Ethical Hacking Overview

Objectives

  • After completing this lecture, you will be able to:
    • Describe the role of an ethical hacker.
    • Describe what you can do legally as an ethical hacker.
    • Describe what you cannot do as an ethical hacker.

Introduction to Ethical Hacking

  • Ethical Hacking:
    • Hacking that is authorized and legal.
    • Aims to simulate the actions of a malicious attacker gaining unauthorized access to a computer system, application, or data.
    • A proactive approach to security, allowing organizations to stay one step ahead of potential threats and attacks.

Performing Ethical Hacking

  • Penetration Testing:
    • Attempt to break into a company’s network to find the weakest link.
  • Vulnerability Assessment:
    • The tester attempts to enumerate all vulnerabilities found in an application or on a system.
  • Security Testing:
    • Besides a break-in attempt, includes analyzing the company’s security policy and procedures.

The Role of Security and Penetration Testers

  • Hackers:
    • Access computer systems or networks without authorization.
    • Break the law; can go to prison.
  • Crackers:
    • Break into systems to steal or destroy data.
  • U.S. Department of Justice:
    • Calls both hackers.
  • Ethical Hacker:
    • Performs most of the same activities with owner’s permission.
  • Script Kiddies or Packet Monkeys:
    • Younger, inexperienced hackers who copy code from knowledgeable hackers.
  • Programming languages used by experienced penetration testers:
    • Python, Ruby, Go, Practical Extraction and Report Language (Perl), C language.
  • Script:
    • Set of instructions that runs in sequence to perform certain tasks.
  • Hacktivist:
    • An individual who gains unauthorized access to the computer system or network for politically or socially motivated purposes.
  • Penetration testers:
    • Usually have a workstation or a server with multiple operating systems and tools for exploitation.
  • Job requirements for a penetration tester might include:
    • Perform vulnerability, attack, and penetration assessments in intranet and wireless environments.
    • Perform discovery and scanning for open ports.
    • Apply appropriate exploits to gain access.
    • Participate in activities involving application penetration.
    • Produce reports documenting discoveries.
    • Debrief with the client at the conclusion.

Penetration-Testing Methodologies

  • White box model
    • Tester is told about network topology and technology.
    • May be given a floor plan.
    • Tester is permitted to interview IT personnel and company employees.
    • May include additional access at the code level and role-based credentials.
    • Makes tester’s job a little easier.
  • Black box model
    • Staff does not know about the test.
    • Tester is not given details about technologies used; no information is provided except an IP address.
    • Burden is on tester to find details.
    • Tests security personnel’s ability to detect an attack.
  • Gray box model
    • Hybrid of the white and black box models.
    • Company gives tester partial information (e.g., which OSs are used, but no network diagrams).

Certification Programs for Network Security Personnel

  • Certification programs
    • Available in almost every area of network security
  • Minimum certification
    • CompTIA Security+ or equivalent knowledge
    • Prerequisite for Security+ certification is CompTIA Network+

Offensive Security Certified Professional

  • OSCP
    • An advanced certification that requires students to demonstrate hands-on abilities to earn their certificates.
    • Covers network and application exploits.
    • Gives students experience in developing rudimentary buffer overflows, writing scripts to collect and manipulate data, and trying exploits on vulnerable systems.

Certified Ethical Hacker

  • Developed by the International Council of Electronic Commerce Consultants (EC-Council)
    • Based on 22 domains (subject areas)
    • Web site: www.eccouncil.org
  • Most likely to be placed on a team that conducts penetration tests
    • Called a Red team
    • Conducts penetration tests
    • Composed of people with varied skills
    • Unlikely that one person will perform all tests

OSSTMM Professional Security Tester (OPST)

  • Open Source Security Testing Methodology Manual (OSSTMM) Professional Security Tester
    • Designated by the Institute for Security and Open Methodologies (ISECOM)
    • Based on Open Source Security Testing Methodology Manual (OSSTMM)
    • Written by Peter Herzog
    • Five main topics (i.e., professional, enumeration, assessments, application, and verification)
    • Web site: www.isecom.org

Certified Information Systems Security Professional

  • CISSP
    • Issued by the International Information Systems Security Certification Consortium (ISC2)
    • Not geared toward technical IT professionals
    • Tests security-related managerial skills
    • Usually more concerned with policies and procedures
    • Consists of ten domains
    • Web site: www.isc2.org

SANS Institute

  • SysAdmin, Audit, Network, Security (SANS) Institute
    • Offers training and IT security certifications through Global Information Assurance Certification (GIAC)
    • Top 25 Software Errors list
      • One of the most popular SANS Institute documents
      • Details most common network exploits
      • Suggests ways of correcting vulnerabilities
    • Web site: www.sans.org

Which Certification is Best?

