Module 01 Intro to Ethical Hacking
3 levels at which an attacker can gain access
OS level, application level, network level
Economic
blocking the flow of information in order to make an economic impact (e.g., on a company that deals in information)
Intranet zone
controlled zone with no heavy restrictions
DMZ
controlled zone; provides a buffer between outside networks and internal networks
firewall management policy
defines a standard to handle application traffic, such as web or email; how to manage, protect, and update firewalls
HIPAA
Health Insurance Portability and Accountability Act
4 types of security policies
promiscuous, permissive, prudent, paranoid
production network zone
restricted zone - strictly controls direct access from uncontrolled networks
Integrity
the trustworthiness of data or resources in the prevention of improper and unauthorized changes
pre-attack phase actions
planning/preparation; methodology design; gathering network information
SOX Titles
1 - Public Company Accounting Oversight Board (audit services)
2 - Auditor independence standards
3 - Corporate responsibility (senior executive responsibility for accuracy)
4 - Enhanced financial disclosures
5 - Analyst conflicts of interest (security analyst practices)
6 - Commission resources and authority (security analyst practices)
7 - Studies and reports
8 - Corporate and criminal fraud accountability
9 - White collar crime penalty enhancement
10 - Corporate tax returns
11 - Corporate fraud accountability
Incident management process
1. Preparation for incident handling 2. Detection/analysis 3. Classify/prioritize 4. Notify 5. Contain 6. Forensic investigation 7. Eradication/recovery 8. Post-incident activities
6 rules for privacy policies at the workplace
1. inform employees what you will collect, why, and what you'll do with it 2. limit info collection; collect by fair/lawful means 3. inform about potential use/disclosure of personal info 4. keep employee personal info accurate/up to date 5. give employees access to personal information 6. keep employees' personal info secure
Steps to create/implement security policies
1. risk assessment 2. learn from standard guidelines 3. include senior management in development 4. set clear penalties/enforce them 5. make final version available to employees 6. ensure everyone reads/signs/understands 7. deploy tools to enforce 8. train/educate employees 9. review/update regularly
eBay data breach: what was compromised?
145 million accounts (passwords, email addresses, mailing addresses, birth dates, et cetera)
Home depot data breach: consequences
56 million debit and credit card numbers stolen
Nonrepudiation
A way to guarantee that the sender of a message cannot deny having sent it, and the recipient cannot deny having received the message
Phases of a network vulnerability assessment
Acquisition - review laws and procedures for vulnerability assessment; review company documents and previously discovered vulnerabilities
Identification - conduct interviews with customers and employees involved in system architecture design and administration; gather technical info about network components; identify industry standards the system complies with
Analysis - analyze results of current and previous vulnerability assessments; identify risks; perform threat and risk analysis; analyze the effectiveness of existing security controls and policies
Evaluation - identify the gap between existing and required security; identify possible upgrades and controls needed
Generating reports - tasks rendered by each team member; methods used and findings; general and specific recommendations; terms used and their definitions; information collected from all the phases
Information Warfare categories
C2, intelligence-based, electronic, psychological, hacker, economic, cyber
5 elements of information security
CIA triad (confidentiality, integrity, availability), authenticity, non-repudiation
Top 6 infosec attack vectors
cloud computing threats, advanced persistent threats, viruses/worms, mobile threats, botnets, insider attacks
Vulnerability research websites
CodeRed Center (EC-Council), MSVR (Microsoft Vulnerability Research), Security Magazine, SecurityFocus, Help Net Security, HackerStorm, SC Magazine, ComputerWorld, HackerJournals, WindowsSecurity
How can application code be modified to allow or disallow a session hijack?
Cookieless (URI-based) authentication can allow session hijacking because the session token is carried in the URL: <forms cookieless="UseUri">. Prevent this by using cookies for authentication: <forms cookieless="UseCookies">
Processes that help in achieving IA
develop policy, process, and guidance; design network/user authentication strategy; identify network threats/vulnerabilities; identify problems and resource requirements; create a plan for identified resource requirements; apply appropriate information assurance controls; certification and accreditation of information systems; provide IA training
DMCA
Digital Millennium Copyright Act; copyright law that defines legal prohibitions against circumvention of technical protection measures used by copyright owners to protect their works
EISA
Enterprise information security architecture; a set of requirements, processes, principles, and models that determines the structure and behavior of an organization's information systems
FISMA
Federal Information Security Management Act; framework for ensuring the effectiveness of information security controls over information that supports Federal operations and assets
Privilege escalation occurs during which phase?
