Friday, 1 March 2013

Ethical Hacking Basics Class Part 1


Introduction

This lesson introduces you to the world of ethical hacking. Ethical hacking is a form of legal hacking that is done with the permission of an organization to help increase its security. This lesson discusses many of the business aspects of penetration (pen) testing. Information about how to perform a pen test, what types can be performed, what are the legal requirements, and what type of report should be delivered are all basic items that you will need to know before you perform any type of security testing. However, first, you need to review some security basics. This lesson starts with a discussion of confidentiality, integrity, and availability. Finally, the lesson finishes up with the history of hacking and a discussion of some of the pertinent laws. 

NOTE 

Nothing learned in this class is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure that you have written permission from the proper individuals before you use any of the tools or techniques described within. Always obtain permission before installing any of these tools on a network. 

Security Fundamentals 

Security is about finding a balance, as all systems have limits. No one person or company has unlimited funds to secure everything, and we cannot always take the most secure approach. One way to secure a system from network attack is to unplug it and make it a standalone system. Although this system would be relatively secure from Internet-based attackers, its usability would be substantially reduced. The opposite approach of plugging it in directly to the Internet without any firewall, antivirus, or security patches would make it extremely vulnerable, yet highly accessible. So, here again, you see that the job of security professionals is to find a balance somewhere between security and usability. Figure 1.1 demonstrates this concept.


To find this balance, you need to know what the goals of the organization are, what security is, and how to measure the threats to security. The next section discusses the goals of security. 

Goals of Security


Objective:

Understand the security triangle, also known as CIA (confidentiality, integrity, and availability). 

There are many ways in which security can be achieved, but it’s universally agreed that the security triad of confidentiality, integrity, and availability (CIA) form the basic building blocks of any good security initiative. 

Confidentiality addresses the secrecy and privacy of information. Physical examples of confidentiality include locked doors, armed guards, and fences. Logical examples of confidentiality can be seen in passwords, encryption, and firewalls. In the logical world, confidentiality must protect data in storage and in transit. For a real-life example of the failure of confidentiality, look no further than the recent news reports that have exposed how several large-scale breaches in confidentiality were the result of corporations, such as Time Warner and City National Bank, misplacing or losing backup tapes with customer accounts, names, and credit information. The simple act of encrypting thebackup tapes could have prevented or mitigated the damage. 

Integrity is the second piece of the CIA security triad. Integrity provides for the correctness of information. It allows users of information to have confidence in its correctness. Correctness doesn’t mean that the data is accurate, just that it hasn’t been modified in storage or transit. Integrity can apply to paper or electronic documents. It is much easier to verify the integrity of a paper document than an electronic one. Integrity in electronic documents and data is much more difficult to protect than in paper ones. Integrity must be protected in two modes: storage and transit. 

Information in storage can be protected if you use access and audit controls. Cryptography can also protect information in storage through the use of hashing algorithms. Real-life examples of this technology can be seen in programs such as Tripwire, MD5Sum, and Windows File Protection (WFP). Integrity in transit can be ensured primarily by the protocols used to transport the data. These security controls include hashing and cryptography. 

Availability is the third leg of the CIA triad. Availability simply means that when a legitimate user needs the information, it should be available. As an example, access to a backup facility 24x7 does not help if there are no updated backups from which to restore. Backups are one of the ways that availability is ensured. Backups provide a copy of critical information should files and data be destroyed or equipment fail. Failover equipment is another way to ensure availability. Systems such as redundant array of inexpensive disks (RAID) and subscription services such as redundant sites (hot, cold, and warm) are two other examples. Disaster recovery is tied closely to availability, as it’s all about getting critical systems up and running quickly. Denial of service (DoS) is an attack against availability. Although these attacks might not give access to the attacker, they dodeny legitimate users the access they require.

Assets, Threats, and Vulnerabilities


Objectives: 

Recall essential terminology 
List the elements of security 

As with any new technology topic, terminology is used that must be learned to better understand the field. To be a security professional, you need to understand the relationship between threats, assets, and vulnerabilities. 

