Datasheet

ManualsBrandsFor Dummies Manualsbooks978-0-470-55093-9

Chapter 1

Introduction to Ethical Hacking

In This Chapter

▶ Understanding hackers’ and malicious users’ objectives

▶ Differentiating between ethical hackers and malicious attackers

▶ Examining how the ethical hacking process came about

▶ Understanding the dangers that your computer systems face

▶ Starting to use the ethical hacking process

his book is about hacking ethically — the methodology of testing your

computers and networks for security vulnerabilities and plugging the

holes you find before the bad guys get a chance to exploit them.

Although ethical is an often overused and misunderstood word, Webster’s

New World Dictionary defines ethical perfectly for the context of this book

and the professional security testing techniques that I cover — that is,

“conforming to the standards of conduct of a given profession or group.”

IT and information security practitioners are obligated to perform the

tests covered in this book aboveboard and only after permission has been

obtained by the owner(s) of the systems — hence the disclaimer in this

book’s Introduction.

Straightening Out the Terminology

Most people have heard of hackers and malicious users. Many have even

suffered the consequences of hackers’ criminal actions. So who are these

people? And why do you need to know about them? The next few sections

give you the lowdown on these attackers.

In this book, I use the following terminology:

COPYRIGHTED MATERIAL

Summary of content (16 pages)

PAGE 1
Chapter 1 In This Chapter RI ▶ Understanding hackers’ and malicious users’ objectives AL Introduction to Ethical Hacking ▶ Differentiating between ethical hackers and malicious attackers TE ▶ Examining how the ethical hacking process came about ▶ Starting to use the ethical hacking process D T MA ▶ Understanding the dangers that your computer systems face TE his book is about hacking ethically — the methodology of testing your computers and networks for security vulnerabilities and plugging the
PAGE 2
10 Part I: Building the Foundation for Ethical Hacking ✓ Hackers (or external attackers) try to compromise computers and sensitive information for ill-gotten gains — usually from the outside — as an unauthorized user. Hackers go for almost any system they think they can compromise. Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases an attacker’s status in hacker circles.
PAGE 3
Chapter 1: Introduction to Ethical Hacking Defining malicious user Malicious users — meaning a rogue employee, contractor, intern, or other user who abuses his or her privileges — is a common term in security circles and in headlines about information breaches. A long-standing statistic states that insiders carry out 80% of all security breaches.
PAGE 4
12 Part I: Building the Foundation for Ethical Hacking If you perform ethical hacking tests for clients or simply want to add another certification to your credentials, you might want to consider becoming a Certified Ethical Hacker (C|EH), through a certification program sponsored by EC-Council. See www.eccouncil.org/CEH.htm for more information. Ethical hacking versus auditing Many people confuse ethical hacking with security auditing but there are big differences.
PAGE 5
Chapter 1: Introduction to Ethical Hacking (HIPAA), Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) CIP requirements, and Payment Card Industry Data Security Standard (PCI DSS) require periodic and consistent security evaluations. Incorporating your ethical hacking into these required tests is a great way to meet the state and federal regulations and beef up your overall privacy and security compliance program.
PAGE 6
14 Part I: Building the Foundation for Ethical Hacking Anticipating all the possible vulnerabilities you’ll have in your systems and business processes is impossible. You certainly can’t plan for all possible attacks — especially the unknown ones. However, the more combinations you try and the more you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.
PAGE 7
Chapter 1: Introduction to Ethical Hacking Social engineering is the exploitation of the trusting nature of human beings to gain information for malicious purposes. Check out Chapter 5 for more information about social engineering and how to guard your systems against it. Other common and effective attacks against information systems are physical.
PAGE 8
16 Part I: Building the Foundation for Ethical Hacking Application and other specialized attacks Applications take a lot of hits by hackers. Programs, such as e-mail server software and Web applications, are often beaten down: ✓ Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these services from the Internet.
PAGE 9
Chapter 1: Introduction to Ethical Hacking Respecting privacy Treat the information you gather with the utmost respect. All information you obtain during your testing — from Web application log files to clear text passwords to personally identifiable information and beyond — must be kept private. Don’t snoop into confidential corporate information or employees’ private lives.
PAGE 10
18 Part I: Building the Foundation for Ethical Hacking If you choose to hire a “reformed” hacker to work with you during your testing or to obtain an independent perspective, be careful. I cover the pros, cons, do’s, and don’ts associated with hiring an ethical hacker in Chapter 18. Formulating your plan Getting approval for ethical hacking is essential. Make sure that what you’re doing is known and visible — at least to the decision makers. Obtaining sponsorship of the project is the first step.
PAGE 11
Chapter 1: Introduction to Ethical Hacking Handle social engineering and DoS attacks carefully. Determine how they affect the systems you test and your entire organization. ✓ Dates the tests will be performed and your overall timeline: Determining when the tests are performed is something that you must think long and hard about.
PAGE 12
20 Part I: Building the Foundation for Ethical Hacking Selecting tools As with any project, if you don’t have the right tools for ethical hacking, you might have difficulty accomplishing the task effectively. Having said that, just because you use the right tools doesn’t mean that you’ll discover all the right vulnerabilities. Know the personal and technical limitations. Many vulnerability scanners generate false positives and negatives (incorrectly identifying vulnerabilities).
PAGE 13
Chapter 1: Introduction to Ethical Hacking ✓ SuperScan ✓ QualysGuard ✓ WebInspect ✓ Proactive Password Auditor ✓ Metasploit ✓ LANguard ✓ AirMagnet WiFi Analyzer I discuss these tools and many others in Parts II through V when I go into the specific hack attacks. Appendix A contains a more comprehensive listing of these tools for your reference. The capabilities of many security and hacking tools are often misunderstood.
PAGE 14
22 Part I: Building the Foundation for Ethical Hacking Executing the plan Good ethical hacking takes persistence. Time and patience are important. Be careful when you’re performing your ethical hacking tests. A hacker in your network or a seemingly benign employee looking over your shoulder might watch what’s going on and use this information against you or your business. Making sure that no hackers are on your systems before you start isn’t practical.
PAGE 15
Chapter 1: Introduction to Ethical Hacking Submit a formal report to upper management or to your client, outlining your results and any recommendations you wish to share. Keep these parties in the loop to show that your efforts and their money are well spent. Chapter 16 describes the ethical hacking reporting process. Moving on When you finish your ethical hacking tests, you (or your client) still need to implement your recommendations to make sure the systems are secure.
PAGE 16
24 Part I: Building the Foundation for Ethical Hacking