Intro to ethical hacking
Blue Teaming
A blue team (also known as defender team) is a group of highly skilled individuals, who undertake assessment of information security or products to identify security deficits, to determine the adequacy of security measures, to foresee efficacy of proposed security solutions, and so on, to defend against various attacks. Blue team The blue team may include system administrators and general IT staff and has access to all the organizational resources and information. Blue teaming is the least expensive and the most frequently used security assessment approach. Its primary role is to detect and mitigate red team (attackers) activities, and to anticipate the surprise attacks that might occur.
Cold backup
A cold backup is also called an offline backup. The cold backup takes place when the system is not working or is not accessible by users. A cold backup is the safest method of backup as it avoids the risk of copying the data. A cold backup involves downtime, as the users cannot use the machine until the process is back online.
Hot backup
A hot backup is a popular type of backup method. It is also called as dynamic backup or active backup. In a hot backup, the system continues to perform the backup process even if the user is accessing the system. Implementation of a hot backup in an organization, avoids downtime.
Paranoid Policy
A paranoid policy forbids everything. There is a strict restriction on all use of company computers, whether it is system usage or network usage. There is either no Internet connection or severely limited Internet usage. Due to these overly severe restrictions, users often try to find ways around them.
Prudent Policy
A prudent policy starts with all the services blocked. The administrator enables safe and necessary services individually. It logs everything, such as system and network activities. It provides maximum security while allowing only known but necessary dangers.
Security Audit
A security audit just checks whether the organization is following a set of standard security policies and procedures. It is systematic method of technical assessment of an organization's system that includes conducting manual interviews with staff, performing security scans, reviewing security of various access controls, and analyzing physical access to the organizational resources.
Network security zone
A security zone is an area within a network that consists of a group of systems and other components with the same characteristics, all of which serve to manage a secure network environment. The network security zoning mechanism allows an organization to efficiently manage a secure network environment by selecting the appropriate level of security for different zones of Internet and intranet networks. It also enforces the organization's Internet security policies, according to the origin of the Web content and helps in effectively monitoring and controlling inbound and outbound traffic.
Access Control
Access control is a method for reducing the risk of data from being affected and to save the organization's crucial data by providing limited access of computer resources to users. The mechanism grants access to system resources to read, write, or execute to the user based on the access permissions and their associated roles. The crucial aspect of implementing access control is to maintain the integrity, confidentiality, and availability of the information. An access control system includes: File permissions such as create, read, edit or delete Program permissions such as the right to execute a program Data rights such as the right to retrieve or update information in a database There are two types of access controls: physical and logical. The physical access controls the access to buildings, physical IT assets, etc. The logical access controls the access to networks and data. In general, access control provides essential services like authorization, identification, authentication, access permissions and accountability. Authorization determines the action a user can perform Identification and authentication identify and permit only authorized users to access the systems The access permissions determine approvals or permissions provided to a user to access a system and other resources Accountability categorizes the actions performed by a user.
Properties of security zone
Active security policies that enforce rules on the traffic in transit (traffic that can pass through the firewall) and the action to be taken against it Pre-defined screening options that detect and block the malicious traffic Address book (IP addresses and address sets) to recognize members, so that policies can be applied.
Apt
Advanced Persistent Threats (APT): Advanced Persistent Threat (APT) is an attack that focuses on stealing information from the victim machine without its user being aware of it. These attacks are generally targeted at large companies and government networks. APT attacks are slow in nature, so the effect on computer performance and Internet connections is negligible. APTs exploit vulnerabilities in the applications running on a computer, operating system, and embedded systems.
Authentication:
Authentication refers to verifying the credentials provided by the user while attempting to connect to a network. Both wired and wireless networks perform authentication of users before allowing them to access the resources in the network. A typical user authentication consists of a user ID and a password. The other forms of authentication are authenticating a website using a digital certificate, comparing the product and the label associated with it. Example: Password, PIN, etc.
Authorization:
Authorization provides access control to various organizational resources. Access control includes role-based, rule-based, and attribute-based authorization services. Once the user is authenticated authorization component verifies whether that user is allowed to access a particular service or not. The user access request (generally in the form of URL for Web-based applications) is validated based on authorization policies stored in IAM policy store. To provide this service authorization makes use of complex access control mechanisms based on organizational security policies such as user groups, user roles, action performed, channels accessed, types of resources, time, external data and business rules.
Authorization:
Authorization refers to the process of providing permission to access the resources or perform an action on the network. Network administrators can decide the access permissions of users on a multi-user system. They even decide the user privileges. The mechanism of authorization can allow the network administrator to create access permissions for users as well as verify the access permissions created for each user. In logical terms, authorization succeeds authentication. But, the type of authentication required for authorization varies. However, there are cases that do not require any authorization of the users requesting for a service. Example: A user can only read the file but not write to or delete it.
Availability
Availability Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include redundant systems' disk arrays and clustered machines, antivirus software to stop malware from destroying networks, and distributed denial-of-service (DDoS) prevention systems.
Botnet
Botnet: A botnet is a huge network of compromised systems used by attackers to perform denial-of-service attacks. Bots, in a botnet, perform tasks such as uploading viruses, sending mails with botnets attached to them, stealing data, and so on. Antivirus programs might fail to find—or even scan for—spyware or botnets. Hence, it is essential to deploy programs specifically designed to find and eliminate such threats.
Application level attacks
Buffer overflow attacks o Sensitive information disclosure o Cross-site scripting o Session hijacking o Man-in-the-middle attacks o Denial-of-service attacks o SQL injection attacks o Phishing o Parameter/form tampering o Directory traversal attacks.
Confidentiality
Confidentiality Confidentiality is the assurance that the information is accessible only to those who are authorized to have access. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper equipment disposal (i.e. of DVDs, CDs, etc.).
Discretionary Access Control (DAC)
Discretionary access controls determine the access controls taken by any possessor of an object in order to decide the access controls of the subjects on those objects. The other name for DAC is a need-to-know access model. It permits the user, who is granted access to information, to decide how to protect the information and the level of sharing desired. Access to files is restricted to users and groups based upon their identity and the groups to which the users belong.