Risk is the probability or likelihood of the occurrence or realization of a threat. There are three basic elements of risk: assets, threats, and vulnerabilities. Let’s discuss each of these. 

An asset is any item of economic value owned by an individual or corporation. Assets can be real — such as routers, servers, hard drives, and laptops — or assets can be virtual, such as formulas, databases, spreadsheets, trade secrets, and processing time. Regardless of the type of asset discussed, if the asset is lost, damaged, or compromised, there can be an economic cost to the organization. 

A threat is any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset. From a security professional’s perspective, threats can be categorized as events that can affect the confidentiality, integrity, or availability of the organization’s assets. These threats can result in destruction, disclosure, modification, corruption of data, or denial of service. Some examples of the types of threats an organization can face include the following: 

Unauthorized Access
If userids and passwords to the organization’s infrastructure are obtained and confidential information is compromised and unauthorized, access is granted to the unauthorized user who obtained the userids and passwords.
Stolen/Lost/Damaged/Modified Data
A critical threat can occur if the information is lost, damaged, or unavailable to legitimate users.
Disclosure of Confidential Information
Anytimethere is a disclosure of confidential information, it can be a critical threat to an organization if that disclosure causes loss of revenue, causes potential liabilities, or provides a competitive advantage to an adversary.
Hacker Attacks
An insider or outsider who is unauthorized and purposely attacks an organization’s components, systems, or data.
Cyber Terrorism
Attackers whotarget critical, national infrastructures such as water plants, electric plants, gas plants, oil refineries, gasoline refineries, nuclear power plants, waste management plants, and so on.
Viruses and Malware
An entirecategory of software tools that are malicious and are designed to damage or destroy a system or data.
Denial of Service (DoS) or Distributed Denial of Service Attacks
An attack against availability that isdesigned to bring the network and/or access to a particular TCP/IP host/server to its knees by flooding it with useless traffic. Many DoSattacks, such as the Ping of Death and Teardrop, exploit limitations in the TCP/IP protocols. Like malware, hackers constantly develop new DoS attacks, so they form a continuous threat.
Natural Disasters, Weather, or Catastrophic Damage
Hurricanes, such as Katrina that hit New Orleans in 2005, storms, weather outages, fire, flood, earthquakes, and other natural events compose an ongoing threat.
If the organization is vulnerable to any of these threats, there is an increased risk of successful attack. 

A vulnerability is a weakness in the system design, implementation, software or code, or the lack of a mechanism. A specific vulnerability might manifest as anything from a weakness in system design to the implementation of an operational procedure. Vulnerabilities might be eliminated or reduced by the correct implementation of safeguards and security countermeasures. 

Vulnerabilities and weaknesses are common with software mainly because there isn’t any perfect software or code in existence. Vulnerabilities in software can be found in each of the following:

Firmware
This software is usually stored in ROM and loaded during system power up.
Operating System
This operating system software is loaded in workstations and servers.
Configuration Files
The configuration file and configuration setup for the device.
Application Software
The application or executable file that is run on a workstation or server.
Software Patch
This is a small piece of software or code snippet that the vendor or developer of the software typically releases as software updates, software maintenance, and known software vulnerabilities or weaknesses.
Vulnerabilities are not the only concern the ethical hacker will have. Exploits are a big concern, as they are a common mechanism used to gain access. That’s discussed next.

Defining an Exploit 

An exploit refers to a piece of software, tool, or technique that takes advantage of a vulnerability that leads to privilege escalation, loss of integrity, or denial of service on a computer system. Exploits are dangerous because all software has vulnerabilities; hackers and perpetrators know that there are vulnerabilities and seek to take advantage of them. Although most organizations attempt to find and fix vulnerabilities, some organizations lack sufficient funds for securing their networks. Even those that do are burdened with the fact that there is a window between when a vulnerability is discovered and when a patch is available to prevent the exploit. The more critical the server, the slower it is typically patched. Management might be afraid of interrupting the server or afraid that the patch might affect stability or performance. Finally, the time required to deploy and install the software patch on production servers and workstations exposes an organization’s IT infrastructure to an additional period of risk.

