SlideShare a Scribd company logo

Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century

Q
Quinnipiac University

As organizations in recent years continue to increase their investment into the advancements of technology to upsurge productivity and efficiently, more and more companies begin to realize that protecting of this technology is just as significant (Information Security), if not; even more important in order to protect their reputation and integrity as a company. This paper provides a comprehensive high-level view of ethical hacking, such as what it is, what it entails, and why companies hack into their own technology. Additionally, counter measures including penetration testing and real-world examples will be examined to give the reader a better understanding of ethical hacking and why it’s such an essential element of Information Security in the Information Systems/Technology field.  

Technology
1 of 17
Download to read offline
Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century Aaron Varrone December 2011 Quinnipiac University- MS IT CIS 652- Advanced Topics in Information Security- Independent Study
Varrone 1 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Contents ABSTRACT.............................................................................................................. 2 INTRODUCTION TO ETHICAL HACKING ................................................................. 3 What do Hackers do?.......................................................................................... 4 FOOTPRINTING AND RECONNAISSANCE............................................................... 5 SYSTEM HACKING.................................................................................................. 6 Types of Attacks.................................................................................................. 6 Why Cover Tracks? ............................................................................................. 8 PENETRATION TESTING......................................................................................... 8 Why Penetration Testing? .................................................................................. 8 COUNTERMEASURES............................................................................................. 9 How to defend against Footprinting? ............................................................... 10 How to defend against Password Cracking?...................................................... 10 How to defend against Privilege Escalation?..................................................... 10 How to defend against Malware? ..................................................................... 11 How to defend against Steganography? ........................................................... 11 REAL-WORLD EXAMPLES..................................................................................... 12 Hacker Boot Camp Helps Good Guys Outsmart Intruders ................................. 12 Government Agencies Seeking Code Breakers.................................................. 12 Ethical Hacking Proves to be an Excellent Test for Companies.......................... 13 Ethical Hacking Demand Helping Firm Achieve Record Profits.......................... 13 College Universities Teaching Students How to Hack........................................ 13 CONCLUSION....................................................................................................... 14 REFERENCES ........................................................................................................ 16
Varrone 2 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century ABSTRACT As organizations in recent years continue to increase their investment into the advancements of technology to upsurge productivity and efficiently, more and more companies begin to realize that protecting of this technology is just as significant (Information Security), if not; even more important in order to protect their reputation and integrity as a company. This paper provides a comprehensive high-level view of ethical hacking, such as what it is, what it entails, and why companies hack into their own technology. Additionally, counter measures including penetration testing and real-world examples will be examined to give the reader a better understanding of ethical hacking and why it’s such an essential element of Information Security in the Information Systems/Technology field.
Varrone 3 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century INTRODUCTION TO ETHICAL HACKING In simple terms, Ethical Hacking can be described as a process in which working professionals (in the technology field) are hired on by an organization to perform a variety of attacks to their own network, systems, and technology. The goal is quite simple, and that is to ‘break into’, also known as ‘hack’ their way into the organization’s information system where vulnerabilities are discovered and then eventually ‘patched’ so that a real attack would have no harming consequences to the company such as; data leakages, compromised systems, stolen proprietary information, and so on. Hence where the word, ‘ethical’, comes into play, as these hackers are solely hired on for this purpose. Professionals in this field include outside security consultants hired by the company or even a direct role within the company who possess expert computer skills in a wide variety of areas and systems (networks, operating systems, application programming). Ethical hackers try to answer three basic questions: what can the intruder see on the target system, what can an intruder do with the information compromised, and will anyone notice that the attack occurred? Before proceeding further, a basic understanding of the umbrella, Information Security field must be conveyed. There are three elements of Information Security: Confidentiality- assurance that the information is accessible only to those authorized to have access, Integrity- the reliability of data or resources in terms of preventing improper and unauthorized changes, and Availability- assurance that the systems responsible for delivering, storing, and processing information are accessible when required by an authorized user. (EC-Council, 2011) With this said, all three elements have a direct impact to the way in which network and system security is portrayed, which leads us to our discussion of Ethical Hacking. If all three of these elements are properly addressed and implemented during the architecture of the way in which an organization’s systems interact, then one would not have to be so concerned with their technology and securing of this technology. As companies continue to grow and expand their horizon for the need of information systems by increasing their investment on a year-to-year basis , so does the need to protect and defend their infrastructure against malicious activities, attacks, and destructive encounters. The risk of not protecting one’s information system is too extraordinary as the effects of a successful hacking attempt include: damage and theft of proprietary information, client/customer data, personal information, impeding of business operations and activities. All in which can lead to a company’s downfall. As great as the technology is that many of these companies have adapted in creating an efficient
Varrone 4 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century operation, their lack on focusing their attention on security can contradict themselves and instead create an inefficient and ineffective use of the technology. Who is a Hacker? A hacker can be defined as an individual with superb computer skills who has the ability to create and explore into another system, which can be software programs or hardware based devices. A motive behind a hacker’s mindset is to gain knowledge or poke around to do illegal and disruptive activities that could result in monetary benefits. For some, it’s a hobby to see how many systems and networks they can control. There are four unique hacker classes: Black Hats- individuals who resort to malicious or destructive activity for malicious intent. White Hats- individuals using them for defensive purposes, also known as security analysts. Suicide Hackers- individuals who aim to bring down critical infrastructure for a “cause” and would rather be known for their destruction they commit. These individuals are not worried about facing any type of severe penalty regardless of fines or jail time sentences. Gray Hats- are individuals who work both offensively and defensively at various times whose intent is mostly for the well-being, however this is not always the case. (EC-Council, 2011) What do Hackers do? There are five phases that goes through a hacker’s mindset: Phase 1 Reconnaissance- refers to the preparatory phase where an attacker looks to gather as much information about a target as they can prior to launching an attack. Such examples include: employees’ names, phone numbers, and email addresses, system names, and software installed on these systems. There are two types of reconnaissance: Passive- which involves acquiring information without directly interacting with the target or someone affiliated with the target, such as searching for press releases or public records; and Active- which involves interacting with the target directly by any means, for instance phoning calls to the help desk or technical support center pretending to be an employee of the company.
Varrone 5 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Phase 2 Scanning- refers to the “pre-attack phase” of when an attacker scans the network seeking specific information on the basis of information gathered during reconnaissance. Such examples include: port scanning, vulnerability scanners, and dialers. Phase 3 Gaining Access- Once access is achieved to the desired operating system, application, or network; the attacker can escalate privileges to obtain complete control of the system. Such examples include: password cracking, buffer overflows, denial of service, and session hijacking. Phase 4 Maintaining Access- After access has been attained, most hackers attempt ways in which to retain their ownership of the system/application/device. Attackers may prevent the system from being owned by other fellow hackers by securing their access exclusively with backdoors, trojans, or rookits. Attackers then use the compromised system to launch further attacks, which allows them to upload, download, or manipulate data, configuration, and applications at any given time period. Phase 5 Covering Tracks- After a hacker’s activities have been carried out, smarter attackers usually look for ways in which they can hide their malicious act by covering their tracks and hiding their own identity. This can be achieved by overwriting system, application, audit, and event logs or deleting any evidence that may lead to prosecution. (EC-Council, 2011) FOOTPRINTING AND RECONNAISSANCE Footprinting and reconnaissance are hacking methodologies used to uncover and collect as much information as possible regarding an organization’s information system. These two methods are carefully planned well ahead in time before an attack is carried out. Basic information such as a company’s DNS, IP addresses, system and network architectures, platforms, and applications used, is all prevalent information that can be gathered and collected by an hacker to help carry out the attack. While this information is collected, the hacker cautiously examines and identifies vulnerabilities that can be exploited. An ethical hacker looks to examine what information can be made available publicly by collecting information from the internet or internally and then documents the effects this may have to the organization, such as: privacy loss, corporate espionage, competitive intelligence, and information leakage. There are four types of Footprinting:
