Objectives
• After reading this chapter and completing the exercises, you will be able to:
  – Describe the role of an ethical hacker
  – Describe what you can do legally as an ethical hacker
  – Describe what you can’t do as an ethical hacker
• Who are the Players?

Introduction to Ethical Hacking
• Who are “Ethical Hackers”
  – Hired by companies to perform penetration tests
• Penetration test
  – Authorized attempt to break into a company’s network to find the weakest link
• Security test
  – More than a break-in attempt; includes analyzing company’s security policy and procedures
  – Vulnerabilities are reported

The Role of Security and Penetration Testers
• Hackers
  – Access computer system or network without authorization
    • Breaks the law; can go to prison
• Crackers
  – Break into systems to steal or destroy data
• U.S. Department of Justice calls both hackers
• Tiger box
  – Collection of tools
    • Used for conducting vulnerability assessments and attacks

The Role of Security & Penetration Testers (cont)
• Script kiddies or Packet Monkeys
  – Younger, inexperienced hackers who copy code from knowledgeable hackers
  – See Leet speak (http://en.wikipedia.org/wiki/Leet)
• Programming Skills
  – Languages used by experienced penetration testers
    • Practical Extraction and Report Language (Perl)
    • C language
  – Script
    • Set of instructions
    • Runs in sequence to perform tasks

What is a Script?
• Definition: A script is a set of pre-determined instructions that a computer executes. Once the computer executes the instructions, it returns data (a value), which could be a number, a string, a list, or another data type.
  – A very simple script does nothing but return a value. To return a value, it uses the "return" keyword to provide the requested data to the script that called it.
• A very simple script might look like this:
  – return ("This is a string."). The return keyword is usually followed by open and close parentheses.
• JavaScript Example:
  window.open("http://www.javascript-coder.com", "mywindow")

Penetration-Testing Methodologies
• White Box model
  – Tester is told about network topology and technology
    • Makes tester’s job a little easier
• Black Box model
  – Staff does not know about the test
  – Tester is not given details about technologies used
    • Burden is on tester to find details
  – Tests security personnel’s ability to detect an attack
• Gray Box model
  – Hybrid of white and black box models
  – Company gives tester partial information (e.g., which OSs are used, but no network diagrams)

Certification Programs - Network Security Personnel
• Minimum certification:
  • Security+: CompTIA (or equivalent knowledge)
• Industry Standard:
  • Certified Ethical Hacker (CEH): EC-Council
    • Based on 22 domains (subject areas)
  • Certified Information Systems Security Professional (CISSP):
    – International Information Systems Security Certification Consortium (ISC2), CISSP
    – Consists of ten domains

Certification Programs - Network Security Personnel (cont)
• Professional Security Tester
  – Designated by the Institute for Security and Open Methodologies (ISECOM)
  – Based on Open Source Security Testing Methodology Manual (OSSTMM), written by Peter Herzog
  – Five main topics (i.e., professional, enumeration, assessments, application, and verification)
• Red Team
  – Internal to organization
  – Conducts penetration tests
  – Composed of people with varied skills
  – Unlikely that one person will perform all tests

SANS Institute
• SysAdmin, Audit, Network, Security (SANS) Institute
  – Offers training and certifications through Global Information Assurance Certification (GIAC)
• Top 20 list
  – One of the most popular SANS Institute documents
  – Details most common network exploits
  – Suggests ways of correcting vulnerabilities
  – Web site: www.sans.org

Which Certification Is Best?
• Penetration and Security Testers
  – Both need technical skills to perform duties effectively
    • Good understanding of networks
    • Role of management in an organization
    • Skills in writing and verbal communication
    • Desire to continue learning
  – Danger of certification exams
    • Some participants simply memorize terminology
      – Don’t have a good grasp of subject matter

What You Can Do Legally
– Keep abreast of what’s happening in your area
  • Find out what is legal for you locally
– Be aware of what is allowed and what you should not or cannot do
  • Laws vary from state to state and country to country

Laws of the Land
• Some hacking tools on your computer might be illegal
  – Contact local law enforcement agencies before installing hacking tools
• Laws are written to protect society
  – Written words are open to interpretation
• Government is getting more serious about cybercrime punishment

Is Port Scanning Legal?
• Some states deem it legal
  – Not always the case
  – Be prudent before using penetration-testing tools
• Federal government does not see it as a violation
  – Allows each state to address it separately
• Research state laws
• Read your ISP’s “Acceptable Use Policy”
• IRC “bot”
  – Program that sends automatic responses to users
  – Gives the appearance of a person being present

AUP Comparisons

Federal Laws
• Getting more specific in areas of:
  – Cybercrimes
  – Intellectual property issues
• Computer hacking and intellectual property (CHIP)
  – New government branch
  – Addresses computer hacking and intellectual property crimes

What You Cannot Do Legally
• Illegal actions:
  – Accessing a computer without permission
  – Destroying data without permission
  – Copying information without permission
  – Installing worms or viruses
  – Denying users access to network resources
  – Be careful your actions do not prevent client’s employees from doing their jobs!

Get It in Writing
• Contracts:
  – Using a contract is good business (CYA)
  – May be useful in court
  – Check internet for free modifiable templates
  – Have an attorney review contracts before signing (CYA)
• Books on working as an independent contractor
  – The Computer Consultant’s Guide by Janet Ruhl
  – Getting Started in Computer Consulting by Peter Meyer

Ethical Hacking in a Nutshell
• Skills needed to be a security tester
  – Knowledge of network and computer technology
  – An understanding of the laws in your location
  – Ability to use necessary tools