CEH 312-50 Chapter 1 Intro to Hacking
Misconfiguration Attacks
When the default configuration is not changed, it leaves the system open to intruders via the default credentials.
Cloud Computing Threats
- Single Data Breach > allows the hacker to access records, so a single breach may compromise all the information available on the cloud.
- Data Loss > one of the most common threats that make cloud security vulnerable. Data loss may be large or small scale, though massive loss is catastrophic and costly.
- Hijacking > applications running on a cloud with flaws, weak encryption, loopholes and vulnerabilities allow the intruder to gain control, manipulate data and alter the functionality of the service.
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Poor Security / Multi-Tenancy
Application Level Attacks
- Buffer Overflow
- Active Content
- Cross-Site Scripting
- Denial of Service
- SQL Injection
- Session Hijacking
- Phishing
Application Threats
- Improper Data/Input Validation
- Authentication and Authorization Attacks
- Security Misconfiguration
- Information Disclosure
- Broken Session Management
- Buffer Overflow Issues
- Cryptography Attacks
- SQL Injection
Skills of an Ethical Hacker > Non-Technical Skills
- Learning ability
- Problem-solving skills
- Communication skills
- Commitment to security policies
- Awareness of laws, standards and regulations
Responsibilities of an Incident Response Team
- The major responsibility of this team is to take action according to the Incident Response Plan (IRP). If an IRP is not defined or not applicable to the case, the team follows the lead examiner to perform a coordinated operation.
- Examine and evaluate an event; determine the damage or scope of an attack
- Document the event and processes
- If required, get the support of an external security professional or consultant
- If required, get the support of local law enforcement
- Collect facts
- Report
Skills of an Ethical Hacker > Technical Skills
1. In-depth knowledge of almost all operating systems, such as Windows, Linux, Unix and Macintosh
2. Basic to detailed understanding of networking, both hardware and software
3. A strong command of security areas, information security and technical domains
4. Detailed knowledge of all older, advanced and sophisticated attacks
What are the 6 objectives of the PCI DSS?
1. Maintaining a secure network
2. Securely stored cardholder information
3. Restricted/controlled access to system information and operations
4. Consistently monitored and regularly tested networks
5. Maintaining a formal, well-defined security policy followed at all times
6. Maintaining systems protected against malicious attacks by hackers
PCI DSS (Payment Card Industry Data Security Standard)
1. Maintaining a secure network
2. Securely stored cardholder information
3. Restricted/controlled access to system information and operations
4. Consistently monitored and regularly tested networks
5. Maintaining a formal, well-defined security policy followed at all times
6. Maintaining systems protected against malicious attacks by hackers
Hacking Phases
1. Reconnaissance 2. Scanning 3. Gaining Access 4. Maintaining Access 5. Clearing Tracks
Phases of Ethical Hacking
1. Reconnaissance / Footprinting 2. Scanning 3. Enumeration 4. System Hacking 5. Maintaining Access / Escalation of Privileges 6. Covering Tracks
What is LexisNexis?
A company that maintains a database of public record information that can be used to find competitive evidence.
Vulnerability
A flaw or weakness that allows a threat agent to bypass security.
Incident Response Team
An Incident Response team consists of members who are well aware of how to deal with incidents. This response team consists of trained officials who are experts in gathering information and securing all evidence of an attack collected from the incident system. An Incident Response team is made up of IT personnel, HR, Public Relations officers, local law enforcement, and a chief security officer.
Clearing Tracks
An attacker must hide his identity. To do this, the attacker usually overwrites the system, application and other related logs.
Zero-Day Attack
Attack between the time a software vulnerability is discovered and a patch to fix the problem is released.
Black Box
Black Box is a type of penetration testing in which the pentester performs blind or double-blind testing. This means that the pentester has no prior knowledge of the system or any information about the target.
Information Assurance (IA)
Depends upon Integrity, Availability and Confidentiality. Combining these components guarantees the assurance of information and information systems and their protection during usage, storage and communication.
Elements of Information Security > Availability
Ensuring timely and reliable access to and use of information, applying to systems and data. Risk > business disruption, loss of customer confidence and loss of revenue.
