Hands-On Ethical Hacking and Network Defense - Second Edition Chapter 1. After reading this chapter and completing the exercises, you will be able to:

Transcription

1 Objectives After reading this chapter and completing the exercises, you will be able to: Describe the role of an ethical hacker Describe what you can do legally as an ethical hacker Describe what you can t do as an ethical hacker Who are the Players? Introduction to Ethical Hacking Who are Ethical Hackers Hired by companies to perform penetration tests Penetration test Authorized attempt to break into a company s network to find the weakest link Security test More than a break in attempt; includes analyzing company s security policy and procedures Vulnerabilities are reported The Role of Security and Penetration Testers Hackers Crackers Tiger box Access computer system or network without authorization Breaks the law; can go to prison Break into systems to steal or destroy data U.S. Department of Justice calls both hackers Collection of tools Used for conducting vulnerability assessments and attacks The Role of Security & Penetration Testers (cont)

2 Script kiddies or Packet Monkeys Younger, inexperienced hackers who copy code from knowledgeable hackers See Leet speak ( Programming Skills Languages used by experienced penetration testers Script What is a Script? Practical Extraction and Report Language (Perl) C language Set of instructions Runs in sequence to perform tasks Definition: A script is a set of instructions used by a computer to execute a set of pre-determined instructions. Once the computer executes the instructions, it returns data (a value) which could be a number, a string, a list, or another data type. A very simple script does nothing but return a value. To return a value, it uses the "return" keyword of the script to provide the request data to the script that called it. A very simple script might look like this: return ("This is a string."). The return keyword is usually followed by open and close parentheses. Javascript Example: window.open (" Penetration-Testing Methodologies White Box model Tester is told about network topology and technology Tester is permitted to interview IT personnel and company employees

3 Black Box model Hands-On Ethical Hacking and Network Defense - Second Edition Makes tester s job a little easier Staff does not know about the test Tester is not given details about technologies used Burden is on tester to find details Tests security personnel s ability to detect an attack Gray Box model Hybrid of white and black box models Company gives tester partial information (e.g., OSs are used, but no network diagrams) Certification Programs - Network Security Personnel Minimum certification: Security+: Comptia (or equivalent knowledge) Industry Standard: Certified Ethical Hacker (CEH): EC Council Based on 22 domains (subject areas) Certified Information System Security Professional (CISSP): International Information Systems Security Certification Consortium (ISC2), CISSP Consists of ten domains Certification Programs - Network Security Personnel (cont) Professional Security Tester Designated by the Institute for Security and Open Methodologies (ISECOM) Based on Open Source Security Testing Methodology Manual (OSSTMM) Written by Peter Herzog Five main topics (i.e., professional, enumeration, assessments, application, and verification)

4 Red Team Internal to organization Conducts penetration tests Composed of people with varied skills Unlikely that one person will perform all tests SANS Institute SysAdmin, Audit, Network, Security (SANS) Institute Top 20 list Offers training and certifications through Global Information Assurance Certification (GIAC) One of the most popular SANS Institute documents Details most common network exploits Suggests ways of correcting vulnerabilities Web site: Which Certification Is Best? Penetration and Security Testers Both need technical skills to perform duties effectively Good understanding of networks Role of management in an organization Skills in writing and verbal communication Desire to continue learning Danger of certification exams What You Can Do Legally Some participants simply memorize terminology Laws involving technology change Don t have a good grasp of subject matter

5 Keep abreast of what s happening in your area Find out what is legal for you locally Be aware of what is allowed and what you should not or cannot do Laws of the Land Laws vary from state to state and country to country Some hacking tools on your computer might be illegal Contact local law enforcement agencies before installing hacking tools Laws are written to protect society Written words are open to interpretation Government is getting more serious about cybercrime punishment Is Port Scanning Legal? Some states deem it legal Not always the case Be prudent before using penetration-testing tools Federal government does not see it as a violation Allows each state to address it separately Research state laws Read your ISP s Acceptable Use Policy IRC bot Program that sends automatic responses to users Gives the appearance of a person being present AUP Comparisons Federal Laws Getting more specific in areas of: Cybercrimes

6 Intellectual property issues Computer hacking and intellectual property (CHIP) New government branch Addresses computer hacking and intellectual property crimes What You Cannot Do Legally Illegal actions: Accessing a computer without permission Destroy data without permission Copy information without permission Installing worms or viruses Denying users access to network resources Be careful your actions do not prevent client s employees from doing their jobs! Get It in Writing Contracts: Using a contract is good business (CYA) May be useful in court Check internet for free modifiable templates Have an attorney review contracts before signing (CYA) Books on working as an independent contractor The Computer Consultant s Guide by Janet Ruhl Getting Started in Computer Consulting by Peter Meyer Ethical Hacking in a Nutshell Skills needed to be a security tester Knowledge of network and computer technology Ability to communicate with management and IT personnel

7 An understanding of the laws in your location Ability to use necessary tools