Module 01 Intro to Ethical Hacking

3 levels at which an attacker can gain access

OS level Application level network level

Economic

blocking the flow of information IOT make an economic impact (such as a company that deals in information)

Intranet zone

controlled zone with no heavy restrictions

DMZ

controlled zone; provides a buffer between outside networks and internal networks

firewall management policy

defines a standard to handle application traffic, such as web or email; how to manage, protect, and update firewalls

HIPAA

health insurance portability and accountability act;

4 types of security policies

promiscuous permissive prudent paranoid

production network zone

restricted zone - strictly controls direct access from uncontrolled networks

Integrity

the trustworthiness of data or resources in the prevention of improper and unauthorized changes

pre-attack phase actions

planning/preparation methodology design gather network information

SOX Titles

1 - public company accounting oversight board - audit services 2 - auditor independence standards 3 - corporate responsibility (senior executive responsibility for accuracy) 4 - enhanced financial disclosures 5 - analyst conflicts of interest (security analyst practices) 6 - commission resources and authority (security analyst practices) 7 - studies and reports 8 - corporate and criminal fraud accountability 9 - white collar crime penalty enhancement 10 - corporate tax returns 11 - corporate fraud accountability

Incident management process

1. Preparation for incident handling 2. Detection/analysis 3. Classify/prioritize 3. Notify 5. Contain 6. forensic investigation 7. eradication/recovery 8. Post-incident activities

6 rules for privacy policies at the workplace

1. inform employees what you will collect, why, and what you'll do with it 2. limit info collection; collect by fair/lawful means 3. inform about potential use/disclosure of personal info 4. keep employee personal info accurate/up to date 5. give employees access to personal information 6. keep employees' personal info secure

Steps to create/implement security policies

1. risk assessment 2. learn from standard guidelines 3. include senior management in development 4. set clear penalties/enforce them 5. make final version available to employees 6. ensure everyone reads/signs/understands 7. deploy tools to enforce 8. train/educate employees 9. review/update regularly

ebay data breach: what was compomised?

145 million accounts (passwords, email addresses, mailing addresses, birth dates, et cetera)

Home depot data breach: consequences

56 million debit and credit card numbers stolen

Nonrepudiation

A way to guarantee that the sender of a message cannot deny having sent it, and the recipient cannot deny having received the message

Phases of a network vulnerability assessment

Acquisition - review laws and procedures for vulnerability assessment, review company documents and previously discovered vulnerabilities Identification - conduct interviews with customers and employees involved in system architecture design, and administration; gather technical info about network components; identify industry standards the system complies with Analysis - analyze results of current and previous vulnerability assessments, identify risks, perform threat and risk analysis, analyze the effectiveness of existing security controls and policies Evaluation - identify the gap between existing and required security, identify possible upgrades and controls needed Generating reports - tasks rendered by each team member, methods used and findings, general and specific recommendations, terms used and their definitions, information collected from all the phases

Information Warfare categories

C2 Intelligence-based Electronic Psychological Hacker Economic Cyber

5 elements of information security

CIA triad (confidentiality, integrity, availability), authenticity, non-repudiation

Top 6 infosec attack vectors

Cloud computing threats Advanced persistent threats Viruses/worms Mobile threats Botnet Insider attack

Vulnerability research websites

CodeRed Center (eccouncil) MSVR - microsoft vuln. research Security Magazine SecurityFocus Help Net Security HackerStorm SC Magazine ComputerWorld HackerJournals WindowsSecurity

How can application code be modified to allow or disallow a session hijack?

Cookieless authentication can allow session hijacking to occur <forms cookieless="UseURI"> Prevent this by using cookies for authentication <forms cookieless="UseCookies">

Processes that help in achieving IA

Develop policy, process, and guidance Design network/user authentication strategy ID network threats/vulnerabilities ID problems and resource requirements Create plan for identified resource requirements Apply appropriate information assurance controls Certification and accreditation for information systems Provide IA training

DCMA

Digital Millenium Copyright Act; copyright law that defines legal prohibitions against circumvention of technical protection measures used by copyright owners to protect their works

EISA

Enterprise information security architecture; a set of requirements, processed, principals, and models that determines the structure and behavior of an organization's information systems

FISMA

Federal Information Security Management Act; framework for ensuring the effectiveness of information security controls over information that supports Federal operations and assets

Privilege escalation occurs during which phase?

Gaining access

Steps of Threat Modeling

ID security objectives application overview decompose application identify threats identify vulnerabilities

Incident response team members

ISO (infosec) ITO (infotech) IPO (privacy) IM (incident manager) Network Admin Sys admin Business apps/online sales officer Internal auditor Incident coordinator Incident analyst Administration Human Resources Public Relations

How do incident management and incident handling relate to one another?

Incident handling is part of incident management (management includes awareness training and other elements that help prepare for or prevent incidents)

Events that can occur during the "maintain access" phase

Install backdoors/rootkits/trojans; manipulate data and configurations on the system; use the system to launch further attacks; implement packet sniffer to capture all data

Types of individuals responsible for data breaches and statistics (%)

Malicious outsider - 55.28% Accidental loss - 24.08% Malicious Insider - 16.07% State Sponsored - 3.44% Hacktivist - 1.33%

3 things needed for an attack to occur

Motive, method, vulnerability

types of attacks on a system

OS attacks misconfiguration attacks application level attacks shrink-wrap code attacks

What can vulnerability scanners identify?

OS running on the host IP/TCP/UDP ports open/listening Apps installed on computers Accounts with weak passwords Files/folders with weak permissions Default services/apps that might have to be uninstalled Mistakes in security config of common applications Computers exposed to known or publicly reported vulnerabilities

System administrator - incident handling roles and responsibilities

Patching/service packs Backups Inspect system logs

Infosec policies accomplish what?

Reduce or eliminate legal liability to employees/third parties Protect information Prevent wastage of company computing resources

% of breaches in each industry

Retail - 56.59% Financial - 20.55% Corporate - 9.63% Education - 5.13% Government - 4.23% Healthcare - 3.87%

SOX

Sarbanes Oxley Act; designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures

Hacker

System shutdowns, data errors, info theft, services theft, false messaging, access to data with viruses, logic bombs, etc (hacker skillz)

google play hack: problem

Turkish hacker Ibrahim Balic has brought down Google Play's entire system twice, preventing developers for updating apps/uploading new apps and preventing users from downloading apps

Exploit

a breach of IT system security through vulnerabilities

What type of code block can be used to secure against a DoS attack?

a finally block (mandates release of a connection resource)

Information security

a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable

APT

advanced persistent threat; an attack that focuses on stealing information from the victim machine without the user being aware of it; generally targeted at govt/large companies; slow in nature, rely on vulnerabilities in apps, OS, and embedded systems

Zero-Day Attack

an attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability

incident manager roles/responsibilities

analyze from a management and technical POV; responsible for incident analysts and reports info to incident coordinator

CVE

common vulnerabilities and exposures; vendor-neutral listing of reported security vulnerabilities in major operating systems and applications

ITO incident management roles/responsibilities

communicates with ISO, provides support to incident management team w/ available technology

JP Morgan Chase data breach: consequences

contact information for 76 million households and 7 million small businesses compromised

IPO incident management roles/responsibilities

coord activities w/iso prep documentation for different types of data that may have been breached help individuals in discussing investigation issues related to customer privacy and employee related information guidance in communication among affected agencies evaluates the need to alter practices, privacy policies, and procedures

Information Protection Policy

defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted

Intelligence-based warfare

design, protection, and denial of systems that seek to gather intelligence

ebay data breach: solution

ebay told customers to change their passwords

LPT

ec-council's pentesting methodology

HIPAA components

electronic transaction and code sets standards privacy rule security rule national identifier requirements enforcement rule

Physical security threats include:

environmental (natural disasters) AND man made threats (terrorism, wars, theft, vandalism)

Network Administrator - incident handling roles and responsibilities

examines network for signs of breach use tracking tools to monitor network contacts ISP and seeks their assistance in handling incidents blocks network traffic from a suspected intruder

Vulnerability

existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the security of the system

hacking

exploiting vulnerabilities/compromising security to gain unauthorized/inappropriate access to system resources; involves modifying features to achieve a goal outside the creator's original purpose

APK

file format used for installing software on android OS

Daisy chaining

gaining access to one network or computer and then using the same information to gain access to multiple networks and computers containing desirable information

google play hack: attack type

hacker wrote a malformed APK IOT test a vulnerability in the Android app database; upon uploading it brought down system, causing DOS attack

