known and unknown weaknesses
  Requires highly skilled testers
  Carries tremendous legal burden in certain countries/organizations
IT security auditing:
  Focuses on security policies and procedures
  Used to provide evidence for industry regulations
-
Why Does Network Security Fail?
Network security fails in several common areas, including:
Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date
-
What is a Penetration Test?
A penetration test is the process of actively evaluating your information security measures.
Or
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker.
Identifying vulnerabilities of a particular system, application, network, or process
Exploiting those vulnerabilities to demonstrate that the security mechanisms can and will fail
The good guys usually get some small piece of proof and exit as quietly as they came
There are a number of ways that this can be undertaken, but the most common procedure is that the security measures are actively analyzed for design weaknesses, technical flaws and vulnerabilities; the results are then delivered comprehensively in a report to Executive, Management and Technical audiences.
-
Why Penetration Testing: Why would you want it?
There are several reasons why organizations choose to perform a penetration test; they range from technical to commercial but the most common are:
Identify the threats facing your organization's information assets so that you can quantify your information risk and provide adequate information security expenditure.
Reduce your organization's IT security costs and provide a better Return on IT Security Investment by identifying and resolving vulnerabilities and weaknesses in the design or implementation.
Provide your organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design and implementation.
-
Using Penetration Testing to Assess Network Security
Steps to a successful penetration test include:
Determine how the attacker is most likely to go about attacking a network or an application
Locate areas of weakness in network or application defenses
Determine how an attacker could exploit weaknesses
Locate assets that could be accessed, altered, or destroyed
Determine whether the attack was detected
Determine what the attack footprint looks like
Make recommendations
-
Legal Issues Before You Start
First, can you do what you want to do where you want to do it?
Is war-driving legal against your own systems when going through a central office?
Make sure you are protected with a Letter of Authority.
Protect yourself with a "Get out of jail" type letter.
Encrypt your data. You don't want to be liable if your data is compromised.
Think through your actions before doing them.
Run these tools at your own risk. I am not responsible.
Test them on a stand-alone network with a network sniffer and review the source code
Obtain tools from the proper source
Log all of your actions
-
Different Types of Tests Available
The different types of penetration testing are as follows:
a) External Penetration Testing
- Focuses on the IT infrastructure and underlying software of the target.
b) Internal Security Assessment
- Testing carried out from various access points, being logical or physical, e.g. DMZ
c) Application Security Assessment
- Testing for customised, proprietary applications or systems
d) Wireless/Remote Access Security (RAS) Security Assessment
- Testing for risk associated with mobile computing, mobile work force
e) Telephony Security Assessment
- Testing for risk associated with voice technologies in an organisation
f) Social Engineering
- Is a non-technical test to trick people into breaking normal security procedures.
-
Different Types of Approach
Penetration tests can be conducted in one of two ways:
a) Black-Box: With no prior knowledge of the infrastructure to be tested.
b) White-Box: With complete knowledge of the infrastructure to be tested.