Types of Vulnerability Assessment
The types of vulnerability assessment are:
1. Active Assessment
2. Passive Assessment
3. Host-based Assessment
4. Internal Assessment
5. External Assessment
6. Network Assessment
7. Wireless Network Assessment
Gray Box
Gray Box is a type of penetration testing in which the pentester has very limited prior knowledge of the organization's network. For example, information related to the operating system or network might be very limited.
Elements of Information Security > Integrity
Guarding against improper information modification or destruction; this includes ensuring information non-repudiation and authenticity. Risk > information is no longer reliable or accurate; fraud.
Shrink Wrap Code Attacks
Hackers exploit holes in unpatched operating systems and poorly configured software and applications.
Generating Reports
In this phase, reports are drafted to document the security event and to present it to higher authorities such as a security manager, board of directors, or others. Reports contain:
- Tasks completed by each member of the team
- Methods and tools used
- Findings
- Recommendations
- Gathered information
Incident Management
Incident Response Management is the procedure and method of handling any incident that occurs. This incident may be a violation of any condition, policy, etc. Similarly, in information security, incident responses are the remediation actions or steps taken in response to an incident to make the system stable, secure, and functional again. Incident response management defines the roles and responsibilities of penetration testers, users or employees of an organization.
Incident Management Process
Incident Response Management processes include:
1. Preparation for Incident Response
2. Detection and Analysis of Incident Response
3. Classification of an incident and its prioritization
4. Notification and Announcements
5. Containment
6. Forensic Investigation of an Incident
7. Eradication and Recovery
8. Post-Incident Activities
Industry Standard Framework and Reference Architecture
Industry standard framework and reference architecture can be referred to as a conceptual model that describes the operation and structure of the IT system in any organization.
Information Security Policies
Information Security Policies are the fundamental and most dependent component of any information security infrastructure. Fundamental security requirements, conditions, and rules are configured to be enforced in an information security policy to secure the organization's resources. These policies cover the outlines of management, administration and security requirements within an information security architecture.
Daisy Chaining
Is a sequence of hacking or attacking attempts to gain access to a network or system, one after another, using the same information and the information obtained from the previous attempt
Threat Modeling
Is the process or approach of identifying, diagnosing, and assessing the threats and vulnerabilities of a system or application. It is an approach to threat assessment dedicated to analyzing systems and applications while considering the security objectives.
Confidentiality
Maintains privacy so that only authorized users are able to read the data.
Network Security Zoning
Managing and deploying an organization's architecture in different security zones is called Network Security Zoning. These security zones are a set of network devices with a specific security level. Different security zones may have a similar or different security level. Defining different security zones with their security levels helps in monitoring and controlling inbound and outbound traffic across the network.
Mobile Threats
The most common are:
- Data leakage
- Unsecure WiFi
- Network Spoofing
- Phishing Attacks
- Spyware
- Broken Cryptography
- Improper Session Handling
Assessment Methodology
Network Vulnerability Assessment is an examination of the possibilities of an attack and of vulnerabilities in a network. The following are the phases of a Network Vulnerability Assessment:
Paranoid Policy
Paranoid Policy denies everything and limits internet usage.
PCI-DSS
Payment Card Industry Data Security Standard is a global information security standard created by the "PCI Security Standards Council". Founding Members:
- American Express
- Discover Financial
- JCB International
- MasterCard
- Visa Inc.
Physical Security
Physical Security is always the top priority in securing anything. In Information Security, it is also considered important and regarded as the first layer of protection. Physical security includes protection against human-made attacks such as theft, damage, and unauthorized physical access as well as environmental impacts such as rain, dust, power failure, and fire.
Elements of Information Security > Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Risk > loss of privacy, unauthorized access to information and identity theft.
Doxing
Publishing information, or a set of information, associated with an individual.
5 Stages of Hacking
Reconnaissance, Scanning, Gaining Access, Maintaining Access and Clearing Tracks
Payload
Refers to the actual section of information or data in a frame, as opposed to automatically generated metadata. It is the section or part of malicious or exploit code that causes potentially harmful activities and actions, such as exploiting, opening backdoors and hijacking.
