Chapter 1. Hacking: The Next Generation

This book will cover a wide range of techniques and technologies that hackers can use to compromise a system in one way or another. Before you go further, it is important to first understand what hackers are and where they come from.

The first generation of hackers who emerged in the 1960s were individuals who would be called "geeks" or technology enthusiasts today. These early hackers would go on to create the foundation for technologies such as the ARPANET, which paved the way for the Internet. They also initiated many early software-development movements that led to what is known today as open source. Hacking was motivated by intellectual curiosity; causing damage or stealing information was "against the rules" for this small number of people.

In the 1980s, hackers started gaining more of the negative connotations by which the public now identifies them. Movies such as War Games and media attention started altering the image of a hacker from a technology enthusiast to a computer criminal. During this time period, hackers engaged in activities such as theft of service by breaking into phone systems to make free phone calls. The publishing of books such as The Cuckoo's Egg and the emergence of magazines such as Phrack cast even more negative light on hackers. In many respects, the 1980s formed the basis for what a hacker is today.

Over the past two decades, the definition of what a hacker is has evolved dramatically from what was accepted in the 1980s and even the 1990s. Current hackers defy easy classification and require categorization into several groups to better match their respective goals. Here is a brief look at each of the groups to better understand what the information technology industry is dealing with:

  • Script kiddies—These hackers occupy the lowest level of the hacker hierarchy. They typically possess very basic skills and rely upon existing tools that they can locate on the Internet. These hackers are the beginners and may or may not understand the impact of their actions in the larger scheme of things. It is important, however, not to underestimate the damage these individuals can cause; they can still do a great deal of harm.

  • White-hat hackers—These individuals know how hacking works and the danger it poses, but use their skills for good. They adhere to an ethic of "do no harm." White-hat hackers are sometimes also referred to as ethical hackers, which is the name most widely known by the general public.

  • Gray-hat hackers—Hackers in this class are "rehabilitated" hackers or those who once were on "the dark side," but are now reformed. For obvious reasons, not all people will trust a gray-hat hacker.

  • Black-hat hackers—A black-hat hacker has, through actions or stated intent, indicated that his or her hacking is designed to break the law, disrupt systems or businesses, or generate an illegal financial return. Hackers in this class should be considered to be "up to no good," as the saying goes. They may have an agenda or no agenda at all. In most cases, black-hat hackers and outright criminal activity are not too far removed from one another.

The purpose of this book is to teach you how to ensure the security of computers and networks by learning and understanding the mindset of individuals out to compromise those systems. To defend information technology assets, you need to understand the motivations, tools, and techniques that attackers commonly use.

Profiles of Hackers, Crackers, and Cybercriminals

In today's world, organizations have quickly learned that they can no longer afford to underestimate or ignore the threat attackers pose. Organizations of all sizes have learned to reduce threats through a combination of technological, administrative, and physical measures designed to address a specific range of problems. Technological measures include devices and techniques such as virtual private networks (VPNs), cryptographic protocols, intrusion detection systems (IDS), intrusion prevention systems (IPS), access control lists (ACLs), biometrics, smart cards, and other devices. Administrative controls include policies, procedures, and other rules. Physical measures include devices such as cable locks, device locks, alarm systems, and other similar devices. Keep in mind that each of these measures, even if expensive, can be cheaper and more effective than cleaning up the aftermath of an intrusion.

When discussing attacks and attackers, security professionals must assess and evaluate the threat thoroughly, which includes considering where it comes from. When evaluating the threats against an organization and possible sources of attack, always consider the fact that attackers can come from both outside and inside the organization. A single disgruntled employee can cause tremendous amounts of damage because he or she is an approved user of the system. In just about any given situation, the attacks originating from outside the firewall will greatly outnumber the attacks that originate from the inside. However, an insider may go unnoticed longer and may also know ahead of time how things work, which can result in a more effective attack.

Note

Never underestimate the damage a determined individual can do to computer systems. For example, Michael Calce, commonly known as MafiaBoy, was an individual who in February 2000 launched a series of denial of service (DoS) attacks that were responsible for causing damages estimated upwards of $1.2 billion.

Note

Both insiders and outsiders rely on exploits of some type. Remember that an exploit refers to a piece of software, a tool, or a technique that targets or takes advantage of a vulnerability—leading to privilege escalation, loss of integrity, or denial of service on a computer system.

