1 / 18

Chapter 1

Chapter 1. Introduction to Ethical Hacking, Ethics, and Legality. Defining Hacking. Defining Ethical Hacking Hacking for defensive purposes White Hats, Black Hats, Gray Hats Hacktivists : Hacking for a cause Script Kiddies: Use other’s tools Testing White Box: Know everything

rusk
Télécharger la présentation

Chapter 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 1 Introduction to Ethical Hacking, Ethics, and Legality

  2. Defining Hacking • Defining Ethical Hacking • Hacking for defensive purposes • White Hats, Black Hats, Gray Hats • Hacktivists: Hacking for a cause • Script Kiddies: Use other’s tools • Testing • White Box: Know everything • Black Box: Know only company name • Gray Box: between white box and black box, from inside • Security Elements • CIA: Confidentiality, Integrity, Authenticity/Availability

  3. Hacking Terminology • Threat • Exploit • Vulnerability • Target of Evaluation • Attack • Remote vs Local

  4. Hacking Phases • 1. Reconnaissance • 2. Scanning • 3. Gaining Access • 4. Maintaining Access • 5. Covering Tracks

  5. 1. Reconnaissance • Two Basic Types • Passive: dumpster diving, shoulder surfing, eavesdropping, gathering data from a whois tool, DNS, and network scanning, find active machines, open ports & apps • Active: probing, social engineering,

  6. 2. Scanning • Dialers • Port Scanners • ICMP Scanners • PING Sweeps • Network Mappers • SNMP Sweepers • Vulnerability Scanners

  7. 3. Gaining Access • Buffer overflows • Denial of Service • Session Hijacking

  8. 4. Maintaining Access • Planting • Backdoors • Rootkits • Trojans • Making a zombie

  9. 5. Covering Tracks • Steganography • Snow.exe: ASCII files • Stealth: PGP files • ImageHide: Text files • Tunneling Protocols • ITunnel, Ptunnel • Altering Log Files • Elsave, WinZapper

  10. Types of Hacking Technologies • Operating Systems • Default setting, bugs • Applications • Default settings, bugs • Shrink-Wrap code • Enabled features that aren’t used but left open • Misconfigurations

  11. Types of Attacks • Remote Network • Remote Dial-Up Network • Local Network • Stolen Equipment • Social Engineering • Physical Entry • Operating System • Application Level • Shrink wrap and malicious code attacks • Misconfiguration attacks

  12. Being Ethical • Gain Authorization • Maintain/follow nondisclosure agreement • Maintain confidentiality • Perform test – but do no evil

  13. Phases of Security Examining • EC-Council’s 3 Phrases • 1. Preparation • 2. Conduct • 3. Conclusion

  14. Laws • No U.S. laws prior to 1984 outlawing crimes committed with or against a computer • Who investigates? • Financial computer crimes -> U.S. Secret Service • All other computer crimes -> Federal Bureau of Investigation • Computer Fraud and Abuse Act – 1986 / 1996 • 18 U.S.C. 1030: Fraud and Related activity in connection with computers • 18 U.S.C. 1029: Fraud and Related activity in connection with Access Devices

  15. Laws (cont) • Computer Misuse Act of 1990 (United Kingdom) • Freedom of Information Act (FOIA) • USA Patriot Act - 2001

  16. Laws (cont) • Cyber Security Enhancement Act of 2002 • SPY ACT 2007 • 18 U.S.C. 1028: deals with fraud related to possession of false identification documents • 18 U.S.C. 1362: Destruction of Communication Lines, Stations, or Systems • 18 U.S.C. 2510: Wire and Electronic Communications Interception and Interception of Oral Communication • 18 U.S.C. 2701: Stored wire and electronic communications, and transactional records access

  17. Laws (cont) • Human Rights Act 1998 (U.K.) • judges are not allowed to override the Act. However, they can issue a declaration of incompatibility • makes available in UK courts a remedy for breach of a Convention right, without the need to go to the European Court of Human Rights. • totally abolished the death penalty in UK law. • FMFIA of 1982 • 2004 CAN SPAM Act

  18. Laws (cont) • Federal Information Security Mgt Act (FISMA) • Privacy Act of 1974 • Gov’t Paperwork Elimination Act (GPEA) • Stalking Amendment Act 1999 (Australia) • Equal Credit Opportunity Act (ECOA) • Prohibits creditors from collecting data from applicants, such as national origin, caste, religion

More Related