SOX
Sarbanes-Oxley Act -- it maintains accurate financial auditing and reporting and increased risk management. The standards protect users from credit card fraud and theft.
Non-Regulatory
Some processes in an organization are not compliance concerned, which means that there is no rule of law required to perform a particular function. NIOSH (National Institute for Occupational Safety and Health), for example, is a non-regulatory body.
Acquisition
The Acquisition phase compares and reviews previously-identified vulnerabilities, laws, and procedures that are related to network vulnerability assessment.
HIPAA
The Health Insurance Portability and Accountability Act. HIPAA works with the Department of Health and Human Services (HHS) to develop and maintain regulation associated with the privacy and security of health information. The major domains in information security where HIPAA is developing and maintaining standards and regulations are:
- Electronic Transaction and Code Sets Standards
- Privacy Rules
- Security Rules
- National Identifier Requirements
- Enforcement Rules
HR & Legal Implication of Security Policies
The Human Resources department has the responsibility of making sure that the organization is aware of security policies and is providing sufficient training.
Industry-Specific Framework
The Industry-Specific Framework has been formed by bodies within a specific industry for addressing regulatory requirements or because of industry-specific risks or concerns. Examples of Industry-Specific Framework are HITRUST Common Security Framework (CSF) and COBIT (Control Objectives for Information and Related Technologies).
Permissive Policy
The Permissive Policy restricts only widely known dangerous attacks or behaviors.
Platform-Specific Guide
The Platform-Specific Guide is the finest guide to come from the manufacturer of each device. This guide includes all the essential principles regarding installation, configuration, and sometimes operations as well.
Promiscuous Policy
The Promiscuous Policy provides for no restriction on the usage of system resources.
Prudent Policy
The Prudent Policy ensures the maximum and strongest security of all the policies. However, it allows known and necessary risks while blocking all other services except individually enabled services. Every event is logged in a prudent policy.
Regulatory
The business processes and procedures that are compliance related are known as Regulatory bodies. There are some rules and regulations that are required to be followed for performing specific functions. For example, public companies deal with a lot of Sarbanes Oxley (SOX) regulation.
Types of Security Policies
The different types of security policies are as follows:
1. Promiscuous Policy
2. Permissive Policy
3. Prudent Policy
4. Paranoid Policy
Ethical Hacking
The increase in cybercrimes and hacking has created a great challenge for security experts, analysts and regulations over the last decade. For the purpose of security and protection, organizations appoint internal and external experts for penetration testing.
Sarbanes Oxley Act (SOX)
The key requirements or provisions of the Sarbanes Oxley Act (SOX) are organized in the form of 11 titles, as follows:
- Title I: Public company accounting oversight board
- Title II: Auditor independence
- Title III: Corporate responsibility
- Title IV: Enhanced financial disclosures
- Title V: Analyst conflicts of interest
- Title VI: Commission resources and authority
- Title VII: Studies and reports
- Title VIII: Corporate and criminal fraud accountability
- Title IX: White-collar crime penalty enhancements
- Title X: Corporate tax returns
- Title XI: Corporate fraud and accountability
Attack Vectors > Motive or Objective
The reason an attacker focuses on a particular system.
National vs International
There are a lot of national and international frameworks that provide proper instructions and practices for information security. FISMA (Federal Information Security Management Act) is the United States' law developed for the protection of government data and resources against dreadful threats.
Security Testing Methodology
There are some methodological approaches to be adopted for security or penetration testing. Industry-leading penetration testing methodologies are:
- Open Web Application Security Project (OWASP)
- Open Source Security Testing Methodology Manual (OSSTMM)
- Information Systems Security Assessment Framework (ISSAF)
- EC-Council Licensed Penetration Tester (LPT) Methodology
Evaluation
This phase includes:
- Inspection of identified vulnerabilities
- Identification of flaws, gaps in an existing network, and required security considerations in a network design
- Determination of the security controls required to resolve issues and vulnerabilities
- Identification of the required modifications and upgrades
Analysis
This phase includes:
- Reviewing information
- Analyzing the results of previously identified vulnerabilities
- Risk assessment
- Vulnerability and risk analysis
- Evaluating the effectiveness of existing security policies
Red Team
This Team acts as an adversary, attempting to identify and exploit potential weaknesses within the organization's cyber defenses using sophisticated attack techniques.