Because the risk to any organization is very real, it is up to each organization to determine the controls that will be most effective in reducing or mitigating the threats it faces. When considering controls, you can examine something called the TAP principle of controls. TAP is an acronym for technical, administrative, and physical, the three types of controls you can use in risk mitigation. Here's a look at each type with a few examples:

  • Technical—Technical controls take the form of software or hardware such as firewalls, proxies, intrusion detection systems (IDS), intrusion prevention systems (IPS), biometric authentication, permissions, auditing, and similar technologies.

  • Administrative—Administrative controls take the form of policies and procedures. An example is a password policy that defines what makes a good password. In numerous cases, administrative controls may also fulfill legal requirements, such as policies that dictate privacy of customer information. Other examples of administrative policy include the rules governing the hiring and firing of employees.

  • Physical—Physical controls are those that protect assets from traditional threats such as theft or vandalism. Mechanisms in this category include locks, cameras, guards, lighting, fences, gates, and other similar devices.

The Hacker Mindset

Like many criminals, black-hat hackers do not consider their activities to be illegal or even morally wrong. Depending on whom you ask, you can get a wide range of responses from hackers on how they view their actions. It is also not unheard of for hackers or criminals to have a code of ethics that they hold sacred but that seems more than a little skewed to others. In defense of their actions, hackers have been known to cite all sorts of reasons, including the following:

  • The no-harm-was-done fallacy—If one enters a system, even in an unauthorized manner, it is OK as long as nothing is stolen or damaged in the process.

  • The computer game fallacy—If the computer or system did not take any action or have any mechanism to stop the attack, it must be OK.

  • The law-abiding citizen fallacy—Writing a virus is not illegal, so it must be OK.

  • The shatterproof fallacy—Computers cannot do any real harm. The worst that can happen is a deleted file or erased program.

  • The candy-from-a-baby fallacy—If it is so easy to copy a program or download a song, how can it be illegal?

  • The hacker fallacy—Information should be free. No one should have to pay for books or media. Everyone should have free access.

Note

Although it is true that the mere act of writing a computer virus is not illegal, releasing it into the "wild" is illegal.

Note

Although it is true that applications or data can be erased or modified, worse scenarios can happen under the right circumstances. For example, consider what could happen if someone broke into a system such as a 911 emergency service and then maliciously or accidentally took it down.

Another example of attempting to explain the ethics applied to hackers is known as the hacker ethic. This set of standards dates to Steven Levy in the 1960s. In the preface of his book, Hackers: Heroes of the Computer Revolution, Levy stated the following:

  • Access to computers and anything that might teach you something about the way the world works should be unlimited and total.

  • All information should be free.

  • Authority should be mistrusted, and decentralization should be promoted.

  • Hackers should be judged by their hacking, not criteria such as degrees, age, race, gender, or position.

  • You can create art and beauty on a computer.

  • Computers can change your life for the better.

Ethics are an important component in understanding what makes a hacker, but far from the only component. One must also consider motivation. Anyone who has watched a police drama or is a fan of detective stories knows that there are three things needed to commit a crime:

  • Means—Does the attacker possess the ability to commit the crime in question?

  • Motive—Does the attacker have a reason to engage in the commission of the crime?

  • Opportunity—Does the attacker have the necessary access and time to commit the crime?

Focusing on the second point—motive—helps explain why an attacker might engage in hacking activities. The early "pioneers" of hacking engaged in those activities out of curiosity. Today's hackers can have any number of motives, many of which are similar to those for traditional crimes:

  • Monetary—Attacks committed with the intention of reaping financial gains.

  • Status—Attacks committed with the intention of gaining recognition and, by extension, increased credibility within a given group (for example, a hacking group).

  • Terrorism—Attacks designed to scare, intimidate, or otherwise cause panic in the victim or target group.

  • Revenge or grudge—Attacks conceived and carried out by individuals who are angry at an organization. Attacks of this nature are often launched by disgruntled employees or customers.

  • Hacktivism—Attacks that are carried out to bring attention to a cause, group, or political ideology.

  • Fun—Attacks that are launched with no specific goal in mind other than to just carry out an attack. These attacks can be indiscriminate in their execution.

No matter what the hackers' motivations are, any of them might result in the commission of a computer-based crime. For example, attackers may hack a game server to boost their stats in an online game against their friends, but they still have entered a server without authorization.

A sampling of common attacks that fit the definition of computer crime includes the following:

  • Theft of access—Stealing passwords, stealing usernames, and subverting access mechanisms to bypass normal authentication. In a number of situations, the very act of possessing stolen credentials such as passwords may be enough to bring formal charges.

  • Network intrusions—Accessing a system of computers without authorization. Intrusions may not even involve hacking tools; the very act of logging into a guest account may be sufficient to be considered an intrusion.

  • Emanation eavesdropping—Sniffing devices for intercepting radio frequency (RF) signals generated by computers or terminals. Years ago, the U.S. Department of Defense established a classified program codenamed TEMPEST that was designed to shield or suppress electronic emanations to protect sensitive and classified government information.

  • Social engineering—Basically, telling lies to manipulate people into divulging information they otherwise would not provide. Information such as passwords, PINs (personal identification numbers), or other details can be used to attack computer-based systems. Although not necessarily a crime in every specific situation, social engineering methods such as pretexting (tricking an individual to reveal information under false pretenses) are often illegal.

  • Posting and/or transmitting illegal material—Distributing pornography to minors is illegal in numerous jurisdictions, as is possessing or distributing child pornography.

  • Fraud—Intentional deception designed to produce illegal financial gain or to damage another party.

  • Software piracy—The possession, duplication, or distribution of software in violation of a license agreement, or the act of removing copy protection or other license-enforcing mechanisms.

  • Dumpster diving—Gathering material that has been discarded or left in unsecured or unguarded receptacles. Dumpster diving often enables discarded data to be pieced together to reconstruct sensitive information.

  • Malicious code—Software written with a deliberate purpose to cause damage, destruction, or disruption. Examples include viruses, worms, spyware, and Trojan horses.

  • Denial of service (DoS) and distributed denial of service (DDoS) attacks—Overloading a system's resources so it cannot provide the required services. Both DoS and DDoS have the same effect, except that distributed denial of service (DDoS) is launched from large numbers of hosts that have been compromised and act after receiving a particular command.

  • IP address spoofing—Substituting a forged IP address for a valid address in network traffic or a message to disguise the true location of the message or person. This attack method may also be used as a component of other larger attacks such as DoS or DDoS attacks.

  • Unauthorized destruction or alteration of information—Modifying, destroying, or tampering with information without appropriate permission. This can involve manual or automated tools that have been developed for this purpose to change information at rest or in motion.

  • Embezzlement—A form of financial fraud that involves theft or redirection of funds as a result of violating a position of trust.

  • Data-diddling—The unauthorized modification of data used to forge or counterfeit information. Examples include changing performance review marks, adjusting expense account limits, or "tweaking" reports after the fact.

  • Logic bomb—A piece of code designed to cause harm, a logic bomb is intentionally inserted into a software system and will activate upon the occurrence of some predetermined date, time, or event.

A Look Back at the History of Computer Hacking

Typical early hackers were technology enthusiasts who were curious about the new technology of networks and computers and wanted to see just how far they could push its capabilities. In the decades since, hacking has changed quite a bit—getting more advanced and cleverer as the technology advanced. For example, in the 1970s, when mainframes were more common in corporate and university environments, hacking was mostly confined to those systems. The 1980s saw the emergence of personal computers (PCs), which meant every user had a copy of an operating system. As these systems were very similar, a hack that worked on one machine would work on nearly every other PC as well. Although the first Internet worm in November 1988 exploited a weakness in the UNIX sendmail command, worm and virus writers moved their attention to the world of PCs, where most infections occur today.

As hackers evolved, so did their attacks, as their skills and creativity increased. The first World Wide Web browser, Mosaic, was introduced in 1993. By 1995, hackers began defacing Web sites. Some of the earliest hacks were quite funny, if not somewhat offensive or vulgar. In August 1995, hackers defaced the MGM Web site for the movie "Hackers," suggesting readers attend the DEFCON hacker conference instead. A 1996 hack of the Department of Justice Web site replaced Attorney General Janet Reno's picture with that of Adolf Hitler. The next month, hackers defaced the CIA Web site, and later that year the Air Force Web site featured a link to Area 51, a secret government site in Nevada, long linked in the popular mind to UFOs. By May 2001, Web sites were being hacked at such a rate that the group that documented them gave up trying to keep track (see http://attrition.org/mirror/attrition/).

By the turn of the century, hacks started to progress from pranks to maliciousness. DoS attacks took out companies' Internet access, affecting stock prices and causing financial damage. As Web sites began to process more credit card transactions, their back-end databases became prime targets for attacks. As computer-crime laws came into being, the bragging rights for hacking a Web site became less attractive—sure, a hacker could show off to friends, but that didn't produce a financial return. With online commerce, skills started going to the highest bidder, with crime rings, organized crime, and nations with hostile interests utilizing the Internet as an attack route.

Numerous products emerged in the 1990s and early 2000s—antivirus, firewalls, intrusion detection systems, and remote access controls—each designed to counter an increasing number of new and diverse threats.

As technology, hackers, and countermeasures improved and evolved, so did the types of attacks and strategies that initially spawned them. As is true in the security field and the technology field as a whole, new developments move rapidly, and old defensive measures lose their effectiveness as time marches on. Attackers started introducing new threats in the form of worms, spam, spyware, adware, and rootkits. These attacks went beyond harassing and irritating the public; they also caused widespread disruptions by attacking the technologies that society increasingly depended on.

Hackers also started to realize that it was possible to use their skills to generate money in all sorts of interesting ways. For example, attackers have used techniques to redirect Web browsers to specific pages that generate revenue for themselves. Another example is a spammer sending out thousands upon thousands of e-mail messages that advertise a product or service. Because sending out bulk e-mail costs mere pennies, it takes only a small number of purchasers to make a nice profit.

Keep in mind that in the security field, there is an ongoing battle between attacker and defender to establish dominance. Attackers change their tactics in an effort to keep their attacks as fresh and effective as possible, while defenders improve and adapt their defenses to counter the attacks as well as anticipate and thwart new ones.

Over the past few years, the hacking community has adopted a new team ethic or work style. In the past, it was normal for a "lone wolf" type to engage in hacking activities. Over the last few years, there is a new pattern of collective or group effort. Attackers have found that working together can provide greater results than one individual carrying out an attack alone. Such teams increase their effectiveness not only by sheer numbers, diversity, or complementary skills, but also by adding clear leadership structures. Also of concern is the very real possibility that a given group of hackers may be receiving financing from nefarious sources such as criminal organizations or terrorists. The proliferation of technology and increasing dependence on it has proved an irresistible target for criminals.

Security and technology professionals are on the front lines and as such must be aware of and deal with increasingly complex crimes. One of the biggest challenges security professionals face is staying current on the latest technologies, trends, and threats that appear in an ever-changing landscape. To be effective, security professionals must continually expand their understanding of many diverse but related areas such as ethical hacking, ethics, legal issues, cybercrime, forensic techniques, incident response, and other technologies.

Additionally, security professionals must strive to understand the reasons and motivations behind the hacker or criminal mindset. Understanding the motivations can, in some cases, yield valuable insight into why a given attack has been committed or may be committed.

As stated earlier, hacking is by no means a new phenomenon; instead it has existed in one form or another since the 1960s. It is only for a portion of the time since then that hacking has been viewed as a crime and a situation that must be addressed.

Here's a look at some famous hacks over time:

  • In 1988, Cornell University student Robert T. Morris Jr. created what is considered to be the first Internet worm. According to Morris, his worm was designed to count the number of systems connected to the Internet. Due to a design flaw, the worm replicated quickly and indiscriminately, causing widespread slowdowns across the globe. Morris was eventually convicted under the 1986 Computer Fraud and Abuse Act and was sentenced to community service in lieu of any jail time. (Interestingly, his father, Robert Morris Sr., was the chief scientist of the National Security Agency at the time).

  • In December 1999, David L. Smith created the Melissa virus, which was designed to e-mail itself to entries in a user's address book and later delete files on the infected system. Smith was convicted on charges of computer fraud and theft of services, and served 20 months in prison as well as being ordered to pay $5,000 in fines and penalties for the damages he caused.

  • In February 2001, Jan de Wit authored the Anna Kournikova virus, which was designed to read all the entries of a user's Outlook address book and e-mail itself out to each. De Wit was ultimately sentenced to 150 hours of community service and 75 days in jail.

  • In December 2004, Adam Botbyl and two friends conspired to steal credit card information from the Lowe's hardware chain. The three were charged with several counts of theft and fraud, but ultimately only Botbyl served any time.

  • In September 2005, Cameron Lacroix (nickname "cam0") hacked into the phone of celebrity Paris Hilton and also participated in an attack against the site LexisNexis, an online public record aggregator, ultimately exposing thousands of personal records. Mr. Lacroix was charged with computer fraud and was sentenced to 11 months in a juvenile detention facility as a result of his actions.

Note

People have written worms and viruses over the years for any number of reasons. Some reasons for creating malicious code have included curiosity, monetary gain, ego, thrill seeking, desire for fame, and revenge; and in a handful of cases to impress, or get revenge against, a former lover.

The previous examples represent some of the higher-profile incidents that have occurred, but for every news item or story that makes it into the public consciousness, many more never do. For every hacking incident that is made public, only a small portion of perpetrators are caught, and an even smaller number ever get prosecuted for cybercrime. In any case, hacking is indeed a crime, and engaging in such activities can be prosecuted under any number of laws. The volume, frequency, and seriousness of attacks have only increased and will continue to do so as technology evolves even more.

Ethical Hacking and Penetration Testing

As a security professional, two of the terms you will encounter early on are ethical hacker and penetration testing. Today's security community includes different schools of thought on what constitutes each. It's important to separate and clarify these two terms to understand each and where they fit into the big picture.

Engaging in any hacking activity without the explicit permission of the owner of the target you are attacking is a crime, whether you get caught or not. From everything discussed so far, you might think that hacking is not something you can engage in legally or for any benign reason whatsoever, but this is far from the truth. It is possible to engage in hacking for good reasons (for example, when a network owner contracts with a security professional to hack systems to uncover vulnerabilities that should be addressed). Notice the important phrases "network owner contracts" and "explicit permission": Ethical hackers engage in their activities only with the permission of the asset owner.

Note

In today's environment, those wishing to become ethical hackers have many options that were unavailable before. They can pursue certification classes and participate in boot camps as part of a diverse development course to hone their skills. Always remember that the main characteristic that separates black hats from white hats is compliance with the law.

Once ethical hackers have the necessary permissions and contracts in place, they can engage in penetration testing, which is the structured and methodical means of investigating, uncovering, attacking, and reporting on a target system's strengths and vulnerabilities. Under the right circumstances, penetration testing can provide a wealth of information that the system owner can use to adjust defenses.

Penetration testing can take the form of black-box or white-box testing, depending on what is being evaluated and what the organization's goals are. Black-box testing is most often used when an organization wants to closely simulate how an attacker views a system, so no knowledge of the system is provided to the testing team. In white-box testing, advance knowledge of the system is provided to the testing team. In either case, an attack is simulated to determine what would happen to an organization if an actual attack had occurred.

Penetration tests are also commonly used as part of a larger effort commonly known as an IT audit, which evaluates the overall effectiveness of the IT system controls that safeguard the organization. An IT audit is usually conducted against some standard or checklist that covers security protocols, software development, administrative policies, and IT governance. However, passing an IT audit does not mean that the system is completely secure, as audit checklists often trail new attack methods by months or years.

The Role of Ethical Hacking

An ethical hacker's role is to take the skills he or she has acquired and use that knowledge, together with an understanding of the hacker mindset, to simulate a hostile attacker. It is often said that to properly and completely defend oneself against an aggressor, you must understand how that aggressor thinks, acts, and reacts. The idea is similar to military training exercises in which elite units are trained in the tactics of a hostile nation in order to give other units the ability to train and understand the enemy without risking lives.

Here are a few key points about ethical hacking that are important to the process:

  • It requires the explicit permission of the "victim" before any activity can take place.

  • Participants use the same tactics and strategies as regular hackers.

  • It can harm a system if you don't exercise proper care.

  • It requires detailed advance knowledge of the actual techniques a regular hacker will use.

  • It requires that rules of engagement or guidelines be established prior to any testing.

Note

Ethical hackers can be employed to test a specific feature of a group of systems, or even the security of a whole organization. It depends on the specific needs of a given organization. In fact, some organizations keep people on staff specifically to engage in ethical hacking activities.

Under the right circumstances and with proper planning and goals, ethical hacking or penetration testing can provide a wealth of valuable information to the target organization ("client") about security issues that need addressing. The client should take these results, prioritize them, and take appropriate action to improve security. Effective security must still allow the system to provide the functionality and features needed for business to continue. However, a client may choose not to take action for a variety of reasons. In some cases, problems uncovered may be considered minor or low risk and left as is. If the problems uncovered require action, the challenge is to ensure that if security controls are modified or new ones put in place, existing usability is not decreased. Security and convenience are often in conflict with one another—the more secure a system becomes, the less convenient it tends to be (Figure 1-1). A great example of this concept is to look at authentication mechanisms. As a system moves from passwords to smartcards to biometrics, it becomes more secure—but at the same time users may have to take longer to authenticate, which may cause some disgruntlement.

Figure 1-1. Usability versus security.

From the theoretical side, ethical hackers are tasked with evaluating the overall state of something known as the C-I-A triad, which represents one of the core principles of security: to preserve confidentiality, integrity, and availability:

  • Confidentiality—Safeguarding information or services against disclosure to unauthorized parties.

  • Integrity—Ensuring that information is in its intended format or state; in other words, ensuring that data is not altered.

  • Availability—Ensuring that information or a service can be accessed or used whenever requested.

Some professionals refer to this as the A-I-C triad. Another way of looking at the balance is to observe the other side of the triad and how the balance is lost. The C-I-A triad is lost if any or all of the following occurs:

  • Disclosure—Information is accessed in some manner by an unauthorized party.

  • Alteration—Information is maliciously or accidentally modified in some manner.

  • Disruption—Information and/or services are not accessible or usable when called upon.

An ethical hacker is tasked with ensuring that the C-I-A triad is preserved and threats are dealt with adequately (as required by the organization's own rules). For example, consider what could result if a health-care organization lost control of (or could not provide access to) sensitive information about patients. Such situations typically result in civil and criminal actions.

Figure 1-2 shows the C-I-A triad.

It is important to identify assets, risks, vulnerabilities, and threats. In the ethical hacking and security process, not all assets are created equal, nor do they have equal value for an organization. By definition, assets possess some value to a given organization. Asset owners evaluate each asset to determine how important it is relative to other assets and to the company as a whole. Next, the ethical hacker identifies potential threats and determines the capability of each to cause harm to the assets in question. Once assets and potential threats are identified, the ethical hacker thoroughly and objectively evaluates and documents each asset's vulnerabilities in order to understand potential weaknesses. Note that a vulnerability exists only if a particular threat can adversely affect an asset. Finally, the ethical hacker performs a risk determination for each asset individually and overall to determine the probability that a security incident could occur, given the threats and vulnerabilities in question. In a sense, risk is comparable to an individual's "pain threshold"—different individuals can tolerate different levels of pain. Risk is the same—each organization has its own tolerance of risk, even if the threats and vulnerabilities are the same.

Common Hacking Methodologies

A hacking methodology refers to the step-by-step approach an aggressor uses to attack a target such as a computer network. There is no single step-by-step approach that all hackers use; as can be expected of a group that operates outside the rules, hackers do not apply rules in the same way. A major difference between a hacker and an ethical hacker is the code of ethics to which each subscribes.

Hacking methodology generally includes the following steps (Figure 1-3):

  • Footprinting—An attacker passively acquires information about the intended victim's systems. In this context, passive information gathering means that no active interaction occurs between the attacker and the victim (for example, conducting a whois query.)

    Figure 1-2. The C-I-A triad.

    Figure 1-3. Hacking steps.

  • Scanning—An attacker takes the information obtained during the footprinting phase and uses it to actively acquire more detailed information about a victim. For example, an attacker might conduct a ping sweep of all the victim's known IP addresses to see which machines respond.

  • Enumeration—An attacker extracts more-detailed and useful information from a victim's system. Results of this step can include a list of usernames, groups, applications, banner settings, auditing information, and other similar information.

  • System hacking—An attacker actively attacks a system using a method the attacker deems useful.

  • Escalation of privilege—If this step is successful, an attacker obtains privileges on a given system higher than should be permissible. Under the right conditions, an attacker can use privilege escalation to move from a low-level account such as a guest account all the way up to administrator or system-level access.

  • Covering tracks—In most cases, an attacker tries to avoid detection, and so will cover his or her tracks by purging information from the system to destroy evidence of a crime.

  • Planting backdoors—Depending on goals, an attacker may leave behind a backdoor on the system for later use. Backdoors can be used to regain access, as well as allow any number of different scenarios to take place, such as privilege escalations or remotely controlling a system.

Performing a Penetration Test

A penetration test is the next logical step beyond ethical hacking. Although ethical hacking sometimes occurs without formal rules of engagement, penetration testing does require rules to be agreed upon in advance. If an ethical hacker chooses to perform a penetration test without having certain parameters determined ahead of time, it can lead to a wide range of unpleasant outcomes. For example, not having the rules established prior to engaging in a test could result in criminal or civil charges, depending on the injured party and the attack involved. It is also entirely possible that without clearly defined rules, an attack may result in shutting down systems or services and completely stopping a company's operations.

National Institute of Standards and Technology Publication 800-42 (NIST 800-42), Guideline on Network Security Testing, describes penetration testing as a four-step process, as shown in Figure 1-4.

When the organization decides to carry out a penetration test, the ethical hacker should pose certain questions to establish goals. During this phase, the aim should be to clearly determine why a penetration test and its associated tasks are necessary.

These questions include the following:

  • Why is a penetration test deemed necessary?

  • What is the function or mission of the organization to be tested?

  • What will be the limits or rules of engagement for the test?

  • What data and services will the test include?

  • Who is the data owner?

  • What results are expected at the conclusion of the test?

  • What will be done with the results when presented?

  • What is the budget?

  • What are the expected costs?

  • What resources will be made available?

  • What actions will be allowed as part of the test?

  • When will the tests be performed?

    Figure 1-4. Ethical hacking steps.

  • Will insiders be notified?

  • Will the test be performed as black or white box?

  • What conditions will determine the test's success?

  • Who will be the emergency contacts?

Penetration testing can take several forms. The ethical hacker must decide, along with the client, which tests are appropriate and will yield the results the clients seek.

Tests that can be part of a penetration test include the following:

  • Insider attack—This is designed to simulate the actions that a disgruntled employee or another individual who has authorized access to a system may undertake.

  • Outsider attack—This is designed to closely match an outside aggressor's attack against an organization.

  • Stolen equipment attack—This is designed to attack an organization's physical security. Actions of this type include breaking into server rooms, bypassing locks, and other similar activities.

  • Social engineering attack—In this type of attack, the target is the human being, not the technology itself. If skillfully done, the attacker can obtain information or access that the attacker would not otherwise have. The attack exploits the inherent trust and habit in human nature.

Once the organization and the ethical hacker have discussed each test, determined its suitability, and evaluated its potential advantages and side effects, they can finalize the planning and contracts and perform the testing (Figure 1-5).

When performing a penetration test, the team should generally include members with different but complementary skills. When the rules of the test have been determined, the team is selected based on the intended tests it will perform and goals it will address. Expect a team to include diverse skill sets, including detailed knowledge of routers and routing protocols. Additional skills that prove useful are those that deal with the operation and configuration of firewalls and the operation of IDS and IPS systems. Team members should also share some skills, such as knowledge of networking, Transmission Control Protocol/Internet Protocol (TCP/IP), and similar technologies.

Figure 1-5. Ethical hacking test steps.

Another important aspect of the test is whether employees will have any knowledge that the test is being performed. In some cases, keeping employees unaware of the test will yield valuable insight into how they respond to an incident. This allows for evaluation of current training.

Frameworks for the penetration test may include NIST 800-42 and 800-53, The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), or the Open Source Security Testing Methodology Manual (OSSTMM). The OSSTMM is very popular because it is an open source, peer-reviewed methodology for performing security tests and metrics.

Note

NIST Special Publication (SP) 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations, specifically requires penetration testing and requires that ethical hackers exploit vulnerabilities and demonstrate the effectiveness of in-place security controls.

The Role of the Law and Ethical Standards

When an ethical hacker engages in any hacking-related activity, it is absolutely essential that he or she know all applicable laws or seek assistance to determine what the laws may be. Never forget that due to the nature of the Internet and computer crime, it is entirely possible for any given crime to stretch over several jurisdictions, potentially frustrating any attempts to prosecute it. Additionally, prosecution can be stymied by the legal systems in different countries in which a mix of religious, military, criminal, and civil laws exist. Successful prosecution requires knowledge of the legal system in question.

Ethical hackers should exercise proper care not to violate the rules of engagement, because doing so can have repercussions. Once a client has determined what the goals and limitations of a test will be and contracted with the ethical hacker, the ethical hacker must carefully adhere to the guidelines. Remember two very important points when considering breaking guidelines:

  • Trust—The client is placing trust in the ethical hacker to use the proper discretion when performing a test. If an ethical hacker breaks this trust, it can lead to the questioning of other details, such as the results of the test.

  • Legal implications—Breaking a limit placed upon a test may be sufficient cause for a client to take legal action against the ethical hacker.

The following is a summary of laws, regulations, and directives that an ethical hacker should have a basic knowledge of:

  • 1973 U.S. Code of Fair Information Practices governs the maintenance and storage of personal information by data systems such as health and credit bureaus.

  • 1974 U.S. Privacy Act governs the handling of personal information by the U.S. government.

  • 1984 U.S. Medical Computer Crime Act addresses illegally accessing or altering medication data.

  • 1986 (amended in 1996) U.S. Computer Fraud and Abuse Act includes issues such as altering, damaging, or destroying information in a federal computer and trafficking in computer passwords if it affects interstate or foreign commerce or permits unauthorized access to government computers.

  • 1986 U.S. Electronic Communications Privacy Act prohibits eavesdropping or the interception of message contents without distinguishing between private or public systems.

  • 1994 U.S. Communications Assistance for Law Enforcement Act requires all communications carriers to make wiretaps possible.

  • 1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA) (with additional requirements added in December of 2000) addresses the issues of personal health care information privacy and health-plan portability in the United States.

  • 1996 U.S. National Information Infrastructure Protection Act—enacted in October of 1996 as part of Public Law 104-294—amended the Computer Fraud and Abuse Act, which is codified in 18 U.S.C. § 1030. This act addresses the protection of the confidentiality, integrity, and availability of data and systems. This act is intended to encourage other countries to adopt a similar framework, thus creating a more uniform approach to addressing computer crime in the existing global information infrastructure.

  • 2002 Sarbanes-Oxley Act (SOX) is a corporate governance law that affects public corporations' financial reporting. Under SOX, corporations must certify the accuracy and integrity of their financial reporting and accounting.

  • 2002 Federal Information Security Management Act (FISMA) requires every U.S. federal agency to create and implement an information security program to protect the information and information systems that agency uses. This act also requires agencies to conduct annual reviews of their information security program and submit results to the Office of Management and Budget (OMB).

CHAPTER SUMMARY

This chapter addressed ethical hacking and its value to the security professional. Ethical hackers are individuals who possess skills comparable to regular hackers, but ethical hackers engage in their activities only with permission. Ethical hackers attempt to use the same skills, mindset, and motivation as a hacker in order to simulate an attack by an actual hacker while at the same time allowing for the test to be more closely controlled and monitored. Ethical hackers are professionals who work within the confines of a set of rules of engagement that are never exceeded lest they find themselves facing potential legal action.

Conversely, regular hackers may not follow the same ethics and limitations of ethical hackers. Regular hackers may work without ethical limitations, and the results they can achieve are restricted only by the means, motives, and opportunities that are made available.

Finally, hacking that is not performed under contract is considered illegal and is treated as such. By its very nature, hacking activities can easily cross state and national borders into multiple legal jurisdictions.

KEY CONCEPTS AND TERMS

  • Asset

  • Authentication

  • Black-box testing

  • Cracker

  • Denial of service (DoS)

  • Distributed denial of service (DDoS)

  • Dumpster diving

  • Ethical hacker

  • Exploit

  • Hacker

  • Intrusion detection system (IDS)

  • Intrusion prevention system (IPS)

  • Logic bomb

  • Trojan horse

  • Vulnerability

  • White-box testing

CHAPTER 1 ASSESSMENT

  1. Which of the following represents a valid ethical hacking test methodology?

    1. HIPAA

    2. RFC 1087

    3. OSSTMM

    4. TCSEC

  2. It is most important to obtain _______ before beginning a penetration test.

  3. A security exposure in an operating system or application software component is called a _______.

  4. The second step of the hacking process is _______.

  5. When hackers talk about standards of behavior and moral issues of right and wrong, what are they referring to?

    1. Rules

    2. Standards

    3. Laws

    4. Ethics

  6. Hackers may justify their actions based on which of the following:

    1. All information should be free

    2. Access to computers and their data should be unlimited

    3. Writing viruses, malware, or other code is not a crime

    4. Any of the above

  7. The individual responsible for releasing what is considered to be the first Internet worm was:

    1. Kevin Mitnick

    2. Robert Morris, Jr.

    3. Adrian Lamo

    4. Kevin Poulsen

  8. A hacker who has the computing skills and expertise to launch harmful attacks on computer networks and who uses those skills illegally is best described as a(n):

    1. Disgruntled employee

    2. Ethical hacker

    3. White hat hacker

    4. Black hat hacker

  9. If a penetration test team does not have anything more than a list of IP addresses of the organization's network, what type of test are the penetration testers conducting?

    1. Blind assessment

    2. White box

    3. Gray box

    4. Black box

  10. How is the practice of tricking employees into revealing sensitive data about their computer system or infrastructure best described?

    1. Ethical hacking

    2. Dictionary attack

    3. Trojan horse

    4. Social engineering
