Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking
Introduction to Ethical Hacking
Goals
• Describe ethical hacking
• Explain the purpose of ethical hacking
• Describe the components of information security
• Describe attack vectors
• Describe threat management
• Describe security policies
• Describe security controls
• Explain what a vulnerability assessment is
• Describe laws related to information security
Module 1.0 Introduction to Ethical Hacking
• 1.1 Information Security Overview
• 1.2 Information Security Threats and Attack Vectors
• 1.3 Hacking Concepts, Types, and Phases
• 1.4 Ethical Hacking Concepts and Scope
• 1.5 Information Security Controls
• 1.6 Penetration Testing Concepts
• 1.7 Information Security Laws and Standards
1.1 Information Security Overview
• Essential Terminology
• Elements of Information Security
• Security, Functionality, and Usability
Essential Terminology
• Confidentiality - Integrity - Availability (CIA) triangle
• Vulnerability
• Risk
• Threat
• Non-repudiation
• Mitigation
• Control
Essential Terminology
• Hack Value – the notion among hackers that a target is worth attacking or is interesting
• Vulnerability – a weakness in design or implementation
• Exploit – a breach of system security that takes advantage of a vulnerability
• Payload – the part of the exploit code that performs the intended malicious action
• Zero-Day Attack – an attack that exploits a vulnerability before a patch is available
• Daisy Chain – gaining access to one network or computer and then using the same information to gain access to multiple networks
• Doxing – publishing personal identity information
• Bot – an application that can be controlled remotely
Elements of Information Security
• The organization is safe from theft, tampering, and disruption of information services
• Includes:
  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
  • Non-Repudiation
Security, Functionality, and Usability Triangle
• The combination of the three defines the level of security
  • Functionality – available features
  • Usability – graphical user interface and other aids to the user
  • Security – restrictions
• Balance is necessary
• More Security = Less Usability and Less Functionality
1.2 Information Security Threats and Attack Vectors
• Motives, Goals, and Objectives of Information Security Attacks
• Top Information Security Attack Vectors
• Information Security Threat Categories
• Types of Attacks on a System
• Information Warfare
Motives, Goals, and Objectives
• Attacks = Motive (Goal) + Method + Vulnerability
• Top Motives
  • Disrupt business continuity
  • Data theft
  • Changing data
  • Disrupt critical infrastructure; cause chaos
  • Religious or political motives
  • Achieve military objectives
  • Destroy organization reputation
  • Revenge
Top Attack Vectors
• Cloud Computing Threats
• Advanced Persistent Threats
• Viruses and Worms
• Mobile Threats
• Botnets
• Insider Attacks
Information Security Threat Categories
• Network Threats
• Host Threats
• Application Threats
• People, Processes, Technology

Network Threats
• Information gathering
• Sniffing
• Spoofing
• Session Hijacking
• Man-in-the-middle Attacks
• DNS and ARP Poisoning
• Password Attacks
• Denial of Service Attacks (DoS)
• Compromised Key Attacks
• Firewall and IDS Attacks

Host Threats
• Malware Attacks
• Footprinting
• Password Attacks
• Denial of Service Attacks
• Arbitrary Code Execution
• Unauthorized Access
• Privilege Escalation
• Backdoor Attacks
• Physical Threats

Application Threats
• Improper Data/Input Validation
• Authentication Attacks
• Authorization Attacks
• Security Misconfigurations
• Information Disclosure
• Broken Session Management
• Buffer Overflows
• Cryptography Attacks
• SQL Injection
• Improper Error Handling/Exception Management
System Attacks
• Operating System Attacks – buffer overflows, bugs, unpatched systems
• Misconfiguration Attacks – web servers, applications, databases, networks, frameworks
• Application-level Attacks – buffer overflows, cross-site scripting, SQL injection, man-in-the-middle, session hijacking, denial-of-service
• Shrink-Wrap Code Attacks – default configurations and settings, and vulnerabilities in off-the-shelf software
Information Warfare
• Information warfare is the use of information and communication technology (ICT) to gain an advantage over, or to attack, an opponent
• Defensive Information Warfare – defensive strategies and actions against attacks
  • Prevention, deterrence, alerts, detection, emergency preparedness, response
• Offensive Information Warfare – attacks against ICT assets
  • Web application attacks, web server attacks, malware attacks, MITM attacks, system hacking
1.3 Hacking Concepts, Types, and Phases
• What is Hacking?
• Who is a Hacker?
• Classes of Hackers
• Hacking Phases
What is Hacking
• Exploiting system vulnerabilities and compromising security to gain unauthorized access to system resources
• Modifying system or application features to achieve a goal
• Used to steal and redistribute intellectual property, leading to business loss
Who is a Hacker
• Intelligent people with excellent computer and networking skills who explore a system or network
• Hobbyists testing the vulnerabilities of systems and networks
• Anyone who breaks into systems to gain knowledge, for legal or illegal purposes
Hacker Classes
• Black Hats
• White Hats
• Gray Hats
• Suicide Hackers
• Script Kiddies
• Cyber Terrorists
• State Sponsored Hackers
• Hacktivists
Hacking Phases
• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Clearing Tracks
Reconnaissance
• Reconnaissance is the preparation phase: gathering information about the target
• The attacker may return to this phase later
• Could include the organization’s clients, employees, operations, networks, and systems
• Passive Reconnaissance – gaining information without interacting with the target
• Active Reconnaissance – interacting with the target directly, e.g. phoning the helpdesk or contacting the IS department
Scanning
• Pre-Attack – scanning the network using the information gathered during reconnaissance
• Port Scanning – probing ports for services and vulnerabilities
• The attacker targets systems that can be penetrated
Gaining Access
• Gaining access to the operating system or an application on a system or network
• The attacker gains access and escalates privileges to compromise the system, the network, and intermediate systems
• Examples include password cracking, buffer overflows, denial of service, session hijacking
Maintaining Access
• The attacker attempts to take and retain ownership of the systems
• Attackers use backdoors, rootkits, or trojans to keep others from re-taking ownership
• Attackers upload, download, and manipulate data, applications, and configurations on the owned systems
• Attackers use the compromised system to launch further attacks
Clearing Tracks
• Covering tracks refers to the activities an attacker uses to hide his or her malicious acts
• The attacker intends to continue access, remain unnoticed, and delete evidence to avoid prosecution
• The attacker overwrites server, system, and application logs to avoid suspicion
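The defensive counterpart to the "clearing tracks" phase is making log tampering detectable. The following added example (not from the course slides) keeps an HMAC hash chain over a constructed set of log lines: every tag commits to the previous tag, so editing or removing a line breaks the chain at that point, and if a remote log collector records the most recent tag, silently truncating the tail is detected too. The key, the sample log lines, and the function names are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z sshd[412]: Accepted publickey for ops from 10.0.5.4",
    "2024-01-01T10:00:07Z sudo: ops : COMMAND=/usr/bin/systemctl restart nginx",
    "2024-01-01T10:02:33Z sshd[498]: Failed password for root from 203.0.113.9",
    "2024-01-01T10:02:40Z sshd[498]: Accepted password for root from 203.0.113.9",
]

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    # Each tag commits to the previous tag and to the current line.
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_logs(lines, key: bytes):
    """Return [(line, tag_hex), ...] with each tag chained to the one before."""
    entries, prev = [], GENESIS
    for line in lines:
        tag = _tag(key, prev, line)
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def verify_chain(entries, key: bytes, last_known_tag_hex=None):
    """Return None if the chain is intact, otherwise the index of the first
    entry that does not fit. If the collector recorded the most recent tag
    (last_known_tag_hex) and the chain stops short of it, trailing lines were
    deleted; that is reported as a break at index len(entries)."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if last_known_tag_hex is not None and not hmac.compare_digest(
        prev.hex(), last_known_tag_hex
    ):
        return len(entries)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice held by the log collector, not the host
    entries = chain_logs(SAMPLE_LOG, key)
    print("intact:", verify_chain(entries, key))
    # Rewriting the last line, as an attacker hiding a login would, breaks the chain there.
    tampered = entries[:3] + [(entries[3][0].replace("Accepted", "Failed"), entries[3][1])]
    print("first bad entry after edit:", verify_chain(tampered, key))
    # Deleting the tail is only visible when the collector knows the last tag.
    print("truncation detected at:", verify_chain(entries[:3], key, entries[-1][1]))
```

The HMAC key must not live on the monitored host in the clear, or an attacker with root can simply re-chain the edited log; ship the tags (or at least the latest tag) to a separate collector as they are produced.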
1.4 Ethical Hacking Concepts and Scope
• What is Ethical Hacking?
• Why Ethical Hacking is Necessary
• Skills of an Ethical Hacker
What is Ethical Hacking
• Ethical hacking allows a security professional to use hacking tools, tricks, and techniques to identify vulnerabilities and make sure the organization’s systems are secure
• The security professional focuses on simulating attacker techniques to find any exploitable vulnerabilities
• Ethical hackers perform security assessments of their organization with the permission of the organization’s authorities
Is Ethical Hacking Necessary
• Keep ahead of unethical hackers and allow the organization to counter attacks
• To prevent hackers
• To uncover vulnerabilities
• To analyze and strengthen an organization’s security posture
Is Ethical Hacking Necessary continued
• What can an intruder see?
• What can an intruder do?
• Have any intrusions been detected?
• Are the components of the information system protected and patched properly?
• How much effort, time, and money is needed to have adequate protections?
• Are the information security measures in compliance with industry and legal standards?
Skills of an Ethical Hacker
• Technical skills include:
  • In-depth knowledge of major operating environments, concepts, technologies, and related hardware and software
  • Being a computer expert who understands technical domains
  • Security knowledge and experience
  • Understanding of sophisticated attacks
• Non-technical skills include:
  • Ability to learn and adapt to new technologies quickly
  • Strong work ethics
  • Commitment to the organization’s security and policies
  • Understanding of local, state, and federal laws and organizational compliance
1.5 Information Security Controls
• Information Security Management Program
• Threat Modeling
• Enterprise Information Security Architecture (EISA)
• Network Security Zoning
• Information Security Policies
• Physical Security
• Incident Management
• Types of Vulnerability Assessments
• Vulnerability Research
Information Assurance (IA)
• IA is the assurance that the confidentiality, integrity, availability, and authenticity of information and information systems are protected at all times
• IA is achieved by:
  • Developing, implementing, and adhering to network and local policies
  • Designing proper user authentication
  • Identifying network vulnerabilities and threats
  • Identifying resource requirements
  • Applying proper information assurance controls
  • Performing certification and accreditation
  • Providing and requiring information assurance training
Information Security Management Program
• These are programs that allow organizations to reduce risks
• They are used in all aspects of the organization and across all security principles
• They are a combination of well-defined policies, processes, procedures, standards, and guidelines that establish the required level of information security
Information Security Framework
• Each piece of the framework is important
  • Security Policy
  • Roles and Responsibilities
  • Security Guidelines and Frameworks
• Popular frameworks
  • PCI DSS
  • ISO 27001/27002
  • CIS Critical Security Controls
  • NIST Framework for Improving Critical Infrastructure
Information Security Management Framework
Security Framework Example
Threat Modeling
• Threat modeling is a risk assessment approach used to analyze the current security of an application by capturing, organizing, and analyzing the information that affects it
• Steps:
  • Identify Security Objectives
  • Application Overview
  • Deconstruct Application
  • Identify Threats
  • Identify Vulnerabilities
Enterprise Information Security Architecture (EISA)
• Enterprise Information Security Architecture is a set of requirements, processes, principles, and models that defines the structure and behavior of an organization’s information systems
• Monitors and detects network behavior and acts on risks
• Helps the organization detect and recover from security breaches
• Prioritizes the organization’s resources and examines threats
• Helps the organization understand cost and benefit
• Identifies assets and helps information system personnel function properly
• Helps perform risk assessment
Network Security Zoning
• Network security zoning allows an organization to manage security by assigning security levels to different areas of the Internet and intranet
• Allows monitoring and control of inbound and outbound traffic
• Examples:
  • Internet Zone – uncontrolled zone; outside the organization
  • Internet DMZ Zone – controlled zone; the defense between the internal network and the Internet
  • Production Zone – restricted zone; access is strictly controlled
  • Intranet Zone – controlled zone; no extreme restrictions
  • Management Zone – secured zone; with strict policies
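As an added example (not from the course slides), the five zones above can be expressed as a default-deny, zone-to-zone allow-list that a defender can both enforce and audit. The allowed flows, port numbers, and function names below are assumptions constructed for illustration; the lint rule encodes the slide's point that the DMZ is the only zone the uncontrolled Internet should reach directly.

```python
from dataclasses import dataclass

# The five zones from the slide.
ZONES = {"internet", "dmz", "intranet", "production", "management"}

# Constructed allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied (default deny).
ALLOWED_FLOWS = {
    ("internet", "dmz", 443),          # public web front-end
    ("dmz", "production", 5432),       # web tier talks to the database tier
    ("intranet", "dmz", 443),          # staff reach the same public app
    ("intranet", "internet", 443),     # outbound browsing via the DMZ proxy
    ("management", "dmz", 22),         # admins manage hosts in every controlled zone
    ("management", "production", 22),
    ("management", "intranet", 22),
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def is_allowed(flow: Flow, policy=ALLOWED_FLOWS) -> bool:
    """Zone policy decision for a single flow (default deny)."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    if flow.src_zone == flow.dst_zone:
        return True  # intra-zone traffic is outside the scope of zone policy
    return (flow.src_zone, flow.dst_zone, flow.dst_port) in policy


def audit(flows, policy=ALLOWED_FLOWS):
    """Split observed flows into those the policy permits and those it denies."""
    allowed, denied = [], []
    for f in flows:
        (allowed if is_allowed(f, policy) else denied).append(f)
    return allowed, denied


def policy_lint(policy):
    """Return rules that let the uncontrolled Internet zone bypass the DMZ.

    The DMZ is the defense between the internal network and the Internet, so
    any rule whose source is 'internet' and destination is not 'dmz' violates
    the zoning model regardless of port."""
    return {rule for rule in policy if rule[0] == "internet" and rule[1] != "dmz"}


if __name__ == "__main__":
    # Constructed flows as a firewall log might summarise them.
    observed = [
        Flow("internet", "dmz", 443),
        Flow("internet", "production", 5432),   # attacker going straight for the database tier
        Flow("dmz", "management", 22),          # compromised web host probing the management zone
    ]
    ok, bad = audit(observed)
    print("permitted:", ok)
    print("denied:", bad)
    print("policy lint:", policy_lint(ALLOWED_FLOWS | {("internet", "management", 22)}))
```

Running `audit` over exported firewall or flow logs is a cheap way to confirm that what is actually traversing zone boundaries matches the intended zoning; running `policy_lint` against the rulebase catches a misconfiguration before it is deployed.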
Information Security Policies
• Information security policies are the basis of an organization’s security infrastructure
• They define the basic security requirements and rules to be implemented to protect and secure the organization’s assets
• Goals:
  • Maintain management and administration of network security
  • Protect computing resources
  • Avoid legal liabilities
  • Prevent waste of computing resources
  • Prevent unauthorized modification of data
  • Define user access rights
  • Protect confidential, proprietary information from theft, misuse, and unauthorized disclosure
Types of Security Policies
• Promiscuous Policy – no restrictions
• Permissive Policy – some restrictions, but only on known attacks
• Prudent Policy – maximum security; blocks all services unless the organization uses them
• Paranoid Policy – restricts everything; little or no Internet connectivity
Examples of Security Policies
• Access Control
• Remote Access
• Firewall Management
• Network Connection
• Password
• User Account
• Information Protection
• Special Access
• Email Security
• Acceptable Use
Privacy Policies in the Workplace
• Employers have access to employees’ personal information
• Rules for workplace privacy:
  • Limit the amount of information collected (as required by law)
  • Tell employees about the information being collected and keep them informed of any potential collection, use, and disclosure of personal information
  • Maintain accurate employee records
  • Provide employees access to their personal information
  • Secure employees’ personal information
Create and Implement Security Policies
• Perform a risk assessment
• Use the proper type of organizational standards
• Include senior management
• Set penalties
• Create the finalized version
• Have a document of understanding signed by all staff
• Enforce policies
• Train employees
• Review and update regularly
HR/Legal Implications of Security Policy Enforcement
• Human Resources
  • Responsible for making employees aware of security policies
  • Security training for employees
  • Work with management to monitor policy implementation and violations
• Legal
  • Policies should be developed in consultation with legal experts
  • Additional attention to possible violation of employee rights must be considered
Physical Security
• Physical security is the first level of defense
• Physical security is the protection of organizational assets from all threats
  • Prevent unauthorized access
  • Prevent tampering with or theft of data
  • Prevent espionage, sabotage, damage, or theft
  • Prevent social engineering attacks
• Physical threats include:
  • Environmental – floods, fire, earthquakes, dust
  • Man-made – terrorism, wars, bombs, vandalism, or dumpster diving
Physical Security Controls
• Protection of:
  • Premises
  • Reception Area
  • Server and Workstation Areas
  • Any Equipment Areas
• Physical Access Control
• Computer and Equipment Maintenance Control
• Wiretapping
• Environmental Controls
Incident Management
• Incident management is the defined set of processes used to identify, analyze, prioritize, and resolve security incidents and to prevent future incidents
• Incident management includes:
  • Vulnerability Handling
  • Artifact Handling
  • Announcements
  • Alerts
  • Incident Handling – triage, response, reporting and detection, analysis
  • Other Incident Management Services
Incident Management Process
• Preparation for Incident Handling and Response
• Detection and Analysis
• Classification and Prioritization
• Notification
• Containment
• Forensic Investigation
• Eradication and Recovery
• Post-incident Activities
Responsibilities of the Incident Response Team
• Managing security issues using a proactive approach and responding effectively
• Providing a single point of contact for reporting security incidents
• Developing and reviewing processes and procedures
• Regularly reviewing legal and regulatory requirements
• Managing the response to an incident and making sure all procedures are followed properly to minimize and control damage
• Reviewing existing controls and recommending steps to keep up with technology
• Identifying and analyzing the incident, including its impact
• Working with local law enforcement and government agencies, partners, and suppliers
What is Vulnerability Assessment
• A vulnerability assessment is an inspection of a system’s or application’s ability to withstand attack
• Vulnerability assessments measure and classify security vulnerabilities in:
  • Computer systems
  • Networks
  • Communication channels
• Can be used to:
  • Identify weaknesses
  • Predict the effectiveness of additional security measures
Types of Vulnerability Assessments
• Active Assessment – uses a network scanner to find hosts, services, and vulnerabilities
• Passive Assessment – sniffs network traffic
• Host-based Assessment – specific to a certain server or workstation
• Internal Assessment – scans the internal infrastructure
• External Assessment – scans from outside to check for vulnerabilities
• Application Assessment – tests the web infrastructure for misconfigurations
• Network Assessment – checks network security
• Wireless Network Assessment – checks for vulnerabilities on the wireless network
Network Vulnerability Assessment Methodology
• Phase 1 – Acquisition
  • Collect documents
  • Review legal requirements
  • Review network security
  • List previously discovered vulnerabilities
• Phase 2 – Identification
  • Conduct interviews with customers and employees
  • Gather technical information about all network components
  • Identify industry standards for compliance
• Phase 3 – Analyzing
  • Review interviews
  • Analyze the results of previous vulnerability assessments
  • Analyze security vulnerabilities and identify risks
  • Perform threat and risk analysis
  • Analyze the effectiveness of existing security controls
  • Analyze the effectiveness of existing security policies
• Phase 4 – Evaluation
  • Determine the chance of exploitation of the identified vulnerabilities
  • Identify gaps between current and required security measures
  • Determine the controls required to mitigate the identified vulnerabilities
  • Identify upgrades required to the network vulnerability assessment process
• Phase 5 – Generating Reports
  • Present a draft of the analysis to be evaluated
  • The report should include:
    • Tasks performed by each team member
    • Methods used and findings
    • General and specific recommendations
    • Terms used and definitions
    • Information collected in all phases
  • All documents need to be stored in a secure database for generating the final report
Vulnerability Research
• Vulnerability research is the process of discovering vulnerabilities and design flaws that would allow operating systems and applications to be attacked or misused
• Vulnerabilities are classified by severity level (low, medium, or high) and by exploit range (local or remote)
• Security administrators need vulnerability research to:
  • Gather information regarding security trends, threats, and attacks
  • Find weaknesses and alert the network administrator before an attack
  • Get information that helps prevent security problems
  • Learn how to recover from a network attack
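The severity and exploit-range classification above, together with Phase 4 of the assessment methodology (determining the chance of exploitation and weighing existing controls), can be turned into a simple prioritization of assessment findings. The following added example (not from the course slides) scores constructed findings so that a remotely exploitable high-severity issue on an Internet-facing host rises to the top, and an issue already covered by a compensating control sinks. The weighting, the exposure and control factors, and the sample findings are assumptions chosen for illustration, not a standard.

```python
from dataclasses import dataclass

# Ratings from the slide: severity level and exploit range.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
EXPLOIT_RANGE = {"local": 1, "remote": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str          # low | medium | high
    exploit_range: str     # local | remote
    internet_facing: bool = False        # assumption: exposure doubles likelihood
    compensating_control: bool = False   # assumption: an existing control halves the score


def risk_score(f: Finding) -> float:
    """Risk = impact (severity) x likelihood (exploit range, adjusted for exposure)."""
    try:
        impact = SEVERITY[f.severity.lower()]
        likelihood = EXPLOIT_RANGE[f.exploit_range.lower()]
    except KeyError as bad:
        # Unrecognised ratings are rejected rather than silently scored as zero.
        raise ValueError(f"{f.host}/{f.title}: unrecognised rating {bad}") from None
    if f.internet_facing:
        likelihood *= 2
    score = float(impact * likelihood)
    if f.compensating_control:
        score /= 2
    return score


def prioritize(findings):
    """Highest risk first; ties broken by host and title for a stable report order."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.title))


# Constructed findings, as an assessment tool might report them.
SAMPLE_FINDINGS = [
    Finding("web01", "outdated web framework", "high", "remote", internet_facing=True),
    Finding("db01", "local privilege escalation in backup agent", "high", "local"),
    Finding("ws07", "SMB signing not required", "medium", "remote"),
    Finding("vpn01", "verbose banner discloses version", "low", "remote",
            internet_facing=True, compensating_control=True),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.host:6}  {f.severity:6}  {f.exploit_range:6}  {f.title}")
```

The output order (web01, ws07, db01, vpn01) is what a reviewer in Phase 4 would want the draft report to lead with: the high-severity local issue on db01 ranks below the medium remote one on ws07 because the latter can be reached without prior access, and the control already covering vpn01 keeps it at the bottom.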
Vulnerability Research Websites
• CodeRed Center (EC-Council)
• Microsoft Vulnerability Research (TechNet)
• Security Magazine
• SecurityFocus
• Help Net Security
• HackerStorm
• SC Magazine
• Computerworld
• Hacker Journal
• WindowsSecurity
Penetration Testing
• Penetration testing evaluates the security of the information or network system by simulating an attack to check for vulnerabilities
• Security measures are actively analyzed for any weaknesses, technical flaws, and vulnerabilities
• Pen testing also documents how the weaknesses can be exploited
• A report is generated for executive management and technical personnel
Why Penetration Testing
• Identify threats
• Reduce cost to the organization
• Provide assurance covering policy, procedure, design, and implementation
• Achieve and maintain certification under industry regulations
• Adopt best practices for compliance with legal and industry regulations
• Test and verify security protections and controls
• Best choice when upgrading existing infrastructure
• Highlights high-severity and application security issues to all involved teams and management
• Prepares the organization to prevent exploitation
• Tests and evaluates network security devices: firewalls, routers, web servers, etc.
Compare Security Audit, Vulnerability Assessment, and Penetration Testing
• Security Audit – checks whether the organization is following a set of standard security policies and procedures
• Vulnerability Assessment – focuses on discovering vulnerabilities in systems; does not include exploitation, or the damage that could result
• Penetration Testing – a method of security assessment that incorporates the security audit and vulnerability assessment and also considers whether the vulnerabilities can be exploited by attackers
Blue Teaming/Red Teaming
• Blue Team
  • A set of security responders who analyze an information system to assess the ability and efficiency of its security controls
  • Has access to all the organization’s resources and information
  • Primary role is to detect and mitigate red team activities and to be ready for surprise attacks
• Red Team
  • Ethical hackers who perform penetration testing with little or no access to the organization’s resources
  • Conducted with or without warning
  • Used to detect network and system vulnerabilities
  • Checks security from an attacker’s perspective
Types/Phases of Penetration Testing
• Black-box – no prior knowledge of the infrastructure; blind testing; double-blind testing
• White-box – complete knowledge of the infrastructure to be tested
• Grey-box – limited knowledge of the infrastructure to be tested
Security Testing Methodology
• OWASP – Open Web Application Security Project – for organizations that purchase, develop, and maintain software tools
• OSSTMM – Open Source Security Testing Methodology Manual – peer-reviewed methodology for performing high-quality tests: data controls, fraud and social engineering control levels, computer networks, wireless devices, mobile devices, physical security access controls
• ISSAF – Information Systems Security Assessment Framework – open-source framework providing security assessment guidance for security personnel
• EC-Council LPT Methodology – an industry-standard framework for comprehensive information system security auditing
1.7 Information Security Laws and Standards
• Payment Card Industry Data Security Standard (PCI-DSS)
• ISO/IEC 27001:2013
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Digital Millennium Copyright Act (DMCA) and Federal Information Security Management Act (FISMA)
• Cyber Law in Different Countries
Payment Card Industry Data Security Standard (PCI-DSS)
• The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary standard for organizations that handle cardholder information for debit, credit, prepaid, e-purse, ATM, and POS cards
• PCI DSS applies to all entities involved in payment card processing
• The PCI DSS requirements are developed and maintained by the PCI Security Standards Council; a high-level overview follows
Payment Card Industry Data Security Standard (PCI-DSS) Overview
• Build and maintain a secure network
• Implement strong access control measures
• Protect cardholder data
• Regularly monitor and test networks
• Maintain a vulnerability management program
• Maintain an information security policy
ISO/IEC 27001:2013
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and improving an information security management system within an organization
• Uses include:
  • Formulating security requirements and objectives within an organization
  • Managing security risks cost-effectively
  • Ensuring compliance with laws and regulations
  • Defining new information security management processes
  • Identifying and clarifying existing information security management processes
  • Use by management to determine the status of information security activities
  • Implementing business-enabling information security
  • Providing relevant information security information to customers
Health Insurance Portability and Accountability Act (HIPAA)
• Electronic Transactions and Code Set Standards
• Privacy Rule
• Security Rule
• National Identifier Rule
• Enforcement Rule
Sarbanes-Oxley Act (SOX)
• Enacted in 2002 for the protection of investors and the public
• Made up of 11 titles:
  • Title 1 – Public Company Accounting Oversight Board
  • Title 2 – Auditor Independence
  • Title 3 – Corporate Responsibility (financial reports)
  • Title 4 – Enhanced Financial Disclosures
  • Title 5 – Analyst Conflicts of Interest
  • Title 6 – Commission Resources and Authority
  • Title 7 – Studies and Reports
  • Title 8 – Corporate and Criminal Fraud Accountability
  • Title 9 – White Collar Crime Penalty Enhancement
  • Title 10 – Corporate Tax Returns
  • Title 11 – Corporate Fraud Accountability
Digital Millennium Copyright Act (DMCA) and Federal Information Security Management Act (FISMA)
• The Digital Millennium Copyright Act (DMCA)
  • Implements two 1996 treaties of the World Intellectual Property Organization
  • Defines legal prohibitions against circumventing technological protection measures
• Federal Information Security Management Act (FISMA)
  • Provides a comprehensive framework for ensuring the effectiveness of information security controls for federal operations and assets
  • Standards for categorizing information and systems by mission impact
  • Standards for minimum security requirements for information and systems
  • Guidance for selecting proper security controls for information and systems
  • Guidance for assessing security controls in information systems and their effectiveness
  • Guidance for security authorization of information systems
Cyber Law in Different Countries
• USA
• Australia
• United Kingdom
• China
• India
• Germany
• Italy
• Japan
• Canada
• Singapore
• South Africa
• South Korea
• Belgium
• Brazil
• Hong Kong
Cyber Law in US
Intro to Ethical Hacking Review
• Ethical hacking seeks to discover vulnerabilities before they are actually exploited
• Threats can be against hosts, the network, and applications
• Threats can also be viewed as against people, processes, and technology
• CIA is the foundation of all security
• Non-repudiation prevents someone from denying that they did something