Blue Team
If the red team is playing offense, then the blue team is on defense. Typically, this group consists of incident response consultants who provide guidance to the IT security team on where to make improvements to stop sophisticated types of cyberattacks and threats.
Phases of Penetration Testing
Three-phase process: 1. Pre-Attack Phase 2. Attack Phase 3. Post-Attack Phase
Google Play Attack
Turkish hacker Ibrahim Balic hacked Google Play 2 times. He tested the flaw and then built an app to exploit it, which crashed the system and caused all upload and download capabilities to stop.
VAPT
Vulnerability Assessment and Penetration Testing. We are very much aware of hacks such as the loss of:
- Sensitive data
- Account numbers
- Email addresses
- Personal information
Reasons to perform VAPT:
- To protect the network from attacks
- To learn its strengths and weaknesses
- To safeguard information from theft
- To comply with data security standards
- To add reliability and value to services
Vulnerability Assessment
Vulnerability assessment is the procedure of examining, identifying, and analyzing the ability of a system or application, including security processes running on a system, to withstand any threat.
Information Warfare or Info War
Warfare over the control of information. The two types are:
- Defensive Information Warfare > all actions that are taken to protect oneself from attacks executed to steal information and information-based processes: prevention, deterrence, indication/warning, detection, emergency preparedness and response
- Offensive Information Warfare > an aggressive operation taken against a rival proactively rather than waiting for the attackers to launch an attack
Benchmarks/Secure Configuration Guides
When operating systems, database servers, web servers, or other technologies are installed, they are far from a secured configuration. Systems with default configuration are not secure. Some guidelines are needed to keep everything safe and secure.
White Box
White Box is a type of penetration testing in which the pentester has complete information about the system and the target. This type of penetration testing is performed by internal security teams or security audit teams in order to carry out an audit.
Scanning
A pre-attack phase. In this phase the attacker scans the network using the information gathered during the initial reconnaissance phase. Scanning tools include > dialers, port scanners, network mappers, vulnerability scanners and client tools such as ping.
Reconnaissance
An initial preparation phase in which the attacker prepares for an attack by gathering information about the target, using different tools/techniques, prior to launching the attack.
- Passive Reconnaissance > acquires information about the target without directly interacting with the target. Example: searching social media
- Active Reconnaissance > gains information by directly interacting with the target. Example: interacting via calls, email, help desk or technical departments
Botnets
A group of bots connected through the internet to perform a distributed task continuously. They are known as the workhorses of the internet. Mostly used for internet relay chats, these are legal and useful.
Host Threats
Focused on system software. Threats include:
- Malware Attacks
- Footprinting
- Password Attacks
- Denial-of-Service Attacks
- Arbitrary Code Execution
- Unauthorized Access
- Privilege Escalation
- Backdoor Attacks
- Physical Security Threats
Information Security Management Program
Is specially designed to focus on reducing the risks and vulnerabilities concerning the information security environment. This is done in order to train organizations and users to work in a less vulnerable state.
Network Threat
When a network device such as a router, switch or firewall is not configured securely, it leaves the network vulnerable to various threats, which include:
- Information Gathering
- Sniffing and Eavesdropping
- Spoofing
- Session Hijacking
- Man-in-the-Middle Attack
- DNS and ARP Poisoning
- Password-Based Attacks
- Denial-of-Service Attacks
- Compromised Key Attacks
- Firewall and IDS Attacks
Operating System Attacks
Attackers find vulnerabilities in an operating system:
> Buffer Overflow vulnerabilities occur when an application does not have well-defined boundaries, which can lead to denial of service, rebooting, attaining unrestricted access and freezing
> Bugs in the OS can be used by an attacker to exploit the system and/or gain access
> An unpatched OS can allow malicious activities or fail to completely block malicious traffic from entering a system
LexisNexis
Began as a legal research tool, and has been available as an online product for years. You can gain the following:
- Financial and legal news
- Press releases
- Various public records
This database can be used during the reconnaissance process to yield detailed information about a company's publicly available information.