Security Testing


Objective: 

Define the modes of ethical hacking 
Security testing is the primary job of ethical hackers. These tests might be configured in such way that the ethical hackers have no knowledge, full knowledge, or partial knowledge of the target of evaluation (TOE).

NOTE 

The term target of evaluation (TOE) is widely used to identify an IT product or system that is the subject of an evaluation. The EC-Council and some security guidelines and standards use the term to describe systems that are being tested to measure their confidentiality, integrity, and availability. 

The goal of the security test (regardless of type) is for the ethical hacker to test the security system and evaluate and measure its potential vulnerabilities.

No Knowledge Tests (Blackbox) 

No knowledge testing is also known as blackbox testing. Simply stated, the security team has no knowledge of the target network or its systems. Blackbox testing simulates an outsider attack as outsiders usually don’t know anything about the network or systems they are probing. The attacker must gather all types of information about the target to begin to profile its strengths and weaknesses. The advantages of blackbox testing include 

The test is unbiased as the designer and the tester are independent of each other. The tester has no prior knowledge of the network or target being examined. Therefore there are no preset thoughts or ideas about the function of the network. A wide range of resonances work and are typically done to footprint the organization, which can help identify information leakage. The test examines the target in much the same way as an external attacker. 

The disadvantages of blackbox testing include 
It can take more time to perform the security tests. 
It is usually more expensive as it takes more time to perform. 
It focuses only on what external attackers see, while in reality, most attacks are launched by insiders. 

Full Knowledge Testing (Whitebox) 

Whitebox testing takes the opposite approach of blackbox testing. This form of security test takes the premise that the security tester has full knowledge of the network, systems, and infrastructure. This information allows the security tester to follow a more structured approach and not only review the information that has been provided but also verify its accuracy. So, although blackbox testing will typically spend more time gathering information, whitebox testing will spend that time probing for vulnerabilities.

Partial Knowledge Testing (Graybox) 

In the world of software testing, graybox testing is described as a partial knowledge test. EC-Council literature describes graybox testing as a form of internal test. Therefore, the goal is to determine what insiders can access. This form of test might also prove useful to the organization as so many attacks are launched by insiders.

Types of Security Tests


Objective: 

State security testing methodologies 

Several different types of security tests can be performed. These can range from those that merely examine policy to those that attempt to hack in from the Internet and mimic the activities of true hackers. These security tests are also known by many names, including 

Vulnerability Testing 
Network Evaluations 
Red Team Exercises 
Penetration Testing 
Host Vulnerability Assessment 
Vulnerability Assessment 
Ethical Hacking 

No matter what the security test is called, it is carried out to make a systematic examination of an organization’s network, policies, and security controls. Its purpose is to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of potential security measures, and confirm the adequacy of such measures after implementation. Security tests can be defined as one of three types, which include highlevel assessments, network evaluations, and penetration tests. Each is described as follows: 

High-level assessments
Also called a level I assessment, it is a top-down look at the organization’s policies, procedures, and guidelines. This type of vulnerability assessment does not include any hands-on testing. The purpose of a top-down assessment is to answer three questions: Do the applicable policies exist?
Are they being followed? 
Is there content sufficient to guard against potential risk? 

Network evaluations
Also called a level II assessment, it has all the elements specified in a level I assessment plus includes hands-on activities. These hands-on activities would include information gathering, scanning, vulnerability assessment scanning, and other hands-on activities. Throughout this book, tools and techniques used to perform this type of assessment are discussed.
Penetration tests
Unlike assessments and evaluations, penetration tests are adversarial in nature. Penetration tests are also referred to as level III assessments. These events typically take on an adversarial role and look to see what the outsider can access and control. Penetration tests are less concerned with policies and procedures and are more focused on finding low hanging fruit and seeing what a hacker can accomplish on this network.
NOTE 

Just remember that penetration tests are not fully effective if an organization does not have the policies and procedures in place to control security. Without adequate policies and procedures, it’s almost impossible to implement real security. Documented controls are required. 


No comments:

Post a Comment