Enterprise Information Security Architecture (EISA)
EISA is a set of requirements, processes, principles, and models that determine the current and/or future structure and behavior of an organization's security processes, information security systems, personnel, and organizational sub-units. It ensures that the security architecture and controls are in alignment with the organization's core goals and strategic direction. Though EISA deals with information security, it relates more broadly to the security practice of business optimization. Thus, it also addresses business security architecture, performance management and security process architecture. The main objective of implementing EISA is to make sure that IT security is in alignment with business strategy.
Hacking phase: clearing tracks
For obvious reasons, such as avoiding legal trouble and maintaining access, attackers will usually attempt to erase all evidence of their actions. Clearing tracks refers to the activities carried out by an attacker to hide malicious acts. The attacker's intentions include continuing access to the victim's system, remaining unnoticed and uncaught, deleting evidence that might lead to his/her prosecution. They use utilities such as PsTools (https://docs.microsoft.com) tools or Netcat or Trojans to erase their footprints from the system's log files. Once the Trojans are in place, the attacker has most likely gained total control of the system and can execute scripts in the Trojan or rootkit to replace critical system and log files to hide their presence in the system. Attackers always cover their tracks to hide their identity. Other techniques include steganography and tunneling. Steganography is the process of hiding data in other data, for instance image and sound files. Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Attackers can use even a small amount of extra space in the data packet's TCP and IP headers to hide information. An attacker can use the compromised system to launch new attacks against other systems or as a means of reaching another system on the network undetected. Thus, this phase of the attack can turn into another attack's reconnaissance phase. System administrators can deploy host-based IDS (intrusion detection systems) and antivirus software in order to detect Trojans and other seemingly compromised files and directories. As an ethical hacker, you must be aware of the tools and techniques that attackers deploy, so that you are able to advocate and implement countermeasures, detailed in subsequent modules.
Level of security in any system can be defined by the strength of three components:
Functionality: The set of features provided by the system. Usability: The GUI components used to design the system for ease of use. Security: Restrictions imposed on accessing the components of the system. The relationship between these three components is demonstrated by using a triangle because increase or decrease in any one of the component automatically affects the other two components. Moving the ball towards any of the three components means decreasing the intensity of other two components.
Hacker classes
Hackers usually fall into one of the following categories, according to their activities: Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved with criminal activities. They are also known as crackers. White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the system owner. Gray Hats: Gray hats are the individuals who work both offensively and defensively at various times. Gray hats fall between white and black hats. Gray hats might help hackers in finding various vulnerabilities of a system or network and at the same time help vendors to improve products (software or hardware) by checking limitations and making them more secure. Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers, who sacrifice their life for an attack and are thus not concerned with the consequences of their actions. Script Kiddies: Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity of attacks rather than the quality of the attacks that they initiate. Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills, motivated by religious or political beliefs to create fear of large-scale disruption of computer networks. State Sponsored Hackers: State sponsored hackers are individuals employed by the government to penetrate and gain top-secret information and to damage information systems of other governments. Hacktivist: Hacktivism is when hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as themselves, in both the online and offline arenas. They are individuals who promote a political agenda by hacking, especially by defacing or disabling websites. Common hacktivist targets include government agencies, multinational corporations, or any other entity that they perceive as a threat. It remains a fact, however, that gaining unauthorized access is a crime, irrespective of their intentions.
Information assurance IA
IA refers to the assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during usage, processing, storage, and transmission of information. Security experts accomplish the information assurance with the help of physical, technical, and administrative controls. Information Assurance and Information Risk Management (IRM) ensures that only authorized personnel access and use information. This helps in achieving information security and business continuity. Some of the processes that help in achieving information assurance include: Developing local policy, process, and guidance in such a way that the information systems are maintained at an optimum security level. Designing network and user authentication strategy — Designing a secure network ensures the privacy of user records and other information on the network. Implementing an effective user authentication strategy secures the information systems data. Identifying network vulnerabilities and threats — Vulnerability assessments outline the security posture of the network. Performing vulnerability assessments in search of network vulnerabilities and threats help to take proper measures to overcome them. Identifying problems and resource requirements. Creating plan for identified resource requirements. Applying appropriate information assurance controls. Performing Certification and Accreditation (C&A) process of information systems helps to trace vulnerabilities, and implement safety measures to nullify them. Providing information assurance training to all personnel in federal and private organizations brings among them an awareness of information technology.
IAM Framework
IAM comprises of two modules, namely, access management module and identity management module. Access Management Module It covers authentication and authorization components of IAM. It provides organization wide authentication of resources by verifying access privileges of the users at the time of access. Identity Management Module It covers user management and enterprise directory service components of IAM. It provides capabilities like monitoring, recording, and logging of user behavioral activities.
Identification:
Identification deals with confirming the identity of a user, process, or device accessing the network. User identification is the most common technique used in authenticating the users in the network and applications. Users have a unique User ID, which helps in identifying them. The authentication process includes verifying a user ID and a password. Users need to provide both the credentials in order to gain access to the network. The network administrators provide access controls and permissions to various other services depending on the user ID's. Example: Username, Account Number, etc..
The threat modeling process involves five steps:
Identify security objectives Application overview Decompose application Identify threats Identify vulnerabilities
Application Overview
Identify the components, data flows, and trust boundaries. To draw the end-to-end deployment scenario, the administrator should use a whiteboard. First, he/she should draw a rough diagram that explains the working and structure of the application, its subsystems, and its deployment characteristics. The deployment diagram should contain the following: o End-to-end deployment topology o Logical layers o Key components o Key services o Communication ports and protocols o Identities o External dependencies
What is IAM?
Identity and Access Management (IAM) is a framework for business practices that consists of users, procedures, and software products to manage user digital identities and access to resources of an organization. It ensures that the right users obtain access to the right information at the right time. IAM systems are used for automated creation, recording, and management of user identities and their access privileges. It is linked to the policies, procedures, protocols and processes of an organization. It provides identity management functions such as controlling user access to organizational secure systems and ensures that all users and services are properly authenticated, authorized and audited.
Application threat
Improper data/input validation o Authentication and authorization attacks o Security misconfiguration o Improper error handling and exception management o Information disclosure o Hidden-field manipulation o Broken session management o Buffer overflow issues o Cryptography attacks o SQL injection o Phishing.
Role Based Access Control (RBAC)
In role based access control, the access permissions are available based on the access policies determined by the system. The access permissions are out of user control, which means that users cannot amend the access policies created by the system. Users can be assigned access to systems, files, and fields on a one-to-one basis whereby access is granted to the user for a particular file or system. It can simplify the assignment of privileges and ensure that individuals have all the privileges necessary to perform their duties.