  • Penetration testers and security testers need technical skills to perform duties effectively.
    • Must also have:
      • A good understanding of networks and the role of management in an organization
      • Skills in writing and verbal communication
      • Desire to continue learning
    • Danger of certification exams
      • Some participants simply memorize terminology without a good grasp of the subject matter.

What Can You Do Legally

  • Laws involving technology change as rapidly as technology itself
    • Keep abreast of what is happening in your area
    • Find out what is legal for you locally
    • Be aware of what is allowed and what you should not or cannot do
    • Laws vary from state to state and country to country
    • Example: In some states, the possession of lockpicking tools constitutes a crime

Laws of the Land

  • Some hacking tools on your computer might be illegal
    • Contact local law enforcement agencies before installing hacking tools
    • Laws are written to protect society
    • Written words are open to interpretation
    • Example: In Hawaii, the state must prove the person charged had the “intent to commit a crime”
    • Ignorance of the law is not an excuse
    • Government is getting more serious about cybercrime punishment

Case Examples:
  • Massachusetts, 2013: Aaron Swartz was charged with 13 felony counts under the Computer Fraud and Abuse Act after downloading 2.7 million articles from JSTOR.

  • Massachusetts, 2014: Cameron Lacroix was sentenced to 4 years in prison for hacking law enforcement agencies' servers and a college server to change grades.

  • Georgia, 2014: Sergei Nicolaevich Tsurikov was sentenced to 11 years in prison for conspiracy to commit wire fraud and computer intrusion involving counterfeit payroll debit cards and the withdrawal of over 99 million.

  • Delaware, 2014: Nathan Leroux, Sanadodeh Nesheiwat, David Pokora, and Austin Alcala were indicted for stealing gaming technology and Apache helicopter training software using SQL injection.

  • Texas, 2014: Fidel Salinas, an alleged member of Anonymous, faces up to 10 years in federal prison for allegedly cyberstalking a female victim and attempting to gain unauthorized access to her Web site.

  • New York, 2014: Lauri Love was charged with hacking into the Federal Reserve using SQL injection and stealing confidential information.

  • Wisconsin, 2014: James L Santelle was sentenced to 24 months' probation and ordered to pay $110,932.71 in restitution for participating in a distributed denial-of-service attack against the Angel Soft Web site.

  • Electronic Transaction Act 2063 – Nepal

    • The objective of this Act is to ensure the reliability and security of electronic transactions, including the control of unauthorized use of electronic records or alteration of such records by illegal means.

Is Port Scanning Legal?

  • Some states consider it legal
    • Not always the case
    • Be prudent before using penetration-testing tools
    • Federal government does not see it as a violation
    • Allows each state to address it separately
    • Research state laws
    • Read your ISP’s “Acceptable Use Policy”

Acceptable Use Policy Example:
  • PacInfo Net makes no restriction on usage provided that such usage is legal under the laws and regulations of the State of Hawaii and the United States of America and does not adversely affect PacInfo Net customers.

  • Customers are forbidden from using techniques designed to cause damage to or deny access by legitimate users of computers or network components connected to the Internet.

  • IRC “bot”

    • Program that sends automatic responses to users
    • Gives the appearance of a person being present
    • Some ISPs may prohibit the use of IRC bots

What You Cannot Do Legally

  • Illegal actions:
    • Accessing a computer without permission
    • Destroying data without permission
    • Copying information without permission
    • Installing viruses that deny users access to network resources
    • Be careful your actions do not prevent client’s employees from doing their jobs

Get It In Writing

  • Using a contract is good business
    • May be useful in court
  • Books on working as an independent contractor:
    • Getting Started as an Independent Computer Consultant by Mitch Paioff and Melanie Mulhall
    • The Consulting Bible: Everything You Need to Know to Create and Expand a Seven-Figure Consulting Practice by Alan Weiss
    • The Internet can also be a helpful resource
      • Free modifiable templates
    • Have an attorney read your contract before signing

Ethical Hacking in a Nutshell

  • Skills needed to be a security tester
    • Knowledge of network and computer technology
    • Ability to communicate with management and IT personnel
    • An understanding of the laws in your location
    • Ability to apply necessary tools to perform your tasks
    • Communication and writing skills

Summary

  • Companies hire ethical hackers to perform penetration tests
  • Penetration tests discover vulnerabilities in a network
  • Security tests are performed by a team of people with varied skills
  • Penetration test models
    • White box model
    • Black box model
    • Gray box model
  • Security testers can earn certifications
    • CEH
    • CISSP
    • OPST
  • As a security tester, be aware
    • What you are legally allowed or not allowed to do
    • ISPs may have an acceptable use policy
    • May limit ability to use tools
  • Laws should be understood before conducting a security test
    • Federal laws
    • State laws
  • Get it in writing
    • Use a contract
    • Have an attorney read the contract
  • Understand tools available to conduct security tests
    • Learning how to use them should be a focused and methodical process