Varrone 6 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Anonymous Footprinting- Gathering information from sources where the author of the information cannot be traced nor identified. Internet Footprinting- Collecting information about a target from the Internet. Organizational/Private Footprinting- Collecting information internally within the organization. Pseudonymous Footprinting- Collecting information that may be published under a different name in an attempt to preserve privacy and confidentiality. (EC-Council, 2011) SYSTEM HACKING There are several ways an attacker can gain access to a particular system, however each way requires the ability for an attacker to exploit a weakness, vulnerability, or even human-error. Types of Attacks Operating System Attacks- Attackers search for platform (operating system) vulnerabilities and then exploit them. Such examples include: buffer overflow, bugs and glitches, and unpatched operating systems. Application-Level/Shrink Wrap Code Attacks- Programming is complex and there are times where unsecure code is used over and over again to reduce this complexity, such as utilizing existing libraries of code. If it’s there, why reinvent the wheel? This leads to poor and nonexistent error checking in these applications which can lead to buffer overflow attacks, cross-site scripting, denial of service, SQL injection attacks, session hijacking, man-in-the-middle attacks, and so on. Misconfiguration Attacks- Misconfigured systems occur when a change is made to a file’s permission. If that’s the case, the file or application can no longer be considered as secure. Administrators are expected to change the configuration and limit authority of the devices before they are deployed to the network. Failure to do this allows the default settings to be used to attack the system. Password Cracking- Various techniques and tools are utilized to recover passwords from computer systems. Hackers can use these tools to gain unauthorized access to a vulnerable system. Most of these techniques are successful due to weak or easily guessable passwords, such as dictionary words or default
Varrone 7 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century passwords. Such password cracking techniques include: dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, and rule-based attacks. Surprisingly an increasingly number of non-technical password stealing techniques have been reported in recent years, such as: shoulder surfing, social engineering, and dumpster diving. Spyware/Keyloggers- Refers to a program or device (software or hardware) specifically hidden to record the user’s interaction with the system without the user’s knowledge. The various types of spyware include: screen capturing spyware, USB spyware, child monitoring spyware, video spyware (secretly monitors and records webcams and video IM conversations, attacks can then be remotely viewed via the web or mobile phone), audio/cellphone spyware, GPS spyware (uses the global positioning system to determine location of a vehicle, person, or asset to which it is attached or installed to), and even print spyware. Viruses/Trojans/Worms- Are all examples of malware, unsolicited code or software on a system that in most cases allows for data breaches, backdoor access for a hacker to gain access to or executes damage that can harm the system. This type of malware is commonly created with malicious code or tools and utilities that have the ability to attack vulnerable systems (as long as the hacker knows where the vulnerability exists). Rootkits- Refers to code hidden within a kernel of the operating system that has the ability to hide itself and cover up traces of the malicious intent. More specifically, it replaces certain operating system calls and utilities with its own modified version. From there, the attacker acquires root access (above a level of administrator) to the system by installing a virus, trojan, worm, or other malware in order to exploit it. This allows the attacker to maintain undetected access to the system. Such types of rookits include: hypervisor level, kernel level, application level, hardware/firmware, and boot loader. Steganography- Is a technique consisting of hiding a secret message within an ordinary message or file and extracting it at the destination to maintain its hidden identity. The most popular use of this technique are when hackers utilize a graphic image and embedding a code within that image file to perform a malicious activity. This conceals the data within the file. Such techniques include: substitution, transform domains, cover generation, distortion, statistical, and spread spectrum. The various means of steganography besides images include: document, video, and audio steganography. (EC-Council, 2011)
Varrone 8 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Why Cover Tracks? Most hackers, with the exception of a suicidal one, will cover their traces to avoid detection and possible jail sentence. However, this is not the only reason. By covering their track, this allows the attacker to install backdoors to gain access in the future. When this is executed, a clever hacker will usually escalate the compromised account’s privileges without documenting the system change. As previously mentioned, they can do this by manipulating the log files of an operating system or altering the event logs. Once intruders have successfully gained administrator type access on a system, they will attempt to cover their tracks in every possible way that they can, including deleting recently modified files and disabling audit logs. Disabling these logs is usually performed immediately after obtaining administrator privileges. PENETRATION TESTING Penetration testing is a method of actively evaluating the security of an information system or network by simulating an attack from a malicious source. Various security measures are analyzed for weaknesses in design, technical flaws, and vulnerabilities that can be exploited. There are two types of testing that is performed: Black box testing, which simulates an attack from someone who is unfamiliar with the system; and white box testing, which simulates an attacker that has knowledge about the system, such as an employee. The results are recorded and delivered to senior level management and technical audiences. Why Penetration Testing? Penetration testing allows the company to identify threats that may occur during the testing stage discovered in its information system or network. Companies that hire such testers have actually discovered that overall IT security costs are reduced and provides a better return on security investment (ROSI) by identifying and resolving vulnerabilities, weaknesses, and possible exploits that may have been taken advantage of if the proper security measures weren’t enforce. Additionally, companies are also seeing what type of IT security investments they really need to focus on, as oppose to investing in a large enterprise-wide security solution that covers everything, which may not always be necessary for every organization out there.
Varrone 9 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Additionally, these professionals provide an organization with assurance of a thorough and comprehensive assessment of an organization’s security policy, procedure, controls, and how they may decide to be implemented. Many industry- wide regulations may be applied such as HIPAA (Health Insurance Portability and Accountability Act), FDA (Food Drug Administration), PCI (Personal Confidential Information); requiring specific certification and best practice security standards in order to continue business. For instance, PCI regulation requires all hard drives to be encrypted within the organization. A Penetration Tester’s Best Friend Vulnerability libraries are a penetration tester’s best friend as it documents all of the discovering vulnerabilities that have been reported by testers, users, ethical hackers, and even the programmers themselves. The majority of these vulnerabilities are design flaws that will open an operating system and its applications susceptible to an attack. These vulnerabilities are classified based on severity levels (low, medium, or high) and exploit range (remote or local). Such professionals need access to this research in order to identify and correct exposures to their respective function. Many of these vulnerabilities are documented on websites and databases available to the public, where even some of the more ‘proficient’ hackers, seek to expand those vulnerabilities to a further level. A list of vulnerability research websites are listed below:  The United States Computer Emergency Readiness Team (US-CERT) Vulnerabitlity Database (kb.cert.org)  National Vunerability Database Sponsored by DHS National Cyber Security Division (National Institute of Standards and Technology) (nvd.nist.gov)  Secunia – (secunia.com )  SecuriTeam – (securiteam.com)  SecurityTracker- (securitytracker.com) COUNTERMEASURES In conjunction with penetration testing, countermeasures are examined closely, documented, and then reviewed by the ethical hacker to improve the security posture at the company. There are several different countermeasures that are more closely scrutinized than others, including but not limited to: footprinting, defending against password cracking, defend against privilege escalation, defending against malware including session hi-jacking, networking sniffing, man-in-the-middle, denial of service, and against steganography attacks.
Varrone 10 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century How to defend against Footprinting? Defending against footprinting includes: configuring routers and access control list (ACL) to restrict the responses to footprinting request, implement/configure IDS (Intrusion Detection System) to refuse suspicious traffic picked up in patterns, locking down ports with a suitable firewall configuration, configuring web servers to avoid information leakage, and lastly disable unwanted protocols. Ethical hackers will additionally document and evaluate the content of information made available publicly and work to remove any sensitive information discovered such as their network architecture, applications, employees, and/or email addresses. (EC-Council, 2011) How to defend against Password Cracking? By incorporating strict password guidelines within an organization’s security policy, hackers will have that much more of a difficult time of successfully being able to crack a password. These guidelines should include: requiring user’s to use a combination of alphanumeric characters along with upper and lowercase numbers, letters, and symbols. Additionally, by requiring users to change their password on a more frequent basis- such as 30 days, this will help alleviate hackers from returning to an account or system that has been compromised at one point in time. There should be additional effort and resources available for monitoring system logs or alarming events for possible attacks as well. How to defend against Privilege Escalation? As described above, once hackers obtain access to a system or account, they will seek ways to escalate their privileges to that similar of an administrator. Therefore, countermeasures to defend against the ability for them to escalate privileges is examined:  Use encryption as much as possible and wherever it can be done. Not all systems, applications, devices have the ability to encrypt their data; but one level of encryption (for instance, on a user’s workstations) will make it that much more difficult for an intruder to gain access to.  Systems should be patched on a continuing basis as patching cycles never end and there will always be room to resolve vulnerabilities, bugs, and other fixes in an application or operating system.
