Ethical Hacking Philip Robbins August 31, 2013 Information - PowerPoint PPT Presentation

ISA 330 Introduction to Proactive System Security Week #1 Ethical Hacking Philip Robbins – August 31, 2013 Information Security & Assurance Program University of Hawai'i West Oahu 1

Ethical Hacking Topics • Introductions • Syllabus Review • Fundamentals of Ethical Hacking • Class Discussion • Tools • Security Resources • Review Questions, Q&A 2

Introductions Who am I? • Information Systems Authorizing Official Representative ‐ United States Pacific Command (USPACOM) ‐ Risk Management Field ‐ Assessments to USPACOM Authorizing Official / CIO • Former Electronics & Environmental Engineer • Bachelor of Science in Electrical Engineering • Master of Science in Information Systems • Ph.D. Student in Communication & Information Sciences • Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP) 3

Syllabus Class Textbook 4

Fundamentals “A locked door keeps an honest man out.” 5

Fundamentals • Introduction to Proactive System Security What this class IS about: An introductory course in adopting a proactive (v.s. reactive) stance towards systems security. What this class IS NOT about: An offensive class in hacking. How does one better understand how to defend against system security attacks? By performing and testing against them. 6

Fundamentals • In the news: Facebook CEO personal page hacked by Palestinian white hat. Chinese suffers largest internet attack in history. Syrian Electronic Army takes down the New York Times. http://www.cnn.com/video/data/2.0/video/world/2013/08/19/worldone‐clancy‐zuckerberg‐facebook‐security‐flaw.cnn.htm 7

Fundamentals • In the news: Facebook CEO personal page hacked by Palestinian white hat. Chinese suffers largest internet attack in history. Syrian Electronic Army takes down the New York Times. http://money.cnn.com/2013/08/26/technology/china‐cyberattacks/index.html 8

Fundamentals • In the news: Facebook CEO personal page hacked by Palestinian white hat. Chinese suffers largest internet attack in history. Syrian Electronic Army takes down the New York Times. http://www.cnn.com/2013/08/30/opinion/lewis‐hackers‐nyt/index.html?iref=allsearch 9

Fundamentals • What is Hacking? Classical Definition: Seeking to understand computer systems strictly for the love of having that knowledge. BEFORE Modern Definition: Illegal access to computer or network systems. NOW 10

Fundamentals • What is a “Hacker”? 11

12

Fundamentals Who/what is a “Cracker”? Term used to describe a hacker with malicious intent. Crackers (cyber criminals) get into all kinds of mischief, including breaking or "cracking" copy protection on software programs, breaking into systems and causing harm, changing data, or stealing. 13

Fundamentals • “Hacker” v.s. “Cracker”? ‐ Today there’s no real distinction between the two terms. Hacker = Cracker However… ‐ Some hackers regard crackers as less educated. ‐ Some crackers don’t create their own work; simply steal other people's work to cause mischief, or for personal gain. 14

Fundamentals • Who are “Script kiddies”? ‐ Unskilled individuals who use scripts or programs developed by knowledgeable programmers to attack computer systems. ‐ Generally considered “posers” or “kiddies” lacking the ability to write sophisticated scripts or programs on their own. ‐ Usually seeking to gain credit or impress their friends. 15

Fundamentals What is an “Ethical Hacker”? • Oxymoron: Honest Criminal ‐ A new breed of network defenders. ‐ Performs the same activities a hacker does but with the owner / company’s permission. ‐ Usually contracted to perform penetration testing. 16

Fundamentals • Penetration Testing ‐ Discover vulnerabilities. ‐ Perform attack and penetration assessments. ‐ Perform discovery and scanning for open ports & services. ‐ Apply exploits to gain access and expand access as necessary. ‐ Activities involving application penetration testing and application source review. ‐ Interact with the client as required. ‐ Produce reports documenting discoveries during the engagement. ‐ Report your findings with the client at the conclusion of each engagement. v.s. • Security Testing + Participate in research and provide recommendations for improvement. + Participate in knowledge sharing. 17

