ETHICAL HACKING A LICENCE TO HACK - PowerPoint PPT Presentation

Slides: 26
Provided by: Rav49
Transcript and Presenter's Notes

1
ETHICAL HACKING A LICENCE TO HACK
2
INTRODUCTION
  • Ethical hacking, also known as penetration
    testing, intrusion testing or red teaming, has
    become a major concern for businesses and
    governments.
  • Companies are worried about the possibility of
    being hacked and potential customers are
    worried about maintaining control of personal
    information.
  • Necessity of computer security professionals to
    break into the systems of the organisation.

3
INTRODUCTION
  • Ethical hackers employ the same tools and
    techniques as the intruders.
  • They neither damage the target systems nor steal
    information.
  • The tool is not an automated hacker program;
    rather, it is an audit that both identifies the
    vulnerabilities of a system and provides advice on
    how to eliminate them.

4
PLANNING THE TEST
  • Aspects that should be focused on
  • Who should perform penetration testing?
  • How often do the tests have to be conducted?
  • What are the methods of measuring and
    communicating the results?
  • What if something unexpected happens during the
    test and brings the whole system down?
  • What are the organization's security policies?

5
The minimum security policies that an
organization should possess
  • Information policy
  • Security policy
  • Computer use
  • User management
  • System administration procedures
  • Incident response procedures
  • Configuration management
  • Design methodology
  • Disaster methodology
  • Disaster recovery plans.

6
Ethical hacking- a dynamic process
  • Running through the penetration test once gives
    the current set of security issues, which are
    subject to change.
  • Penetration testing must be continuous to ensure
    that system movements and newly installed
    applications do not introduce new vulnerabilities
    into the system.

7
Who are ethical hackers
  • The skills ethical hackers should possess
  • They must be completely trustworthy.
  • Should have very strong programming and computer
    networking skills and have been in networking
    field for several years.

8
Who are ethical hackers
  • Should have more patience.
  • Continuous updating of the knowledge on computer
    and network security is required.
  • They should know the techniques of the criminals,
    how their activities might be detected and how to
    stop them.

9
Choice of an ethical hacker
  • An independent external agency.
  • Black box testing.
  • Expertise within your own organization.
  • White box testing.

10
AREAS TO BE TESTED
  • Application servers
  • Firewalls and security devices
  • Network security
  • Wireless security

11
Red Team-Multilayered Assessment
  • Various areas of security are evaluated using a
    multilayered approach.
  • Each area of security defines how the target will
    be assessed.
  • An identified vulnerability at one layer may be
    protected at another layer, minimizing the
    associated risk of the vulnerability.

12
Information security (INFOSEC)- A revolving
process
14
Attacks on Websites- Denial of
service attack
  • Some hackers hack your websites just because they
    can.
  • They try to do something spectacular to exhibit
    their talents.
  • This is where the denial of service attack comes in.
  • During the attacks, customers were unable to
    reach the websites, resulting in loss of revenue
    and mind share.
  • On January 17, 2000, a U.S. Library of Congress
    website was attacked.

17
The ethical hack itself
  • Testing itself poses some risk to the client.
  • A criminal hacker monitoring the ethical hacker's
    transmissions could trap the information.
  • The best approach is to maintain several addresses
    around the internet from which the ethical hackers
    originate.
  • Additional intrusion monitoring software can be
    deployed at the target.

18
IBM's Immune System for Cyberspace
  • Any combination of the following may be used
  • Remote network.
  • Remote dial-up network.
  • Local network.
  • Stolen laptop computer.
  • Social engineering.
  • Physical entry.

20
Competitive Intelligence
  • A systematic and ethical program for maintaining
    external information that can affect your
    company's plans.
  • It is the legal collection and analysis of
    information regarding the vulnerabilities of the
    business partners.
  • The same information used to aid a company can be
    used to compete with the company.
  • The way to protect the information is to be aware
    of how it may be used.

21
Information Security Goals
  • Improve IS awareness.
  • Assess risk.
  • Mitigate risk immediately.
  • Assist in the decision making process.
  • Conduct drills on emergency response procedures.

22
Conclusions
  • Never underestimate the attacker or overestimate
    our existing posture.
  • A company may be a target not just for its
    information but potentially for its various
    transactions.
  • To protect against an attack, understanding where
    the systems are vulnerable is necessary.
  • Ethical hacking helps companies first comprehend
    their risks and then manage them.

23
Conclusions
  • Security professionals are always one step behind
    the hackers and crackers.
  • Plan for the unplanned attacks.
  • The role of ethical hacking in security is to
    provide customers with awareness of how they
    could be attacked and why they are targeted.
  • Security, though a pain, is necessary.

25
Queries?