#Post#: 181--------------------------------------------------
ETHICAL HACKING BASICS
By: eba95 Date: August 2, 2010, 8:39 pm
---------------------------------------------------------
Introduction

This lesson introduces you to the world of ethical hacking. Ethical hacking is a form of legal hacking that is done with the permission of an organization to help increase its security. This lesson discusses many of the business aspects of penetration (pen) testing. Information about how to perform a pen test, what types can be performed, what the legal requirements are, and what type of report should be delivered are all basic items that you will need to know before you perform any type of security testing. However, first, you need to review some security basics. This lesson starts with a discussion of confidentiality, integrity, and availability. Finally, the lesson finishes up with the history of hacking and a discussion of some of the pertinent laws.

NOTE

Nothing learned in this class is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure that you have written permission from the proper individuals before you use any of the tools or techniques described within. Always obtain permission before installing any of these tools on a network.
Security Fundamentals

Security is about finding a balance, as all systems have limits. No one person or company has unlimited funds to secure everything, and we cannot always take the most secure approach. One way to secure a system from network attack is to unplug it and make it a standalone system. Although this system would be relatively secure from Internet-based attackers, its usability would be substantially reduced. The opposite approach of plugging it in directly to the Internet without any firewall, antivirus, or security patches would make it extremely vulnerable, yet highly accessible. So, here again, you see that the job of security professionals is to find a balance somewhere between security and usability. Figure 1.1 demonstrates this concept.

To find this balance, you need to know what the goals of the organization are, what security is, and how to measure the threats to security. The next section discusses the goals of security.
Goals of Security

Objective: Understand the security triangle, also known as CIA (confidentiality, integrity, and availability).

There are many ways in which security can be achieved, but it's universally agreed that the security triad of confidentiality, integrity, and availability (CIA) forms the basic building blocks of any good security initiative.

Confidentiality addresses the secrecy and privacy of information. Physical examples of confidentiality include locked doors, armed guards, and fences. Logical examples of confidentiality can be seen in passwords, encryption, and firewalls. In the logical world, confidentiality must protect data in storage and in transit. For a real-life example of the failure of confidentiality, look no further than the recent news reports that have exposed how several large-scale breaches in confidentiality were the result of corporations, such as Time Warner and City National Bank, misplacing or losing backup tapes with customer accounts, names, and credit information. The simple act of encrypting the backup tapes could have prevented or mitigated the damage.
Integrity is the second piece of the CIA security triad. Integrity provides for the correctness of information. It allows users of information to have confidence in its correctness. Correctness doesn't mean that the data is accurate, just that it hasn't been modified in storage or transit. Integrity can apply to paper or electronic documents. It is much easier to verify the integrity of a paper document than an electronic one. Integrity in electronic documents and data is much more difficult to protect than in paper ones. Integrity must be protected in two modes: storage and transit. Information in storage can be protected if you use access and audit controls. Cryptography can also protect information in storage through the use of hashing algorithms. Real-life examples of this technology can be seen in programs such as Tripwire, MD5Sum, and Windows File Protection (WFP). Integrity in transit can be ensured primarily by the protocols used to transport the data. These security controls include hashing and cryptography.
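The storage-integrity idea above (a Tripwire- or md5sum-style baseline of file hashes, later re-checked to spot changes) is shown here as an added example; it is not code from the original post or from any of the tools it names. It uses SHA-256 rather than MD5, builds a constructed temporary directory as its sample input, and reports each file as ok, modified, missing, or new.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algorithm="sha256"):
    """Record a digest for every regular file under root: the known-good state."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, baseline, algorithm="sha256"):
    """Compare the current tree with the baseline and report a status per file."""
    current = build_baseline(root, algorithm)
    report = {}
    for name, digest in baseline.items():
        if name not in current:
            report[name] = "missing"
        elif current[name] != digest:
            report[name] = "modified"   # content changed since the baseline
        else:
            report[name] = "ok"
    for name in current:
        if name not in baseline:
            report[name] = "new"        # file that was not in the baseline
    return report

def demo():
    """Constructed scenario: baseline three files, then alter the tree."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.ini").write_text("debug=false\n")
        (root / "hosts.txt").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("hello\n")
        baseline = build_baseline(root)
        (root / "config.ini").write_text("debug=true\n")   # modified
        (root / "readme.txt").unlink()                     # missing
        (root / "extra.bin").write_bytes(b"\x00\x01")      # new
        return verify(root, baseline)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:8} {name}")
```

The baseline itself must be kept somewhere the monitored system cannot alter it, otherwise an attacker who changes a file can simply update its recorded hash as well.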
Availability is the third leg of the CIA triad. Availability simply means that when a legitimate user needs the information, it should be available. As an example, access to a backup facility 24x7 does not help if there are no updated backups from which to restore. Backups are one of the ways that availability is ensured. Backups provide a copy of critical information should files and data be destroyed or equipment fail. Failover equipment is another way to ensure availability. Systems such as redundant array of inexpensive disks (RAID) and subscription services such as redundant sites (hot, cold, and warm) are two other examples. Disaster recovery is tied closely to availability, as it's all about getting critical systems up and running quickly. Denial of service (DoS) is an attack against availability. Although these attacks might not give access to the attacker, they do deny legitimate users the access they require.