
ETHICAL HACKING

A LICENCE TO HACK

Aswini.S
III MCA
INTRODUCTION
• Ethical hacking, also known as penetration testing, intrusion testing or red teaming, has become a major concern for businesses and governments.
• Companies are worried about the possibility of being "hacked", and potential customers are worried about maintaining control of their personal information.
• Hence the need for computer security professionals who break into the organisation's own systems to find the weaknesses first.
INTRODUCTION
• Ethical hackers employ the same tools and techniques as the intruders.
• They neither damage the target systems nor steal information.
• The result is not an automated hacker program; rather it is an audit that both identifies the vulnerabilities of a system and provides advice on how to eliminate them.
PLANNING THE TEST
Aspects that should be focused on:
• Who should perform the penetration testing?
• How often do the tests have to be conducted?
• What are the methods of measuring and communicating the results?
• What if something unexpected happens during the test and brings the whole system down?
• What are the organization's security policies?
The minimum security policies that an organization should possess
• Information policy
• Security policy
• Computer use
• User management
• System administration procedures
• Incident response procedures
• Configuration management
• Design methodology
• Disaster methodology
• Disaster recovery plans.
Ethical hacking - a dynamic process
• Running through the penetration test once gives only the current set of security issues, which are subject to change.
• Penetration testing must be continuous to ensure that system movements and newly installed applications do not introduce new vulnerabilities into the system.
Who are ethical hackers
The skills ethical hackers should possess
• They must be completely trustworthy.
• They should have very strong programming and computer networking skills and have been in the networking field for several years.
Who are ethical hackers
• They should have a great deal of patience.
• Continuous updating of their knowledge of computer and network security is required.
• They should know the techniques of the criminals, how their activities might be detected and how to stop them.
Choice of an ethical hacker
• An independent external agency (black box testing).
• Expertise from within your own organization (white box testing).
AREAS TO BE TESTED
• Application servers
• Firewalls and security devices
• Network security
• Wireless security
Red Team - Multilayered Assessment
• Various areas of security are evaluated using a multilayered approach.
• Each area of security defines how the target will be assessed.
• An identified vulnerability at one layer may be protected at another layer, minimizing the associated risk of the vulnerability.
Information security (INFOSEC) - A revolving process
Attacks on Websites: Denial of service attack
• Some hackers hack your websites just because they can.
• They try to do something spectacular to exhibit their talents.
• There comes the denial of service attack.
• During the attacks, customers were unable to reach the websites, resulting in loss of revenue and "mind share".
• On January 17, 2000, a U.S. Library of Congress website was attacked.
The ethical hack itself
• Testing itself poses some risk to the client.
• A criminal hacker monitoring the transmissions of the ethical hacker could capture the information.
• The best approach is to maintain several addresses around the internet from which the ethical hackers originate.
• Additional intrusion monitoring software can be deployed at the target.
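The two mitigations on this slide (known tester origin addresses, plus extra monitoring at the target) work together: if the target knows which addresses the ethical hackers will use and when, its monitoring can separate the testers' traffic from anyone else who shows up during the test. The script below is an added example, not part of the original slides; the log format, the source ranges and the test window are all constructed for the example.

```python
"""Separate authorised penetration-test traffic from unknown sources.

Added example (not from the original slides): the target keeps the list of
addresses the ethical hackers agreed to originate from, plus the agreed test
window. Monitoring then flags any connection from an address outside that
list, so a third party riding along on the test is not mistaken for the
testers, and tester traffic outside the window is flagged for follow-up too.
The log layout below is a constructed one for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Constructed engagement data: addresses the testers agreed to use and the
# window in which the test is scheduled (both assumptions for the example).
AUTHORISED_SOURCES = [ip_network("203.0.113.0/28"), ip_network("198.51.100.7/32")]
TEST_WINDOW = (datetime(2005, 9, 1, 9, 0), datetime(2005, 9, 1, 18, 0))

# Constructed log lines in a simple "timestamp src dst port action" layout.
SAMPLE_LOG = """\
2005-09-01T09:15:02 203.0.113.5 10.0.0.10 443 ACCEPT
2005-09-01T10:02:41 198.51.100.7 10.0.0.10 22 ACCEPT
2005-09-01T10:03:10 192.0.2.44 10.0.0.10 22 ACCEPT
2005-09-01T19:30:00 203.0.113.5 10.0.0.10 443 ACCEPT
2005-09-01T11:00:00 192.0.2.44 10.0.0.11 3389 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")


@dataclass
class Event:
    when: datetime
    src: str
    dst: str
    port: int
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def is_authorised_source(src: str) -> bool:
    """True if the source address falls inside one of the agreed tester ranges."""
    addr = ip_address(src)
    return any(addr in net for net in AUTHORISED_SOURCES)


def classify(event: Event) -> str:
    """Return 'tester', 'tester-outside-window' or 'unknown' for one event."""
    in_window = TEST_WINDOW[0] <= event.when <= TEST_WINDOW[1]
    if is_authorised_source(event.src):
        return "tester" if in_window else "tester-outside-window"
    return "unknown"


def triage(text: str) -> dict[str, list[Event]]:
    """Bucket every parsed event by classification."""
    buckets: dict[str, list[Event]] = {
        "tester": [], "tester-outside-window": [], "unknown": []
    }
    for ev in parse_log(text):
        buckets[classify(ev)].append(ev)
    return buckets


if __name__ == "__main__":
    for label, evs in triage(SAMPLE_LOG).items():
        print(f"{label}: {len(evs)}")
        for ev in evs:
            print(f"  {ev.when.isoformat()} {ev.src} -> {ev.dst}:{ev.port} {ev.action}")
```

On the constructed sample, the two connections from 192.0.2.44 land in the "unknown" bucket (they are not from any agreed tester range), and the 19:30 connection from an agreed range is flagged as tester traffic outside the window; both kinds deserve a question to the testing team before they are written off as part of the test.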
IBM's Immune System for Cyberspace
Any combination of the following may be used:
• Remote network.
• Remote dial-up network.
• Local network.
• Stolen laptop computer.
• Social engineering.
• Physical entry.
Competitive Intelligence
• A systematic and ethical program for maintaining external information that can affect your company's plans.
• It is the legal collection and analysis of information regarding the vulnerabilities of business partners.
• The same information used to aid a company can be used to compete with the company.
• The way to protect the information is to be aware of how it may be used.
Information Security Goals
• Improve IS awareness.
• Assess risk.
• Mitigate risk immediately.
• Assist in the decision making process.
• Conduct drills on emergency response procedures.
Conclusions
• Never underestimate the attacker or overestimate our existing posture.
• A company may be a target not just for its information but potentially for its various transactions.
• To protect against an attack, understanding where the systems are vulnerable is necessary.
• Ethical hacking helps companies first comprehend their risks and then manage them.
Conclusions
• Security professionals are always one step behind the hackers and crackers.
• Plan for the unplanned attacks.
• The role of ethical hacking in security is to provide customers with awareness of how they could be attacked and why they are targeted.
"Security, though a pain, is necessary."
Thank You
