Hackers, Crackers, and Network Intruders


Agenda
- Hackers and their vocabulary
- Threats and risks
- Types of hackers
- Gaining access
- Intrusion detection and prevention
- Legal and ethical issues

Hacker Terms
- Hacking - showing computer expertise
- Cracking - breaching security on software or systems
- Phreaking - cracking telecom networks
- Spoofing - faking the originating IP address in a datagram
- Denial of Service (DoS) - flooding a host with sufficient network traffic so that it can't respond anymore
- Port Scanning - searching for vulnerabilities

Hacking through the ages
- 1969 - Unix hacked together
- 1971 - Cap'n Crunch phone exploit discovered
- 1988 - Morris Internet worm crashes 6,000 servers
- 1994 - $10 million transferred from CitiBank accounts
- 1995 - Kevin Mitnick sentenced to 5 years in jail
- 2000 - Major websites succumb to DDoS
- 2000 - 15,700 credit and debit card numbers stolen from Western Union (hacked while web database was undergoing maintenance)
- 2001 - Code Red
  - exploited bug in MS IIS to penetrate & spread
  - probes random IPs for systems running IIS
  - had trigger time for denial-of-service attack
  - 2nd wave infected 360000 servers in 14 hours
- Code Red 2 - had backdoor installed to allow remote control
- Nimda - used multiple infection mechanisms: email, shares, web client, IIS
- 2002 - Slammer Worm brings web to its knees by attacking MS SQL Server

The threats
- Denial of Service (Yahoo, eBay, CNN, MS)
- Defacing, Graffiti, Slander, Reputation
- Loss of data (destruction, theft)
- Divulging private information (AirMiles, corporate espionage, personal financial)
- Loss of financial assets (CitiBank)

Types of hackers
- Professional hackers
  - Black Hats - the Bad Guys
  - White Hats - Professional Security Experts
- Script kiddies
  - Mostly kids/students
  - Use tools created by black hats
    - To get free stuff
    - Impress their peers
    - Not get caught
- Underemployed Adult Hackers
  - Former Script Kiddies
  - Can't get employment in the field
  - Want recognition in hacker community
  - Big in Eastern European countries
- Ideological Hackers
  - hack as a mechanism to promote some political or ideological purpose
  - Usually coincide with political events

Types of Hackers
- Criminal Hackers
  - Real criminals, are in it for whatever they can get no matter who it hurts
- Corporate Spies
  - Are relatively rare
- Disgruntled Employees
  - Most dangerous to an enterprise as they are insiders
  - Since many companies subcontract their network services, a disgruntled vendor could be very dangerous to the host enterprise

What is Hacking?
- Unauthorized use of computer and network resources.
- Hacker originally meant a very gifted programmer.
- When it is done by request and under a contract between an ethical hacker and an organization, it is OK!
- The difference is that the ethical hacker has authorization to probe the target.
- The number of really gifted hackers in the world is very small, but there are lots of wannabes (Dr. Charles C. Palmer, IBM)

Definitions
- Hacker:
  - A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  - One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
  - A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.
- Cracker:
  - One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of hacker. An earlier attempt to establish `worm' in this sense around 1981-82 on Usenet was largely a failure.
  - Though crackers often like to describe themselves as hackers, most true hackers consider them a separate and lower form of life.

Who hacks?
- Hackers in Eastern Europe hacked about 1 million credit card numbers from 40 financial companies in the United States in 2003 alone.
- 64% of companies suffered losses from hackers' activities.
- More serious offenders, able to cause damage to a system, are known as hackers.

Who cracks?
There are 3 groups of crackers:
- Vandals: hack computer systems for destruction (deleting files).
- Jokers: the most harmless; hacking systems and carrying in different sounds, noises, and visual effects.
- Breakers: professional criminals commit hacking of computer systems with the purpose of money theft, industrial or commercial espionage, and thefts of expensive software.

Hacking - For Good
- Ethical Hacking
  - The Best Defense Is A Good Offense.
  - Performed for the sake of enhancing the performance of a device or exposing the vulnerabilities of a security system for the benefit of the system administrator.
- Penetration Testing - analysis and probe of system for purpose of targeting flaws and weaknesses that could be hacked and exploited by a malicious hacker (Black Hat hackers).
  - Old/unpatched software.
  - Poor configuration of Web servers.
  - Disabled or faulty security systems.

Hacking - For Good
Who are they?
- White Hat hackers.
- Computer and network experts who possess a variety of knowledge and skills concerning the web, network and operating systems, programming, and physical security.
- Abide by ethical principles which prevent them from abusing computer systems.
- Trusted individuals with strict confidentiality policies.

Hacking - For Good
Ethical Hackers and Certifications
- Universal Certification Does Not Exist
- The EC-Council (International Council of Electronic Commerce Consultants) has released a certification called Certified Ethical Hacker test.
- Other certifications available:
  - OSCP - Offensive Security Certified Professional
  - CEPT - Certified Expert Penetration Tester
  - CPTE - Certified Penetration Testing Expert
  - CPTS - Certified Penetration Testing Specialist
  - ECSA - EC-Council Certified Security Analyst

Hackers - For good
Who uses them?
- Increasingly, companies of all types and sizes are hiring security experts to act like the enemy.
- Some companies have departments dedicated to ethical hacking:
  - IBM
  - Microsoft

Hacking - For Good
Where did it come from?
- Ethical hacking emerged from early open source software on the internet.
- Such software still exists, such as Mozilla Firefox, Wikipedia, and Citizendium.
- Open source is a development method for software that harnesses the power of distributed peer review and transparency of process.

Laws, Fines, and Penalties
- Hackers, virus and worm writers could get 20 years to life in federal prison.
- Anyone who uses computers to cause death or bodily harm, such as bringing down power grids or airport control centers, can get the maximum sentence.
- The sentence is increased by 25% if they steal personal information.
- The sentence is increased by 50% if they share the stolen information.
- If posted on the Internet, sentence is doubled!

Top intrusion justifications
- I'm doing you a favor pointing out your vulnerabilities
- I'm making a political statement
- Because I can
- Because I'm paid to do it

Gaining access
- Front door
  - Password guessing
  - Password/key stealing
- Back doors
  - Often left by original developers as debug and/or diagnostic tools
  - Forgot to remove before release
- Trojan Horses
  - Usually hidden inside of software that we download and install from the net (remember nothing is free)
  - Many install backdoors
- Software vulnerability exploitation
  - Often advertised on the OEM's web site along with security patches
  - Fertile ground for script kiddies looking for something to do

Password guessing
- Default or null passwords
- Password same as user name (use finger)
- Password files, trusted servers
- Brute force - make sure login attempts audited!
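One way to audit login attempts for brute-force guessing, as the slide above advises. This is an added example, not part of the original slides; the log lines are constructed samples in OpenSSH sshd syslog style, and the function name, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 02:14:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Mar 10 02:14:05 host sshd[811]: Failed password for invalid user guest from 203.0.113.5 port 40114 ssh2
Mar 10 02:14:07 host sshd[811]: Failed password for root from 203.0.113.5 port 40115 ssh2
Mar 10 02:14:09 host sshd[811]: Failed password for root from 203.0.113.5 port 40116 ssh2
Mar 10 02:14:20 host sshd[811]: Accepted password for root from 203.0.113.5 port 40117 ssh2
Mar 10 09:30:00 host sshd[902]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 10 09:30:15 host sshd[902]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def audit_logins(log_text, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return (sources with a burst of failures, logins accepted after a burst).

    Syslog timestamps carry no year, so `year` is supplied by the caller.
    """
    failures = defaultdict(list)      # source IP -> recent failure timestamps
    flagged, suspicious = set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # not an sshd password event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if m["result"] == "Failed":
            # Keep only failures inside the sliding window, plus this one.
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold:
                flagged.add(src)
        elif src in flagged:
            # A success right after a guessing burst deserves investigation.
            suspicious.append((src, m["user"], ts.isoformat()))
    return flagged, suspicious

if __name__ == "__main__":
    print(audit_logins(SAMPLE_LOG))
```

A single mistyped password followed by a success, like the constructed `alice` lines, stays below the threshold and is not reported.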

Password/key theft
- Dumpster diving
  - It's amazing what people throw in the trash
    - Personal information
    - Passwords
    - Good doughnuts
  - Many enterprises now shred all white paper trash
- Inside jobs
  - Disgruntled employees
  - Terminated employees (about 50% of intrusions resulting in significant loss)

Once inside, the hacker can...
- Modify logs
  - To cover their tracks
  - To mess with you
- Steal files
  - Sometimes destroy after stealing
  - A pro would steal and cover their tracks so as to be undetected
- Modify files
  - To let you know they were there
  - To cause mischief
- Install back doors
  - So they can get in again
- Attack other systems

Intrusion detection systems (IDS)
- A lot of research going on at universities
  - Doug Somerville - EE Dept, Viktor Skorman - EE Dept
- Big money available due to 9/11 and Dept of Homeland Security
- Vulnerability scanners
  - pro-actively identifies risks
- User use pattern matching
  - When pattern deviates from norm should be investigated
- Network-based IDS
  - examine packets for suspicious activity
  - can integrate with firewall
  - require one dedicated IDS server per segment

Intrusion prevention
- Patches and upgrades (hardening)
- Disabling unnecessary software
- Firewalls and Intrusion Detection Systems
- Honeypots
- Recognizing and reacting to port scanning

Computer Crimes
- Financial Fraud
- Credit Card Theft
- Identity Theft
- Computer specific crimes
  - Denial-of-service
  - Denial of access to information
  - Viruses
    - Melissa virus cost New Jersey man 20 months in jail
    - Melissa caused in excess of $80 Million
- Intellectual Property Offenses
  - Information theft
  - Trafficking in pirated information
  - Storing pirated information
  - Compromising information
  - Destroying information
- Content related Offenses
  - Hate crimes
  - Harassment
  - Cyber-stalking
- Child privacy