Viruses and Worms
Described as malicious software. Viruses spread by attaching themselves to other files. They require user interaction to trigger, infect and initiate malicious activities. Worms are self-replicating, causing rapid infection.
What was David Smith famous for?
For developing the Melissa Virus. This virus used the insecurity of macros to spread itself. Smith served 20 years in prison.
What was Kevin Mitnick famous for?
For hacking many high-profile targets using TCP session hijacking and IP spoofing. He later became a Grey Hat hacker after prison.
Security, Functionality, and Usability Triangle
If the ball sits in the center, all three components are balanced. On the other hand, if the ball is closer to security, the system is consuming more resources for security. This will impact the level of functionality and ease of use, making it less user friendly.
Exploit
A breach of a system's security through vulnerabilities, zero-day attacks or any other hacking technique.
Hacker
A person capable of stealing information such as business data, personal data, financial information, credit card information, usernames and passwords from a system he or she has no authorized access to.
Bot
Software used to control the target remotely and to execute predefined tasks. It is capable of running automated scripts over the internet. Malware bots are used by hackers to gain complete authority over a computer.
Insider Threat
An attack performed on a system within a corporate network by a trusted person.
Non-Repudiation
One of the Information Assurance (IA) pillars. It guarantees the transmission and receipt of information between the sender and receiver via different techniques, such as digital signatures and encryption. It is the assurance of a communication and its authenticity, so that the sender is unable to deny having sent the message.
Enterprise Information Security Architecture (EISA)
The combination of requirements and processes that helps in determining, investigating, and monitoring the structure and behavior of an information system.
Maintaining Access/Escalation Of Privileges
The point where an attacker tries to maintain access, ownership and control over the compromised system. The hacker usually strengthens the system to keep security staff or other hackers out of the system, using backdoors, rootkits or Trojans.
Gaining Access
The point where the hacker gains control over an Operating System (OS), application or computer network. The control gained by the attacker defines the access level. Example network-level techniques include password cracking, denial of service, session hijacking, buffer overflow or other ways to gain unauthorized access.
Penetration Testing
The process of hacking a system, with permission from the owner of that system, to evaluate security, Hack Value, Target of Evaluation (TOE), attacks, exploits, zero-day vulnerabilities, and other components such as threats, vulnerabilities, and daisy chaining.
Authenticity
The process of identifying the credentials of authorized users or devices before granting privileges or access to a system or network, and enforcing certain rules and policies.
Hacking
Refers to exploiting vulnerabilities in a system and compromising its security to gain unauthorized command and control of the system.
Skills of an Ethical Hacker > Mind Map
see image
Hack Value
The attractiveness, interest or thing of worth to the hacker.
APT > Advanced Persistent Threats
The process of stealing information through a continuous procedure. Persistent describes an external command-and-control system which continuously monitors and fetches data from a target. The criteria are:
- Objective > goal of the threat
- Timelines > time spent probing/accessing the target
- Resources > level of knowledge/tools
- Risk Tolerance > tolerance for remaining undetected
- Skills & Methods > tools/techniques used in the event
- Actions > precise actions of the threat
- Attack Origination Points > number of origination points
- Numbers Involved in Attack > number of internal/external systems involved
- Knowledge Source > discerning information regarding threats
Why is Ethical Hacking Necessary?
The rise in the use of digital media, along with the number of malicious attacks perpetrated by criminals, has brought about the need for individuals/companies that can counter this type of activity. These aggressive/advanced attacks include:
- Denial-of-Service attacks
- Manipulation of data
- Identity theft
- Vandalism
- Credit card theft
- Piracy
- Theft of services
Attack Vectors > Method
The technique or process used by an attacker to gain access to a target system.
Attack Vectors > Vulnerability
These help the attacker in fulfilling his intentions.
Identification
This phase includes > interaction with customers, employees, administration, or other people involved in designing the network architecture, in order to gather technical information.
Data Breach
When an attacker obtains one or more of the following types of information:
- Customer names
- Encrypted passwords
- Email addresses
- Postal addresses
- Contact numbers
- Dates of birth