Varrone 11 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century  Run services within a system’s environment as an “unprivileged” account, this way if this account does become compromised, the intruder can’t do much since access is restricted.  Restrict interactive logon privileges and run users and applications on the least possible privileges.  Implement multi-factor authentication and authorization such as biometrics and token keys. If an intruder only has compromised one authentication type in a multi-factor verification environment, the hacker is left with the same result as when they first started, and that’s clearly no system access. (EC-Council, 2011) How to defend against Malware? Malware and other unsolicited software can be tricky at times if the malicious files are not detected by an anti-virus product, which in this case would be known as a zero-day threat. In any circumstance to help alleviate the issue and reduce risk; install, maintain, administer, and update the anti-virus product within the environment. This includes updates to signature files, scan engine versions, program versions, patches and hot fixes releases. Additionally by installing and administering a personal and enterprise firewall with application and device control policies and restrict and limit web-access, can all diminish the company’s risk from exposure. How to defend against Steganography? Steganography is one of the more difficult types of attacks to defend against as code is hidden and embedded into an existing application or file. Since these types of attacks are performed in the background, an ordinary user or even a computer expert may have trouble ‘noticing’ if anything has been altered before the file or application was changed. The best ways to defend against these type of attacks is to use steganography detection tools that specifically look for these changes from file to file and application to application. These tools are also known as file integrity verification checks. One of the more common steganography detection tools used is a product called Stego Watch.
Varrone 12 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century REAL-WORLD EXAMPLES The number of information security professionals in the workforce continues to rise as companies have realized that as their usage of technology continues to grow, so does the risk associated with using the technology. Technology is becoming much more complex with the advancements that are made which further complicates how attacks are performed and ultimately carried out by an intruder. With this said, below are some real-life examples of how organizations (including: government agencies and non-for-profit such as universities) have utilized ethical hacking tactics to protect their technology from being hacked into, breached, and ultimately compromised. Hacker Boot Camp Helps Good Guys Outsmart Intruders Rudy Chavez, a former Unix system administrator, employed by IT services firm Booz Allen Hamilton, became a certified ethical hacker one month later. The company that he was employed for decided they would benefit by having a ‘hacker of their own’ to help outsmart other cybercriminals at their own game, sending Chavez off to an ethical hacking boot camp. During the boot camp, which consisted of a combination of classroom instruction and computer-lab time, Chavez learned how legitimate tools, technologies, and techniques are being issued for illegal activities and hostile purposes. Chavez claims that the sophistication and pervasiveness of the tools out there allows for great havoc and that although generally the IT security field takes a defensive approach, the training has lead him to take an offensive posture and help him understand how these attacks happen. (Information Week, 2005) Government Agencies Seeking Code Breakers Even government agencies are searching for hacking talent. According to the Toronto Star, a widely recognized newspaper in Canada, reports that a British spy agency is using an anonymous code-breaking web page to recruit self-taught hackers that they might not have found otherwise. The page was launched in November of 2011. A spokesman for the U.K.’s Government Communications Headquarters even admitted that recruiting Oxford and Cambridge graduates is not always in the best interest for the agency. They also claim that most cyber- specialists enter their organization as graduates, however with the quickly evolving world of cybercrime, they feel it’s essential to look for candidates who may be self- taught but have a keen interest in code-breaking and ethical hacking. (Taylor, 2011)
Varrone 13 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Ethical Hacking Proves to be an Excellent Test for Companies As the growth of extortion attempts by hackers against firms continue to rise at an alarming rate, Mark Hanvey, Chief Security Officer of Cable & Wireless, U.K.’s second largest fixed line telecommunications operator, states that he is encouraged to see companies investing in ethical hacking to protect their commercial assets. He states that ethical hacking is an excellent test for systems and is helping out companies, however he urges that risk can never be eliminated, only minimized, which is done by putting in effective monitoring and counter measures tactics, such as around the clock monitoring. As long as companies continue to invest in effective information security systems, and this starts with hacking your own; organizations can stay away from being on the news the next day about a possible data breach. (Hanvey, 2005) Ethical Hacking Demand Helping Firm Achieve Record Profits A computer service company hired by large corporations for their expert in security consulting, NCC, has achieved record profits thanks to the increase demand for its ethical hacking services. These companies are hiring the firm for them to hack into their own systems so that vulnerabilities can be found. Rob Cotton, chief executive of the firm has stated that because of the nature of the economy, many companies are seeing an alarming number of increase in threats. The Financial Times reports that revenue has risen to 31 percent because of this service, which only very few companies have to offer. (Stafford, 2006) College Universities Teaching Students How to Hack A study conducted in 2007 revealed that the average computer is attacked by hackers more than 2,200 times a day which comes out to about once every 40 seconds and that hackers have stolen an estimated $49 billion in the United States alone in 2006. Geoffrey Lund, leader of the software-applications program at University of Abertary Dundee in Scotland has stated that he has helped design a new course to teach students on how to hack and defend against network systems. Although classes that teach hacking techniques are rare and controversial as administrators at the school were nervous about teaching such potential destructive techniques, he claims that ethics are also covered in the classroom, and that they do conduct background checks on students beforehand as a prerequisite. Lund states that the course prepares students for a rapidly growing job market by teaching that the best defense is a good offense. The class is set up with a network of
Varrone 14 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century approximately 20 computers isolated from the rest of the university system where the students then practice hacking into or even bringing down the network. By hacking into these systems and network, students are able to learn about weaknesses of an intuition’s system. Alexander Graham, an experienced information technology professional who even enrolled in the course had stated that he is shocked by how much damage a malicious hacker can do. He claims the course is extremely helpful and believes in the philosophy of “Know thy enemy, then you can defeat them” at their own game. (Vance, 2007) CONCLUSION Ethical Hacking is a growing trend that appears to be on all types of organizations’ radar. As evident from this study, we see a large number of money invested to ensure that they are protected against risks associated with hacking attacks. The increasing alarming number of attacks against these organizations are well known and the losses can be easily quantified. As hacking involves creative thinking; vulnerability testing and security audits cannot guarantee that an information system is secure. To rebuttal this, organizations must implement a defense in depth strategy by penetrating into their own systems and network. Ethical hacking becomes necessary as it allows one to counter the attack and reverse engineer malicious attackers by anticipating methods they used to launch an attack and break into a system. An ethical hacker can only help the organization better understand their system from a security perspective, however it is still up to the organization to place the right guards around the technology. Securing of these information systems does comes with its challenges. For instance, compliance to government laws and regulations must be followed and maintained. Companies (depending on the industry) must be willing to spend vast amounts of dollars on education, training, and awareness in order to stay in compliance. Such industries for example have strict laws that prevent data from being outsourced outside the country (or if it is outsourced, requires the use of encryption), similar to sensitive personal information. Other industries may require certain security measures in placed in order to continue business operations. These regulations add another challenge to security, ensuring that the proper measures are being enforced. Additionally, it is difficult to centralize security in a distributed computing environment as the evolution of technology evolves, so does the complexity in administering, managing, and monitoring sophisticated and complex attacks. As we turn everything we do into the palm of our hands; mobile security, adaptive
Varrone 15 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century authentication, and social media strategies from an offensive and defensive perspective are only the stepping stones on what’s next to expect in the digital age that we live in today. “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” –Stephen Hawking, Theoretical Physicist and Cosmologist
Varrone 16 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century REFERENCES EC-Council. (2011). Ethical Hacking and Countermeasures v7.1 Course. Hanvey, M. (2005, June 22). Ethical Hacking An Excellent Test of Mettle for Security Systems. The Financial Times, p. 16. Information Week. (2005, June 23). Hacker Boot Camp Helps Good Guys Outsmart Internet Troublemakers; The number of IT security professionals is expected to grow to nearly 800,000 by 2008, and more of them need to think like hackers to be effective. Information Week. Stafford, P. (2006, July 19). NCC Ethically Hacks its Way to Record. The Financial Times, p. 24. Taylor, L. C. (2011, December 2). British spies recruit 'ethical hackers'. Toronto Star. Vance, E. (2007, April 13). Students at the University of Abertay Dundee Learn Computer Hacking to Defend Networks. The Chronicle of Higher Education.