JP Morgan Chase data breach: cause

hackers discovered what programs/applications ran on JP/Chase computers and found known vulnerabilities in those web applications and programs IOT provide backdoor into systems

ebay data breach: what attack type used?

hackers got some employees' login credentials, allowing them access to corporate network; then used an XSS attack to divert to a fake website that recorded user login credentials when they entered them

Home depot data breach: attack type

hackers installed custom malware called "BlackPOS" on payment systems in self-checkout lanes which captured data from the cards

ISO incident management roles/responsibilities

identifies nature and scope of incident communicate with infosec specialists and other team members as reqd incident handling training examines details of the investigation verifies evidence gathering/storage methods and chain of custody are correct

pentesting methodology - steps

info gather vulnerability analysis external pentesting internal network pentesting firewall/ids pentesting password cracking social engineering web app pent SQL pent routers/switches wireless net DoS stolen laptops, PDAs and cell phones source code pentesting physical security pentesting surveillance camera database penetration VoIP VPN Cloud Wardialing Virtual machine virus/trojan detection log management pentesting file integrity checks mobile device pentesting telecom/broadband pentesting email security security packages data leakages SAP pentesting

IA

information assurance - assurance of CIA & authenticity of information

ISSAF

information systems security assessment framework; in-depth info about how to conduct a pen test

Identify security zones

internet zone Internet DMZ Production network Intranet Management network

NIST

national institute of standards and technology; federal technology agency that works with industry to develop and apply technology, measurements, and standards

infosec threat categories

network threats host threats application threats

Where are firewalls located in security zones?

one on each side of the DMZ; production zone has one or more firewalls; intranet zone located behind one or more firewalls

OWASP

open source web app security project; pentesting methodology for web apps and services

OSSTMM

open-source security testing methodology manual; standard set of pentests to achieve security metrics; de facto standard for highest level of pentesting

Payload

part of an exploit code that performs the intended malicious action, such as destroying, hijacking computers, or creating a backdoor

Passive vs active reconnaissance

passive - do not interact directly with the target active - interacting with the target by ANY means

PCI-DSS

payment card industry data security standard; applies to all entities involved in payment card processing

attack phase actions

penetrate perimeter acquire target escalate privileges execution, implementation, retraction

permissive vs prudent security policies

permissive - begins open/known dangerous content blocked prudent - begins with everything blocked and necessary services are allowed individually; everything is logged

scanning

phase immediately preceding the attack; uses information gained during recon to ID specific vulnerabilities. Includes use of port scanners, network mappers, ping tools, etc.

Risk analysis

possible monetary loss due to an incident; based on severity and likelihood

3 phases of pentesting

pre-attack, attack, and post-attack phases

Information security

protecting or safeguarding information or information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction

Indemnification clause

protects pentester from financial liabilities in case the test results in any damage to assets

doxing

publishing PII about an individual collected from publicly available databases and social media

5 phases of hacking

reconnaissance scanning gaining access maintaining access covering tracks

post-attack phase actions

reporting clean-up artifact destruction

PCI-DSS requirements

secure network protect cardholder data maintain vulnerability management program implement strong access control measures monitor and test networks regularly maintain an infosec policy

network management zone

secured zone with strict policies

data breach

security incident in which an organization's confidential data is exposed (intentionally or unintentionally) to an untrusted environment (unauthorized party) in which the data could be altered, copied, or manipulated

SFU triangle

security, functionality, and usability

bot

software application that can be controlled remotely to execute or automate predefined tasks

ISO/IEC 27001:2013

specifies requirements for establishing, implementing, maintaining and continually improving an information security management system

SAP

systems, applications, products

Confidentiality

the assurance that information is accessible only to those who are authorized access

Availability

the assurance that the systems responsible for delivering, processing and storing information are accessible when required by authorized users

Authenticity

the characteristic of a communication, document, or data that ensures the quality of being uncorrupted/genuine; confirming that a user is who he or she claims to be

C2 warfare

the impact an attacker has over the compromised network/system they control

Hack Value

the notion that something is worth hacking or is interesting

Information Warfare definition

the use of ICT (information communication technology) to take competitive advantage over an appoinment

Internet zone

uncontrolled network security zone - outside the control of the company

Cyber

use of info systems against virtual personas of individuals or groups

Electronic

using radio and cryptographic techniques to degrade communication; radio = physical layer; crypt = encryption

Shrink-wrap code attack

vulnerability found in code that is reused often