Ethical Hacking
A high-level information security study on protecting a company’s information system infrastructure in the 21st century
Aaron Varrone
December 2011
Quinnipiac University - MS IT
CIS 652 - Advanced Topics in Information Security - Independent Study
Varrone 1 | Page
Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century
Contents
ABSTRACT, page 2
INTRODUCTION TO ETHICAL HACKING, page 3
    Who is a Hacker?, page 4
    What do Hackers do?, page 4
FOOTPRINTING AND RECONNAISSANCE, page 5
SYSTEM HACKING, page 6
    Types of Attacks, page 6
    Why Cover Tracks?, page 8
PENETRATION TESTING, page 8
    Why Penetration Testing?, page 8
    A Penetration Tester’s Best Friend, page 9
COUNTERMEASURES, page 9
    How to defend against Footprinting?, page 10
    How to defend against Password Cracking?, page 10
    How to defend against Privilege Escalation?, page 10
    How to defend against Malware?, page 11
    How to defend against Steganography?, page 11
REAL-WORLD EXAMPLES, page 12
    Hacker Boot Camp Helps Good Guys Outsmart Intruders, page 12
    Government Agencies Seeking Code Breakers, page 12
    Ethical Hacking Proves to be an Excellent Test for Companies, page 13
    Ethical Hacking Demand Helping Firm Achieve Record Profits, page 13
    College Universities Teaching Students How to Hack, page 13
CONCLUSION, page 14
REFERENCES, page 16
ABSTRACT
As organizations continue to increase their investment in technology to raise productivity and efficiency, more and more companies are realizing that protecting that technology (information security) is just as important, if not more so, in order to protect their reputation and integrity as a company.
This paper provides a high-level view of ethical hacking: what it is, what it entails, and why companies hack into their own technology. Countermeasures, penetration testing, and real-world examples are also examined to give the reader a better understanding of ethical hacking and why it is such an essential element of information security in the information systems/technology field.
INTRODUCTION TO ETHICAL HACKING
In simple terms, ethical hacking is a process in which technology professionals are hired by an organization to perform a variety of attacks against that organization’s own network, systems, and technology. The goal is simple: to ‘break into’, or ‘hack’, the organization’s information system so that vulnerabilities are discovered and then patched before a real attack can cause harm to the company, such as data leakage, compromised systems, or stolen proprietary information. This is where the word ‘ethical’ comes into play: these hackers are hired solely for this purpose, with the organization’s authorization. Professionals in this field include outside security consultants hired by the company as well as staff in a direct role within the company, and they possess expert skills across a wide variety of areas and systems (networks, operating systems, application programming). Ethical hackers try to answer three basic questions: what can an intruder see on the target system, what can an intruder do with the information compromised, and will anyone notice that the attack occurred?
Before proceeding further, a basic understanding of the umbrella field, information security, must be conveyed. There are three elements of information security:
Confidentiality- assurance that information is accessible only to those authorized to have access.
Integrity- the reliability of data or resources in terms of preventing improper and unauthorized changes.
Availability- assurance that the systems responsible for delivering, storing, and processing information are accessible when required by an authorized user.
(EC-Council, 2011)
With this said, all three elements directly shape how network and system security is designed, which leads to our discussion of ethical hacking. If all three elements are properly addressed when the way an organization’s systems interact is architected, securing that technology afterwards becomes far less of a burden, although it never disappears entirely. As companies grow and increase their year-over-year investment in information systems, so does the need to protect and defend that infrastructure against malicious activity, attacks, and destructive encounters.
The risk of not protecting an information system is too great: the effects of a successful attack include damage to and theft of proprietary information, client/customer data, and personal information, and disruption of business operations and activities, any of which can lead to a company’s downfall. As valuable as the technology is that these companies have adopted to create an efficient operation, a lack of attention to security can undermine it and turn the technology into an inefficient and ineffective investment.
Who is a Hacker?
A hacker can be defined as an individual with superb computer skills who has the ability to create and explore another system, whether software or hardware. The motive behind a hacker’s mindset may be to gain knowledge, or to poke around in order to carry out illegal and disruptive activities that could yield monetary gain. For some, it is a hobby to see how many systems and networks they can control. There are four hacker classes:
Black Hats- individuals who use their skills for malicious or destructive activity.
White Hats- individuals who use the same skills for defensive purposes; also known as security analysts.
Suicide Hackers- individuals who aim to bring down critical infrastructure for a “cause” and would rather be known for the destruction they commit. These individuals are not worried about facing severe penalties, whether fines or prison sentences.
Gray Hats- individuals who work both offensively and defensively at various times; their intent is usually benign, but this is not always the case.
(EC-Council, 2011)
What do Hackers do?
There are five phases in a hacker’s approach to a target:
Phase 1 Reconnaissance- the preparatory phase in which an attacker gathers as much information about a target as possible before launching an attack. Examples include employees’ names, phone numbers, and email addresses, system names, and the software installed on those systems. There are two types of reconnaissance: passive, which involves acquiring information without directly interacting with the target or anyone affiliated with it, such as searching press releases or public records; and active, which involves interacting with the target directly by any means, for instance phoning the help desk or technical support center while pretending to be an employee of the company.
Phase 2 Scanning- the “pre-attack phase”, in which the attacker probes the network for specific information on the basis of what was gathered during reconnaissance. Examples include port scanners, vulnerability scanners, and war dialers.
Phase 3 Gaining Access- the attacker exploits a weakness found during scanning to get into the operating system, application, or network, and then typically escalates privileges to obtain complete control of the system. Examples include password cracking, buffer overflows, session hijacking, and denial of service (the last disrupts a service rather than granting access, but the EC-Council material groups it in this phase).
Phase 4 Maintaining Access- after access has been attained, most hackers look for ways to retain ownership of the system, application, or device. Attackers may secure their access exclusively, even against other hackers, with backdoors, trojans, or rootkits. They then use the compromised system to launch further attacks, and can upload, download, or manipulate data, configuration, and applications at any time.
Phase 5 Covering Tracks- after the attacker’s activities have been carried out, smarter attackers look for ways to hide their malicious acts and their own identity. This can be achieved by overwriting or deleting system, application, audit, and event logs and any other evidence that could lead to prosecution.
(EC-Council, 2011)
FOOTPRINTING AND RECONNAISSANCE
Footprinting and reconnaissance are hacking methodologies used to uncover and collect as much information as possible about an organization’s information system. They are carefully planned well ahead of the attack itself. Basic information such as a company’s DNS records, IP address ranges, system and network architecture, platforms, and the applications in use is all information a hacker can gather to help carry out the attack. While collecting this information, the hacker carefully examines it and identifies vulnerabilities that can be exploited. An ethical hacker likewise examines what information is publicly available, collecting it from the internet or internally, and then documents the effects this exposure may have on the organization, such as privacy loss, corporate espionage, competitive intelligence, and information leakage.
There are four types of footprinting:
Anonymous Footprinting- gathering information from sources where the author of the information cannot be traced or identified.
Internet Footprinting- collecting information about a target from the Internet.
Organizational/Private Footprinting- collecting information internally within the organization.
Pseudonymous Footprinting- collecting information that may have been published under a different name in an attempt to preserve privacy and confidentiality.
(EC-Council, 2011)
SYSTEM HACKING
There are several ways an attacker can gain access to a particular system; each of them requires the attacker to exploit a weakness, a vulnerability, or human error.
Types of Attacks
Operating System Attacks- attackers search for platform (operating system) vulnerabilities and then exploit them. Examples include buffer overflows, bugs and glitches, and unpatched operating systems.
Application-Level/Shrink Wrap Code Attacks- programming is complex, and insecure code is often reused to reduce that complexity, for example by pulling in existing libraries. If it is there, why reinvent the wheel? The result is poor or nonexistent input validation and error checking in these applications, which leads to buffer overflow attacks, cross-site scripting, denial of service, SQL injection, session hijacking, man-in-the-middle attacks, and so on.
Misconfiguration Attacks- misconfigured systems arise when default settings, file permissions, or service configurations are left as shipped or are changed carelessly; once that happens, the file or application can no longer be considered secure. Administrators are expected to change the default configuration and limit the authority of devices before they are deployed to the network. Failure to do so allows the default settings to be used to attack the system.
Password Cracking- various techniques and tools are used to recover passwords from computer systems, and hackers use the same tools to gain unauthorized access to a vulnerable system. Most of these techniques succeed because of weak or easily guessable passwords, such as dictionary words or default passwords. Password cracking techniques include dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, and rule-based attacks. An increasing number of non-technical password stealing techniques have also been reported in recent years, such as shoulder surfing, social engineering, and dumpster diving.
Spyware/Keyloggers- a program or device (software or hardware) hidden specifically to record the user’s interaction with the system without the user’s knowledge. Types of spyware include screen-capturing spyware, USB spyware, child-monitoring spyware, video spyware (which secretly monitors and records webcams and video IM conversations; the recordings can then be viewed remotely via the web or a mobile phone), audio/cellphone spyware, GPS spyware (which uses the global positioning system to determine the location of the vehicle, person, or asset to which it is attached or installed), and even print spyware.
Viruses/Trojans/Worms- all examples of malware, unsolicited code or software on a system that in most cases enables data breaches, gives a hacker backdoor access, or causes damage to the system. Such malware is commonly built with malicious code or with tools and utilities that can attack vulnerable systems (as long as the hacker knows where the vulnerability exists).
Rootkits- code, often placed within the operating system kernel, that hides itself and covers the traces of malicious activity; more specifically, it replaces certain operating system calls and utilities with its own modified versions. A rootkit is installed after the attacker has already obtained root (administrator-equivalent) access through some other exploit, virus, trojan, or worm; its purpose is to let the attacker keep that access undetected. Types of rootkits include hypervisor level, kernel level, application level, hardware/firmware, and boot loader.
Steganography- a technique for hiding a secret message within an ordinary message or file so that it can be extracted at the destination while remaining unnoticed in transit. The most popular use by attackers is to take an image file and embed code or data within it, which conceals the payload inside an innocuous file. Techniques include substitution (for example, overwriting the least significant bits of pixel values), transform domain, cover generation, distortion, statistical, and spread spectrum. Besides images, steganography can use documents, video, and audio as carriers.
(EC-Council, 2011)
Why Cover Tracks?
Most hackers, with the exception of a suicide hacker, will cover their traces to avoid detection and a possible jail sentence. This is not the only reason, however. Covering their tracks also lets the attacker install backdoors for future access without those backdoors being noticed. A clever hacker will usually escalate the compromised account’s privileges and hide the system change, for example by manipulating the operating system’s log files or altering the event logs. Once intruders have gained administrator-level access on a system, they will attempt to cover their tracks in every way they can, including deleting recently modified files and disabling audit logs. Disabling the logs is usually performed immediately after obtaining administrator privileges, which is itself a useful detection signal: a sudden halt in audit events from a host, or a cleared event log, should be treated as suspicious rather than as a benign gap.
PENETRATION TESTING
Penetration testing is a method of actively evaluating the security of an information system or network by simulating an attack from a malicious source. Security measures are analyzed for weaknesses in design, technical flaws, and vulnerabilities that can be exploited. Two types of testing are commonly performed: black box testing, which simulates an attack from someone who is unfamiliar with the system; and white box testing, which simulates an attacker who has knowledge of the system, such as an employee. The results are recorded and delivered both to senior-level management and to technical audiences.
Why Penetration Testing?
Penetration testing allows the company to identify the vulnerabilities and threats in its information system or network before a real attacker does. Companies that hire such testers have found that overall IT security costs are reduced and that a better return on security investment (ROSI) is achieved by identifying and resolving vulnerabilities, weaknesses, and possible exploits that would otherwise have been taken advantage of. Additionally, companies see which IT security investments they really need to focus on, as opposed to investing in a large enterprise-wide security solution that covers everything, which is not necessarily appropriate for every organization.
Additionally, these professionals provide an organization with assurance of a thorough and comprehensive assessment of its security policy, procedures, and controls, and of how they have been implemented. Many industry-wide regulations and standards may apply, such as HIPAA (Health Insurance Portability and Accountability Act), FDA (Food and Drug Administration) requirements, and PCI DSS (Payment Card Industry Data Security Standard), which require specific certifications and best-practice security standards in order to continue doing business. For instance, PCI DSS requires that cardholder data be rendered unreadable anywhere it is stored, typically through strong encryption; it does not require every hard drive in the organization to be encrypted, and full-disk encryption on its own does not automatically satisfy the requirement.
A Penetration Tester’s Best Friend
Vulnerability databases are a penetration tester’s best friend, as they document the vulnerabilities that have been reported by testers, users, ethical hackers, and even the programmers themselves. Many of these vulnerabilities are design flaws that leave an operating system and its applications susceptible to attack. They are classified by severity level (low, medium, or high) and by exploit range (remote or local). Professionals need access to this research in order to identify and correct exposures in their respective areas. Many of these vulnerabilities are documented on websites and databases available to the public, where some of the more ‘proficient’ hackers also look, seeking to take those vulnerabilities further.
A list of vulnerability research websites is given below:
The United States Computer Emergency Readiness Team (US-CERT) Vulnerability Notes Database (kb.cert.org)
National Vulnerability Database, sponsored by the DHS National Cyber Security Division and maintained by the National Institute of Standards and Technology (nvd.nist.gov)
Secunia (secunia.com)
SecuriTeam (securiteam.com)
SecurityTracker (securitytracker.com)
COUNTERMEASURES
In conjunction with penetration testing, countermeasures are examined closely, documented, and then reviewed by the ethical hacker to improve the security posture of the company. Several countermeasures receive closer scrutiny than others, including but not limited to: defending against footprinting, password cracking, privilege escalation, malware (including session hijacking, network sniffing, man-in-the-middle, and denial of service), and steganography attacks.
How to defend against Footprinting?
Defending against footprinting includes: configuring routers and access control lists (ACLs) to restrict responses to footprinting requests; implementing and configuring an IDS (intrusion detection system) to flag suspicious traffic patterns; locking down ports with a suitable firewall configuration; configuring web servers to avoid information leakage (version banners, verbose error pages, directory listings); and disabling unwanted protocols. Ethical hackers will additionally document and evaluate the content of information made publicly available and work to remove any sensitive information discovered, such as network architecture, applications in use, employee names, and email addresses.
(EC-Council, 2011)
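The “configure web servers to avoid information leakage” item is the one an ethical hacker can verify mechanically. The following added example (written for this edit, not part of the paper or of EC-Council’s material) parses raw HTTP responses and flags the headers and body patterns that footprinting tools harvest: product/version banners, framework headers, verbose error pages, and directory listings. The two responses it checks are constructed; the header names are real ones that common servers and frameworks emit.

```python
# Added example, not from the paper: a check over raw HTTP responses for the
# information leaks footprinting relies on. Both sample responses are constructed.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                 "x-aspnetmvc-version", "x-generator")
ERROR_MARKERS = ("Traceback (most recent call last)", "Stack Trace:", "<address>",
                 "at System.", "ODBC", "mysql_")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def reveals_version(value):
    # 'Apache' names a product family; 'Apache/2.2.22 (Ubuntu)' is a fingerprint.
    return "/" in value or "(" in value or any(ch.isdigit() for ch in value)


def find_leaks(raw):
    """Return a list of findings; an empty list means nothing worth footprinting."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in LEAKY_HEADERS:
        if name in headers:
            value = headers[name]
            if name == "server" and not reveals_version(value):
                continue  # a bare product name leaks little; a version string leaks a lot
            findings.append(f"header {name}: {value}")
    for marker in ERROR_MARKERS:
        if marker in body:
            findings.append(f"body: verbose error page ({marker!r})")
            break
    if "Index of /" in body:
        findings.append("body: directory listing enabled")
    return findings


# Constructed responses: the first is what a default install typically returns on
# an error, the second is the same error after the server has been hardened.
LEAKY_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<h1>Internal Server Error</h1>\n"
    b"<address>Apache/2.2.22 (Ubuntu) Server at www.example.com Port 80</address>\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<h1>Something went wrong. Reference: 4f2a</h1>\n"
)

if __name__ == "__main__":
    for label, raw in (("default", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, find_leaks(raw) or "no leaks")
```

On Apache the hardened response corresponds to `ServerTokens Prod` and `ServerSignature Off`; on nginx to `server_tokens off`; for PHP to `expose_php = Off`. These settings remove the free information only: a determined attacker can still fingerprint a server from its behaviour (header ordering, error formatting, TCP/IP characteristics), so banner suppression is a cost-raising measure, not a guarantee.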
How to defend against Password Cracking?
By incorporating strict password guidelines into an organization’s security policy, hackers will have a much harder time cracking a password. These guidelines should include requiring users to use a combination of upper- and lowercase letters, numbers, and symbols, and, more importantly, a sufficient length, since a short password that merely mixes character classes is still within reach of dictionary and hybrid attacks. Additionally, requiring users to change their password on a regular basis, such as every 30 days, helps prevent a hacker from returning to an account that was compromised at some point in time; note, however, that current guidance (NIST SP 800-63B) recommends forcing a change when compromise is suspected rather than on a fixed schedule, because routine rotation tends to produce predictable variations of the old password. There should also be effort and resources available for monitoring system logs and alerting on events that indicate possible attacks, such as repeated failed logins across many accounts.
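The following added example (written for this edit; not the paper’s code, and not a real cracking tool) serves both the password-cracking entry under “Types of Attacks” and this countermeasure section. It implements the dictionary, hybrid and rule-based techniques named there against a constructed set of salted hashes, then applies the kind of complexity policy this section describes to the same passwords. The wordlist, user records, salts and mangling rules are all assumptions made for the illustration; the hashes are plain salted SHA-256 so the block runs offline, whereas a real password store would use a slow KDF (bcrypt, scrypt or Argon2), which raises the cost per guess but does not change the attack logic.

```python
import hashlib
import os

# Added example (not from the paper). Wordlist, suffix rules, accounts and
# salts are all constructed for this illustration.
WORDLIST = ["password", "welcome", "summer", "quinnipiac", "letmein"]
SUFFIXES = ["1", "123", "!", "2011", "1!"]


def hash_password(password, salt):
    # Salted SHA-256 stands in for a slow KDF so the example runs instantly.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def leetspeak(word):
    return word.translate(str.maketrans("aeio", "@310"))


def mangle(word):
    """Hybrid / rule-based candidates from one dictionary word: case rules,
    leetspeak substitution and appended digits or symbols."""
    bases = [word, word.capitalize(), word.upper(),
             leetspeak(word), leetspeak(word).capitalize()]
    seen = set()
    for base in bases:
        for cand in [base] + [base + s for s in SUFFIXES]:
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(records, wordlist):
    """records: iterable of (username, salt, hexdigest).
    Returns {username: password} for every hash a candidate reproduces."""
    found = {}
    for username, salt, digest in records:
        for cand in (c for w in wordlist for c in mangle(w)):
            if hash_password(cand, salt) == digest:
                found[username] = cand
                break
    return found


def character_classes(password):
    """How many of lower/upper/digit/other appear: the usual 'complexity' test."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def meets_policy(password, min_length=8, min_classes=3):
    """A policy of the kind the paper recommends (assumed thresholds)."""
    return len(password) >= min_length and character_classes(password) >= min_classes


def demo():
    # Constructed accounts: two 'complex-looking' passwords built from a
    # dictionary word plus common rules, and one long passphrase.
    users = {"alice": "Welcome123",
             "bob": "P@ssw0rd!",
             "carol": "correct horse battery staple"}
    records = []
    for name, password in users.items():
        salt = os.urandom(16)
        records.append((name, salt, hash_password(password, salt)))
    return dictionary_attack(records, WORDLIST)


if __name__ == "__main__":
    cracked = demo()
    for user, password in cracked.items():
        print(f"{user}: cracked -> {password!r}, meets_policy={meets_policy(password)}")
    print("carol cracked?", "carol" in cracked,
          "| meets_policy:", meets_policy("correct horse battery staple"))
```

The outcome is the caveat a practitioner needs: `P@ssw0rd!` passes an eight-character, three-class policy and falls to the very first dictionary word plus two rules, while the passphrase fails the class count and survives, because nothing in the wordlist produces it. Length and unpredictability are what the attacker actually pays for; a class count is only a proxy, and a weak one, which is why screening new passwords against a wordlist-with-rules is a stronger control than counting symbols.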
How to defend against Privilege Escalation?
As described above, once hackers obtain access to a system or account, they will seek ways to escalate their privileges to those of an administrator. Countermeasures that make that escalation harder include:
Use encryption as much as possible and wherever it can be done. Not all systems, applications, and devices are able to encrypt their data, but even one layer of encryption (for instance, on users’ workstations) makes it that much more difficult for an intruder to get at the data once inside.
Patch systems on a continuing basis; patching cycles never end, and there will always be vulnerabilities, bugs, and other fixes to apply to an application or operating system.
Run services as “unprivileged” accounts, so that if a service account is compromised the intruder cannot do much, since its access is restricted.
Restrict interactive logon privileges, and run users and applications with the least privilege possible.
Implement multi-factor authentication and authorization, such as biometrics and hardware tokens. If an intruder has compromised only one factor in a multi-factor environment, the hacker is left where they started: with no system access.
(EC-Council, 2011)
How to defend against Malware?
Malware and other unsolicited software can be tricky when the malicious files are not yet detected by the anti-virus product, as is the case with a zero-day threat for which no signature exists. In any case, to help alleviate the issue and reduce risk: install, maintain, administer, and update the anti-virus product within the environment. This includes updates to signature files, scan-engine versions, program versions, patches, and hot-fix releases. Additionally, installing and administering personal and enterprise firewalls with application and device control policies, and restricting and limiting web access, all diminish the company’s exposure.
How to defend against Steganography?
Steganography is one of the more difficult attacks to defend against, because the payload is hidden inside an otherwise ordinary file, such as an image, that looks and behaves normally. Since the change is invisible in normal use, an ordinary user or even a computer expert may have trouble ‘noticing’ that anything has been altered. Two complementary defenses exist. Steganalysis tools look for the statistical traces that embedding leaves in a file, such as anomalies in the least-significant bits of image data; one of the more common commercial products of this type is Stego Watch. File integrity verification, which compares a file’s current cryptographic hash with a known-good baseline, is a separate control: it cannot tell what was hidden, but it reliably flags that a file under its watch has changed at all.
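The following added example (written for this edit; not the paper’s code and unrelated to Stego Watch) serves both the steganography entry under “Types of Attacks” and this section. It performs least-significant-bit substitution into a constructed 8-bit grayscale image held in memory, recovers the hidden message, and then shows why the change is invisible (no pixel moves by more than one level) yet is caught by a hash-based integrity check against a baseline. The cover image, the message and the file name are all constructed.

```python
import hashlib

# Added example, not from the paper. The "image" is a synthetic 8-bit grayscale
# pixel buffer generated in memory so that no image library is required.


def make_cover(width=64, height=64, seed=7):
    """Deterministic pseudo-random pixels standing in for a photograph (constructed)."""
    pixels = bytearray()
    x = seed
    for _ in range(width * height):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF  # simple LCG, cover data only
        pixels.append((x >> 16) & 0xFF)
    return bytes(pixels)


def embed_lsb(cover, message):
    """LSB substitution: a 4-byte length header followed by the message,
    one bit per pixel, overwriting only the least significant bit."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Read the length header, then that many bytes, from the pixel LSBs."""
    def read_bytes(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def max_pixel_delta(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def integrity_check(baseline, name, data):
    """File-integrity verification: does the current hash match the baseline?"""
    return baseline.get(name) == sha256(data)


def demo():
    cover = make_cover()
    baseline = {"logo.raw": sha256(cover)}          # recorded before deployment
    stego = embed_lsb(cover, b"meet at 0300")       # attacker's hidden payload
    return {
        "recovered": extract_lsb(stego),
        "max_pixel_delta": max_pixel_delta(cover, stego),
        "bytes_changed": sum(1 for x, y in zip(cover, stego) if x != y),
        "cover_passes": integrity_check(baseline, "logo.raw", cover),
        "stego_passes": integrity_check(baseline, "logo.raw", stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Only the first 128 of 4,096 pixels are touched, and each by at most one gray level, which is why neither a viewer nor a byte-size check notices anything; the SHA-256 comparison, by contrast, fails on the first flipped bit. The limitation is equally clear from the code: the check only works for files that have a baseline, so it protects an organization’s own assets from being turned into carriers but says nothing about an image that arrives from outside, which is the case that needs steganalysis.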
REAL-WORLD EXAMPLES
The number of information security professionals in the workforce continues to rise, as companies have realized that as their use of technology grows, so does the risk associated with it. Technology is becoming more complex with each advancement, which further complicates how attacks are performed and ultimately carried out by an intruder.
With this said, below are some real-life examples of how organizations (including government agencies and not-for-profits such as universities) have used ethical hacking to protect their technology from being hacked into, breached, and ultimately compromised.
Hacker Boot Camp Helps Good Guys Outsmart Intruders
Rudy Chavez, a Unix system administrator employed by IT services firm Booz Allen Hamilton, became a certified ethical hacker a month after his company, deciding it would benefit from having a ‘hacker of its own’ to beat cybercriminals at their own game, sent him to an ethical hacking boot camp. During the boot camp, which combined classroom instruction with computer-lab time, Chavez learned how legitimate tools, technologies, and techniques are being used for illegal activities and hostile purposes. Chavez says the sophistication and pervasiveness of the tools out there allow for great havoc and that, although the IT security field generally takes a defensive approach, the training has led him to take an offensive posture and helped him understand how these attacks happen.
(Information Week, 2005)
Government Agencies Seeking Code Breakers
Even government agencies are searching for hacking talent. The Toronto Star, a widely recognized newspaper in Canada, reports that a British spy agency is using an anonymous code-breaking web page to recruit self-taught hackers it might not otherwise have found. The page was launched in November 2011. A spokesman for the U.K.’s Government Communications Headquarters even admitted that recruiting only Oxford and Cambridge graduates is not always in the agency’s best interest. They also note that most cyber specialists enter the organization as graduates, but with the quickly evolving world of cybercrime they feel it is essential to look for candidates who may be self-taught but have a keen interest in code-breaking and ethical hacking.
(Taylor, 2011)
Ethical Hacking Proves to be an Excellent Test for Companies
As extortion attempts by hackers against firms continue to rise at an alarming rate, Mark Hanvey, Chief Security Officer of Cable & Wireless, the U.K.’s second-largest fixed-line telecommunications operator, says he is encouraged to see companies investing in ethical hacking to protect their commercial assets. He states that ethical hacking is an excellent test of systems and is helping companies, but he cautions that risk can never be eliminated, only minimized, and that this is done by putting effective monitoring and countermeasures in place, such as around-the-clock monitoring. As long as companies continue to invest in effective information security, starting with hacking their own systems, organizations can avoid being in the news the next day over a data breach.
(Hanvey, 2005)
Ethical Hacking Demand Helping Firm Achieve Record Profits
NCC, a computer services company hired by large corporations for its expertise in security consulting, has achieved record profits thanks to increased demand for its ethical hacking services. Companies hire the firm to hack into their own systems so that vulnerabilities can be found. Rob Cotton, the firm’s chief executive, has stated that because of the state of the economy, many companies are seeing an alarming increase in threats. The Financial Times reports that revenue has risen 31 percent because of this service, which only very few companies offer.
(Stafford, 2006)
Universities Teaching Students How to Hack
A study conducted in 2007 revealed that the average computer is attacked by hackers
more than 2,200 times a day, roughly once every 40 seconds, and that hackers stole an
estimated $49 billion in the United States alone in 2006. Geoffrey Lund, leader of the
software-applications program at the University of Abertay Dundee in Scotland, has
stated that he helped design a new course to teach students how to hack into, and how
to defend, network systems. Classes that teach hacking techniques are rare and
controversial, and administrators at the school were nervous about teaching such
potentially destructive techniques; Lund points out that ethics are also covered in
the classroom and that students undergo background checks beforehand as a
prerequisite. Lund states that the course prepares students for a rapidly growing job
market by teaching that the best defense is a good offense. The class is set up with a
network of
approximately 20 computers isolated from the rest of the university's network, on
which students practice hacking into, or even bringing down, the network. By hacking
into these systems, students learn about the weaknesses of an institution's systems.
Alexander Graham, an experienced information technology professional who enrolled in
the course, stated that he was shocked by how much damage a malicious hacker can do.
He found the course extremely helpful and subscribes to the philosophy of "know thy
enemy, then you can defeat them at their own game."
(Vance, 2007)
CONCLUSION
Ethical hacking is a growing trend that appears to be on the radar of all types of
organizations. As is evident from this study, large sums of money are being invested
to ensure that organizations are protected against the risks associated with hacking
attacks. The alarming and increasing number of attacks against these organizations is
well known, and the losses can be readily quantified.
Because hacking involves creative thinking, vulnerability testing and security audits
cannot guarantee that an information system is secure. To counter this, organizations
must implement a defense-in-depth strategy that includes penetrating their own systems
and networks. Ethical hacking becomes necessary because it allows an organization to
anticipate the methods attackers use to break into a system and to counter them. An
ethical hacker can only help the organization better understand its systems from a
security perspective; it is still up to the organization to put the right safeguards
around the technology.
Securing these information systems comes with its challenges. For instance, government
laws and regulations must be followed and maintained. Companies, depending on their
industry, must be willing to spend vast sums on education, training, and awareness in
order to stay in compliance. Some industries, for example, are subject to strict laws
that prevent data from being sent outside the country (or, if it is, require that it
be encrypted), and similar rules apply to sensitive personal information. Other
industries may require certain security measures to be in place in order to continue
business operations. These regulations add another challenge to security: ensuring
that the proper measures are being enforced. Additionally, it is difficult to
centralize security in a distributed computing environment; as technology evolves, so
does the complexity of administering, managing, and monitoring against sophisticated
attacks. As we move everything we do into the palm of our hands, mobile security, adaptive
authentication, and social media strategies, from both an offensive and a defensive
perspective, are only the stepping stones to what to expect next in the digital age
we live in today.
"The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge."
–Stephen Hawking, Theoretical Physicist and Cosmologist
REFERENCES
EC-Council. (2011). Ethical Hacking and Countermeasures v7.1 Course.
Hanvey, M. (2005, June 22). Ethical hacking an excellent test of mettle for security
systems. The Financial Times, p. 16.
Information Week. (2005, June 23). Hacker boot camp helps good guys outsmart Internet
troublemakers; the number of IT security professionals is expected to grow to nearly
800,000 by 2008, and more of them need to think like hackers to be effective.
Information Week.
Stafford, P. (2006, July 19). NCC ethically hacks its way to record. The Financial
Times, p. 24.
Taylor, L. C. (2011, December 2). British spies recruit 'ethical hackers'. Toronto Star.
Vance, E. (2007, April 13). Students at the University of Abertay Dundee learn computer
hacking to defend networks. The Chronicle of Higher Education.