Recommended

Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingSanu Subham
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingNitheesh Adithyan
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hackingsamprada123
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hackingchakrekevin
 
Ethical hacking ppt
Ethical hacking pptEthical hacking ppt
Ethical hacking pptRohit Yadav
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingKeith Brooks
 
ethical hacking
ethical hackingethical hacking
ethical hackingsamprada123
 
hacking
hackinghacking
hackingmayank1293
 

Recommended

Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingSanu Subham
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingNitheesh Adithyan
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hackingsamprada123
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hackingchakrekevin
 
Ethical hacking ppt
Ethical hacking pptEthical hacking ppt
Ethical hacking pptRohit Yadav
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingKeith Brooks
 
ethical hacking
ethical hackingethical hacking
ethical hackingsamprada123
 
hacking
hackinghacking
hackingmayank1293
 
Secure Shell - a Presentation on Ethical Hacking
Secure Shell - a Presentation on Ethical HackingSecure Shell - a Presentation on Ethical Hacking
Secure Shell - a Presentation on Ethical HackingNitish Kasar
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingAkshay Kale
 
185
185185
185vivatechijri
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingMukul Agarwal
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingBinit Kumar
 
presentation on ethical hacking
presentation on ethical hacking presentation on ethical hacking
presentation on ethical hacking Amol Deshmukh
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingVishesh Singhal
 
System Security in Ethical Hacking
System Security in Ethical HackingSystem Security in Ethical Hacking
System Security in Ethical HackingVanipriya Sakthivel
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKINGSHERALI445
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingGanesh Vadulekar
 
Ethical Hacking and Network Security
Ethical Hacking and Network SecurityEthical Hacking and Network Security
Ethical Hacking and Network Securitysumit dimri
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingTharindu Kalubowila
 
Ethical hacking.
Ethical hacking.Ethical hacking.
Ethical hacking.Khushboo Aggarwal
 
Unit ii-hackers and cyber crimes
Unit ii-hackers and cyber crimesUnit ii-hackers and cyber crimes
Unit ii-hackers and cyber crimesSweta Kumari Barnwal
 
hacking presentation slide
hacking presentation slide hacking presentation slide
hacking presentation slide Tauhidul islam
 
Ethical hacking course
Ethical hacking courseEthical hacking course
Ethical hacking courseChitraKuder
 
basic knowhow hacking
basic knowhow hackingbasic knowhow hacking
basic knowhow hackingAnant Shrivastava
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hackDharmesh Makwana
 
Introduction to hacking
Introduction to hackingIntroduction to hacking
Introduction to hackingnitish mehta
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingAditya Vikram Singhania
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingMohammad Affan
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingMuzaffar Ahmad
 

More Related Content

What's hot

Secure Shell - a Presentation on Ethical Hacking
Secure Shell - a Presentation on Ethical HackingSecure Shell - a Presentation on Ethical Hacking
Secure Shell - a Presentation on Ethical HackingNitish Kasar
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingAkshay Kale
 
presentation on ethical hacking
presentation on ethical hacking presentation on ethical hacking
presentation on ethical hacking Amol Deshmukh
 
System Security in Ethical Hacking
System Security in Ethical HackingSystem Security in Ethical Hacking
System Security in Ethical HackingVanipriya Sakthivel
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKINGSHERALI445
 
Ethical Hacking and Network Security
Ethical Hacking and Network SecurityEthical Hacking and Network Security
Ethical Hacking and Network Securitysumit dimri
 
hacking presentation slide
hacking presentation slide hacking presentation slide
hacking presentation slide Tauhidul islam
 
Ethical hacking course
Ethical hacking courseEthical hacking course
Ethical hacking courseChitraKuder
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hackDharmesh Makwana
 
Introduction to hacking
Introduction to hackingIntroduction to hacking
Introduction to hackingnitish mehta
 

What's hot (20)

Secure Shell - a Presentation on Ethical Hacking
Secure Shell - a Presentation on Ethical HackingSecure Shell - a Presentation on Ethical Hacking
Secure Shell - a Presentation on Ethical Hacking
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
185
185185
185
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
presentation on ethical hacking
presentation on ethical hacking presentation on ethical hacking
presentation on ethical hacking
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
System Security in Ethical Hacking
System Security in Ethical HackingSystem Security in Ethical Hacking
System Security in Ethical Hacking
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical Hacking and Network Security
Ethical Hacking and Network SecurityEthical Hacking and Network Security
Ethical Hacking and Network Security
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Ethical hacking.
Ethical hacking.Ethical hacking.
Ethical hacking.
 
