ETHICAL HACKING A LICENCE TO HACK


INTRODUCTION

Ethical hacking, also known as penetration testing, intrusion testing or red teaming, has become a major concern for businesses and governments.

Companies are worried about the possibility of being “hacked” and potential customers are worried about maintaining control of personal information.

This creates the need for computer security professionals to break into the systems of the organisation.

Ethical hackers employ the same tools and techniques as the intruders.

They neither damage the target systems nor steal information.

The tool is not an automated hacker program; rather, it is an audit that both identifies the vulnerabilities of a system and provides advice on how to eliminate them.

PLANNING THE TEST

Aspects that should be focused on:

Who should perform penetration testing?

How often do the tests have to be conducted?

What are the methods of measuring and communicating the results?

What if something unexpected happens during the test and brings the whole system down?

What are the organization's security policies?

The minimum security policies that an organization should possess:

Information policy

Security policy

Computer use

User management

System administration procedures

Incident response procedures

Configuration management

Design methodology

Disaster methodology

Disaster recovery plans

Ethical hacking- a dynamic process

Running through the penetration test once gives the current set of security issues, which is subject to change.

Penetration testing must be continuous to ensure that system movements and newly installed applications do not introduce new vulnerabilities into the system.

Who are ethical hackers

The skills ethical hackers should possess

They must be completely trustworthy.

They should have very strong programming and computer networking skills and have been in the networking field for several years.

They should have more patience.

Continuous updating of the knowledge on computer and network security is required.

They should know the techniques of the criminals, how their activities might be detected and how to stop them.


Choice of an ethical hacker

An independent external agency: black box testing.

An expert within your own organization: white box testing.

AREAS TO BE TESTED

Application servers

Firewalls and security devices

Network security

Wireless security


Red Team-Multilayered Assessment

Various areas of security are evaluated using a multilayered approach.

• Each area of security defines how the target will be assessed.

• An identified vulnerability at one layer may be protected at another layer, minimizing the associated risk of the vulnerability.

Information security (INFOSEC)- A revolving process

Attacks on Websites: Denial of service attack

Some hackers hack your websites just because they can.

They try to do something spectacular to exhibit their talents.

There comes the denial of service attack.

During the attacks, customers were unable to reach the websites, resulting in loss of revenue and “mind share”.

On January 17, 2000, a U.S. Library of Congress website was attacked.

The ethical hack itself

Testing itself poses some risk to the client.

A criminal hacker monitoring the transmissions of the ethical hacker could trap the information.

The best approach is to maintain several addresses around the internet from which the ethical hackers' transmissions originate.

Additional intrusion monitoring software can be deployed at the target.


IBM’S Immune system for Cyber space

Any combination of the following may be used:

Remote network.

Remote dial-up network.

Local network.

Stolen laptop computer.

Social engineering.

Physical entry.

Competitive Intelligence

A systematic and ethical program for maintaining external information that can affect your company’s plans.

It is the legal collection and analysis of information regarding the vulnerabilities of the business partners.

The same information used to aid a company can be used to compete with the company.

The way to protect the information is to be aware of how it may be used.


Information Security Goals

Improve IS awareness.

Assess risk.

Mitigate risk immediately.

Assist in the decision making process.

Conduct drills on emergency response procedures.

Conclusions

Never underestimate the attacker or overestimate our existing posture.

A company may be a target not just for its information but potentially for its various transactions.

To protect against an attack, understanding where the systems are vulnerable is necessary.

Ethical hacking helps companies first comprehend their risks and then manage them.

Security professionals are always one step behind the hackers and crackers.

Plan for the unplanned attacks.

The role of ethical hacking in security is to provide customers with awareness of how they could be attacked and why they are targeted.

“Security though a pain”, is necessary.



Queries?