Introduction to Ethical Hacking and Network Defense. Objectives. Hackers



Similar documents
Hands-On Ethical Hacking and Network Defense - Second Edition Chapter 1. After reading this chapter and completing the exercises, you will be able to:

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Network Incident Report

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing in Romania

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking

Ethical Hacking Overview

CRYPTUS DIPLOMA IN IT SECURITY

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Penetration Testing. Presented by

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Hackers: Detection and Prevention

An Introduction to Network Vulnerability Testing

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

Network Security: Introduction

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

COB 302 Management Information System (Lesson 8)

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Vinny Hoxha Vinny Hoxha 12/08/2009

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Detailed Description about course module wise:

NETWORK PENETRATION TESTING

CMPT 471 Networking II

Footprinting and Reconnaissance Tools

SECURITY. Risk & Compliance Services

Hackers are here. Where are you?

SECURING INFORMATION SYSTEMS

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

EC-Council Certified Security Analyst (ECSA)

Hackers are here. Where are you?

ASDI Full Audit Guideline Federal Aviation Administration

Cracking and Computer Security

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Exam 1 - CSIS 3755 Information Assurance

The Self-Hack Audit Stephen James Payoff

U. S. Attorney Office Northern District of Texas March 2013

EC-Council. Program Brochure. EC-Council. Page 1

SECURITY ISSUES INTERNET WORLD WIDE WEB FOR THE AND THE

Information Technology Cyber Security Policy

Topic 1 Lesson 1: Importance of network security

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Fighting Cyber Crime in the Telecommunications Industry. Sachi Chakrabarty

Data Security for the Hospitality

IDS and Penetration Testing Lab ISA 674

WHITE PAPER. An Introduction to Network- Vulnerability Testing

ETHICAL HACKING CYBER SECURITY

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Security Testing Summary of Next-Generation Enterprise VoIP Solution: Unify Inc. OpenScape SBC V8

Firewalls Overview and Best Practices. White Paper

What is Penetration Testing?

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Acceptable Use Policy

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

EC-Council Certified Security Analyst / License Penetration Tester (ECSA/LPT) v4.0 Bootcamp

ΕΠΛ 674: Εργαστήριο 5 Firewalls

About Effective Penetration Testing Methodology

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

Analyze. Secure. Defend. Do you hold ECSA credential?

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Learn Ethical Hacking, Become a Pentester

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

How To Protect Your Network From Attack From A Hacker On A University Server

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Chapter 9 Firewalls and Intrusion Prevention Systems


PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Radware s Behavioral Server Cracking Protection

8 Steps for Network Security Protection

Software Engineering 4C03 Class Project. Computer Networks and Computer Security COMBATING HACKERS

Information Security Services

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

8 Steps For Network Security Protection

Course Content: Session 1. Ethics & Hacking

Security Testing: Step by Step System Audit with Rational Tools. First Presented for:

2011 Course Technology, Cengage Learning


Web App Security Audit Services

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Computer Networks & Computer Security

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Payment Card Industry (PCI) Data Security Standard

AASTMT Acceptable Use Policy

PCI Security Scan Procedures. Version 1.0 December 2004

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Data Security Incident Response Plan. [Insert Organization Name]

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

Network Instruments white paper

Transcription:

Introduction to Ethical Hacking and Network Defense January 14, 2010 MIS 4600 - Abdou Illia Objectives Describe the role of an ethical hacker Describe what can an ethical hacker legally do Describe what an ethical hacker cannot legally do 2 Hackers Hackers Access computer system or network without authorization Have different motivations (from prove their status to some damage) Crackers Break into systems to steal or destroy data Script kiddies or packet monkeys Young inexperienced hackers Use publicly available hacking tools or copy codes and techniques from the Internet For the U.S. Department of Justice they all break the law; can go to prison. 3