Unit ii-hackers and cyber crimes
Unit ii-hackers and cyber crimesUnit ii-hackers and cyber crimes
Unit ii-hackers and cyber crimes
 
hacking presentation slide
hacking presentation slide hacking presentation slide
hacking presentation slide
 
Ethical hacking course
Ethical hacking courseEthical hacking course
Ethical hacking course
 
basic knowhow hacking
basic knowhow hackingbasic knowhow hacking
basic knowhow hacking
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
Introduction to hacking
Introduction to hackingIntroduction to hacking
Introduction to hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Viewers also liked

CMIT 321 FINAL EXAM 2016
CMIT 321 FINAL EXAM 2016CMIT 321 FINAL EXAM 2016
CMIT 321 FINAL EXAM 2016HamesKellor
 
DATABASE DESIGN AND MANAGEMENT - By Hansa Edirisinghe
DATABASE DESIGN AND MANAGEMENT - By Hansa EdirisingheDATABASE DESIGN AND MANAGEMENT - By Hansa Edirisinghe
DATABASE DESIGN AND MANAGEMENT - By Hansa EdirisingheHansa Edirisinghe
 
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...Hansa Edirisinghe
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hackingsamprada123
 
Spiritual leadership
Spiritual leadershipSpiritual leadership
Spiritual leadershipMaRi Eagar
 
Ethical Dilemmas in Business
Ethical Dilemmas in BusinessEthical Dilemmas in Business
Ethical Dilemmas in BusinessShahzad Khan
 

Viewers also liked (9)

Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
CMIT 321 FINAL EXAM 2016
CMIT 321 FINAL EXAM 2016CMIT 321 FINAL EXAM 2016
CMIT 321 FINAL EXAM 2016
 
DATABASE DESIGN AND MANAGEMENT - By Hansa Edirisinghe
DATABASE DESIGN AND MANAGEMENT - By Hansa EdirisingheDATABASE DESIGN AND MANAGEMENT - By Hansa Edirisinghe
DATABASE DESIGN AND MANAGEMENT - By Hansa Edirisinghe
 
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hacking
 
Spiritual leadership
Spiritual leadershipSpiritual leadership
Spiritual leadership
 
Ethical Dilemmas in Business
Ethical Dilemmas in BusinessEthical Dilemmas in Business
Ethical Dilemmas in Business
 

Similar to Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century

Ashar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptxAshar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptxasharshaikh8
 
61370436 main-case-study
61370436 main-case-study61370436 main-case-study
61370436 main-case-studyhomeworkping4
 
Selected advanced themes in ethical hacking and penetration testing
Selected advanced themes in ethical hacking and penetration testingSelected advanced themes in ethical hacking and penetration testing
Selected advanced themes in ethical hacking and penetration testingCSITiaesprime
 
BASICS OF ETHICAL HACKING
BASICS OF ETHICAL HACKINGBASICS OF ETHICAL HACKING
BASICS OF ETHICAL HACKINGDrm Kapoor
 
Cyber Security PPT
Cyber Security PPTCyber Security PPT
Cyber Security PPTashish kumar
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...IOSR Journals
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...Ahmad Sharifi
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hackingijtsrd
 
GETTING STARTED WITH THE ETHICAL HACKING.pptx
GETTING STARTED WITH THE ETHICAL HACKING.pptxGETTING STARTED WITH THE ETHICAL HACKING.pptx
GETTING STARTED WITH THE ETHICAL HACKING.pptxBishalRay8
 
What is Ethical Hacking-defination, examples and techniques.pdf
What is Ethical Hacking-defination, examples and techniques.pdfWhat is Ethical Hacking-defination, examples and techniques.pdf
What is Ethical Hacking-defination, examples and techniques.pdfJawaidAbdulHameed
 
Cyber terrorism
Cyber terrorismCyber terrorism
Cyber terrorismNihal Jani
 
IRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and GovernmentsIRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and GovernmentsIRJET Journal
 
Module 1Introduction to cyber security.pptx
Module 1Introduction to cyber security.pptxModule 1Introduction to cyber security.pptx
Module 1Introduction to cyber security.pptxSkippedltd
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Ethical Hacking And Hacking Attacks
Ethical Hacking And Hacking AttacksEthical Hacking And Hacking Attacks
Ethical Hacking And Hacking AttacksAman Gupta
 
Module 1 (legality)
Module 1 (legality)Module 1 (legality)
Module 1 (legality)Wail Hassan
 
Vulnerability Prevention Using Ethical Hacking.pdf
Vulnerability Prevention Using Ethical Hacking.pdfVulnerability Prevention Using Ethical Hacking.pdf
Vulnerability Prevention Using Ethical Hacking.pdfMithunJV
 

Similar to Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century (20)

Ashar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptxAshar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptx
 
61370436 main-case-study
61370436 main-case-study61370436 main-case-study
61370436 main-case-study
 
Selected advanced themes in ethical hacking and penetration testing
Selected advanced themes in ethical hacking and penetration testingSelected advanced themes in ethical hacking and penetration testing
Selected advanced themes in ethical hacking and penetration testing
 
BASICS OF ETHICAL HACKING
BASICS OF ETHICAL HACKINGBASICS OF ETHICAL HACKING
BASICS OF ETHICAL HACKING
 
Cyber Security PPT
Cyber Security PPTCyber Security PPT
Cyber Security PPT
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
GETTING STARTED WITH THE ETHICAL HACKING.pptx
GETTING STARTED WITH THE ETHICAL HACKING.pptxGETTING STARTED WITH THE ETHICAL HACKING.pptx
GETTING STARTED WITH THE ETHICAL HACKING.pptx
 
What is Ethical Hacking-defination, examples and techniques.pdf
What is Ethical Hacking-defination, examples and techniques.pdfWhat is Ethical Hacking-defination, examples and techniques.pdf
What is Ethical Hacking-defination, examples and techniques.pdf
 
Cyber terrorism
Cyber terrorismCyber terrorism
Cyber terrorism
 
IRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and GovernmentsIRJET- Impact of Ethical Hacking on Business and Governments
IRJET- Impact of Ethical Hacking on Business and Governments
 
Module 1Introduction to cyber security.pptx
Module 1Introduction to cyber security.pptxModule 1Introduction to cyber security.pptx
Module 1Introduction to cyber security.pptx
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Ethical hacking1
Ethical hacking1Ethical hacking1
Ethical hacking1
 
Ethical Hacking And Hacking Attacks
Ethical Hacking And Hacking AttacksEthical Hacking And Hacking Attacks
Ethical Hacking And Hacking Attacks
 
Case Study.pdf
Case Study.pdfCase Study.pdf
Case Study.pdf
 
Module 1 (legality)
Module 1 (legality)Module 1 (legality)
Module 1 (legality)
 
Vulnerability Prevention Using Ethical Hacking.pdf
Vulnerability Prevention Using Ethical Hacking.pdfVulnerability Prevention Using Ethical Hacking.pdf
Vulnerability Prevention Using Ethical Hacking.pdf
 

