BlueCrest Information Security

and Audit
Chapter 2

Ethical Hacking

Welcome to the world of Ethical Hacking

PREHISTORY
1960s: The Dawn of Hacking
Original meaning of the word "hack" started
at MIT; meant elegant, witty or inspired way
of doing almost anything; hacks were
programming shortcuts

Hackers are here. Where are you?

The explosive growth of the Internet has
brought many good thingsAs with most
technological advances, there is also a dark
side: criminal hackers.
The term hacker has a dual usage in the
computer industry today. Originally, the term
was defined as:
HACKER noun. 1. A person who enjoys
learning the details of computer systems and
how to stretch their capabilities. 2. One who
programs enthusiastically or who enjoys
programming rather than just theorizing
about programming.

What is a Hacker?
Old School Hackers: 1960s style Stanford or MIT
hackers. Do not have malicious intent, but do have
lack of concern for privacy and proprietary
information. They believe the Internet was designed
to be an open system.
Script Kiddies or Cyber-Punks: Between 12-30;
predominantly white and male; bored in school; get
caught due to bragging online; intent is to vandalize
or disrupt systems.
Professional Criminals or Crackers: Make a living by
breaking into systems and selling the information.
Coders and Virus Writers: See themselves as an
elite; programming background and write code but
wont use it themselves; have their own networks
called zoos; leave it to others to release their code
into The Wild or Internet.

What is Ethical Hacking?

Ethical hacking defined methodology adopted by
ethical hackers to discover the vulnerabilities existing
in information systems operating environments.
With the growth of the Internet, computer security
has become a major concern for businesses and
governments.
In their search for a way to approach the problem,
organizations came to realize that one of the best
ways to evaluate the intruder threat to their interests
would be to have independent computer security
professionals attempt to break into their computer
systems.

Who are Ethical Hackers?

One of the best ways to evaluate the intruder

threat is to have an independent computer security
professionals attempt to break their computer
systems
Successful ethical hackers possess a variety of skills.
First and foremost, they must be completely
trustworthy.
Ethical hackers typically have very strong
programming and computer networking skills.
They are also adept at installing and maintaining
systems that use the more popular operating
systems (e.g., Linux or Windows ) used on target
systems.
These base skills are augmented with detailed
knowledge of the hardware and software provided
by the more popular computer and networking
hardware vendors.

What do Ethical Hackers do?

An ethical hackers evaluation of a systems security seeks
answers to these basic questions:
What can an intruder see on the target systems?
What can an intruder do with that information?
Does anyone at the target notice the intruders attempts
or successes?
What are you trying to protect?
How much time, effort, and money are you willing to
expend to obtain adequate protection?

Anatomy of an attack:
Reconnaissance attacker gathers information;
can include social engineering.
Scanning searches for open ports (port scan)
probes target for vulnerabilities.
Gaining access attacker exploits vulnerabilities
to get inside your system; used for spoofing IP.
Maintaining access creates backdoor through
use of Trojans; once attacker gains access makes
sure he/she can get back in.
Covering tracks deletes files, hides files, and
erases log files. So that attacker cannot be
detected or penalized.

Classes/Types of Hackers
Black hats highly
skilled,
malicious, destructive
crackers
White hats skills used
for
defensive security
analysts
Gray hats offensively
and
defensively; will hack for
different
reasons, depends on
situation.

So Now You Know ..

Hacker
Access computer system or network without
authorization
Breaks the law . So becomes a cracker

Ethical Hacker
Performs most of the same activities but with
owners permission
Employed by companies to perform Penetration Tests
Hactivism hacking for social and political cause.

Penetration Test
Protecting an organisations asset is a continual process.
The process involves an active analysis of the system for
any
weaknesses, technical flaws or vulnerabilities.
This analysis is carried out from a position of a potential
attacker, and can involve active exploitation of security
vulnerabilities.

Any security issues that are found will be presented to

the system owner together with an assessment of their
impact and often with a proposal for mitigation or a
technical solution.

Types of Security Assessments

Vulnerability scanning:

Focuses on known weaknesses

Can be automated

Does not necessarily require expertise

Penetration testing:

Focuses on known and unknown weaknesses

Requires highly skilled testers

Carries tremendous legal burden in certain countries/organizations

IT security auditing:

Focuses on security policies and procedures

Used to provide evidence for industry regulations

Why Does Network Security Fail?

Network security fails in several common areas,
including:

Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date

What is a Penetration Test?

A penetration test is the process of actively evaluating your information
security measures. Or
A penetration test is a method of evaluating the security of a computer
system or network by simulating an attack from a malicious source,
known as Black hat Hacker or Cracker.
Identifying vulnerabilities of a particular system, application, network, or
process
Exploiting those vulnerabilities
mechanisms can and will fail

to

demonstrate

that

the

security

The good guys usually get some small piece of proof and exit
as quietly as they came
There are a number of ways that this can be undertaken, but the most common procedure is
that the security measures are actively analyzed for design weaknesses, technical flaws and
vulnerabilities; the results are then delivered comprehensively in a report, to Executive,
Management and Technical audiences.

Why Penetration Testing: Why would you want it?

There are several reasons why organizations choose to perform a
penetration test; they range from technical to commercial but the
most common are:
Identify the threats facing your organizations information assets
so that you can quantify your information risk and provide
adequate information security expenditure.
Reduce your organizations IT security costs and provide a better
Return on IT Security Investment by identifying and resolving
vulnerabilities and weaknesses in the design or implementation.
Provide your organization with assurance a thorough and
comprehensive assessment of organizational security covering
policy, procedure, design and implementation.

Answer the questions Is our network secure? and How

do we know that our network is secure?

Provide a baseline to help improve security

Find configuration mistakes or missing

security updates

Reveal unexpected weaknesses in your

organizations security

Ensure regulatory compliance

Using Penetration Testing to Assess Network Security

Steps to a successful penetration test include:

Determine how the attacker is most likely to go about
attacking a network or an application
Locate areas of weakness in network or application
defenses
Determine how an attacker could exploit weaknesses
Locate assets that could be accessed, altered, or
destroyed
Determine whether the attack was detected
Determine what the attack footprint looks like
Make recommendations

Legal Issues Before You Start

First, can you do what you want to do where you want to do it?
Is a war-driving legal against your own systems when going through a
central office?

Make sure you are protected with a Letter of Authority.

Protect yourself with a Get out of jail type letter.

Encrypt your data. You dont want to be liable if your data is

compromised.
Think through your actions before doing them.
Run these tools at your own risk. I am not responsible
Test them on a stand-alone network with a network sniffer and review the
source code
Obtain tools from the proper source

Log all of your actions

Different Types of Tests Available

The different types of penetration testing are as follows:
a) External Penetration Testing
- Focuses on ITs infrastructure and underlying software of the target.

b) Internal Security Assessment

- Testing carried out from various access points being logical or physical eg.
DMZ

c) Application Security Assessment

- Testing for customised, proprietary applications or systems

d) Wireless/Remote Access Security (RAS) Security Assessment

- Testing for risk associated with mobile computing mobile work force

e) Telephony Security Assessment

- Testing for risk associated with voice technologies in an organisation

f) Social Engineering
- Is a non-technical test to trick people into braking normal security
procedures.

Different Types of Approach

Penetration tests can be conducted in one of
two ways:
a) Black-Box: With no prior knowledge of the
infrastructure to be tested.

b) White-Box: With complete knowledge of the

infrastructure to be tested.