Hackers vs. Ethical Hackers Ethical hacker Performs most of the same activities as hackers and crackers, but with owner s permission Employed by companies to perform penetration or security tests Red team Team of ethical hackers with varied skills (social engineering, ethics/legal issues, break-ins, etc.) 4 Penetration test vs. Security test Penetration test Legally breaking into a company s network to find its weaknesses Tester only reports findings Security test More than a penetration test Also includes: Analyzing company s security policy and procedures Offering solutions to secure or protect the network 5 Security Policy - Sets rules for expected behaviors by users (e.g. regular patches download, strong passwords, etc.), and IT personnel (e.g. no unauthorized access to users files, ), etc. Passwords must - Defines access control rules. not be written - Defines consequences of violations. down Access to files must -Helps track compliance with regulations. be granted to the level required by users job -Etc. Hacking Tools 6 Referred to as Tiger box in course textbook Collection of OSs and tools that assist with hacking Network scanners Traffic monitors Keyloggers Password crackers Etc. Practical Extraction and Report Language (Perl) C programming language Scripts, i.e. set of instructions that runs in sequence

Questions 7 Which of the following may be part of a penetration test (P) or a security test (S)? Use X to indicate your answer. 1. 2. Breaking into a computer system without authorization. Laying out specific actions to be taken in order to prevent dangerous packets to pass through firewalls. 3. 4. Scanning a network in order to gather IP addresses of potential targets Finding that patches are not timely applied as recommended by corporate rules. 5. Writing a report about a company s security defense system. 6. Scanning a network in order to find out what defense tools are being used. 7. 8. Finding that users cannot change their passwords themselves Finding that a company does not have an effective password reset rule. 9. Finding out that a firewall does not block potentially dangerous packets 10 11 Proposing a new procedure which implementation may help improve systems security Finding out that the administrator's account is called Admin and has a weak password 12 Finding out that 1/3 of the security procedures are not actually implemented. 13 Performing a denial-of service-attacks 14 Disabling network defense systems P S Penetration Testing Models White box Black box Gray box White box model Tester is told everything about the network topology and technology Tester is authorized to interview IT personnel and company employees Makes tester s job a little easier 8 Note: some diagrams may show routers, firewalls, etc. Penetration Testing Models (cont.) White box Black box Gray box Black box model Company staff does not know about the test Tester is not given details about the network. Burden is on the tester to find these details Tests if security personnel are able to detect an attack Question: What is the disadvantage of letting the company s employees know about the penetration test? 9 Question: What is the disadvantage of letting the IT staff know about the penetration test?

Penetration Testing Models (cont.) White box Black box Gray box Gray box model Hybrid of the white and black box models Company gives tester partial information 10 What You Can Do Legally Laws involving technology change as rapidly as technology itself Find what is legal for you locally Laws change from place to place Be aware of what is allowed and what is not allowed 11 Laws of the Land Tools on your computer might be illegal to possess Contact local law enforcement agencies before installing hacking tools Governments are getting more serious about punishment for cybercrimes 12

Is Port Scanning Legal? Some states deem it legal Not always the case Federal Government does not see it as a violation Allows each state to address it separately Read your ISP s Acceptable Use Policy 13 Federal Laws Federal computer crime laws are getting more specific Cover cybercrimes and intellectual property issues Computer Hacking and Intellectual Property (CHIP) New government branch to address cybercrimes and intellectual property issues 14 Hands-On Ethical Hacking and Network Defense 15 Hands-On Ethical Hacking and Network Defense

What You Cannot Do Legally Accessing a computer without permission is illegal Other illegal actions Installing worms or viruses Denial of Service attacks Denying users access to network resources Be careful your actions do not prevent customers from doing their jobs 16 Hands-On Ethical Hacking and Network Defense Get It in Writing Using a contract is just good business Contracts may be useful in court Internet can also be a useful resource Have an attorney read over your contract before sending or signing it 17 Ethical Hacking in a Nutshell What it takes to be a security tester Knowledge of network and computer technology Ability to communicate with management and IT personnel Understanding of the laws Ability to use necessary tools 18

Summary Questions What is the difference b/w penetration test and security test? What is a packet monkey? What three models are used for penetration tests? What is a red team? What portion of your ISP contract might affect your ability to conduct penetration tests over the Internet? What is the name of the new government branch that handles cybercrimes and intellectual property issues? Hacking tools are always illegal to posses. T F 19 Projects Ask your local law enforcement agency which hacking activities are considered legal or ethical and when the same activities are considered crimes. Better yet, create your own list of hacking activities and ask specific questions about them. Ask your ISP for its Acceptable Use Policy and read it. Write 1-2 paragraphs of your own interpretation of such a policy. What activities are you allowed to conduct? What activities you are not allowed to conduct? 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information