Recently uploaded

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century

  • 1. Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century Aaron Varrone December 2011 Quinnipiac University- MS IT CIS 652- Advanced Topics in Information Security- Independent Study
  • 2. Varrone 1 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Contents ABSTRACT.............................................................................................................. 2 INTRODUCTION TO ETHICAL HACKING ................................................................. 3 What do Hackers do?.......................................................................................... 4 FOOTPRINTING AND RECONNAISSANCE............................................................... 5 SYSTEM HACKING.................................................................................................. 6 Types of Attacks.................................................................................................. 6 Why Cover Tracks? ............................................................................................. 8 PENETRATION TESTING......................................................................................... 8 Why Penetration Testing? .................................................................................. 8 COUNTERMEASURES............................................................................................. 9 How to defend against Footprinting? ............................................................... 10 How to defend against Password Cracking?...................................................... 10 How to defend against Privilege Escalation?..................................................... 10 How to defend against Malware? ..................................................................... 11 How to defend against Steganography? ........................................................... 11 REAL-WORLD EXAMPLES..................................................................................... 12 Hacker Boot Camp Helps Good Guys Outsmart Intruders ................................. 12 Government Agencies Seeking Code Breakers.................................................. 12 Ethical Hacking Proves to be an Excellent Test for Companies.......................... 13 Ethical Hacking Demand Helping Firm Achieve Record Profits.......................... 13 College Universities Teaching Students How to Hack........................................ 13 CONCLUSION....................................................................................................... 14 REFERENCES ........................................................................................................ 16
  • 3. Varrone 2 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century ABSTRACT As organizations in recent years continue to increase their investment into the advancements of technology to upsurge productivity and efficiently, more and more companies begin to realize that protecting of this technology is just as significant (Information Security), if not; even more important in order to protect their reputation and integrity as a company. This paper provides a comprehensive high-level view of ethical hacking, such as what it is, what it entails, and why companies hack into their own technology. Additionally, counter measures including penetration testing and real-world examples will be examined to give the reader a better understanding of ethical hacking and why it’s such an essential element of Information Security in the Information Systems/Technology field.
  • 4. Varrone 3 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century INTRODUCTION TO ETHICAL HACKING In simple terms, Ethical Hacking can be described as a process in which working professionals (in the technology field) are hired on by an organization to perform a variety of attacks to their own network, systems, and technology. The goal is quite simple, and that is to ‘break into’, also known as ‘hack’ their way into the organization’s information system where vulnerabilities are discovered and then eventually ‘patched’ so that a real attack would have no harming consequences to the company such as; data leakages, compromised systems, stolen proprietary information, and so on. Hence where the word, ‘ethical’, comes into play, as these hackers are solely hired on for this purpose. Professionals in this field include outside security consultants hired by the company or even a direct role within the company who possess expert computer skills in a wide variety of areas and systems (networks, operating systems, application programming). Ethical hackers try to answer three basic questions: what can the intruder see on the target system, what can an intruder do with the information compromised, and will anyone notice that the attack occurred? Before proceeding further, a basic understanding of the umbrella, Information Security field must be conveyed. There are three elements of Information Security: Confidentiality- assurance that the information is accessible only to those authorized to have access, Integrity- the reliability of data or resources in terms of preventing improper and unauthorized changes, and Availability- assurance that the systems responsible for delivering, storing, and processing information are accessible when required by an authorized user. (EC-Council, 2011) With this said, all three elements have a direct impact to the way in which network and system security is portrayed, which leads us to our discussion of Ethical Hacking. If all three of these elements are properly addressed and implemented during the architecture of the way in which an organization’s systems interact, then one would not have to be so concerned with their technology and securing of this technology. As companies continue to grow and expand their horizon for the need of information systems by increasing their investment on a year-to-year basis , so does the need to protect and defend their infrastructure against malicious activities, attacks, and destructive encounters. The risk of not protecting one’s information system is too extraordinary as the effects of a successful hacking attempt include: damage and theft of proprietary information, client/customer data, personal information, impeding of business operations and activities. All in which can lead to a company’s downfall. As great as the technology is that many of these companies have adapted in creating an efficient
  • 5. Varrone 4 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century operation, their lack on focusing their attention on security can contradict themselves and instead create an inefficient and ineffective use of the technology. Who is a Hacker? A hacker can be defined as an individual with superb computer skills who has the ability to create and explore into another system, which can be software programs or hardware based devices. A motive behind a hacker’s mindset is to gain knowledge or poke around to do illegal and disruptive activities that could result in monetary benefits. For some, it’s a hobby to see how many systems and networks they can control. There are four unique hacker classes: Black Hats- individuals who resort to malicious or destructive activity for malicious intent. White Hats- individuals using them for defensive purposes, also known as security analysts. Suicide Hackers- individuals who aim to bring down critical infrastructure for a “cause” and would rather be known for their destruction they commit. These individuals are not worried about facing any type of severe penalty regardless of fines or jail time sentences. Gray Hats- are individuals who work both offensively and defensively at various times whose intent is mostly for the well-being, however this is not always the case. (EC-Council, 2011) What do Hackers do? There are five phases that goes through a hacker’s mindset: Phase 1 Reconnaissance- refers to the preparatory phase where an attacker looks to gather as much information about a target as they can prior to launching an attack. Such examples include: employees’ names, phone numbers, and email addresses, system names, and software installed on these systems. There are two types of reconnaissance: Passive- which involves acquiring information without directly interacting with the target or someone affiliated with the target, such as searching for press releases or public records; and Active- which involves interacting with the target directly by any means, for instance phoning calls to the help desk or technical support center pretending to be an employee of the company.
  • 6. Varrone 5 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Phase 2 Scanning- refers to the “pre-attack phase” of when an attacker scans the network seeking specific information on the basis of information gathered during reconnaissance. Such examples include: port scanning, vulnerability scanners, and dialers. Phase 3 Gaining Access- Once access is achieved to the desired operating system, application, or network; the attacker can escalate privileges to obtain complete control of the system. Such examples include: password cracking, buffer overflows, denial of service, and session hijacking. Phase 4 Maintaining Access- After access has been attained, most hackers attempt ways in which to retain their ownership of the system/application/device. Attackers may prevent the system from being owned by other fellow hackers by securing their access exclusively with backdoors, trojans, or rookits. Attackers then use the compromised system to launch further attacks, which allows them to upload, download, or manipulate data, configuration, and applications at any given time period. Phase 5 Covering Tracks- After a hacker’s activities have been carried out, smarter attackers usually look for ways in which they can hide their malicious act by covering their tracks and hiding their own identity. This can be achieved by overwriting system, application, audit, and event logs or deleting any evidence that may lead to prosecution. (EC-Council, 2011) FOOTPRINTING AND RECONNAISSANCE Footprinting and reconnaissance are hacking methodologies used to uncover and collect as much information as possible regarding an organization’s information system. These two methods are carefully planned well ahead in time before an attack is carried out. Basic information such as a company’s DNS, IP addresses, system and network architectures, platforms, and applications used, is all prevalent information that can be gathered and collected by an hacker to help carry out the attack. While this information is collected, the hacker cautiously examines and identifies vulnerabilities that can be exploited. An ethical hacker looks to examine what information can be made available publicly by collecting information from the internet or internally and then documents the effects this may have to the organization, such as: privacy loss, corporate espionage, competitive intelligence, and information leakage. There are four types of Footprinting:
  • 7. Varrone 6 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Anonymous Footprinting- Gathering information from sources where the author of the information cannot be traced nor identified. Internet Footprinting- Collecting information about a target from the Internet. Organizational/Private Footprinting- Collecting information internally within the organization. Pseudonymous Footprinting- Collecting information that may be published under a different name in an attempt to preserve privacy and confidentiality. (EC-Council, 2011) SYSTEM HACKING There are several ways an attacker can gain access to a particular system, however each way requires the ability for an attacker to exploit a weakness, vulnerability, or even human-error. Types of Attacks Operating System Attacks- Attackers search for platform (operating system) vulnerabilities and then exploit them. Such examples include: buffer overflow, bugs and glitches, and unpatched operating systems. Application-Level/Shrink Wrap Code Attacks- Programming is complex and there are times where unsecure code is used over and over again to reduce this complexity, such as utilizing existing libraries of code. If it’s there, why reinvent the wheel? This leads to poor and nonexistent error checking in these applications which can lead to buffer overflow attacks, cross-site scripting, denial of service, SQL injection attacks, session hijacking, man-in-the-middle attacks, and so on. Misconfiguration Attacks- Misconfigured systems occur when a change is made to a file’s permission. If that’s the case, the file or application can no longer be considered as secure. Administrators are expected to change the configuration and limit authority of the devices before they are deployed to the network. Failure to do this allows the default settings to be used to attack the system. Password Cracking- Various techniques and tools are utilized to recover passwords from computer systems. Hackers can use these tools to gain unauthorized access to a vulnerable system. Most of these techniques are successful due to weak or easily guessable passwords, such as dictionary words or default
  • 8. Varrone 7 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century passwords. Such password cracking techniques include: dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, and rule-based attacks. Surprisingly an increasingly number of non-technical password stealing techniques have been reported in recent years, such as: shoulder surfing, social engineering, and dumpster diving. Spyware/Keyloggers- Refers to a program or device (software or hardware) specifically hidden to record the user’s interaction with the system without the user’s knowledge. The various types of spyware include: screen capturing spyware, USB spyware, child monitoring spyware, video spyware (secretly monitors and records webcams and video IM conversations, attacks can then be remotely viewed via the web or mobile phone), audio/cellphone spyware, GPS spyware (uses the global positioning system to determine location of a vehicle, person, or asset to which it is attached or installed to), and even print spyware. Viruses/Trojans/Worms- Are all examples of malware, unsolicited code or software on a system that in most cases allows for data breaches, backdoor access for a hacker to gain access to or executes damage that can harm the system. This type of malware is commonly created with malicious code or tools and utilities that have the ability to attack vulnerable systems (as long as the hacker knows where the vulnerability exists). Rootkits- Refers to code hidden within a kernel of the operating system that has the ability to hide itself and cover up traces of the malicious intent. More specifically, it replaces certain operating system calls and utilities with its own modified version. From there, the attacker acquires root access (above a level of administrator) to the system by installing a virus, trojan, worm, or other malware in order to exploit it. This allows the attacker to maintain undetected access to the system. Such types of rookits include: hypervisor level, kernel level, application level, hardware/firmware, and boot loader. Steganography- Is a technique consisting of hiding a secret message within an ordinary message or file and extracting it at the destination to maintain its hidden identity. The most popular use of this technique are when hackers utilize a graphic image and embedding a code within that image file to perform a malicious activity. This conceals the data within the file. Such techniques include: substitution, transform domains, cover generation, distortion, statistical, and spread spectrum. The various means of steganography besides images include: document, video, and audio steganography. (EC-Council, 2011)
  • 9. Varrone 8 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Why Cover Tracks? Most hackers, with the exception of a suicidal one, will cover their traces to avoid detection and possible jail sentence. However, this is not the only reason. By covering their track, this allows the attacker to install backdoors to gain access in the future. When this is executed, a clever hacker will usually escalate the compromised account’s privileges without documenting the system change. As previously mentioned, they can do this by manipulating the log files of an operating system or altering the event logs. Once intruders have successfully gained administrator type access on a system, they will attempt to cover their tracks in every possible way that they can, including deleting recently modified files and disabling audit logs. Disabling these logs is usually performed immediately after obtaining administrator privileges. PENETRATION TESTING Penetration testing is a method of actively evaluating the security of an information system or network by simulating an attack from a malicious source. Various security measures are analyzed for weaknesses in design, technical flaws, and vulnerabilities that can be exploited. There are two types of testing that is performed: Black box testing, which simulates an attack from someone who is unfamiliar with the system; and white box testing, which simulates an attacker that has knowledge about the system, such as an employee. The results are recorded and delivered to senior level management and technical audiences. Why Penetration Testing? Penetration testing allows the company to identify threats that may occur during the testing stage discovered in its information system or network. Companies that hire such testers have actually discovered that overall IT security costs are reduced and provides a better return on security investment (ROSI) by identifying and resolving vulnerabilities, weaknesses, and possible exploits that may have been taken advantage of if the proper security measures weren’t enforce. Additionally, companies are also seeing what type of IT security investments they really need to focus on, as oppose to investing in a large enterprise-wide security solution that covers everything, which may not always be necessary for every organization out there.
  • 10. Varrone 9 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Additionally, these professionals provide an organization with assurance of a thorough and comprehensive assessment of an organization’s security policy, procedure, controls, and how they may decide to be implemented. Many industry- wide regulations may be applied such as HIPAA (Health Insurance Portability and Accountability Act), FDA (Food Drug Administration), PCI (Personal Confidential Information); requiring specific certification and best practice security standards in order to continue business. For instance, PCI regulation requires all hard drives to be encrypted within the organization. A Penetration Tester’s Best Friend Vulnerability libraries are a penetration tester’s best friend as it documents all of the discovering vulnerabilities that have been reported by testers, users, ethical hackers, and even the programmers themselves. The majority of these vulnerabilities are design flaws that will open an operating system and its applications susceptible to an attack. These vulnerabilities are classified based on severity levels (low, medium, or high) and exploit range (remote or local). Such professionals need access to this research in order to identify and correct exposures to their respective function. Many of these vulnerabilities are documented on websites and databases available to the public, where even some of the more ‘proficient’ hackers, seek to expand those vulnerabilities to a further level. A list of vulnerability research websites are listed below:  The United States Computer Emergency Readiness Team (US-CERT) Vulnerabitlity Database (kb.cert.org)  National Vunerability Database Sponsored by DHS National Cyber Security Division (National Institute of Standards and Technology) (nvd.nist.gov)  Secunia – (secunia.com )  SecuriTeam – (securiteam.com)  SecurityTracker- (securitytracker.com) COUNTERMEASURES In conjunction with penetration testing, countermeasures are examined closely, documented, and then reviewed by the ethical hacker to improve the security posture at the company. There are several different countermeasures that are more closely scrutinized than others, including but not limited to: footprinting, defending against password cracking, defend against privilege escalation, defending against malware including session hi-jacking, networking sniffing, man-in-the-middle, denial of service, and against steganography attacks.
  • 11. Varrone 10 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century How to defend against Footprinting? Defending against footprinting includes: configuring routers and access control list (ACL) to restrict the responses to footprinting request, implement/configure IDS (Intrusion Detection System) to refuse suspicious traffic picked up in patterns, locking down ports with a suitable firewall configuration, configuring web servers to avoid information leakage, and lastly disable unwanted protocols. Ethical hackers will additionally document and evaluate the content of information made available publicly and work to remove any sensitive information discovered such as their network architecture, applications, employees, and/or email addresses. (EC-Council, 2011) How to defend against Password Cracking? By incorporating strict password guidelines within an organization’s security policy, hackers will have that much more of a difficult time of successfully being able to crack a password. These guidelines should include: requiring user’s to use a combination of alphanumeric characters along with upper and lowercase numbers, letters, and symbols. Additionally, by requiring users to change their password on a more frequent basis- such as 30 days, this will help alleviate hackers from returning to an account or system that has been compromised at one point in time. There should be additional effort and resources available for monitoring system logs or alarming events for possible attacks as well. How to defend against Privilege Escalation? As described above, once hackers obtain access to a system or account, they will seek ways to escalate their privileges to that similar of an administrator. Therefore, countermeasures to defend against the ability for them to escalate privileges is examined:  Use encryption as much as possible and wherever it can be done. Not all systems, applications, devices have the ability to encrypt their data; but one level of encryption (for instance, on a user’s workstations) will make it that much more difficult for an intruder to gain access to.  Systems should be patched on a continuing basis as patching cycles never end and there will always be room to resolve vulnerabilities, bugs, and other fixes in an application or operating system.
