Introduction to Ethical Hacking. Chapter 1

Similar documents
Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Chapter 1 Ethical Hacking Overview. Revised

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 1 Introduction to Security

Cyber Risks in the Boardroom Conference

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

DeMystifying Data Breaches and Information Security Compliance

What is Penetration Testing?

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

HIPAA UPDATE. Michael L. Brody, DPM

Cybersecurity The Evolving Landscape

AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI)

CCISO Blueprint v1. EC-Council

Chapter 12. Information Security Management

Why you MUST protect your customer data

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:

Security Breaches: How to Prepare and Respond

Demonstrating Compliance in the Financial Services Industry with Veriato

Security Terminology Related to a SOC

Principles of ICT Systems and Data Security

Ethical Hacking and Countermeasures: Attack Phases, Second Edition. Chapter 1 Introduction to Ethical Hacking

The Honest Advantage

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

From the Lab to the Boardroom; Forensics goes mainstream

Executive Insights. Protecting data, securing systems

COMPUTER FORENSICS (CFRS)

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

Security Audit What Why

716 West Ave Austin, TX USA

Have breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?

Penetration Testing and Team Overview

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Compliance 101: Basics for Security Professionals

Legal Considerations and Case Studies

Tracking and Reporting

Building a Business Case for Cyber Threat Intelligence. 5Reasons Your. Organization Needs a Risk-Based 5Approach to Cybersecurity

CYBER SECURITY AND MITIGATING RISKS

Teradata and Protegrity High-Value Protection for High-Value Data

Checklist: Credit Union Information Security and Privacy Policies

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Hacking and Cyber Espionage

CASE STUDY. How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

locuz.com SOC Services

Cyber Security Issues

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Evolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

CYBER ALERT. Cyber Investigations, Part 4: Hallmarks of Enterprise Impact Investigations. Key Components of an Enterprise Impact Investigation

IBM Internet Security Systems October Market Intelligence Brief

Cybersecurity Today Avoid Becoming a News Headline

Information Assurance 101

How to Take Advantage of the Cloud for ediscovery

Unit 3 Cyber security

Cyber Security Updates and Trends Affecting the Real Estate Industry

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

Will you be PCI DSS Compliant by September 2010?

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Building a Case for Mainframe Security

Cyber Risks and Emerging Technology/Threats

Information Security Policy

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Complete document security

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity in Higher Ed

What to do if your business is the victim of a data or security breach?

Compliance with CloudCheckr

hidden vulnerabilities

Encrypting PHI for HIPAA Compliance on IBM i. All trademarks and registered trademarks are the property of their respective owners.

Bar The Gates: Cyber Threat. Wednesday, August 12, 2015: ISACA Geek Week

ID Theft and Data Breach Mitigation

Is Your z/os System Secure?

Preventing Corporate Espionage: Investigations, Data Analyses and Business Intelligence

Secure Application Development. OWASP September 28, The OWASP Foundation

SHS Annual Information Privacy and Security Training

Compliance in 5 Steps

Computer Forensics US-CERT

Cybersecurity, safety and resilience - Airline perspective

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

A practical guide to IT security

Chapter 6 Network and Internet Security and Privacy

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

QuickBooks Online Security White Paper July 2017

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

DETAILED POLICY STATEMENT

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Cyber Security. Building and assuring defence in depth

Business continuity management and cyber resiliency

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper

90% of data breaches are caused by software vulnerabilities.

Transcription:

Introduction to Ethical Hacking Chapter 1

Definition of a Penetration Tester Sometimes called ethical hackers though label is less preferred Pen testers are: People who assess security of a target Specially trained People who understand security concepts

What Is a Penetration Tester? Can be employed full-time by a company May work freelance as a contractor Uses the techniques of malicious hackers against a client Tactics and tools of pen tester are the same as a hacker Intent and permission differ

Why Use Penetration Testing? To test and evaluate security Taking on the pen tester role and the associated skillset has become more important in today s world as organizations have had to take a more serious look at their security posture and how to improve it. To ensure compliance with laws To perform security audits To monitor

Origins of Penetration Testing The term hacker is an old one that can trace its origin back about 50 years to technology enthusiasts of the 1960s. These individuals were not like the hackers of today; they were simply those who were curious and passionate about new technologies and spent time exploring the inner workings and limitations of early systems. Evolved from traditional hacking Arose from a need to proactively assess an organization s security Created in response to hacker activity Increasingly popular with rise in cybercrime

Goals of a Penetration Tester In any organization that is security minded, something known as the CIA triad (or the core principles of confidentiality, integrity, and availability) is trying to be preserved. Confidentiality Availability Integrity

Goals of a Penetration Tester Disruption Disclosure Alteration Testers work to find holes in the client s environment that would disrupt the CIA triad and the way it functions. Another way of looking at this is through the use of something called the anti-cia triad.