Gaining access
Steps of Threat Modeling
identify security objectives; application overview; decompose application; identify threats; identify vulnerabilities
Incident response team members
ISO (information security officer), ITO (information technology officer), IPO (information privacy officer), IM (incident manager), network admin, sysadmin, business apps/online sales officer, internal auditor, incident coordinator, incident analyst, administration, human resources, public relations
How do incident management and incident handling relate to one another?
Incident handling is part of incident management (management includes awareness training and other elements that help prepare for or prevent incidents)
Events that can occur during the "maintain access" phase
install backdoors/rootkits/trojans; manipulate data and configurations on the system; use the system to launch further attacks; implement a packet sniffer to capture all data
Types of individuals responsible for data breaches and statistics (%)
malicious outsider - 55.28%; accidental loss - 24.08%; malicious insider - 16.07%; state sponsored - 3.44%; hacktivist - 1.33%
3 things needed for an attack to occur
Motive, method, vulnerability
types of attacks on a system
OS attacks, misconfiguration attacks, application-level attacks, shrink-wrap code attacks
What can vulnerability scanners identify?
OS running on the host; IP/TCP/UDP ports open/listening; apps installed on computers; accounts with weak passwords; files/folders with weak permissions; default services/apps that might have to be uninstalled; mistakes in the security config of common applications; computers exposed to known or publicly reported vulnerabilities
System administrator - incident handling roles and responsibilities
patching/service packs; backups; inspecting system logs
Infosec policies accomplish what?
reduce or eliminate legal liability to employees/third parties; protect information; prevent wastage of company computing resources
% of breaches in each industry
retail - 56.59%; financial - 20.55%; corporate - 9.63%; education - 5.13%; government - 4.23%; healthcare - 3.87%
SOX
Sarbanes Oxley Act; designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures
Hacker
System shutdowns, data errors, info theft, services theft, false messaging, access to data with viruses, logic bombs, etc (hacker skillz)
Google Play hack: problem
Turkish hacker Ibrahim Balic brought down Google Play's entire system twice, preventing developers from updating apps/uploading new apps and preventing users from downloading apps
Exploit
a breach of IT system security through vulnerabilities
What type of code block can be used to secure against a DoS attack?
a finally block (mandates release of a connection resource)
Information security
a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable
APT
advanced persistent threat; an attack that focuses on stealing information from the victim machine without the user being aware of it; generally targeted at govt/large companies; slow in nature, rely on vulnerabilities in apps, OS, and embedded systems
Zero-Day Attack
an attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability
incident manager roles/responsibilities
analyze from a management and technical POV; responsible for incident analysts and reports info to incident coordinator
CVE
common vulnerabilities and exposures; vendor-neutral listing of reported security vulnerabilities in major operating systems and applications
ITO incident management roles/responsibilities
communicates with ISO, provides support to incident management team w/ available technology
JP Morgan Chase data breach: consequences
contact information for 76 million households and 7 million small businesses compromised
IPO incident management roles/responsibilities
coordinates activities with the ISO; prepares documentation for the different types of data that may have been breached; helps individuals in discussing investigation issues related to customer privacy and employee-related information; gives guidance in communication among affected agencies; evaluates the need to alter practices, privacy policies, and procedures
Information Protection Policy
defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted
Intelligence-based warfare
design, protection, and denial of systems that seek to gather intelligence
eBay data breach: solution
eBay told customers to change their passwords
LPT
ec-council's pentesting methodology
HIPAA components
electronic transaction and code sets standards; privacy rule; security rule; national identifier requirements; enforcement rule
Physical security threats include:
environmental (natural disasters) AND man made threats (terrorism, wars, theft, vandalism)
Network Administrator - incident handling roles and responsibilities
examines the network for signs of breach; uses tracking tools to monitor the network; contacts the ISP and seeks their assistance in handling incidents; blocks network traffic from a suspected intruder
Vulnerability
existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the security of the system
hacking
exploiting vulnerabilities/compromising security to gain unauthorized/inappropriate access to system resources; involves modifying features to achieve a goal outside the creator's original purpose
APK
file format used for installing software on the Android OS
Daisy chaining
gaining access to one network or computer and then using the same information to gain access to multiple networks and computers containing desirable information
Google Play hack: attack type
the hacker wrote a malformed APK in order to test a vulnerability in the Android app database; upon upload it brought down the system, causing a DoS
JP Morgan Chase data breach: cause
hackers discovered what programs/applications ran on JP Morgan Chase computers and found known vulnerabilities in those web applications and programs in order to provide a backdoor into the systems
eBay data breach: what attack type was used?
hackers got some employees' login credentials, allowing them access to the corporate network; they then used an XSS attack to divert users to a fake website that recorded user login credentials when they entered them
Home depot data breach: attack type
hackers installed custom malware called "BlackPOS" on payment systems in self-checkout lanes which captured data from the cards
ISO incident management roles/responsibilities
identifies the nature and scope of the incident; communicates with infosec specialists and other team members as required; incident handling training; examines details of the investigation; verifies that evidence gathering/storage methods and chain of custody are correct
pentesting methodology - steps
information gathering, vulnerability analysis, external pentesting, internal network pentesting, firewall/IDS pentesting, password cracking, social engineering, web app pentesting, SQL pentesting, routers/switches, wireless network, DoS, stolen laptops/PDAs/cell phones, source code pentesting, physical security pentesting, surveillance cameras, database penetration, VoIP, VPN, cloud, wardialing, virtual machines, virus/trojan detection, log management pentesting, file integrity checks, mobile device pentesting, telecom/broadband pentesting, email security, security packages, data leakage, SAP pentesting
IA
information assurance - assurance of CIA & authenticity of information
ISSAF
information systems security assessment framework; in-depth info about how to conduct a pen test
Identify security zones
Internet zone, Internet DMZ, production network, intranet, management network
NIST
national institute of standards and technology; federal technology agency that works with industry to develop and apply technology, measurements, and standards
infosec threat categories
network threats, host threats, application threats
Where are firewalls located in security zones?
one on each side of the DMZ; production zone has one or more firewalls; intranet zone located behind one or more firewalls
OWASP
Open Web Application Security Project; pentesting methodology for web apps and services
OSSTMM
open-source security testing methodology manual; standard set of pentests to achieve security metrics; de facto standard for highest level of pentesting
Payload
part of an exploit code that performs the intended malicious action, such as destroying, hijacking computers, or creating a backdoor
Passive vs active reconnaissance
passive - does not interact directly with the target; active - interacts with the target by ANY means
PCI-DSS
payment card industry data security standard; applies to all entities involved in payment card processing
attack phase actions
penetrate perimeter; acquire target; escalate privileges; execution, implementation, retraction
permissive vs prudent security policies
permissive - begins open, known dangerous content is blocked; prudent - begins with everything blocked and necessary services are allowed individually, everything is logged
scanning
phase immediately preceding the attack; uses information gained during recon to ID specific vulnerabilities. Includes use of port scanners, network mappers, ping tools, etc.
Risk analysis
possible monetary loss due to an incident; based on severity and likelihood
3 phases of pentesting
pre-attack, attack, and post-attack phases
Information security
protecting or safeguarding information or information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction
Indemnification clause
protects pentester from financial liabilities in case the test results in any damage to assets
doxing
publishing PII about an individual collected from publicly available databases and social media
5 phases of hacking
reconnaissance, scanning, gaining access, maintaining access, covering tracks
post-attack phase actions
reporting, clean-up, artifact destruction
PCI-DSS requirements
secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; monitor and test networks regularly; maintain an infosec policy
network management zone
secured zone with strict policies
data breach
security incident in which an organization's confidential data is exposed (intentionally or unintentionally) to an untrusted environment (unauthorized party) in which the data could be altered, copied, or manipulated
SFU triangle
security, functionality, and usability
bot
software application that can be controlled remotely to execute or automate predefined tasks
ISO/IEC 27001:2013
specifies requirements for establishing, implementing, maintaining and continually improving an information security management system
SAP
systems, applications, products
Confidentiality
the assurance that information is accessible only to those who are authorized access
Availability
the assurance that the systems responsible for delivering, processing and storing information are accessible when required by authorized users
Authenticity
the characteristic of a communication, document, or data that ensures the quality of being uncorrupted/genuine; confirming that a user is who he or she claims to be
C2 warfare
the impact an attacker has over the compromised network/system they control
Hack Value
the notion that something is worth hacking or is interesting
Information Warfare definition
the use of ICT (information and communication technology) to take competitive advantage over an opponent
Internet zone
uncontrolled network security zone - outside the control of the company
Cyber
use of info systems against virtual personas of individuals or groups
Electronic
using radio and cryptographic techniques to degrade communication; radio = physical layer; crypt = encryption
Shrink-wrap code attack
vulnerability found in code that is reused often