Ch 1m: Blue Frog begins its "vigilante approach" to fight spam -- July, 2005
Ch 1n: Russian spammer fights back, claims to have stolen Blue Frog's database, sends threating email -- DOS attack in progress -- May 2, 2006
Ch 1o: Blue Frog compromised and destroyed by attacks, urgent instructions to uninstall it, the owners have lost control -- May 17, 2006 Hands-On Ethical Hacking and Network Defense *
Chapter 1
Ethical Hacking Overview
Hands-On Ethical Hacking and Network Defense * Describe the role of an ethical hacker
Describe what you can do legally as an ethical hacker
Describe what you cannot do as an ethical hacker
Hands-On Ethical Hacking and Network Defense * Ethical hackers
Employed by companies to perform penetration tests
Penetration test
Legal attempt to break into a company’s network to find its weakest link
Tester only reports findings, does not solve problems
Security test
More than an attempt to break in; also includes analyzing company’s security policy and procedures
Tester offers solutions to secure or protect the network
Hands-On Ethical Hacking and Network Defense * Hackers
Access computer system or network without authorization
Breaks the law; can go to prison
Crackers
Break into systems to steal or destroy data
U.S. Department of Justice calls both hackers
Ethical hacker
Performs most of the same activities but with owner’s permission
Hands-On Ethical Hacking and Network Defense * Script kiddies or packet monkeys
Young inexperienced hackers
Copy codes and techniques from knowledgeable hackers
Experienced penetration testers write programs or scripts using these languages
Practical Extraction and Report Language (Perl), C, C++, Python, JavaScript, Visual Basic, SQL, and many others
Script
Set of instructions that runs in sequence
This class alone won’t make you a hacker, or an expert
It might make you a script kiddie
It usually takes years of study and experience to earn respect in the hacker community
It’s a hobby, a lifestyle, and an attitude
A drive to figure out how things work Hands-On Ethical Hacking and Network Defense *
Hands-On Ethical Hacking and Network Defense * Tiger box
Collection of OSs and hacking tools
Usually on a laptop
Helps penetration testers and security testers conduct vulnerabilities assessments and attacks
Hands-On Ethical Hacking and Network Defense * White box model
Tester is told everything about the network topology and technology
Network diagram
Tester is authorized to interview IT personnel and company employees
Makes tester’s job a little easier
From ratemynetworkdiagram.com (Link Ch 1g) Hands-On Ethical Hacking and Network Defense *
Hands-On Ethical Hacking and Network Defense *
Hands-On Ethical Hacking and Network Defense * Black box model
Company staff does not know about the test
Tester is not given details about the network
Burden is on the tester to find these details
Tests if security personnel are able to detect an attack
Hands-On Ethical Hacking and Network Defense * Gray box model
Hybrid of the white and black box models
Company gives tester partial information
Hands-On Ethical Hacking and Network Defense * Certification programs available in almost every area of network security
Basics:
CompTIA Security+ (CNIT 120)
Network+ (CNIT 106 or 201)
CNIT is a Prometric Vue testing center
Certification tests are given in S214
CompTIA and Microsoft
The next tests will be in the second week of April, right after Spring Break
Email sbowne@ccsf.edu if you want to take a test Hands-On Ethical Hacking and Network Defense *
* But see Run Away From The CEH Certification
Link Ch 1e on my Web page
* Designated by the Institute for Security and Open Methodologies (ISECOM)
Uses the Open Source Security Testing Methodology Manual (OSSTMM)
Test is only offered in Connecticut and outside the USA, as far as I can tell
See links Ch 1f and Ch 1h on my Web page
* Issued by the International Information Systems Security Certifications Consortium (ISC2)
Usually more concerned with policies and procedures than technical details
Web site
www.isc2.org
Hands-On Ethical Hacking and Network Defense * SysAdmin, Audit, Network, Security (SANS)
Offers certifications through Global Information Assurance Certification (GIAC)
Top 20 list
One of the most popular SANS Institute documents
Details the most common network exploits
Suggests ways of correcting vulnerabilities
Web site
www.sans.org (links Ch 1i & Ch 1j)
Hands-On Ethical Hacking and Network Defense * Laws involving technology change as rapidly as technology itself
Find what is legal for you locally
Laws change from place to place
Be aware of what is allowed and what is not allowed
Hands-On Ethical Hacking and Network Defense * Tools on your computer might be illegal to possess
Contact local law enforcement agencies before installing hacking tools
Written words are open to interpretation
Governments are getting more serious about punishment for cybercrimes
Comments