
Essential Knowledge
Chapter #1: Getting Started
CIS 4500
(source: rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter01.pdf)

Remember …

“Remember, when you connect with another computer, you're connecting to every computer that computer has connected to.” Dennis Miller

CEH Exam

- EC Council
- Site
- Credentials
- Establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures.
- Inform the public that credentialed individuals meet or exceed the minimum standards.
- Reinforce ethical hacking as a unique and self-regulating profession.

CEH Exam Blueprint (section, knowledge of, weight, number of questions)

I. Background (4%, 5 questions)
  A. networking technologies (e.g., hardware, infrastructure)
  B. web technologies (e.g., web 2.0, skype)
  C. systems technologies
  D. communication protocols
  E. malware operations
  F. mobile technologies (e.g., smart phones)
  G. telecommunication technologies
  H. backups and archiving (e.g., local, network)

II. Analysis/Assessment (13%, 16 questions)
  A. data analysis
  B. systems analysis
  C. risk assessments
  D. technical assessment methods

III. Security (25%, 31 questions)
  A. systems security controls
  B. application/file server
  C. firewalls
  D. cryptography
  E. network security
  F. physical security
  G. threat modeling
  H. verification procedures (e.g., false positive/negative validation)
  I. social engineering (human factors manipulation)
  J. vulnerability scanners
  K. security policy implications
  L. privacy/confidentiality (with regard to engagement)
  M. biometrics
  N. wireless access technology (e.g., networking, RFID, Bluetooth)
  O. trusted networks
  P. vulnerabilities

IV. Tools/Systems/Programs (25%, 31 questions)
  A. network/host based intrusion
  B. network/wireless sniffers (e.g., WireShark, Airsnort)
  C. access control mechanisms (e.g., smart cards)
  D. cryptography techniques (e.g., IPSec, SSL, PGP)
  E. programming languages (e.g. C++, Java, C#, C)
  F. scripting languages (e.g., PHP, JavaScript)
  G. boundary protection appliances
  H. network topologies
  I. subnetting
  J. port scanning (e.g., NMAP)
  K. domain name system (DNS)
  L. routers/modems/switches
  M. vulnerability scanner (e.g., Nessus, Retina)
  N. vulnerability management and protection systems (e.g., Foundstone, Ecora)
  O. operating environments (e.g., Linux, Windows, Mac)
  P. antivirus systems and programs
  Q. log analysis tools
  R. security models
  S. exploitation tools
  T. database structures

V. Procedures/Methodology (20%, 25 questions)
  A. cryptography
  B. public key infrastructure (PKI)
  C. security architecture (SA)
  D. service oriented architecture (SOA)
  E. information security incident
  F. N-tier application design
  G. TCP/IP networking (e.g., network routing)
  H. security testing methodology

VI. Regulation/Policy (4%, 5 questions)
  A. security policies
  B. compliance regulations (e.g., PCI)

VII. Ethics (2%, 3 questions)
  A. professional code of conduct
  B. appropriateness of hacking

Outline

- Identify components of TCP/IP computer networking
- Understand basic elements of information security
- Understand incident management steps
- Identify fundamentals of security policies
- Identify essential terminology associated with ethical hacking
- Define ethical hacker and classifications of hackers
- Describe the five stages of ethical hacking
- Define the types of system attacks
- Identify laws, acts, and standards affecting IT security

Servers in Networks

- Authentication Server
- Directory Server
- File Server
- Print Server
- Mail Server
- E-Commerce Server
- RealTime Communication Server
- Application Servers
- Management Server
- Streaming Media Server
- Mobile Communication Server
- Content Management Server
- Active Directory Server
- FTP Server
- Web Server
- Proxy Server

TCP/IP Overview
[diagram only]

OSI Reference Model
[diagram only]

Ethernet Frame
[diagram only]

Frames in Transit
[diagram only]

Network Zones

- Internet
  - Outside the boundary and uncontrolled. You don’t apply security policies to the Internet. Governments try to all the time, but your organization can’t.
- Internet DMZ
  - The acronym DMZ (for Demilitarized Zone) comes from the military and refers to a section of land between two adversarial parties where there are no weapons or fighting. The idea is you can see an adversary coming across the DMZ and have time to work up a defense. In networking, the idea is the same: it’s a controlled buffer network between you and the uncontrolled chaos of the Internet.
- Production Network Zone
  - A very restricted zone that strictly controls direct access from uncontrolled zones. The PNZ doesn’t hold users.
- Intranet Zone
  - A controlled zone that has little-to-no heavy restrictions. This is not to say everything is wide open on the Intranet Zone, but communication requires fewer strict controls internally.
- Management Network Zone
  - Usually an area you’d find rife with VLANs and maybe controlled via IPSec and such. This is a highly secured zone with very strict policies.

Network Security Issues

- Physical security
- Controlling access to internal computers from external entities
- Routers, authentication hardware and software, encryption
- Firewalls, intrusion detection systems (IDSs)

Protection

In the operational model Protection =

Layered Security

- Every environment needs multiple layers of security
  - routers
  - firewalls
  - network segments
  - IDSs
  - encryption
  - authentication software
  - physical security
  - traffic control

Balancing
[diagram only]

Organizational Security

- Incident Response Team (IRT)
  - to identify, analyze, prioritize, and resolve the incident
  - reviews detection, analyzes the exploitation, notifies appropriate stakeholders
  - works to contain the exploitation, eradicate residual back doors, and coordinates recovery for any lost data or services.

Organizational Security

- As part of the incident management process, the team provides post-incident reporting and lessons learned to management.
- Post-incident report: suggestions to management to identify what risks are present and quantify them on a measurement scale.
- A risk management approach would allow them to come up with solutions to mitigate, eliminate, or accept the identified risks.

Organizational Security

- Identifying organizational assets, the threats to those assets, and their vulnerabilities allows the organization to explore which countermeasures minimize risk as much as possible.
- Security controls greatly increase the security posture of the systems.

Security Controls

- Security controls can be categorized as physical, technical, and administrative.
  - Physical controls include guards, lights, and cameras.
  - Technical controls include encryption, smartcards, and access control lists.
  - Administrative controls include the training, awareness, and policy efforts.

Risk Management

- Business Impact Analysis (BIA)
  - maximum tolerable downtime (MTD), which provides a means to prioritize the recovery of assets should the worst occur
  - business continuity plan (BCP) includes a disaster recovery plan (DRP), addressing exactly what to do to recover any lost data or services

Risk Management

- Numbers and values
  - ALE (annualized loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy)
    - SLE is the exposure factor (EF) multiplied by the asset value
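As an added worked example (not from the slides), the following Python computes SLE and ALE for a small constructed risk register, ranks the entries by ALE so the "numbers and values" become a priority order, and, going one step beyond the slide, compares a control's annual cost with the ALE reduction it buys. The asset names, values, and the hypothetical control are all constructed.

```python
"""Quantitative risk figures from the slide: SLE = EF x asset value, ALE = ARO x SLE.

Added example, not from the CIS 4500 slides. The risk register below is
constructed for illustration; the values are not real figures.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # replacement value of the asset, in currency units
    exposure_factor: float  # EF: fraction of the asset value lost in one incident (0.0-1.0)
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = EF x asset value (loss from a single occurrence)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO x SLE (expected loss per year)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def rank_register(register: list[Risk]) -> list[tuple[str, str, float, float]]:
    """Return (asset, threat, SLE, ALE) rows sorted by ALE, highest first.

    Sorting by ALE is how a BIA-style prioritisation turns the raw numbers
    into a recovery/mitigation order.
    """
    rows = []
    for r in register:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        ale = annualized_loss_expectancy(sle, r.aro)
        rows.append((r.asset, r.threat, sle, ale))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control (goes beyond the slide): ALE reduction minus
    the control's annual cost. Positive means 'mitigate' beats 'accept'."""
    return (ale_before - ale_after) - annual_cost


# Constructed sample register (values chosen to be exact in binary floating point).
SAMPLE_REGISTER = [
    Risk("customer database", "data breach", 800_000, 0.5, 0.5),
    Risk("web storefront", "DDoS outage", 200_000, 0.25, 2.0),
    Risk("office laptops", "theft", 40_000, 1.0, 0.25),
]

if __name__ == "__main__":
    for asset, threat, sle, ale in rank_register(SAMPLE_REGISTER):
        print(f"{asset:18} {threat:14} SLE={sle:>10,.0f} ALE={ale:>10,.0f}")
    # Hypothetical control costing 30,000/yr that cuts the database ARO from 0.5 to 0.125,
    # i.e. ALE from 200,000 to 50,000.
    print("safeguard value:", safeguard_value(200_000, 50_000, 30_000))
```

The ranking puts the customer database first (ALE 200,000) even though the storefront is hit four times as often, which is the point of multiplying frequency by impact rather than looking at either alone.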

CIA Triad of Security

- Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation, accuracy, and authenticity
- Availability, which means ensuring timely and reliable access to, and use of, information
- Confidentiality, which means preserving authorized restrictions on access and disclosure, including a means for protecting personal privacy and proprietary information

Access Control

- Prevent unauthorized access
- Access
- Authentication
- Access control matrix
- Access control lists (ACLs)
  - discretionary access control (DAC)
  - mandatory access control (MAC)
  - role-based access control (RBAC)

Discretionary Access Control (DAC)

... “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.” ...

Mandatory Access Control (MAC)

... “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”

Role-based Access Control (RBAC)

The roles are assigned the access permissions necessary to perform the tasks associated with the role. Users will thus be granted permissions to objects in terms of the specific duties they must perform.
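The three models above, as an added Python example that is not part of the slides or of any product: a small access control matrix whose columns are ACLs, with discretionary delegation (DAC); a label-versus-clearance check (MAC, here using the Bell-LaPadula no-read-up and no-write-down rules, which the definition implies but the slide does not name); and a role-to-permission mapping in which users hold permissions only through roles (RBAC). All subjects, objects, labels, and roles are constructed.

```python
"""Three access-control models from the slides, as a minimal decision engine.

Added example, not from the CIS 4500 slides. Subjects, objects, labels and
roles are constructed; the MAC rules follow Bell-LaPadula.
"""
from __future__ import annotations


# --- Access control matrix / ACLs with discretionary delegation (DAC) ---------
class DacMatrix:
    """Rows are subjects, columns are objects, cells are permission sets.
    Stored column-wise, so each object's column is its ACL."""

    def __init__(self) -> None:
        self.acl: dict[str, dict[str, set[str]]] = {}

    def create(self, owner: str, obj: str) -> None:
        # The creator owns the object and may pass permissions on.
        self.acl[obj] = {owner: {"read", "write", "grant"}}

    def grant(self, granter: str, obj: str, grantee: str, perm: str) -> None:
        # Discretionary: a subject holding a permission (plus 'grant') may hand it on.
        held = self.acl.get(obj, {}).get(granter, set())
        if not {"grant", perm} <= held:
            raise PermissionError(f"{granter} may not grant {perm} on {obj}")
        self.acl[obj].setdefault(grantee, set()).add(perm)

    def allowed(self, subject: str, obj: str, perm: str) -> bool:
        return perm in self.acl.get(obj, {}).get(subject, set())


# --- Label-based control (MAC) ------------------------------------------------
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allowed(clearance: str, label: str, perm: str) -> bool:
    """Subject clearance vs. object sensitivity label.
    read: clearance >= label (no read up); write: clearance <= label (no write down)."""
    c, l = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return c >= l
    if perm == "write":
        return c <= l
    return False


# --- Role-based control (RBAC) ------------------------------------------------
class Rbac:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}
        self.user_roles: dict[str, set[str]] = {}

    def define_role(self, role: str, perms: set[tuple[str, str]]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, obj: str, perm: str) -> bool:
        # Users hold permissions only through their roles, never directly.
        return any((obj, perm) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


def demo() -> dict[str, bool]:
    """Run the three models on constructed data and return each decision."""
    dac = DacMatrix()
    dac.create("alice", "report.doc")
    dac.grant("alice", "report.doc", "bob", "read")
    bob_delegated = True
    try:
        dac.grant("bob", "report.doc", "carol", "read")   # bob holds read but not grant
    except PermissionError:
        bob_delegated = False

    rbac = Rbac()
    rbac.define_role("payroll_clerk", {("payroll.db", "read"), ("payroll.db", "write")})
    rbac.define_role("auditor", {("payroll.db", "read")})
    rbac.assign("dave", "auditor")

    return {
        "dac_bob_read": dac.allowed("bob", "report.doc", "read"),
        "dac_bob_write": dac.allowed("bob", "report.doc", "write"),
        "dac_bob_delegated": bob_delegated,
        "mac_confidential_reads_secret": mac_allowed("confidential", "secret", "read"),
        "mac_secret_reads_internal": mac_allowed("secret", "internal", "read"),
        "mac_secret_writes_public": mac_allowed("secret", "public", "write"),
        "rbac_dave_read": rbac.allowed("dave", "payroll.db", "read"),
        "rbac_dave_write": rbac.allowed("dave", "payroll.db", "write"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32} {'ALLOW' if decision else 'DENY'}")
```

The contrast to notice: in DAC the owner decides who else may read, and only a subject holding the grant right can extend that further; in MAC no owner decision is involved at all, the labels decide; in RBAC changing what an auditor may do is a change to the role, not to each user.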

Access Control Evaluation

- “Rainbow Series” - “Orange Book,” which held something known as the Trusted Computer System Evaluation Criteria (TCSEC).
- Common Criteria for Information Technology Security Evaluation (also known as Common Criteria, or CC).
  - It provides a way for vendors to make claims about their in-place security by following a set standard of controls and testing methods, resulting in something called an Evaluation Assurance Level (EAL: 1-7).

Common Criteria

- A testing standard designed to reduce or remove vulnerabilities from a product before it is released.
- Evaluation Assurance Level (EAL): a set standard of controls and testing methods
- Target of evaluation (TOE): what is being tested
- Security target (ST): the documentation describing the TOE and security requirements
- Protection profile (PP): a set of security requirements specifically for the type of product being tested

Security Policies

- Access Control Policy: This identifies the resources that need protection and the rules in place to control access to those resources.
- Information Security Policy: This identifies to employees what company systems may be used for, what they cannot be used for, and what the consequences are for breaking the rules. Generally employees are required to sign a copy before accessing resources. Versions of this policy are also known as an Acceptable Use Policy.
- Information Protection Policy: This defines information sensitivity levels and who has access to those levels. It also addresses how data is stored, transmitted, and destroyed.
- Password Policy: This defines everything imaginable about passwords within the organization, including length, complexity, maximum and minimum age, and reuse.
- E-mail Policy: Sometimes also called the E-mail Security Policy, this addresses the proper use of the company e-mail system.
- Information Audit Policy: This defines the framework for auditing security within the organization. When, where, how, how often, and sometimes even who conducts information security audits are described here.
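The Password Policy bullet lists length, complexity, maximum and minimum age, and reuse. As an added Python example, not from the slides, here are those rules turned into an enforceable check against a constructed account history. The thresholds (12 characters, 3 character classes, 90-day maximum age, 1-day minimum age, 5 remembered passwords) are assumptions, and PBKDF2 with a per-account salt is used so the reuse check never has to keep old passwords in plaintext.

```python
"""A password policy (length, complexity, max/min age, reuse) as code.

Added example, not from the CIS 4500 slides. Policy numbers and the
sample account history are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_character_classes: int = 3   # of: lower, upper, digit, symbol
    max_age_days: int = 90           # must be changed after this many days
    min_age_days: int = 1            # may not be changed again before this
    history_size: int = 5            # recent passwords that may not be reused


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored history never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountHistory:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    previous_hashes: list[bytes] = field(default_factory=list)
    days_since_change: int = 0

    def remember(self, password: str, policy: PasswordPolicy) -> None:
        """Record a newly set password and trim history to the policy size."""
        self.previous_hashes.append(_hash(password, self.salt))
        self.previous_hashes = self.previous_hashes[-policy.history_size:]
        self.days_since_change = 0


def character_classes(password: str) -> int:
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def violations(candidate: str, history: AccountHistory, policy: PasswordPolicy) -> list[str]:
    """Return every rule the candidate breaks (empty list means accepted)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(candidate) < policy.min_character_classes:
        problems.append(f"fewer than {policy.min_character_classes} character classes")
    # Minimum age only applies once a password has been set at least once.
    if history.previous_hashes and history.days_since_change < policy.min_age_days:
        problems.append("changed too recently (minimum age)")
    digest = _hash(candidate, history.salt)
    if any(hmac.compare_digest(digest, old) for old in history.previous_hashes):
        problems.append(f"reused one of the last {policy.history_size} passwords")
    return problems


def change_required(history: AccountHistory, policy: PasswordPolicy) -> bool:
    """Maximum age: has the current password expired?"""
    return history.days_since_change >= policy.max_age_days


if __name__ == "__main__":
    # Constructed walk-through of one account.
    policy = PasswordPolicy()
    acct = AccountHistory()
    acct.remember("Correct-Horse-Battery-7", policy)
    acct.days_since_change = 95
    print("expired:", change_required(acct, policy))
    print(violations("short1", acct, policy))
    print(violations("Correct-Horse-Battery-7", acct, policy))
    print(violations("Stapler-Sunrise-42", acct, policy))
```

The minimum-age rule exists to make the reuse rule effective: without it a user could cycle through five throwaway passwords in a minute and land back on the old one, which is exactly the sequence the last test case exercises.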

Hacker

- A hacker uses a specialized set of tools, techniques, knowledge, and skills to bypass computer security measures.

Hacker Classifications: The Hats

- White hats: Considered the good guys, these are the ethical hackers, hired by a customer for the specific goal of testing and improving security or for other defensive purposes. White hats are well respected and don’t use their knowledge and skills without prior consent. White hats are also known as security analysts.
- Black hats: Considered the bad guys, these are the crackers, illegally using their skills for either personal gain or malicious intent. They seek to steal (copy) or destroy data and to deny access to resources and systems. Black hats do not ask for permission or consent.
- Gray hats: The hardest group to categorize, these hackers are neither good nor bad. Generally speaking, there are two subsets of gray hats—those who are simply curious about hacking tools and techniques and those who feel like it’s their duty, with or without customer permission, to demonstrate security flaws in systems. In either case, hacking without a customer’s explicit permission and direction is usually a crime.

Attack Types

- Operating system (OS) attacks – these attacks target the common mistake many people make when installing operating systems—accepting and leaving all the defaults. Administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about. Additionally, operating systems are never released fully secure—they can’t be, if you ever plan on releasing them within a timeframe of actual use—so the potential for an old vulnerability in newly installed operating systems is always a plus for the ethical hacker.

Attack Types

- Application-level attacks - these are attacks on the actual programming code and software logic of an application. Although most people are cognizant of securing their OS and network, it’s amazing how often they discount the applications running on their OS and network. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built into them. Applications on a network are a gold mine for most hackers.
- Shrink-wrap code attacks - these attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. The old refrain “Why reinvent the wheel?” is often used to describe this attack type. Why spend time writing code to attack something when you can buy it already “shrink-wrapped”? These scripts and code pieces are designed to make installation and administration easier but can lead to vulnerabilities if not managed appropriately.
- Misconfiguration attacks - these attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. Remember the triangle earlier and the maxim “As security increases, ease of use and functionality decrease”? This type of attack takes advantage of the administrator who simply wants to make things as easy as possible for the users. Perhaps to do so, the admin will leave security settings at the lowest possible level, enable every service, and open all firewall ports. It’s easier for the users but creates another gold mine for the hacker.

Phases of Hacking
[diagram only]

Ethical Hacker

- A hacker uses a specialized set of tools, techniques, knowledge, and skills to bypass computer security measures.
- An ethical hacker is someone who employs the same tools and techniques a criminal might use, with the customer’s full support and approval, to help secure a network or system.

Penetration Testing

- A penetration test is a clearly defined, full-scale test of the security controls of a system or network in order to identify security risks and vulnerabilities.
- The preparation phase defines the time period during which the actual contract is hammered out. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon in this phase.
- The assessment phase (sometimes also known as the security evaluation phase or the conduct phase) is exactly what it sounds like—the actual assaults on the security controls are conducted during this time.
- The conclusion (or post-assessment) phase defines the time when final reports are prepared for the customer, detailing the findings of the tests (including the types of tests performed) and many times even providing recommendations to improve security.

Laws and Regulations

- FISMA - Federal Information Security Management Act
- Electronic Communications Privacy Act
- PATRIOT Act
- Privacy Act of 1974 (5 U.S.C. § 552a)
- Computer Fraud (18 U.S.C. § 1030)
- CISPA - Cyber Intelligence Sharing and Protection Act
- Data Security and Breach Notification Act
- Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999
- Computer Security Act of 1987
- HIPAA - Health Insurance Portability and Accountability Act
- SOX - Sarbanes-Oxley Act
- PCI-DSS - Payment Card Industry Data Security Standard
- COBIT - Control Objectives for Information and Related Technology
- ISO/IEC 27001:2013 - creating, maintaining, and improving organizational information security systems
- GDPR - EU General Data Protection Regulation
- NIST SP 800, SP 1800
- EO 13636

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!