Overview of Pen Testing Hackers Have existed since the 1960s Originally technology enthusiasts Original Hackers Tried out new technology Pushed boundaries Satisfied their curiosity Sought out undocumented features

Evolution of Internet Hackers became more prolific and more dangerous not too long after the availability of the Internet to the general public. Introduction of the Internet expanded possibilities and range First attacks were mostly mischievous and benign Later attacks became malicious Newer attacks include financial fraud, piracy, credit card theft

Opponents In the real world, hackers tend to be broken down into different categories to differentiate their skills and intent. These are the different types of hackers you can expect to encounter in the real world. Terrorists Black Hats Script kiddies Malicious Gray Hats White Hats

Examples of Cybercrimes Over the past two decades crimes associated with hacking have evolved tremendously. These are some broad categories of cybercrime. Identity theft Theft of service Fraud Embezzlement Writing malware Cyberstalking

Target: Apple icloud In August 2014, a massive data breach against Apple s icloud was responsible for the public disclosure of hundreds of celebrity pictures in various intimate moments. This breach has so far resulted in lawsuits by many of those who had their pictures stolen as well as a lot of negative publicity for Apple. Hackers broke into Apple s cloud-based storage service. Several celebrities had their photos stolen and posted online. This breach resulted in numerous ongoing lawsuits.

Target 2014 In 2014 Target Corp became a victim of a large-scale cybercrime. This breach was responsible for the disclosure of an estimated 56 million different credit card accounts. The breach resulted in loss of customer data. 56 million records were compromised during the incident. The breach resulted in major lawsuits. There was a decrease in business.

JP Morgan 2014 83 million accounts compromised Being actively investigated by SEC in the United States Generated numerous lawsuits Loss of customers In October 2014 JP Morgan revealed to the U.S. Securities and Exchange Commission (SEC) that 83 million accounts were compromised. The breach is being actively investigated by the U.S. Secret Service. Early information points to the breach being the result of attackers discovering vulnerabilities in software on JP Morgan s own computer systems.

Hacking and the Law New and old laws apply to hacking. Technology has outpaced the law. Increasing amount of cybercrimes. Cybercrimes have rapidly evolved.

Addressing Legal Issues You will need to always ensure that the utmost care and concern is exercised at all times to ensure that the proper procedures are observed to avoid legal issues. Contract You need trust between the client and pen tester. The client needs to have confidence rules will be followed. The client needs limits and guidelines in the event they are broken.

Sample Laws 1973 US Code of Fair Information Practices Sarbanes-Oxley (SOX) 1974 US Privacy Act 1986 US Electronic Communications Privacy Act Cyberlaw 1984 US Medical Computer Crime Act 1996 US Health Insurance and Portability Accounting Act (HIPAA) 1996 US Computer Fraud and Abuse Act 1994 US Communications Assistance for Law Enforcement Act Federal Information Security Management Act (FISMA)

Points to Remember Remember as a pen tester that the law will impact your actions and can result in prison time and/or fines if you do things without permission. Do not attempt to become an armchair lawyer. Rather, understand that the law has an impact on what you do. Seek legal assistance if you don t fully understand the implications. The law will impact and guide many penetration tests. Seek legal assistance from a lawyer; don t try to interpret the law yourself.

Pen Testing Process Once a pen tester is in possession of the necessary permissions to conduct their activities, the actual testing can take place. There are a myriad of ways to proceed with testing at this point, and each is valid in its own way. Follows a series of steps Ensures tasks and goals are completed properly May vary based on need May be legally mandated Can be customized in some cases

Pen Testing Process Reconnaissance Scanning Enumeration Planting Backdoors Privilege Escalation System Hacking Covering Tracks

Conclusion of the Test Once this is complete, the tester should be prepared to present a detailed report of their findings. Presenting the report to the client may be the last task the tester has or there may be additional steps. Potential outcomes Presentation of the report to the client Presentation plus recommendations Presentation plus recommendation with remediation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback