Mahavir Polytechnic CO6I-ETI-UNIT 5

Mahavir Polytechnic, Nashik

Department of Computer Engineering
Year: TY Subject: ETI (22618)

UNIT 5: Basics of Hacking Marks: 10

Course Outcome 5: Describe Ethical Hacking process.

Syllabus:
5.1 Ethical Hacking
How Hackers Beget Ethical Hackers, Defining hacker, Malicious users
Data Privacy and General Data Protection and Regulation (GDPR)
5.2 Understanding the need to hack your own systems
5.3 Understanding the dangers your systems face
Non-Technical attacks, Network-infrastructure attacks, Operating-system attacks, Application and other
specialized attacks
5.4 Obeying the Ethical hacking Principles
Working ethically, respecting privacy, not crashing your systems
5.5 The Ethical Hacking Process
Formulating your plan, selecting tools, Executing the plan, Evaluating results, Moving on
5.6 Cyber Security act

Hacking ?

Hacking
.
आ

आ .

. आ आ

illegal आ . , आ
.

Dept. Of Computer Engineering Page 1

Mahavir Polytechnic CO6I-ETI-UNIT 5

, ( , , )

. आ

programming, algorithms, network, security

आ

Computer Hacking process आ computer

modification ( ) creator आ .
Hacking is the art of declaring the mistakes of Hardware and softwares.

Hack .
Hacker term offensive real skills आ

Hacking

1960 MIT . आ
. आ आ

. आ
आ .

आ 3 आ .

1.

आ .

आ
. .

Dept. Of Computer Engineering Page 2

Mahavir Polytechnic CO6I-ETI-UNIT 5

2.

.आ
आ

आ .

3.

. आ .
illegal आ .

. .
.

4 ) Script Kiddie :

Field ,
आ .

Crackers ? | What is Crackers in Marathi

Black Hat Hackers Crackers . illegal computer system

आ illegal . data
modification data destruction . computer virus आ internet worm

pc आ botnet spam .

Dept. Of Computer Engineering Page 3

Mahavir Polytechnic CO6I-ETI-UNIT 5

–आ
.

–
.

– आ
आ . .

–आ आ आ

Ethical Hacking ?

Ethical Hacking

. आ
आ . ethical hackers

आ आ आ ,
. Ethical Hackers आ

Ethical Hackers आ आ .

, ethical hackers . Ethical

Hackers .

आ आ .

Dept. Of Computer Engineering Page 4

Mahavir Polytechnic CO6I-ETI-UNIT 5

Ethical Hacking

1. आ आ आ Ethical Hackers
.
2. आ

आ आ Ethical Hacking .
3. Ethical Hackers आ .

What Is a Malicious User?

Malicious users (or internal attackers) try to compromise computers and sensitive information from
the inside as authorized and “trusted” users. Malicious users go for systems they believe they can
compromise for fraudulent gains or revenge.
hackers and malicious users.
Malicious user means a rogue employee, contractor, intern, or other user who abuses his or her
trusted privileges .It is a common term in security circles. Users search through critical database
systems to collect sensitive information, e-mail confidential client information to the competition or
elsewhere to the cloud, or delete sensitive files from servers that they probably do not have access.
There’s also the occasional ignorant insider whose intent is not malicious but who still causes
security problems by moving, deleting, or corrupting sensitive information. Even an innocent “fat-
finger” on the keyboard can have terrible consequences in the business world. Malicious users are
often the worst enemies of IT and information security professionals because they know exactly
where to go to get the goods and don’t need to be computer savvy to compromise sensitive
information. These users have the access they need and the management trusts them, often without
question. In short they take the undue advantage of the trust of the management.

Dept. Of Computer Engineering Page 5

Mahavir Polytechnic CO6I-ETI-UNIT 5

Data Privacy and General Data Protection and Regulation (GDPR)

Data privacy and the General Data Protection Regulation (GDPR) are essential aspects of modern data
management and protection. Here's an overview of both concepts:

1. Data Privacy:
o Data privacy refers to the protection of individuals' personal information and their right to
control how their data is collected, used, and shared.
o It encompasses various principles and practices aimed at safeguarding sensitive data from
unauthorized access, misuse, and exploitation.
o Data privacy involves implementing measures such as encryption, access controls, data
anonymization, and secure data handling procedures to ensure that personal information
is kept confidential and secure.
2. General Data Protection Regulation (GDPR):
o GDPR is a comprehensive data protection law enacted by the European Union (EU) in
2018 to enhance data privacy rights and strengthen data protection for individuals within
the EU and the European Economic Area (EEA).
o GDPR sets out rules and requirements for organizations that process personal data,
regardless of whether the organization is located within the EU. It applies to businesses,
government agencies, non-profit organizations, and other entities that handle personal
data of EU residents.
o Key principles of GDPR include:
 Lawfulness, fairness, and transparency in data processing.
 Purpose limitation: Personal data should be collected for specified, explicit, and
legitimate purposes and not further processed in a manner incompatible with
those purposes.
 Data minimization: Only collect and process personal data that is necessary for
the intended purpose.
 Accuracy: Personal data should be accurate and kept up to date.
 Storage limitation: Personal data should be kept in a form that permits
identification of data subjects for no longer than is necessary for the purposes for
which the data is processed.

Dept. Of Computer Engineering Page 6

Mahavir Polytechnic CO6I-ETI-UNIT 5

 Integrity and confidentiality: Personal data should be processed in a manner that

ensures appropriate security, including protection against unauthorized or
unlawful processing and accidental loss, destruction, or damage.
o GDPR also gives individuals greater control over their personal data by granting them
rights such as the right to access, rectify, erase, and restrict the processing of their data. It
also imposes strict requirements for obtaining valid consent for data processing and
mandates data breach notification obligations for organizations.

Understanding the need to hack your own systems

Hacking your own systems, also known as ethical hacking or penetration testing, involves simulating
cyberattacks on your organization's network, systems, and applications to identify vulnerabilities and
weaknesses before malicious hackers exploit them. Here's why it's important:

1. Identify Weaknesses: By hacking your own systems, you can proactively identify
vulnerabilities and weaknesses in your cybersecurity defenses. This allows you to understand
where your systems are most vulnerable and prioritize efforts to address those weaknesses.
2. Mitigate Risks: Understanding your organization's cybersecurity risks is essential for mitigating
potential threats and preventing security breaches. Ethical hacking helps you uncover
vulnerabilities that could be exploited by malicious actors, allowing you to take corrective
actions to strengthen your defenses and reduce the risk of data breaches or other security
incidents.
3. Compliance Requirements: Many industries and regulatory frameworks, such as PCI DSS,
HIPAA, and GDPR, require organizations to conduct regular security assessments and
penetration tests to ensure compliance with security standards and regulations. Ethical hacking
helps organizations meet these compliance requirements by identifying and addressing security
vulnerabilities in their systems and applications.
4. Improve Security Posture: Ethical hacking provides valuable insights into the effectiveness of
your organization's security controls and measures. By identifying and remediating
vulnerabilities, you can improve your security posture and enhance your ability to detect,
respond to, and mitigate cyber threats effectively.

Dept. Of Computer Engineering Page 7

Mahavir Polytechnic CO6I-ETI-UNIT 5

5. Build Trust: Demonstrating a commitment to cybersecurity and proactive risk management can
help build trust with customers, partners, and stakeholders. By conducting ethical hacking and
taking steps to strengthen your cybersecurity defenses, you show that you take data protection
and privacy seriously and are committed to safeguarding sensitive information.
6. Cost-Effective Security Testing: While preventing security breaches is crucial, it's also
important to consider the cost-effectiveness of your security measures. Ethical hacking allows
you to identify vulnerabilities and weaknesses in your systems early on, reducing the likelihood
of costly security incidents and the associated financial and reputational damage.

Understanding the dangers your systems face

Understanding the dangers your systems face is essential for effectively managing cybersecurity risks
and protecting your organization's assets, data, and reputation. Here are some key dangers that your
systems may face:

1. Cyberattacks: Cyberattacks are deliberate and malicious attempts by hackers to compromise the
confidentiality, integrity, or availability of your systems and data. These attacks can take various
forms, including malware infections, phishing scams, ransomware attacks, denial-of-service
(DoS) attacks, and social engineering tactics.
2. Data Breaches: Data breaches occur when unauthorized individuals gain access to sensitive or
confidential information stored on your systems. This can include personal identifiable
information (PII), financial data, intellectual property, trade secrets, and other valuable assets.
Data breaches can result in financial losses, legal liabilities, reputational damage, and loss of
customer trust.
3. Vulnerabilities: Vulnerabilities are weaknesses or flaws in your systems, applications, or
networks that can be exploited by hackers to gain unauthorized access or perform malicious
activities. Common vulnerabilities include software bugs, misconfigurations, insecure network
protocols, weak authentication mechanisms, and unpatched software.
4. Insider Threats: Insider threats refer to the risks posed by individuals within your organization
who misuse their privileges, access, or knowledge to intentionally or unintentionally harm your
systems, steal data, or sabotage operations. Insider threats can come from employees,
contractors, vendors, or other trusted insiders.

Dept. Of Computer Engineering Page 8

Mahavir Polytechnic CO6I-ETI-UNIT 5

5. Third-party Risks: Third-party risks arise from the use of external vendors, suppliers,
contractors, or service providers who have access to your systems, data, or networks. These third
parties may introduce security vulnerabilities, data breaches, or compliance risks that could
impact your organization's security posture and reputation.
6. Compliance Violations: Non-compliance with regulatory requirements, industry standards, or
contractual obligations can expose your organization to legal liabilities, fines, penalties, and
reputational damage. Failure to protect sensitive data, such as personal information or payment
card data, can result in regulatory enforcement actions and loss of customer trust.
7. Emerging Threats: The cybersecurity landscape is constantly evolving, with new and emerging
threats emerging regularly. These threats may exploit emerging technologies, vulnerabilities, or
attack vectors to bypass traditional security controls and defenses. Staying informed about
emerging threats and trends is essential for proactively mitigating risks and protecting your
systems.

Understanding the dangers your systems face

Non-Technical attacks, Network-infrastructure attacks, Operating-system attacks,
Application and other specialized attacks

Understanding the various types of attacks your systems may face is crucial for implementing effective
cybersecurity measures. Here's a breakdown of different categories of attacks:

1. Non-Technical Attacks:
o Social Engineering: Social engineering attacks manipulate individuals into divulging
sensitive information or performing actions that compromise security. Examples include
phishing, pretexting, baiting, and tailgating.
o Physical Security Breaches: Physical security attacks involve unauthorized access to
physical premises or theft of physical assets. This can include theft of devices, tampering
with equipment, or gaining physical access to sensitive areas.
2. Network-Infrastructure Attacks:
o Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS): These attacks
overwhelm a network, system, or service with an excessive volume of traffic, causing it
to become unavailable to legitimate users.

Dept. Of Computer Engineering Page 9

Mahavir Polytechnic CO6I-ETI-UNIT 5

o Man-in-the-Middle (MitM): MitM attacks intercept and modify communication

between two parties without their knowledge. Attackers can eavesdrop on sensitive
information or alter data in transit.
o DNS Spoofing: DNS spoofing attacks manipulate the Domain Name System (DNS) to
redirect users to malicious websites or intercept their traffic.
3. Operating-System Attacks:
o Exploiting Vulnerabilities: Attackers exploit security vulnerabilities in operating
systems to gain unauthorized access, escalate privileges, or execute malicious code.
Examples include buffer overflow attacks, code injection, and privilege escalation.
o Malware: Malicious software (malware) targets operating systems to steal data, disrupt
operations, or gain control of systems. Common types of malware include viruses,
worms, Trojans, ransomware, and spyware.
4. Application and Other Specialized Attacks:
o SQL Injection: SQL injection attacks target web applications by exploiting
vulnerabilities in database query processes. Attackers can manipulate SQL queries to
access or modify database contents.
o Cross-Site Scripting (XSS): XSS attacks inject malicious scripts into web applications,
which are executed in the context of legitimate users' browsers. This can lead to theft of
session cookies, defacement of websites, or phishing attacks.
o Zero-Day Exploits: Zero-day exploits target previously unknown vulnerabilities in
software applications, hardware, or protocols. Attackers exploit these vulnerabilities
before they are discovered and patched by vendors.

Obeying the Ethical hacking Principles

Working ethically, respecting privacy, not crashing your systems

Absolutely, obeying ethical hacking principles is essential for conducting responsible and effective
security testing. Here are some key principles to follow:

1. Working Ethically: Ethical hacking involves adhering to a strict code of conduct and ethical
standards. It's essential to conduct security testing in a lawful and responsible manner, respecting
the rights and privacy of others, and obtaining proper authorization before testing systems.

Dept. Of Computer Engineering Page 10

Mahavir Polytechnic CO6I-ETI-UNIT 5

2. Respecting Privacy: Privacy considerations are paramount when performing ethical hacking. It's
crucial to handle sensitive information and personal data with care, ensuring that privacy laws
and regulations are followed at all times. Avoid accessing or collecting unnecessary personal
information during security testing, and handle any sensitive data securely and confidentially.
3. Not Crashing Your Systems: The primary goal of ethical hacking is to identify and mitigate
security vulnerabilities, not to cause harm or disrupt operations. It's essential to exercise caution
when conducting security testing to minimize the risk of unintended consequences, such as
system crashes, data loss, or service disruptions. Always perform testing in a controlled
environment and take appropriate precautions to prevent adverse impacts on systems and
networks.
4. Transparency and Communication: Maintain open communication and transparency with
stakeholders throughout the ethical hacking process. Clearly communicate the scope, objectives,
and methodologies of security testing, and obtain informed consent from authorized stakeholders
before conducting any testing activities. Report findings accurately and promptly, providing
clear recommendations for remediation and improvement.
5. Continuous Learning and Improvement: Ethical hacking is a dynamic and evolving field,
requiring continuous learning and skill development to stay abreast of emerging threats and
techniques. Invest in ongoing training, certification, and professional development to enhance
your expertise in ethical hacking and cybersecurity.

The Ethical Hacking Process

Formulating your plan, selecting tools, Executing the plan, Evaluating results,
Moving on

The ethical hacking process involves a systematic approach to identifying, assessing, and mitigating
security vulnerabilities in a controlled and responsible manner. Here's an overview of the key steps
involved:

1. Formulating Your Plan:

o Define Objectives: Clearly define the goals and objectives of your ethical hacking
engagement. Determine what systems, networks, or applications you will be testing, and
what specific vulnerabilities or security controls you will be assessing.

Dept. Of Computer Engineering Page 11

Mahavir Polytechnic CO6I-ETI-UNIT 5

o Scope the Engagement: Define the scope of your ethical hacking activities, including
the systems, networks, and assets that are in scope for testing. Consider any legal or
compliance requirements, as well as any constraints or limitations that may impact your
testing.
o Obtain Authorization: Obtain proper authorization from the organization or individual
responsible for the systems you will be testing. This may involve obtaining written
permission or signing a formal agreement outlining the scope and terms of the
engagement.
2. Selecting Tools:
o Choose Appropriate Tools: Select the tools and techniques that are best suited to
achieve your objectives within the defined scope of your ethical hacking engagement.
This may include network scanning tools, vulnerability scanners, password cracking
tools, exploit frameworks, and other specialized software.
o Consider Legal and Ethical Implications: Ensure that the tools you use are legal,
ethical, and appropriate for the intended purpose. Avoid using tools or techniques that
could cause harm or disruption to systems or networks.
3. Executing the Plan:
o Conduct Reconnaissance: Gather information about the target systems, networks, and
applications through passive reconnaissance techniques such as open-source intelligence
(OSINT) gathering, network enumeration, and web scraping.
o Identify Vulnerabilities: Use active scanning and testing techniques to identify security
vulnerabilities and weaknesses in the target systems. This may involve performing port
scanning, vulnerability scanning, and penetration testing to discover potential entry points
and attack vectors.
o Exploit Vulnerabilities: Once vulnerabilities have been identified, attempt to exploit
them to gain unauthorized access or perform other malicious activities. Use exploit
techniques and tools to demonstrate the impact of the vulnerabilities and validate their
severity.
o Document Findings: Document your findings, including detailed descriptions of the
vulnerabilities discovered, evidence of successful exploitation, and recommendations for
remediation and mitigation.

Dept. Of Computer Engineering Page 12

Mahavir Polytechnic CO6I-ETI-UNIT 5

4. Evaluating Results:
o Assess Risk: Evaluate the severity and impact of the vulnerabilities identified based on
factors such as likelihood of exploitation, potential impact on business operations, and
ease of remediation.
o Prioritize Remediation: Prioritize vulnerabilities based on their risk level and potential
impact on the organization's security posture. Provide recommendations for remediation
and mitigation strategies to address the identified vulnerabilities effectively.
5. Moving On:
o Communicate Findings: Present your findings to the appropriate stakeholders, including
management, IT teams, and other relevant parties. Clearly communicate the risks and
implications of the vulnerabilities discovered, and provide actionable recommendations
for improving security.
o Support Remediation Efforts: Assist the organization in implementing remediation
measures and mitigating the identified vulnerabilities. Provide guidance and support as
needed to ensure that security controls are effectively implemented and vulnerabilities are
addressed.
o Continuous Improvement: Continuously monitor and assess the organization's security
posture, and provide ongoing support and guidance to help improve security practices
and resilience to cyber threats over time.

Cyber Security act

he Cybersecurity Act is a legislative framework designed to address cybersecurity challenges and

enhance the protection of critical information infrastructure (CII) against cyber threats and attacks.
While the specifics of the Cybersecurity Act may vary depending on the country or jurisdiction, it
typically encompasses several key components:

1. Regulatory Framework: The Cybersecurity Act establishes a regulatory framework for

governing cybersecurity practices, standards, and compliance requirements. It may outline the
roles and responsibilities of government agencies, regulatory bodies, and industry stakeholders in
managing cybersecurity risks and promoting cyber resilience.

Dept. Of Computer Engineering Page 13

Mahavir Polytechnic CO6I-ETI-UNIT 5

2. Critical Information Infrastructure Protection: The Cybersecurity Act focuses on protecting

critical information infrastructure (CII) sectors, such as energy, telecommunications, finance,
healthcare, transportation, and government services, from cyber threats. It identifies CII assets,
systems, and networks that are essential for national security, economic stability, and public
safety, and establishes measures to safeguard them against cyber attacks.
3. Risk Management and Incident Response: The Cybersecurity Act emphasizes the importance
of risk management and incident response in cybersecurity governance. It may require CII
operators to conduct risk assessments, develop cybersecurity policies and procedures, implement
security controls and safeguards, and establish incident response plans to detect, respond to, and
recover from cyber incidents effectively.
4. Information Sharing and Collaboration: The Cybersecurity Act promotes information sharing
and collaboration among government agencies, private-sector organizations, and international
partners to enhance cybersecurity awareness, threat intelligence sharing, and coordinated
response efforts. It may facilitate the exchange of cybersecurity information, best practices, and
resources to strengthen collective cyber defense capabilities.
5. Compliance and Enforcement: The Cybersecurity Act establishes compliance requirements
and enforcement mechanisms to ensure that CII operators adhere to cybersecurity standards and
regulations. It may include provisions for conducting audits, assessments, and inspections to
verify compliance, as well as penalties and sanctions for non-compliance with cybersecurity
requirements.
6. Public Awareness and Education: The Cybersecurity Act may include provisions for
promoting public awareness and education about cybersecurity risks, threats, and best practices.
It may support cybersecurity awareness campaigns, training programs, and initiatives to
empower individuals, businesses, and organizations to enhance their cyber hygiene and
resilience.

Dept. Of Computer Engineering Page 14

Mahavir Polytechnic CO6I-ETI-UNIT 5

As of my last update in January 2022, India does not have a specific overarching "Cybersecurity Act."
However, the country has enacted various laws, regulations, and policies aimed at addressing
cybersecurity challenges and promoting cyber resilience. Here are some key legislative and regulatory
initiatives related to cybersecurity in India:

1. Information Technology Act, 2000 (IT Act): The IT Act is the primary legislation governing
cybersecurity and electronic commerce in India. It provides legal recognition for electronic
transactions, defines offenses related to cybercrime, and establishes penalties for cyber offenses,
such as unauthorized access, hacking, data theft, and cyber fraud.
2. The Information Technology (Amendment) Act, 2008: This amendment to the IT Act
introduced provisions to address emerging cyber threats and challenges, including data
protection, privacy, and cybersecurity. It expanded the scope of cyber offenses and enhanced
penalties for cybercrimes.
3. National Cyber Security Policy, 2013: The National Cyber Security Policy aims to create a
secure cyber ecosystem, promote cybersecurity awareness, and enhance the capacity to prevent
and respond to cyber threats. It outlines strategic objectives, priorities, and initiatives to
strengthen cybersecurity capabilities across government, critical infrastructure sectors, and the
private sector.
4. National Critical Information Infrastructure Protection Centre (NCIIPC): NCIIPC was
established under the National Technical Research Organisation (NTRO) to protect critical
information infrastructure (CII) sectors, such as energy, telecommunications, transportation,
finance, and government services, from cyber threats. It works to identify and mitigate cyber
risks to CII and enhance cyber resilience through proactive measures and collaboration with
stakeholders.
5. CERT-In (Indian Computer Emergency Response Team): CERT-In serves as the national
nodal agency for cybersecurity incident response and coordination in India. It operates under the
Ministry of Electronics and Information Technology (MeitY) and is responsible for monitoring,
analyzing, and responding to cybersecurity incidents, as well as providing guidance and support
to stakeholders.
6. Data Protection and Privacy Laws: While not specific to cybersecurity, data protection and
privacy laws in India, such as the Personal Data Protection Bill, 2019 (pending enactment), aim

Dept. Of Computer Engineering Page 15

Mahavir Polytechnic CO6I-ETI-UNIT 5

to safeguard personal data and protect individuals' privacy rights. These laws have implications
for cybersecurity practices, particularly concerning data security, breach notification, and
compliance requirements for organizations handling personal data.

Dept. Of Computer Engineering Page 16