Fundamentals • Why perform Penetration Tests? 18

Fundamentals • Steps for a Penetration Test Step #1: Planning Phase ‐ Scope & Strategy of the assignment is determined. ‐ Existing security policies and standards are used for defining the scope. Step #2: Discovery Phase ‐ Collect as much information as possible about the system including data in the system, user names and even passwords (fingerprinting). ‐ Scan and Probe into the ports. ‐ Check for vulnerabilities of the system. Step #3: Attack Phase ‐ Find exploits for various vulnerabilities. ‐ Obtain necessary security Privileges to exploit the system & exploit. 19

Fundamentals • Steps for a Penetration Test Step #4: Reporting Phase ‐ Report must contain detailed findings. ‐ Risks of vulnerabilities found and their impact on business ‐ Recommendations for solutions, if any (Security Testing). 20

Fundamentals • Penetration Testing Limitations ‐ Can’t find all the vulnerabilities on a system. ‐ Time for tester ‐ Budget ‐ Scope ‐ Skills of testers ‐ Data loss and corruption ‐ Downtime for organization ‐ Increased costs for organization* * How could pen testing decrease costs for an organization? 21

Fundamentals • Roles & Responsibilities of the Pen‐Tester ‐ Testers should collect required information from the Organization to enable penetration tests (depending on the type of testing model). ‐ Find flaws that could allow hackers to attack a target machine. ‐ Pen Testers should think & act like real hackers (ethically). ‐Tester should be responsible for any loss in the system or information during the testing. ‐ Tester should keep data and information confidential. 22

Fundamentals • Types of Pen‐Testing Methodologies White Box Model ‐ Tester is given the company network topology, info on technology used, and permission to interview all employees (including IT personnel). Black Box Model ‐ Tester is not given any information. ‐ Management doesn’t tell staff about the pen test being conducted. ‐ Help determine if company’s security personnel are able to detect attacks. Gray Box Model ‐ Hybrid of the white and black box models. ‐ Tester may get partial information. 23

Class Discussion • Which pen‐testing category / model closely mimics that of an insider threat? • Which type of pen‐testing model is better suited for an organization on a extremely limited budget? • Which pen‐testing model is most accurate? Which can be considered to have the greatest drawback? 24

Class Discussion 25

Fundamentals • Types of Hats - White Hats (Ethical / Pen-Testers improving security) - Black Hats (Hackers / Crackers degrading security) - Grey Hats (In-between White and Black) - Red Hat (Enterprise Linux) 26

Fundamentals • What can you do Legally? What about: ‐ Port scanning? ‐ Possession of hacking tools? ‐ Photographing? ‐ ISP Acceptable Use Policy (AUP)? ‐ Installing viruses on a computer network denying users? In Hawaii, the state must prove that the person charged with committing a crime on a computer had the “intent to commit a crime.” 27

Fundamentals • Federal Laws: ‐ Computer Fraud and Abuse Act, Title 18 Crime to access classified information with authorization. ‐ Electronic Communication and Abuse Act Illegal to intercept any communication, regardless of how it was transmitted. ‐ Stored Wire and Electronic Communications and Transactional Records Act Defines unauthorized access to computers that store classified information. 28

Class Discussion • What are the advantages of using a written contract when engaged in a computer consulting job? • Why is it important that your attorney read over the contract before you sign it? • What is upper management’s role for a penetration test? 29

Class Discussion • Why do you think the government does not define a common law for computer‐related crimes, rather than allowing each state to address these issues? 30

Fundamentals • Ethical Hacking in a Nutshell ‐ Must have a good understanding of networks & computer technology. ‐ Must be able to communicate with management & IT personnel. ‐ Must have an understanding of the laws that apply to your location. ‐ Must be able to apply the necessary tools to perform your tasks. 31

Fundamentals • Professional Certifications Certified Ethical Hacker (CEH) Cisco Certified Network Associate (CCNA) Project Management Professional (PMP) Certified Information Systems Security Professional (CISSP) 32

Fundamentals • Careers 33

Fundamentals • CEH 22 Domains 34

Fundamentals • CEH: Domain #1 35

Fundamentals • CEH: Domain #2 36

Fundamentals • CEH: Domain #3 37

Fundamentals • CEH: Domain #4 38

Fundamentals • CEH: Domain #5 39