Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Transcript of Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Page 1: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Page 2: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Introduction to Ethical Hacking

Page 3: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Goals

• Describe ethical hacking
• Explain the purpose of ethical hacking
• Describe the components of information security
• Describe attack vectors
• Describe threat management
• Describe security policies
• Describe security controls
• Explain what a vulnerability assessment is
• Describe laws related to information security

Page 4: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Module 1.0 Introduction to Ethical Hacking

• 1.1 Information Security Overview
• 1.2 Information Security Threats and Attack Vectors
• 1.3 Hacking Concepts, Types, and Phases
• 1.4 Ethical Hacking Concepts and Scope
• 1.5 Information Security Controls
• 1.6 Penetration Testing Concepts
• 1.7 Information Security Laws and Standards

Page 5: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

1.1 Information Security Overview

• Essential Terminology
• Elements of Information Security
• Security, Functionality, and Usability

Page 6: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Essential Terminology

• Confidentiality - Integrity - Availability (CIA) triangle
• Vulnerability
• Risk
• Threat
• Non-repudiation
• Mitigation
• Control

Page 7: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Essential Terminology

• Hack Value – how worthwhile a target is to an attacker
• Vulnerability – a weakness in design or implementation
• Exploit – a breach of a system by way of a vulnerability
• Payload – the part of the exploit code that performs the attacker's intended action
• Zero-Day Attack – an attack that occurs before a patch is available
• Daisy Chain – gaining access to multiple networks using the same information
• Doxing – publishing personal identity information
• Bot – an application that can be controlled remotely

Page 8: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Elements of Information Security

• The organization is safe from theft, tampering, and disruption of information services
• Includes:
  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
  • Non-Repudiation

Page 9: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Security, Functionality, and Usability Triangle

• The combination of the three defines the level of security
• Functionality – available features
• Usability – graphical user interface and other user aids
• Security – restrictions

• Balance is necessary
• More Security = Less Usability and Less Functionality

Page 10: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

1.2 Information Security Threats and Attack Vectors

• Motives, Goals, and Objectives of Information Security Attacks
• Top Information Security Attack Vectors
• Information Security Threat Categories
• Types of Attacks on a System
• Information Warfare

Page 11: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Motives, Goals, and Objectives

• Attacks = Motive (Goal) + Method + Vulnerability
• Top Motives
  • Disrupt business continuity
  • Data theft
  • Changing data
  • Disrupt critical infrastructure; cause chaos
  • Religious or political motives
  • Achieve military objectives
  • Destroy organization reputation
  • Revenge

Page 12: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Top Attack Vectors

• Cloud Computing Threats
• Advanced Persistent Threats
• Viruses and Worms
• Mobile Threats
• Botnets
• Insider Attacks

Page 13: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Information Security Threat Categories

• Network Threats
• Host Threats
• Application Threats
• People, Processes, Technology

Page 14: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Network Threats

• Information gathering
• Sniffing
• Spoofing
• Session Hijacking
• Man-in-the-middle Attacks
• DNS and ARP Poisoning
• Password Attacks
• Denial of Service Attacks (DoS)
• Compromised Key Attacks
• Firewall and IDS Attacks

Page 15: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Host Threats

• Malware Attacks
• Footprinting
• Password Attacks
• Denial of Service Attacks
• Arbitrary Code Execution
• Unauthorized Access
• Privilege Escalation
• Backdoor Attacks
• Physical Threats

Page 16: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Application Threats

• Improper Data/Input Validation
• Authentication Attacks
• Authorization Attacks
• Security Misconfigurations
• Information Disclosure
• Broken Session Management
• Buffer Overflows
• Cryptography Attacks
• SQL Injection
• Improper Error Handling/Exception Management

Page 17: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

System Attacks

• Operating System Attacks – buffer overflows, bugs, unpatched systems
• Misconfiguration Attacks – web servers, applications, databases, networks, frameworks
• Application-level Attacks – buffer overflows, cross-site scripting, SQL injection, man-in-the-middle, session hijacking, denial-of-service
• Shrink-Wrap Code Attacks – default configurations and settings, and vulnerabilities in off-the-shelf code

Page 18: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Information Warfare

• Information Warfare is the use of information and communication technology (ICT) against an adversary
• Defensive Information Warfare – defensive strategies and actions against attacks
  • Prevention, Deterrence, Alerts, Detection, Emergency Preparedness, Response
• Offensive Information Warfare – attacks against ICT assets
  • Web application attacks, web server attacks, malware attacks, MITM attacks, system hacking

Page 19: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

1.3 Hacking Concepts, Types, and Phases

• What is Hacking?
• Who is a Hacker?
• Classes of Hackers
• Hacking Phases

Page 20: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

What is Hacking

• Exploiting system vulnerabilities and compromising security to gain unauthorized access to system resources
• Modifying system or application features to achieve a goal
• Used to steal and redistribute intellectual property, leading to business loss

Page 21: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Who is a Hacker

• Intelligent people with excellent computer and networking skills who explore a system or network
• Hobbyists testing the vulnerabilities of systems and networks
• Anyone seeking knowledge for legal or illegal purposes

Page 22: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Hacker Classes

• Black Hats
• White Hats
• Gray Hats
• Suicide Hackers
• Script Kiddies
• Cyber Terrorists
• State Sponsored Hackers
• Hacktivists

Page 23: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Hacker Phases

• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Clearing Tracks

Page 24: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Reconnaissance

• Reconnaissance is the preparation phase: gathering information about the target
• The attacker may return to this phase later
• Could include the organization's clients, employees, operations, networks, and systems
• Passive Reconnaissance – gaining information without interacting with the target
• Active Reconnaissance – interacting with the target, e.g. phoning the helpdesk or contacting the IS department

Page 25: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Scanning

• Pre-Attack – scanning the network using information gathered during reconnaissance
• Port Scanning – probing for open services and vulnerabilities
• Attackers target the systems that can be penetrated

Page 26: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Gaining Access

• Gaining access to the operating system or an application on a system or network
• The attacker accesses and escalates privileges to compromise the system, the network, and intermediate systems
• Examples include password cracking, buffer overflows, denial of service, and session hijacking

Page 27: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Maintaining Access

• The attacker attempts to take and retain ownership of the systems
• Attackers use backdoors, rootkits, or trojans to keep others from re-taking ownership
• Attackers upload, download, and manipulate data, applications, and configurations on the owned systems
• Attackers use the compromised system to launch further attacks

Page 28: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Clearing Tracks

• Covering Tracks is the set of activities an attacker uses to hide his/her malicious acts
• The attacker intends to continue access, remain unnoticed, and delete evidence to avoid prosecution
• The attacker overwrites server, system, and application logs to avoid suspicion

Page 29: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

1.4 Ethical Hacking Concepts and Scope

• What is Ethical Hacking?
• Why Ethical Hacking is Necessary
• Skills of an Ethical Hacker

Page 30: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

What is Ethical Hacking

• Ethical hacking allows a security professional to use hacking tools, tricks, and techniques to identify vulnerabilities and make sure the organization's systems are secure
• The security professional focuses on simulating attacker techniques to find any exploitable vulnerabilities
• Ethical hackers perform the security assessment of their organization with the permission of the organization's authorities

Page 31: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Is Ethical Hacking Necessary

• Keeps the organization ahead of unethical hackers and allows countermeasures against attacks
• To prevent hackers
• To uncover vulnerabilities
• To analyze and strengthen an organization's security posture

Page 32: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Is Ethical Hacking Necessary continued

• What can an intruder see?
• What can an intruder do?
• Have there been any intrusions detected?
• Are the components of the information system protected and patched properly?
• How much effort, time, and money is needed to have adequate protections?
• Are the information security measures in compliance with industry and legal standards?

Page 33: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Skills of an Ethical Hacker continued

• Technical Skills include:
  • In-depth knowledge of major operating environments, concepts, technologies, and related hardware and software
  • Being a computer expert who understands the technical domains
  • Security knowledge and experience
  • Understanding of sophisticated attacks

• Non-Technical Skills include:
  • Ability to learn and adapt to new technologies quickly
  • Strong work ethic
  • Commitment to the organization's security and policies
  • Understanding of local, state, and federal laws and organizational compliance

Page 34: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

1.5 Information Security Controls

• Information Security Management Program
• Threat Modeling
• Enterprise Information Security Architecture (EISA)
• Network Security Zoning
• Information Security Policies

Page 35: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

1.5 Information Security Controls (cont'd)

• Physical Security
• Incident Management
• Types of Vulnerability Assessments
• Vulnerability Research

Page 36: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Information Assurance (IA)

• IA is the assurance that the confidentiality, integrity, availability, and authenticity of information and information systems are maintained at all times
• IA is achieved by:
  • Developing, implementing, and adhering to network and local policies
  • Designing proper user authentication
  • Identifying network vulnerabilities and threats
  • Identifying resource requirements
  • Applying proper information assurance controls
  • Performing certification and accreditation
  • Providing and requiring information assurance training

Page 37: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Information Security Management Program

• These are programs that allow organizations to reduce risk
• They are applied in all aspects of the organization and to all security principles
• They are a combination of well-defined policies, processes, procedures, standards, and guidelines that establish the required level of information security

Page 38: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Information Security Framework

• Each piece of the Framework is important
• Security Policy
• Roles and Responsibilities
• Security Guidelines and Frameworks
• Popular Frameworks
  • PCI DSS
  • ISO 27001/27002
  • CIS Critical Security Controls
  • NIST Framework for Improving Critical Infrastructure

Page 39: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Information Security Management Framework

Page 40: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Security Framework Example

Page 41: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Threat Modeling

• Threat Modeling is a risk management approach used to analyze current security
  • Capture
  • Organize
  • Analyze

• Identify Security Objectives
• Application Overview
• Deconstruct Application
• Identify Threats
• Identify Vulnerabilities

Page 42: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Enterprise Information Security Architecture (EISA)

• Enterprise Information Security Architecture is a set of requirements, processes, principles, and models that defines the structure and behavior of an organization's information systems
• Monitors and detects network behavior and acts on risks
• Helps the organization detect and recover from security breaches
• Prioritizes the organization's resources and examines threats
• Helps the organization understand cost and benefit
• Identifies assets and helps information system personnel function properly
• Helps perform risk assessment

Page 43: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Network Security Zoning

• Network Security Zoning allows an organization to manage security by assigning security levels to different areas of the Internet and intranet
• Affords monitoring and control of inbound and outbound traffic
• Examples:
  • Internet Zone – uncontrolled zone; outside the organization
  • Internet DMZ Zone – controlled zone; defense between the internal network and the Internet
  • Production Zone – restricted zone; access is strictly controlled
  • Intranet Zone – controlled zone; no extreme restrictions
  • Management Zone – secured zone; with strict policies

Page 44: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Information Security Policies

• Information Security Policies are the basis of an organization's security infrastructure
• Define the basic security requirements and rules to be implemented to protect and secure the organization's assets
• Goals:
  • Maintain management and administration of network security
  • Protect computing resources
  • Avoid legal liabilities
  • Prevent waste of computing resources
  • Prevent unauthorized modification of data
  • Define user access rights
  • Protect confidential, proprietary information from theft, misuse, and unauthorized disclosure

Page 45: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Types of Security Policies

• Promiscuous Policy – no restrictions
• Permissive Policy – some restrictions, but only on known attacks
• Prudent Policy – maximum security; blocks all services unless used by the organization
• Paranoid Policy – restricts everything; little or no Internet connectivity
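The two slides above (zoning and policy types) can be combined into one evaluator. The following added example, not part of the course material, models the five zones named on the slides and shows how the policy type changes the default stance toward an unlisted flow: a permissive policy only blocks what is explicitly denied, while a prudent policy permits only what is explicitly allowed. Zone names, ports, and rules are constructed for the illustration.

```python
"""Zone-based traffic policy evaluator (illustrative, constructed example)."""
from dataclasses import dataclass, field

# The five zones named on the slides.
ZONES = {"internet", "dmz", "production", "intranet", "management"}
POLICY_TYPES = {"promiscuous", "permissive", "prudent", "paranoid"}


@dataclass(frozen=True)
class Flow:
    """A candidate connection from one zone to another on a TCP port."""
    src_zone: str
    dst_zone: str
    port: int

    def key(self):
        return (self.src_zone, self.dst_zone, self.port)


@dataclass
class ZonePolicy:
    """policy_type selects the default stance described on the slides.

    allow: (src, dst, port) tuples explicitly permitted (used by prudent).
    deny:  (src, dst, port) tuples for known-bad traffic (used by permissive).
    """
    policy_type: str
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def __post_init__(self):
        if self.policy_type not in POLICY_TYPES:
            raise ValueError(f"unknown policy type: {self.policy_type}")

    def permits(self, flow: Flow) -> bool:
        if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
            raise ValueError(f"unknown zone in {flow}")
        if self.policy_type == "paranoid":
            return False                       # restricts everything
        if self.policy_type == "promiscuous":
            return True                        # no restrictions at all
        if self.policy_type == "permissive":
            return flow.key() not in self.deny  # blocks only known attacks
        return flow.key() in self.allow        # prudent: default deny


def audit_dmz_bypasses(policy: ZonePolicy) -> list:
    """Flag allow rules that let the uncontrolled Internet zone reach the
    restricted or secured zones directly, skipping the DMZ."""
    return sorted(rule for rule in policy.allow
                  if rule[0] == "internet" and rule[1] in {"production", "management"})


def build_example_policies() -> dict:
    """Constructed sample rule sets used for the demonstration."""
    web_in = ("internet", "dmz", 443)          # public web front end in the DMZ
    db_from_dmz = ("dmz", "production", 5432)  # DMZ app tier talks to the DB tier
    known_bad = ("internet", "production", 445)
    return {
        "permissive": ZonePolicy("permissive", deny={known_bad}),
        "prudent": ZonePolicy("prudent", allow={web_in, db_from_dmz}),
    }


if __name__ == "__main__":
    policies = build_example_policies()
    unlisted = Flow("internet", "dmz", 22)     # not in any allow or deny list
    for name, pol in policies.items():
        print(f"{name:10s} permits unlisted SSH into DMZ: {pol.permits(unlisted)}")
    leaky = ZonePolicy("prudent", allow={("internet", "production", 22)})
    print("DMZ bypass rules:", audit_dmz_bypasses(leaky))
```

Running it shows the same unlisted flow being permitted under the permissive policy and blocked under the prudent one, which is the practical difference the slide's one-line definitions imply.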

Page 46: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Examples of Security Policies

• Access Control
• Remote Access
• Firewall Management
• Network Connection
• Password
• User Account
• Information Protection
• Special Access
• Email Security
• Acceptable Use

Page 47: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Privacy Policies in the Workplace

• Employers have access to employees' personal information
• Rules for Workplace Privacy
  • Limit the amount of information collected (legal)
  • Tell employees about the information being collected and keep them informed of any potential collection, use, and disclosure of personal information
  • Maintain accurate employee records
  • Provide employees access to their personal information
  • Secure employees' personal information

Page 48: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Create and Implement Security Policies

• Perform a risk assessment
• Use the proper type of organizational standards
• Include senior management
• Set penalties
• Create the finalized version
• Have a document of understanding signed by all staff
• Enforce the policies
• Train employees
• Review and update regularly

Page 49: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

HR/Legal Implications of Security Policy Enforcement

• Human Resources
  • Responsible for making employees aware of security policies
  • Security training for employees
  • Works with management to monitor policy implementation and violations

• Legal
  • Policies should be developed in consultation with legal experts
  • Additional attention to violations of employee rights must be considered

Page 50: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Physical Security

• Physical security is the first level of defense
• Physical security is the protection of organizational assets from all threats
  • Prevent unauthorized access
  • Prevent tampering with or theft of data
  • Prevent espionage, sabotage, damage, or theft
  • Prevent social engineering attacks

• Physical threats include:
  • Environmental – floods, fire, earthquakes, dust
  • Man-made – terrorism, wars, bombs, vandalism, or dumpster diving

Page 51: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Physical Security Controls

• Protection of
  • Premises
  • Reception Area
  • Server and Workstation Areas
  • Any Equipment Areas
• Physical Access Control
• Computer and Equipment Maintenance Control
• Wiretapping
• Environmental Controls

Page 52: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Incident Management

• Incident management is the set of defined processes to identify, analyze, prioritize, and resolve security incidents and prevent future incidents
• Incident Management includes:
  • Vulnerability Handling
  • Artifact Handling
  • Announcements
  • Alerts
  • Incident Handling – Triage, Response, Reporting and Detection, Analysis
  • Other Incident Management Services

Page 53: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Incident Management Process

• Preparation for Incident Handling and Response
• Detection and Analysis
• Classification and Prioritization
• Notification
• Containment
• Forensic Investigation
• Eradication and Recovery
• Post-incident Activities

Page 54: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Responsibilities of the Incident Response Team

• Managing security issues using a proactive approach and responding effectively
• Providing a single point of contact for reporting security incidents
• Developing and reviewing processes and procedures
• Regularly reviewing legal and regulatory requirements
• Managing the response to an incident and making sure all procedures are followed properly to minimize and control damage
• Reviewing existing controls and recommending steps to keep up with technology
• Identifying and analyzing the incident, including its impact
• Working with local law enforcement and government agencies; partners and suppliers

Page 55: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

What is Vulnerability Assessment

• A vulnerability assessment is an inspection of a system's or application's ability to withstand attack
• Vulnerability assessments measure and classify security vulnerabilities in:
  • Computer systems
  • Networks
  • Communication channels

• Can be used to
  • Identify weaknesses
  • Predict the effectiveness of additional security measures

Page 56: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Types of Vulnerability Assessments

• Active Assessment – network scanner for hosts, services, and vulnerabilities
• Passive Assessment – sniff network traffic
• Host-based Assessment – specific to a certain server or workstation
• Internal Assessment – scan the internal infrastructure
• External Assessment – scan from outside to check for vulnerabilities
• Application Assessment – tests web infrastructure for misconfigurations
• Network Assessment – checks network security
• Wireless Network Assessment – checks for vulnerabilities on the wireless network

Page 57: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Network Vulnerability Assessment Methodology

• Phase 1 – Acquisition
  • Collect documents
  • Review legal requirements
  • Review network security
  • List previously discovered vulnerabilities

• Phase 2 – Identification
  • Conduct interviews with customers and employees
  • Gather technical information about all network components
  • Identify industry standards for compliance

Page 58: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Network Vulnerability Assessment Methodology continued

• Phase 3 – Analyzing
  • Review interviews
  • Analyze results of the previous vulnerability assessment
  • Analyze security vulnerabilities and identify risks
  • Perform threat and risk analysis
  • Analyze effectiveness of existing security controls
  • Analyze effectiveness of existing security policies

Page 59: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Network Vulnerability Assessment Methodology continued

• Phase 4 – Evaluation
  • Determine the chance of exploitation of identified vulnerabilities
  • Identify gaps between current and required security measures
  • Determine controls required to mitigate the identified vulnerabilities
  • Identify upgrades required to the network vulnerability assessment process

• Phase 5 – Generating Reports
  • Present a draft of the analysis to be evaluated
  • The report should include:
    • Tasks rendered by each team member
    • Methods used and findings
    • General and specific recommendations
    • Terms used and definitions
    • Information collected in all phases
  • All documents need to be stored in a secure database for generating the final report

Page 60: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Vulnerability Research

• Vulnerability research is the process of discovering vulnerabilities and design flaws that would allow operating systems and applications to be attacked or misused
• Vulnerabilities are classified by severity level (low, medium, or high) and exploit range (local or remote)
• Security administrators need vulnerability research to:
  • Gather information regarding security trends, threats, and attacks
  • Find weaknesses and alert the network administrator before a network attack
  • Get information that helps prevent security problems
  • Learn how to recover from a network attack

Page 61: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Vulnerability Research Websites

• CodeRed Center (EC Council)
• Microsoft Vulnerability Research (Technet)
• Security Magazine
• Security Focus
• Help Net Security
• HackerStorm
• SC Magazine
• Computerworld
• Hacker Journal
• WindowsSecurity

Page 62: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Penetration Testing

• Penetration testing evaluates the security of the information/network system by simulating an attack to check for vulnerabilities
• Security measures are actively analyzed for any weaknesses, technical flaws, and vulnerabilities
• Pen testing also documents how the weaknesses can be exploited
• A report is generated for executive management and technical personnel

Page 63: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Why Penetration Testing

• Identify threats
• Reduce cost to the organization
• Provide assurance covering policy, procedure, design, and implementation
• Achieve and maintain compliance with certifiable industry regulations
• Adopt best practices for compliance and legal industry regulations
• Test and verify security protections and controls
• Best choice when upgrading existing infrastructure
• Focuses all involved teams and management on high-severity and application security issues
• Prepares the organization to prevent exploitation
• Tests and evaluates network security devices: firewalls, routers, web servers, etc.

Page 64: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Compare Security Audit, Vulnerability Assessment, and Penetration Testing

• Security Audit – checks whether the organization is following a set of standard security policies and procedures
• Vulnerability Assessment – focuses on discovering vulnerabilities in systems; does not include exploitation, or the damage that could result
• Penetration Testing – a method of security assessment that incorporates the security audit and vulnerability assessment and also considers whether the vulnerabilities can be exploited by attackers

Page 65: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Blue Teaming/Red Teaming

• Blue Team
  • A set of security responders performs analysis of an information system to assess the ability and efficiency of security controls
  • Has access to all the organization's resources and information
  • Primary role is to detect and mitigate (red team) activities and be ready for surprise attacks

• Red Team
  • Ethical hackers perform penetration testing with little or no access to the organization's resources
  • Conducted with or without warning
  • Used to detect network and system vulnerabilities
  • Checks security from an attacker's perspective

Page 66: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Types/Phases of Penetration Testing

• Black-box – no prior knowledge of the infrastructure; blind testing; double-blind testing
• White-box – complete knowledge of the infrastructure to be tested
• Grey-box – limited knowledge of the infrastructure to be tested

Page 67: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Security Testing Methodology

• OWASP – Open Web Application Security Project – for organizations that purchase, develop, and maintain software tools
• OSSTMM – Open Source Security Testing Methodology Manual – a peer-reviewed methodology for performing high-quality tests: data controls, fraud and social engineering control levels, computer networks, wireless devices, mobile devices, physical security access controls
• ISSAF – Information Systems Security Assessment Framework; open source, giving security assistance to security personnel
• EC-Council LPT Methodology – the LPT methodology is an industry-standard framework for comprehensive information system security auditing

Page 68: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking


Page 69: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

1.6 Information Security Laws and Standards

• Payment Card Industry Data Security Standard (PCI-DSS)
• ISO/IEC 27001:2013
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes Oxley Act (SOX)
• Digital Millennium Copyright Act (DMCA) and Federal Information Security Management Act (FISMA)
• Cyber Law in Different Countries

Page 70: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Payment Card Industry Data Security Standard (PCI-DSS)

• Payment Card Industry Data Security Standard (PCI DSS) is a proprietary standard for organizations that handle cardholder information for debit, credit, prepaid, e-purse, ATM, and POS cards
• PCI DSS applies to all entities involved in payment card processing
• The high-level overview of the PCI DSS requirements was developed and is maintained by the PCI Security Standards Council

Page 71: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Payment Card Industry Data Security Standard (PCI-DSS) Overview

• Build and maintain a secure network
• Implement strong access control measures
• Protect cardholder data
• Regularly monitor and test networks
• Maintain a vulnerability management program
• Maintain an information security policy

Page 72: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

ISO/IEC 27001:2013

• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and improving an information security management system for the organization
• Including
  • Use within an organization for security requirements and objectives
  • Cost effectiveness
  • Guarantee of compliance with laws and regulations
  • Definition of new information security management processes
  • Identification and clarification of existing information security management processes
  • Use by management to determine the status of information security activities
  • Implementation of business-enabling information security
  • Provision of relevant information security to customers

Page 73: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Health Insurance Portability and Accountability Act

• Electronic Transactions and Code Set Standards
• Privacy Rule
• Security Rule
• National Identifier Rule
• Enforcement Rule

Page 74: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Sarbanes Oxley Act (SOX)

• Enacted in 2002 for the protection of investors and the public
• Made up of 11 titles
  • Title 1 – Public Company Accounting Oversight Board
  • Title 2 – Auditor Independence
  • Title 3 – Corporate Responsibility (financial reports)
  • Title 4 – Enhanced Financial Disclosures
  • Title 5 – Analyst Conflicts of Interest
  • Title 6 – Commission Resources and Authority
  • Title 7 – Studies and Reports
  • Title 8 – Corporate and Criminal Fraud Accountability
  • Title 9 – White Collar Crime Penalty Enhancement
  • Title 10 – Corporate Tax Returns
  • Title 11 – Corporate Fraud Accountability

Page 75: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Digital Millennium Copyright Act (DMCA) and Federal Information Security Management Act (FISMA)

• The Digital Millennium Copyright Act (DMCA)
  • Implements two 1996 treaties of the World Intellectual Property Organization
  • Defines legal prohibitions against circumventing technological protection measures

• Federal Information Security Management Act
  • Provides a comprehensive framework for guaranteeing the effectiveness of information security controls for federal operations and assets
  • Standards for categorizing information and systems by mission impact
  • Standards for minimum security requirements for information/systems
  • Guidance for selecting proper security controls for information/systems
  • Guidance for assessing security controls in information systems and their effectiveness
  • Guidance for security authorization of information systems

Page 76: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Cyber Law in Different Countries

• USA
• Australia
• United Kingdom
• China
• India
• Germany
• Italy
• Japan
• Canada
• Singapore
• South Africa
• South Korea
• Belgium
• Brazil
• Hong Kong

Page 77: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Cyber Law in US

Page 78: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking
Page 79: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking
Page 80: Ethical Hacking v10 Module 1 - Introduction to Ethical Hacking

Intro to Ethical Hacking Review

• Ethical Hacking seeks to discover vulnerabilities before they are actually exploited
• Threats can be against hosts, the network, and applications
• Threats can also be viewed as against people, processes, and technology
• CIA is the foundation of all security
• Non-repudiation disallows someone from denying they did something