  • 12. Varrone 11 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century  Run services within a system’s environment as an “unprivileged” account, this way if this account does become compromised, the intruder can’t do much since access is restricted.  Restrict interactive logon privileges and run users and applications on the least possible privileges.  Implement multi-factor authentication and authorization such as biometrics and token keys. If an intruder only has compromised one authentication type in a multi-factor verification environment, the hacker is left with the same result as when they first started, and that’s clearly no system access. (EC-Council, 2011) How to defend against Malware? Malware and other unsolicited software can be tricky at times if the malicious files are not detected by an anti-virus product, which in this case would be known as a zero-day threat. In any circumstance to help alleviate the issue and reduce risk; install, maintain, administer, and update the anti-virus product within the environment. This includes updates to signature files, scan engine versions, program versions, patches and hot fixes releases. Additionally by installing and administering a personal and enterprise firewall with application and device control policies and restrict and limit web-access, can all diminish the company’s risk from exposure. How to defend against Steganography? Steganography is one of the more difficult types of attacks to defend against as code is hidden and embedded into an existing application or file. Since these types of attacks are performed in the background, an ordinary user or even a computer expert may have trouble ‘noticing’ if anything has been altered before the file or application was changed. The best ways to defend against these type of attacks is to use steganography detection tools that specifically look for these changes from file to file and application to application. These tools are also known as file integrity verification checks. One of the more common steganography detection tools used is a product called Stego Watch.
  • 13. Varrone 12 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century REAL-WORLD EXAMPLES The number of information security professionals in the workforce continues to rise as companies have realized that as their usage of technology continues to grow, so does the risk associated with using the technology. Technology is becoming much more complex with the advancements that are made which further complicates how attacks are performed and ultimately carried out by an intruder. With this said, below are some real-life examples of how organizations (including: government agencies and non-for-profit such as universities) have utilized ethical hacking tactics to protect their technology from being hacked into, breached, and ultimately compromised. Hacker Boot Camp Helps Good Guys Outsmart Intruders Rudy Chavez, a former Unix system administrator, employed by IT services firm Booz Allen Hamilton, became a certified ethical hacker one month later. The company that he was employed for decided they would benefit by having a ‘hacker of their own’ to help outsmart other cybercriminals at their own game, sending Chavez off to an ethical hacking boot camp. During the boot camp, which consisted of a combination of classroom instruction and computer-lab time, Chavez learned how legitimate tools, technologies, and techniques are being issued for illegal activities and hostile purposes. Chavez claims that the sophistication and pervasiveness of the tools out there allows for great havoc and that although generally the IT security field takes a defensive approach, the training has lead him to take an offensive posture and help him understand how these attacks happen. (Information Week, 2005) Government Agencies Seeking Code Breakers Even government agencies are searching for hacking talent. According to the Toronto Star, a widely recognized newspaper in Canada, reports that a British spy agency is using an anonymous code-breaking web page to recruit self-taught hackers that they might not have found otherwise. The page was launched in November of 2011. A spokesman for the U.K.’s Government Communications Headquarters even admitted that recruiting Oxford and Cambridge graduates is not always in the best interest for the agency. They also claim that most cyber- specialists enter their organization as graduates, however with the quickly evolving world of cybercrime, they feel it’s essential to look for candidates who may be self- taught but have a keen interest in code-breaking and ethical hacking. (Taylor, 2011)
  • 14. Varrone 13 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Ethical Hacking Proves to be an Excellent Test for Companies As the growth of extortion attempts by hackers against firms continue to rise at an alarming rate, Mark Hanvey, Chief Security Officer of Cable & Wireless, U.K.’s second largest fixed line telecommunications operator, states that he is encouraged to see companies investing in ethical hacking to protect their commercial assets. He states that ethical hacking is an excellent test for systems and is helping out companies, however he urges that risk can never be eliminated, only minimized, which is done by putting in effective monitoring and counter measures tactics, such as around the clock monitoring. As long as companies continue to invest in effective information security systems, and this starts with hacking your own; organizations can stay away from being on the news the next day about a possible data breach. (Hanvey, 2005) Ethical Hacking Demand Helping Firm Achieve Record Profits A computer service company hired by large corporations for their expert in security consulting, NCC, has achieved record profits thanks to the increase demand for its ethical hacking services. These companies are hiring the firm for them to hack into their own systems so that vulnerabilities can be found. Rob Cotton, chief executive of the firm has stated that because of the nature of the economy, many companies are seeing an alarming number of increase in threats. The Financial Times reports that revenue has risen to 31 percent because of this service, which only very few companies have to offer. (Stafford, 2006) College Universities Teaching Students How to Hack A study conducted in 2007 revealed that the average computer is attacked by hackers more than 2,200 times a day which comes out to about once every 40 seconds and that hackers have stolen an estimated $49 billion in the United States alone in 2006. Geoffrey Lund, leader of the software-applications program at University of Abertary Dundee in Scotland has stated that he has helped design a new course to teach students on how to hack and defend against network systems. Although classes that teach hacking techniques are rare and controversial as administrators at the school were nervous about teaching such potential destructive techniques, he claims that ethics are also covered in the classroom, and that they do conduct background checks on students beforehand as a prerequisite. Lund states that the course prepares students for a rapidly growing job market by teaching that the best defense is a good offense. The class is set up with a network of
  • 15. Varrone 14 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century approximately 20 computers isolated from the rest of the university system where the students then practice hacking into or even bringing down the network. By hacking into these systems and network, students are able to learn about weaknesses of an intuition’s system. Alexander Graham, an experienced information technology professional who even enrolled in the course had stated that he is shocked by how much damage a malicious hacker can do. He claims the course is extremely helpful and believes in the philosophy of “Know thy enemy, then you can defeat them” at their own game. (Vance, 2007) CONCLUSION Ethical Hacking is a growing trend that appears to be on all types of organizations’ radar. As evident from this study, we see a large number of money invested to ensure that they are protected against risks associated with hacking attacks. The increasing alarming number of attacks against these organizations are well known and the losses can be easily quantified. As hacking involves creative thinking; vulnerability testing and security audits cannot guarantee that an information system is secure. To rebuttal this, organizations must implement a defense in depth strategy by penetrating into their own systems and network. Ethical hacking becomes necessary as it allows one to counter the attack and reverse engineer malicious attackers by anticipating methods they used to launch an attack and break into a system. An ethical hacker can only help the organization better understand their system from a security perspective, however it is still up to the organization to place the right guards around the technology. Securing of these information systems does comes with its challenges. For instance, compliance to government laws and regulations must be followed and maintained. Companies (depending on the industry) must be willing to spend vast amounts of dollars on education, training, and awareness in order to stay in compliance. Such industries for example have strict laws that prevent data from being outsourced outside the country (or if it is outsourced, requires the use of encryption), similar to sensitive personal information. Other industries may require certain security measures in placed in order to continue business operations. These regulations add another challenge to security, ensuring that the proper measures are being enforced. Additionally, it is difficult to centralize security in a distributed computing environment as the evolution of technology evolves, so does the complexity in administering, managing, and monitoring sophisticated and complex attacks. As we turn everything we do into the palm of our hands; mobile security, adaptive
  • 16. Varrone 15 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century authentication, and social media strategies from an offensive and defensive perspective are only the stepping stones on what’s next to expect in the digital age that we live in today. “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” –Stephen Hawking, Theoretical Physicist and Cosmologist
  • 17. Varrone 16 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century REFERENCES EC-Council. (2011). Ethical Hacking and Countermeasures v7.1 Course. Hanvey, M. (2005, June 22). Ethical Hacking An Excellent Test of Mettle for Security Systems. The Financial Times, p. 16. Information Week. (2005, June 23). Hacker Boot Camp Helps Good Guys Outsmart Internet Troublemakers; The number of IT security professionals is expected to grow to nearly 800,000 by 2008, and more of them need to think like hackers to be effective. Information Week. Stafford, P. (2006, July 19). NCC Ethically Hacks its Way to Record. The Financial Times, p. 24. Taylor, L. C. (2011, December 2). British spies recruit 'ethical hackers'. Toronto Star. Vance, E. (2007, April 13). Students at the University of Abertay Dundee Learn Computer Hacking to Defend Networks. The Chronicle of Higher Education.