Incident Management
Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore the system to normal service operations as soon as possible, and prevent further recurrence of the incident. It involves not only responding to incidents, but also triggering alerts to prevent potential risks and threats. Security administrator must identify software that is open to attacks before someone takes advantage of the vulnerabilities. Incident management includes the following: Vulnerability analysis Artifact analysis Security awareness training Intrusion detection Public or technology monitoring The purpose of the incident management process: Improves service quality Resolves problem proactively Reduces impact of incidents on business/organization Meets service availability requirements Increases staff efficiency and productivity Improves user/customer satisfaction T Assists in handling future incidents.
integrity
Integrity Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only the authorized people can update, add, and delete data to protect its integrity).
Internet dmz zone
Internet DMZ: The Internet DMZ ("demilitarized zone"; also called a controlled zone) is a controlled, Internet-facing zone that typically contains Internet-facing components of network web servers and email gateways through which employees of an organization directly communicate. It acts as a barrier between the organization's private network and its public untrusted network. The Internet DMZ uses a firewall at each of the two gateway faces, which enable the control of: o Traffic entering the hosts in a DMZ from the Internet o Traffic leaving from the hosts in a DMZ to the Internet o Traffic entering the hosts in a DMZ from internal (private) networks o Traffic leaving from the hosts in a DMZ to internal networks Security administrators may install access control software in the DMZ to monitor and control user access to resources stored in the restricted and other controlled zones.
IoT threats
IoT Threats: The IoT devices connected to the Internet have little or no security that makes them vulnerable to various types of attacks. These devices include many software applications that are used to access the device remotely. Due to the hardware constraints such as memory, battery, etc. these IoT applications do not include complex security mechanisms to protect the devices from attacks. These drawbacks make the IoT devices more vulnerable and allow attackers to access the device remotely and perform various attacks.
User Management:
It provides administrative services such as delegated administration, user and role management, user provisioning and de-provisioning, password management, self-service, and compliance audit. Delegated administration improves accuracy of the system data within an IAM by distributing workload among different user departments. Many of the user management functions are centralized and some of these functions are delegated to end users. User and role management provides administrative services such as user identity creation, propagation and maintaining user identity and rights. It also performs user life cycle management that helps an organization to manage the lifetime of user accounts, from the initial phase of provisioning to the final phase of de-provisioning. An organization can maintain update and accurate user identity information using self-service, which provides user profile management functions including user's self-registration and automated password reset. Compliance audit service logs and tracks user behavioral activities.
Network threat
Listed below are some of the network threats: o Information gathering o Sniffing and eavesdropping o Spoofing o Session hijacking o Man-in-the-Middle attack o DNS and ARP poisoning o Password-based attacks o Denial-of-Service attack o Compromised-key attack o Firewall and IDS attack.
Hacking phase: maintaining access
Maintaining access refers to the phase when the attacker tries to retain his or her ownership of the system. Once an attacker gains access to the target system with admin/root level privileges (thus owning the system), he or she is able to use both the system and its resources at will, and can either use the system as a launch pad to scan and exploit other systems, or to keep a low profile and continue exploiting the system. Both these actions can cause a great amount of damage. For instance, the hacker could implement a sniffer to capture all network traffic, including Telnet and FTP (file transfer protocol) sessions with other systems, and then transmit that data wherever he or she pleases. Attackers who choose to remain undetected remove evidence of their entry and install a backdoor or a Trojan to gain repeat access. They can also install rootkits at the kernel level to gain full administrative access to the target computer. Rootkits gain access at the operating system level, while a Trojan horse gains access at the application level. Both rootkits and Trojans require users to install them locally. In Windows systems, most Trojans install themselves as a service and run as local system, with administrative access. Attackers can upload, download, or manipulate data, applications, and configurations on the owned system and can also use Trojans to transfer user names, passwords, and any other information stored on the system. They can maintain control over the system for a long time by closing up vulnerabilities to prevent other hackers from taking control from them, and sometimes, in the process, render some degree of protection to the system from other attacks. Attackers use the compromised system to launch further attacks.
Host threats
Malware attacks o Foot printing o Profiling o Password attacks o Denial-of-Service attacks o Arbitrary code execution o Unauthorized access o Privilege escalation o Backdoor attacks o Physical security threats.
Network mapping
Map the network by getting the information from the server domain registry numbers unearthed during the passive reconnaissance phase. The IP block forms the backbone of the network. Investigate the network linkages both upstream and downstream. These include the primary and secondary name servers for hosts and subdomains. Steps include (but are not limited to): o Interpreting broadcast responses from the network o Using ICMP to sweep the network, if ICMP is not blocked o Using reverse name lookups to verify addresses.
Perimeter mapping
Map the perimeter by tracerouting the gateway to define the outer network layer and routers, and tracing system trails in the Web logs and intrusion logs. The tester may also follow system trails from Web postings and bulletin boards. Steps include (but are not limited to): o Analyzing the traceroute response and mapping the perimeter using Firewalking techniques o Using online sources such as Netcraft to find out more about the information systems (IS) infrastructure and historical performance data. Doing so will give server uptime to determine if the latest patch releases have been applied. Verify them.
Mobile threats
Mobile Threats: Attackers are increasingly focusing on mobile devices, due to the increased adoption of smart phones comparatively fewer security controls. for business and personal use and their Users may download malware applications (APKs) onto their smartphones, which can damage other applications and data and convey sensitive information to attackers. Attackers can remotely access a smartphone's camera and recording app to view user activities and track voice communications, which can aid them in an attack.
Network Security Controls
Network security controls are used to ensure the confidentiality, integrity, and availability of the network services. These security controls are either technical or administrative safeguards implemented to minimize the security risk. To reduce the risk of a network being compromised, an adequate network security requires implementing a proper combination of network security controls. These network security controls include: Access Control Identification Authentication Authorization Accounting Cryptography Security Policy These controls help organizations with implementing strategies for addressing network security concerns. The multiple layers of network security controls along with the network should be used to minimize the risks of attack or compromise. The overlapping use of these controls ensures defense in depth network security.
Non repudiation
Non-Repudiation Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message, and that the recipient cannot deny having received the message. Individuals and organization use digital signatures to ensure non-repudiation.
Penetration Testing
Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in system can be successfully exploited by attackers.
Phishing
Phishing: Phishing is a practice of sending an illegitimate email falsely claiming to be from a legitimate site in an attempt to acquire a user's personal or account information. Attackers perform phishing attacks by distributing malicious links via some communication channel or mails to obtain private information like account numbers, credit card numbers, mobile numbers, etc. from the victim. Attackers design emails to lure victims such a way that they appear to be from some legitimate source or at times they send malicious links that resemble a legitimate website.
Permissive Policy
Policy begins wide-open and only the known dangerous services/attacks or behaviors are blocked. For example, in a permissive Internet policy, the majority of Internet traffic is accepted, but several known dangerous services and attacks are blocked. Because only known attacks and exploits are blocked, it is impossible for administrators to keep up with current exploits. Administrators are always playing catch-up with new attacks and exploits. This policy should be updated regularly to be effective.
Steps involved in the incident management process:
Preparation for Incident Handling and Response All the actions are pre-planned and detailed guidelines are provided to the employees at this step. Various policies and procedures are established to stay well equipped. Right people with appropriate skills are trained by providing tools to ensure effective response actions. Detection and Analysis In this step, security events are monitored and carefully analyzed using firewalls, intrusion detection and prevention systems, etc. Detection and analysis of incidents include identifying signatures of an incident, analyzing those signatures, recording the incident, prioritizing various incidents and alerting incidents. Classification and Prioritization Each incident is categorized and sub-categorized to troubleshoot the incident securely. It helps in saving a lot of time. Accurate categorization helps to allocate the management to the right team that has the appropriate knowledge and skills to handle the situation in real time. Moreover, depending on the impact of incident, events are classified as a low, medium or high priority incident. Prioritization is done based on the severity, urgency, resource requirement, potential cost, etc. Notification After the incident has been identified and classified, suitable people and teams are notified about the problem. People having appropriate knowledge and training against the breach are employed to consider the situation and perform all the required actions at the right time. All the required people, including the third party, the CIO, Head of Information Security and Local Information Security Officer, etc. are provided with regular status updates. Containment Containment is a crucial step in the incident management process that focuses on preventing additional damage. It includes planning of strategies to avoid any further loss from taking place along with being assured that no forensic evidence is destructed or tempered related to the incident. Two important aspects need to be taken care of and they are: o Ensuring all the critical and essential computer resources are kept and protected at a safe place o Regular check on infected system is done to know their operational status. Forensic Investigation Forensic investigation is performed to find the root cause of the incident to know what exactly happened to the information system. The analysis of past records is performed using various forensic tools to detect the source of the attack and to capture the culprit. The whole process is well documented, as it is required in case of external threats for law enforcement. System logs, real-time memory, network device logs, application logs and all other supporting data are scanned and reviewed during investigation. Eradication and Recovery The eradication and recovery step is the process of recovering the system or network to its original state. This process is done only after the completion of all internal and external actions. The two important aspects of this step are cleanup and notification. Cleanup is performed using various antivirus softwares, uninstalling infected software, reloading the operating system, and also sometimes replacing the entire hard disk and rebuilding the network. All the professionals working with the incident response team are notified about the actions taken to recover the system or network. Post-incident Activities Once the process is complete, the security incident requires additional review and analysis before closing the process. Conducting the final review is an important step in the incident management process due to the following reasons: o It includes legal action o It requires review by higher level management o It needs to be documented for auditing purpose This step includes post incident review and generating a post incident report. Security incident review includes preparing a set of questions on the incident and sending it to a group of end users, who have knowledge on it. This review helps to gather information about incident handling from various sources. Once the review is completed, the post incident report is automatically generat.
Incident Management
Process Incident management is the process of logging, recording, and resolving incidents that take place in the organization. The incident may occur due to fault, service degradation, error, and so on. The users, technical staff, and/or event monitoring tools identify the incidents. The main objective of the incident management process is to restore the service to a normal state as quickly as possible for customers, while maintaining availability and quality of service.
Random ware
Ransomware: Ransomware is a type of a malware, which restricts access to the computer system's files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions. It attachments to email messages, infected software applications, compromised websites.
Hacking phase: reconnaissance
Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack. In this phase, the attacker draws on competitive intelligence to learn more about the target. It could be the future point of return, noted for ease of entry for an attack when more about the target is known on a broad scale. Reconnaissance target range may include the target organization's clients, employees, operations, network, and systems. This phase allows attackers to plan the attack. This may take some time as the attacker gathers as much information as possible. Part of this reconnaissance may involve social engineering. A social engineer is a person who convinces people to reveal information such as unlisted phone numbers, passwords, and other sensitive information. For instance, the hacker could call the target's Internet service provider and, using whatever personal information previously obtained, convince the customer service representative that the hacker is actually the target, and in doing so, obtain even more information about the target. Another reconnaissance technique is dumpster diving. Dumpster diving is, simply enough, looking through an organization's trash for any discarded sensitive information. Attackers can use the Internet to obtain information such as employees' contact information, business partners, technologies currently in use, and other critical business knowledge. But dumpster diving may provide them with even more sensitive information, such as user names, passwords, credit card statements, bank statements, ATM receipts, Social Security numbers, private telephone numbers, checking account numbers, and any number of other things. Searching for the target company's web site in the Internet's Whois database can easily provide hackers with the company's IP addresses, domain names, and contact information. (EC-Council) Reconnaissance techniques are broadly categorized into active and passive. When an attacker is using passive reconnaissance techniques, she/he does not interact with the target directly. Instead, the attacker relies on publicly available information, news releases, etc. Active reconnaissance techniques, on the other hand, involve direct interactions with the target system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems, and applications. Attackers use active reconnaissance when there is a low probability of detection of these activities. For example, telephone calls to the help desk or technical department. As an ethical hacker, you must be able to distinguish among the various reconnaissance methods, and advocate preventive measures in the light of potential threats. Companies, on their part, must address security as an integral part of their business and/or operational strategy, and be equipped with the proper policies and procedures to check for potential vulnerabilities.
Risk Management
Risk management is the process of identifying, assessing, response and implementing the activities, which control how the organization manages the potential effects. It has a prominent place throughout the security life cycle and is a continuous and ever-increasing complex process. The types of risks vary from organization to organization but preparing a risk management plan will be common between all organizations. Risk Management Objectives: To identify the potential risks is the main objective of risk management. To identify the impact of risks and help the organization develop better risk management strategies and plans. To prioritize the risks, depending on the impact/severity of the risk, and use established risk management methods, tools and techniques to assist. To understand and analyze the risks and report identified risk events. To control the risk and mitigate the risk effect. To create awareness among the security staff, develop strategies and plans for risk management strategies that last. Risk management is a continuous process performed by achieving goals at every phase. It helps reduce and maintain risk at an acceptable level utilizing a well-defined and actively employed security program. This process is applied in all stages of the organization, i.e., strategic and operational contexts, to specific network locations.
What is risk
Risk refers to a degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or resources, under specified conditions. Alternatively, risk can also be defined as: A probability of the occurrence of a threat or an event that may damage, or cause loss or have other negative impact either from internal or external liabilities. A possibility of a threat, acting upon an internal or external vulnerability and causing harm to a resource. The product of the likelihood that an event would occur and the impact that event would have on an information technology asset. The relation between Risk, Threats, Vulnerabilities and Impact is as follows: RISK = Threats x Vulnerabilities x Impact The impact of an event on an information asset is the product of vulnerability in the asset and the asset's value to its stakeholders. IT risk can be expanded to RISK = Threat × Vulnerability × Asset Value In fact, risk is the combination of the following two factors: Probability of the occurrence of an adverse event Consequence of the adverse event.
Rules of Engagement (ROE)
Rules of Engagement (ROE) are the formal permissions to conduct a penetration test. They provide certain rights and restrictions to the test team for performing the test, and help testers to overcome legal, federal, and policy-related restrictions to use different penetration testing tools and techniques.
Hacking phase: scanning
Scanning is the phase immediately preceding the attack. Here, the attacker uses the details gathered during reconnaissance to scan the network for specific information. Scanning is a logical extension of active reconnaissance, and in fact, some experts do not differentiate scanning from active reconnaissance. There is a slight difference, however, in that scanning involves more in-depth probing on the part of the attacker. Often the reconnaissance and scanning phases overlap, and it is not always possible to separate the two. An attacker can gather critical network information such as the mapping of systems, routers, and firewalls by using simple tools such as the standard Windows utility Traceroute. Alternatively, they can use tools such as Cheops to add additional information to Traceroute's results. Scanning can include use of dialers, port scanners, network mappers, ping tools, vulnerability scanners, etc. Attackers extract information such as live machines, port, port status, OS details, device type, system uptime, etc. to launch attack. Port scanners detect listening ports to find information about the nature of services running on the target machine. The primary defense technique against port scanners is to shut down services that are not required, as well as to implement appropriate port filtering. However, attackers can still use tools to determine the rules implemented by the port filtering. The most commonly used tools are vulnerability scanners, which can search for thousands of known vulnerabilities on a target network. This gives the attacker an advantage because he or she only has to find a single means of entry, while the systems professional has to secure as much vulnerability as possible by applying patches. Organizations that use intrusion detection systems still have to remain vigilant, because attackers can and will use evasion techniques at every step of the way.
Identify Security Objectives
Security objectives are the goals and constraints related to the application's confidentiality, integrity, and availability. Security-specific objectives guide the threat modeling efforts and helps to determine how much effort need to put on subsequent steps. To identify security objectives, administrators should ask the following questions: o What data should be protected? o Are there any compliance requirements? o Are there specific quality-of-service requirements? o Are there intangible assets to protect?.
Shrink wrap code attack
Software developers often use free libraries and code licensed from other sources in their programs to reduce development time and cost. This means that large portions of many pieces of software will be the same, and if an attacker discovers vulnerabilities in that code, many pieces of software are at risk. Attackers exploit default configuration and settings of the off-the-shelf libraries and code. The problem is that software developers leave the libraries and code unchanged. They need to customize and fine-tune every part of their code in order to make it not only more secure, but different enough so that the same exploit will not work.
Operating system attacks
Some OS vulnerabilities include: o Buffer overflow vulnerabilities o Bugs in the operating system o An unpatched operating system Attacks performed at the OS level include: o Exploiting specific network protocol implementations o Attacking built-in authentication systems o Breaking file-system security o Cracking passwords and encryption mechanisms.
Required skills
Technical Skills o In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh o In-depth knowledge of networking concepts, technologies and related hardware and software o A computer expert adept at technical domains o Knowledge of security areas and related issues o High technical knowledge to launch the sophisticated attacks Non-Technical Skills Some of the non-technical characteristics of an ethical hacker include: o Ability to quickly learn and adapt new technologies o Strong work ethics and good problem solving and communication skills o Commitment to an organization's security policies o Awareness of local standards and laws.
Enterprise Directory Services:
The directory service provides central user repository that stores user identity information and enables other components and services of IAM to retrieve and verify user credentials submitted by various client systems. This component provides the logical structure of all the user identities of an organization. It provides single point of administration and services such as data synchronization, meta directory and virtual directory, which are used to synchronize and manage user identity data from databases, applications, networks, and systems in real time. IAM directory services implement standards such as Lightweight Directory Access Protocol (LDAP) and Simple Cloud Identity Management (SCIM).
Facilitating the rise of scrip kiddies
The ease with which system vulnerabilities can be exploited has increased while the knowledge curve required to perform such exploits has decreased. The concept of the elite "super attacker" is an illusion. However, the fast-evolving genre of "script kiddies" is a growing threat.
Attack Phase
The information gathered in the pre-attack phase forms the basis of the attack strategy. Before deciding on the attack strategy, the tester may choose to carry out an invasive information-gathering process such as scanning. The attack phase involves the actual compromise of the target. The attacker may exploit a vulnerability discovered during the pre-attack phase or use security loopholes such as a weak security policy to gain access to the system. The important point here is that while the attacker needs only one port of entry, organizations need to defend several. Once inside, the attacker may escalate privileges and install a backdoor to sustain access to the system and exploit it. During the attack phase, the pen tester needs to: Penetrate perimeter Acquire target Escalate privileges Execute, implant, retract.
Intranet zone
The intranet zone, also known as a controlled zone, contains a set of hosts in an organization's network located behind a single firewall or set of firewalls, and generally has less restriction. This zone is not heavily restricted in use, but it has an appropriate span of control set up to ensure that network traffic does not compromise the operation of significant business functions.
Mandatory Access Control (MAC)
The mandatory access controls determine the usage and access policies of the users. Users can access a resource only if that particular user has the access rights to that resource. MAC finds its application in the data marked as highly confidential. The network administrators impose MAC, depending on the operating system and security kernel. It does not permit the end user to decide who can access the information, and does not permit the user to pass privileges to other users as the access could then be circumvented.
White-Box Testing (Complete-Knowledge Testing)
The organization may give complete information about its network to the pen-testers if it wants to assess its security against a specific kind of attack or a specific target. The information provided can include network-topology documents, asset inventory, and valuation information. Typically, an organization would opt for this when it wants a complete audit of its security. It is critical to note that despite all this, information security is an ongoing process and penetration testing gives a snapshot of the security posture of an organization at any given point in time. Security professionals may perform white-box testing with or without the knowledge of IT staff. The top management must approve the test if it does not involve the organization's IT staff.
Types of Physical Security Control
The physical security controls are categorized based on their functionality and the plane of application. Based on their functionality, the types of security control include: Preventive Controls These controls prevent security Preventive controls may be physical, administrative, or technical. Examples include door lock, security guard, etc Detective Controls These controls detect security violations, and record any intrusion attempts. These controls act when preventive controls fail. Examples include motion detector, alarm systems and sensors, video surveillance, etc. Deterrent Controls These controls may not prevent access directly. They are used to discourage attackers and send warning messages to the attackers to discourage an intrusion attempt. Examples include various types of warning signs. Recovery Controls These controls are used in a more serious condition to recover from security violation and restore information and systems to a persistent state. Examples include disaster recovery, business continuity plans, backup systems, etc. Compensating Controls These controls are used as an alternative control when the intended controls fail or cannot be used. They do not prevent any attack attempt but try to restore using other means like restoring from backup. Examples include hot site, backup power system, etc. (EC-Council)
Pre-Attack Phase
The pre-attack phase includes planning, preparation and methodology designing to perform pen testing. This phase focuses on gathering as much information as possible about the target. It can be invasive, such as gathering information through scanning, or it can be noninvasive, such as reviewing public records.
Production network zone
The production network zone, also known as a restricted zone, supports functions for which access should be limited. It strictly controls direct access from uncontrolled networks. Typically, a restricted zone employs one or more firewalls to filter inbound and outbound traffic.
Infowar
The term information warfare or InfoWar refers to the use of information and communication technologies (ICT) for competitive advantages over an opponent. Examples of information warfare weapons include viruses, worms, Trojan horses, logic bombs, trap doors, nano machines and microbes, electronic jamming, and penetration exploits and tools. Martin Libicki has divided information warfare into the following categories: Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control. Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, "intelligence-based warfare" is a warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battle space. Electronic warfare: According to Libicki, electronic warfare uses radio electronic and cryptographic techniques to degrade communication. Radio electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information. Psychological warfare: Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in the battle. Hacker warfare: According to Libicki, the purpose of this type of warfare can vary from shutdown of systems, data errors, theft of information, theft of services, system monitoring, false messaging, and access to data. Hackers generally use viruses, logic bombs, Trojan horses, and sniffers to perform these attacks. Economic warfare: According to Libicki, economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world. Cyber warfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare and includes information terrorism, semantic attacks (similar to Hacker warfare, but instead of harming a system, it takes the system over and the system will be perceived as operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).
Policies are not technology specific and accomplish three things:
They reduce or eliminate legal liability of employees and third parties. They protect confidential and proprietary information from theft, misuse, unauthorized disclosure, or modification. They prevent wastage of the company's computing resources.
Indemnification clause:
This clause protects the penetration tester/agency from any legal or financial liabilities, in case the penetration test results in loss or damage to the assets of the organization.
Authentication:
This component provides authentication management and session management. Through this component, the users provide their login credentials to access the applications and resources of the organization. It provides services such as single sign on, session management, password services, strong authentication and multifactor-authentication.
Hacking phase: gaining access
This is the phase in which real hacking occurs. Attackers use vulnerabilities identified during the reconnaissance and scanning phase to gain access to the target system and network. Gaining access refers to the point where the attacker obtains access to the operating system or applications on the computer or network. The attacker can gain access at the operating system level, application level, or network level. Even though attackers can cause plenty of damage without gaining any access to the system, the impact of unauthorized access is catastrophic. For instance, external denial-of-service attacks can either exhaust resources or stop services from running on the target system. Ending processes can stop a service, using a logic bomb or time bomb, or even reconfiguring and crashing the system. Thus attackers can exhaust system and network resources by consuming all outgoing communication links. Attackers gain access to the target system locally (offline), over a LAN, or over the Internet. Examples include password cracking, stack-based buffer overflows, denial-of-service, and session hijacking. Using a technique called spoofing to exploit the system by pretending to be a legitimate user or different systems, they can send a data packet containing a bug to the target system in order to exploit a vulnerability. Packet flooding also breaks the availability of essential services. Smurf attacks attempt to cause users on a network to flood each other with data, making it appear as if everyone is attacking each other, and leaving the hacker anonymous. A hacker's chances of gaining access into a target system depend on several factors, such as the architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained. Once an attacker gains access to the target system, he/she then tries to escalate privileges in order to take complete control of the target system. In the process, intermediate systems that are connected to it are also compromised.
Web profiling
This phase will attempt to profile and map the Internet profile of the organization. The information gleaned will be used for later attack techniques such as SQL injection, Web server and application hacking, session hijacking, denial-of-service, and so on. Steps include (but are not limited to): o Cataloging all Web-based forms, types of user input, and form-submission destinations o Cataloging Web privacy data including cookie types (persistent or session), nature and location of information stored, cookie expiration rules, and encryption used o Cataloging Web error messages, bugs in services, third-party links, and applications; locate the destination.
Promiscuous Policy
This policy does not impose any restrictions on the usage of system resources. For example, with a promiscuous Internet policy, there is no restriction on Internet access. A user can access any site, download any application, and access a computer or a network from a remote location. While this can be useful in corporate businesses where people who travel or work at branch offices need to access the organizational networks, many malware, virus, and Trojan threats are present on the Internet and due to free Internet access, this malware can come as attachments without the knowledge of the user. Network administrators must be extremely alert while choosing this type of policy.
System and service identification through port scans
This will essentially result in the identification of live systems and their IP addresses, port states (open, closed, or filtered), protocols used (routing or tunneled), active services and service types, service application types and patch levels, OS fingerprinting, version identification, internal IP addressing, and so on. Steps include (but are not limited to): o Deploying a connect scan for all hosts on the network. Use this through port 1024 to enumerate ports. o Deploying a stealth SYN scan for ports 20, 21, 22, 23, 25, 80, and 443. Extend this scan to live systems to detect port states. o Deploying an ACK scan for ports 3100-3150, 10001-10050, and 33500-33550 using TCP port 80 as the source to get past the firewall. o Deploying a fragment scan in reverse order with FIN, NULL, and XMAS flags set for ports 21, 22, 25, 80, and 443. Testers use this for enumerating the subset of ports in the default packet fragment testing ports. o Deploying FTP bounce and idle scans for ports 22, 81, 111, 132, 137, and 161 to infiltrate the DMZ. o Deploying UDP scans to check for port filtering on a small subset. o Cataloging all the protocols. Note any tunneled or encapsulated protocols. o Cataloging all services identified for ports discovered—whether filtered or not. Note service remapping and system redirects. o Cataloging all applications identified using scanners such as Nmap. Additionally, you can retrieve information such as patch level and version fingerprinting.
The following are the goals of EISA:
To help in monitoring and detecting network behaviors in real time acting upon internal and externals security risks. To help an organization detect and recover from security breaches. To aid in prioritizing resources of an organization and pay attention to various threats. To benefit the organization in cost prospective when incorporated in security provisions such as incident response, disaster recovery, and event correlation, etc. To help in analyzing the procedures needed for the IT department to identify assets and function properly. To help perform risk assessment of an organization's IT assets with the cooperation of IT staff.
The following are the goals of security policies:
To maintain an outline for the management and administration of network security To protect an organization's computing resources To eliminate legal liabilities arising from employees or third parties To prevent wastage of company's computing resources To prevent unauthorized modifications of the data To reduce risks caused by illegal use of the system resource To differentiate the user's access rights To protect confidential, proprietary information from theft, misuse, and unauthorized disclosure.
Reasons why organizations recruit ethical hackers
To prevent hackers from gaining access to organization's information systems To uncover vulnerabilities in systems and explore their potential as a risk To analyze and strengthen an organization's security posture including policies, network protection infrastructure, and end-user practices To provide adequate preventive measures in order to avoid security breaches To help safeguard customer's data available in business transactions To enhance security awareness at all levels in a business As hacking involves creative thinking, vulnerability testing and security audits cannot ensure that the network is secure. To achieve security, organizations need to implement a "defense-in-depth" strategy by penetrating their networks to estimate vulnerabilities and expose them.
Accounting:
User accounting refers to tracking the actions performed by the user on a network. This includes verifying the files accessed by the user, functions like alteration or modification of the files or data. It keeps track of who, when, how the users access the network. It helps in identifying authorized and unauthorized actions.
Activity: Acquiring Target
Usually, target acquisition refers to all the activities to unearth as much information as possible about a particular machine or system. Acquiring a target refers to the set of activities in which the tester subjects the target machine to more-intrusive challenges such as vulnerability scans and security assessments. This helps in gaining more information about the target and exploiting it in the exploitation phase. Examples of such activities include subjecting the machine to the following procedures: Active probing assaults: This can use results of network scans to gather further information that can lead to a compromise. Running vulnerability scans: Vulnerability scans are completed in this phase. Trusted systems and trusted process assessment: This involves attempting to access the machine's resources using legitimate information obtained through social engineering or other means..
Viruses and worms
Viruses and Worms: Viruses and worms are the most prevalent networking threats, capable of infecting a network within seconds. A virus is a self-replicating program that produces a copy of itself by attaching to another program, computer boot sector or document. A worm is a malicious program that replicates, executes and spreads across network connections. Viruses make their way into the computer when the attacker shares a malicious file containing it with the victim through the Internet, or through any removable media. Worms enter a network when the victim downloads a malicious file, opens a spam mail or browses a malicious website.
Webapp threats
Web Application Threats: Web application attacks like SQL injection, cross-site scripting has made web applications a favorable target for the attackers to steal credentials, set up phishing site, or acquire private information. Majority of such attacks are the result of flawed coding and improper sanitization of input and output data from the web application. Web application attacks can threaten the performance of the website and hamper its security.
There are two types of black-box penetration testing:
o Blind Testing In the blind testing, the pen-tester has limited information or knows nothing about the target, but the target is informed of an audit scope (what, how, and when the pen-tester will be testing) prior to performing the test. Blind testing simulates the actions and procedures of a real hacker. The pen-testing team attempts to gather as much information as possible about the target organization from the Internet (company's website, domain name registry, online discussion board, USENET, etc.) and other publicly accessible sources. Pen testers start audit of the target organization's security based on the collected information. Tough, blind testing provides a lot of inside information (such as Internet access points, directly accessible networks, publicly available confidential /proprietary information, etc.) about the organization that may have been otherwise not known, but it is more time consuming and expensive, as a lot of effort is involved to research the target. Example: Ethical hacking, war-gaming, etc. o Double-Blind Testing In double-blind testing (also known as "zero-knowledge testing"), neither the pen-tester knows about the target nor the target is informed of an audit scope (what, how, and when the pen-tester will test) prior to test execution. In other words, both parties are blind to the test. Most of the security assessments today are based on double-blind testing strategy, as it validates the presence of vulnerabilities that can be exploited and the ability of the target's individuals, processes, and tools to recognize and react appropriately to the penetration attempts made. Example: Black-box auditing, penetration testing, etc.
There are two types of security policies:
technical security and administrative security policies. Technical security policies describe the configuration of the technology for convenient use; administrative security policies address how all persons should behave. All employees must agree to and sign both the policies. In an organization the high-level management is responsible for the implementation of the organization's security policies. High-level officers involved in the implementation of the policies include the following: Director of Information Security Chief Security Officer.
Reasons for insider threats:
Inadequate security awareness and training Lack of proper management controls for monitoring employee activities Use of insecure mode of data transfers.
The ROE includes:
Specific IP addresses/ranges to be tested Any restricted hosts (i.e., hosts, systems, or subnets not to be tested) A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.) Times when testing is to be conducted (e.g., during business hours, after business hours, etc.) Identification of a finite period for testing IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate legitimate penetration testing attacks from actual malicious attacks Points of contact for the penetration testing team, the targeted systems, and the networks Measures to prevent law enforcement being called with false alarms (created by the testing) Handling of information collected by the penetration testing team.
The four key steps commonly termed as risk management phases are:
Risk Identification It is the initial step of the risk management plan. The main aim is to identify the risks - sources, causes, consequences, etc. of the internal and external risks affecting the security of the organization before they cause harm to the organization. The risk identification process depends on the skill set of the people and it differs from one organization to the other. Risk Assessment This phase assesses the organization's risks and estimates the likelihood and impact of those risks. Risk assessment is an ongoing iterative process and assigns priorities for risk mitigation and implementation plans, which help to determine the quantitative and qualitative value of risk. Every organization should adopt a risk evaluation process in order to detect, prioritize, and remove risks. Risk assessment determines the kind of risks present, the likelihood and severity of risk, as well as the priorities and plans for risk control. Organizations perform a risk assessment when they identify a hazard, but are not able to control it immediately. After performing a risk assessment, an update of all information facilities is needed at regular intervals. Risk Treatment Risk treatment is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. The risk treatment method addresses and treats the risks, according to their severity level. Decisions made in this phase are based on the results of a risk assessment. The purpose of this step is to identify treatments for the risks that fall outside the department's risk tolerance and provide an understanding of the level of risk with controls and treatments. It identifies the priority order in which individual risks should be treated, monitored and reviewed. Before treating the risk, you need to gather information about: o The appropriate method of treatment o People responsible for treatment o Costs involved o Benefits of treatment o Likelihood of success o Ways to measure and assess the treatment Risk Tracking and Review An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses. The tracking and review process should determine the measures adopted, the procedures adopted, and ensure that information gathered for undertaking the assessment was appropriate. The review phase evaluates the performance of the implemented risk management strategies. Performing regular inspections of policies and standards, as well as reviewing them regularly helps to identify the opportunities for improvement. Further, the monitoring process assures there are appropriate controls in place for the organization's activities and that the procedures are understood and followed. .
Tiger team
A tiger team works together to perform a full-scale test covering all aspects of the network, as well as physical and system intrusion.
Organizations generally provide the following information for white-box testing:
o Company infrastructure: This includes information related to the different departments of an organization. Penetration testers have the Information related to hardware, software, and controls in an organization. o Network type: The network-type information could be regarding the organization's LAN and the topology used to connect the systems. It could also be information regarding access to remote networks or the Internet. o Current security implementations: Current security implementations are the various security measures adopted by an organization to safeguard vital information against any kind of damage or theft. o IP address/firewall/IDS details: This information includes details of the IP addresses an organization uses, the firewalls used to protect data from unauthorized users, and other important technical details about the network. Organizations generally provide the firewall and IDS policies to the penetration tester. o Company policies: An organization may provide business continuity and IT security policies to the pen testers, depending on the nature of the test. Security policies, legal policies, and labor policies can all be useful to the penetration tester.
Testing methods for perimeter security include, but are not limited to, the following techniques:
o Evaluating error reporting and error management with ICMP probes o Checking access control lists with crafted packets o Measuring the threshold for denial of service by attempting persistent TCP connections, evaluating transitory TCP connections, and attempting streaming UDP connections o Evaluating protocol filtering rules by attempting connection using various protocols such as SSH, FTP, and Telnet o Evaluating the IDS capability by passing malicious content (such as malformed URLs) and scanning the target variously in response to abnormal traffic o Examining the perimeter security system's response to Web server scans using multiple methods such as POST, DELETE, and COPY.
To create and implement security policies an organization should:
1. Perform risk assessment to identify risks to the organization's assets 2. Learn from standard guidelines and other organizations 3. Include senior management and all other staff in policy development 4. Set clear penalties and enforce them 5. Make the final version available to all the staff in the organization 6. Ensure that every member of the staff reads, understands and signs the policy 7. Deploy tools to enforce the policies 8. Train and educate employees about the policy 9. Regularly review and update.
Red Teaming
A red team (also known as aggressor team) is a group of white-hat hackers (ethical hackers) who attempt to launch attacks against an organization's digital infrastructure, as would a malicious attacker, to test the organization's security posture. It is proposed to detect network and system vulnerabilities and check security from an attacker's perspective approach to network, system, or information access and it may be conducted with or without warning. Red teaming may include system administrators from various departments in an organization and they perform penetration test on an information system with no or a very limited access to the organization's internal resources.
Vulnerability Assessment
A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or of the amount of damage that may result from the successful exploitation of the vulnerability.
Warm backup
A warm backup, also called a nearline backup, will have connectivity to the network. In a warm backup, the system updates are turned on to receive periodic updates. It is beneficial when mirroring or duplicating the data.
Management Network Zone or Secured Zone:
Access to this zone is limited to authorized users. Access to one area of the zone does not necessarily apply to another area of the zone. It is a secured zone with strict policies.
Authenticity
Authenticity Authenticity refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine, one who he / she claims to be. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, or documents.
Activity: Escalating Privileges
Attacker takes an advantage of bugs, design flaws, or misconfigurations in an operating system or an application to gain elevated access to the normally protected resources from an application or user. Privilege escalation is usually performed by attackers to carry out various malicious activities such as delete files, view sensitive information, or install malicious programs such as Trojans and viruses. Therefore, once the pen tester manages to intrude in to the target system, he or she must attempt to exploit the system and gain further access to protected resources. Activities include (but are not limited to) the following techniques: The tester may take advantage of poor security policies, e-mails, or unsafe Web code to gather information that can lead to escalation of privileges. Use of techniques such as brute force to achieve privileged status. Tools for this purpose include GetAdmin and password crackers. Use of Trojans and protocol analyzers. Use of information gleaned through techniques such as social engineering to gain unauthorized access to privileged resources.
The services provided by IAM are classified into four distinct components
Authentication Authorization User management Enterprise directory service
Cloud computing threats
Cloud Computing Threats: Cloud computing is an on-demand delivery of IT capabilities in which IT infrastructure and applications are provided to subscribers as a metered service over a network. Clients can store sensitive information on the cloud. Flaw in one client's application cloud could potentially allow attackers to access another client's data..
Information security controls
The basic security concepts critical to information on the Internet are confidentiality, integrity, and availability; those related to the persons accessing information are authentication, authorization, and non-repudiation. Information is the greatest asset to an organization, and it is a must to secure it.