You need protection from hacker shenanigans; you need (or need to become)
an ethical hacker. An ethical hacker possesses the skills, mindset, and tools of a
hacker but is also trustworthy. Ethical hackers perform the hacks as security
tests for their systems based on how a hacker or rogue insider would work.
Ethical hacking — which encompasses formal and methodical penetration
testing, white-hat hacking, and vulnerability testing — involves the same
tools, tricks, and techniques that hackers use, but with one major difference:
Ethical hacking is legal because it’s performed with the target’s permission.
The intent of ethical hacking is to discover vulnerabilities from a malicious
attacker’s viewpoint so systems can be better secured. It’s part of an overall
information risk management program that allows for ongoing security
improvements. Ethical hacking can also ensure that vendors’ claims about
the security of their products are legitimate.
If you perform ethical hacking tests for clients or simply want to add another
certification to your credentials, you may want to consider becoming a
Certified Ethical Hacker, a certification program sponsored by EC-Council.
See www.eccouncil.org/CEH.htm for more information.
Understanding the Need to Hack Your Own Systems
To catch a thief, you must think like a thief. That’s the basis for ethical hacking.
It’s absolutely critical to know your enemy. See Chapter 2 for details
about how malicious attackers work.
The law of averages works against security. With the increased number
and expanding knowledge of hackers, combined with the growing number of
system vulnerabilities and other unknowns, the time will come when all computer
systems are hacked or compromised in some way. Protecting your
systems from the bad guys — and not just the generic vulnerabilities that
everyone knows about — is absolutely critical. When you know hacker tricks,
you can find out how vulnerable your systems really are.
Hacking preys on weak security practices and undisclosed vulnerabilities.
Firewalls, encryption, and virtual private networks (VPNs) can create a false
feeling of safety. These security systems often focus on high-level vulnerabilities,
such as viruses and traffic through a firewall, without affecting how
hackers work. Attacking your own systems to discover vulnerabilities is a
big step toward making them more secure. This is the only proven method of
greatly hardening your systems from attack. If you don’t identify weaknesses,
it’s a matter of time before the vulnerabilities are exploited.
As hackers expand their knowledge, so should you. You must think like them
and work like them in order to protect your systems from them. You, as the
ethical hacker, must know the activities that hackers carry out and how to
stop their efforts. You should know what to look for and how to use that
information to thwart hackers’ efforts.
You don’t have to protect your systems from everything. You can’t. The only
protection against everything is to unplug your computer systems and lock
them away so no one can touch them — not even you. That’s not the best
approach to information security and is certainly not good for business.
What’s important is to protect your systems from known vulnerabilities and
common attacks.
It’s impossible to anticipate all the possible vulnerabilities you’ll have in
your systems and business processes. You certainly can’t plan for all possible
attacks — especially the ones that are currently unknown. However, the
more combinations you try — the more you test whole systems instead of
individual units — the better your chances of discovering vulnerabilities that
affect your information systems in their entirety.
Don’t take ethical hacking too far, though. It makes little sense to harden your
systems from unlikely attacks. For instance, if you don’t have a lot of foot traffic
in your office and no internal Web server running, you may not have as
much to worry about as an Internet hosting provider would have. Your overall
goals as an ethical hacker should be as follows:
Understanding the Dangers Your Systems Face
It’s one thing to know that your systems generally are under fire from hackers
around the world and rogue insiders around the office; it’s another to understand
specific attacks against your systems that are possible. This section
offers some well-known attacks but is by no means a comprehensive listing.
Many information-security vulnerabilities aren’t critical by themselves.
However, exploiting several vulnerabilities at the same time can take its toll.
For example, a default Windows OS configuration, a weak SQL Server administrator
password, and a server hosted on a wireless network may not be
major security concerns separately. But exploiting all three of these vulnerabilities
at the same time can be a serious issue that leads to sensitive information
disclosure and more.
Nontechnical attacks
Exploits that involve manipulating people — end users and even yourself —
are the greatest vulnerability within any computer or network infrastructure.
Humans are trusting by nature, which can lead to social-engineering exploits.
Social engineering is the exploitation of the trusting nature of human beings
to gain information for malicious purposes.
Other common and effective attacks against information systems are physical.
Hackers break into buildings, computer rooms, or other areas containing critical
information or property to steal computers, servers, and other valuable
equipment. Physical attacks can also include dumpster diving — rummaging
through trash cans and dumpsters for intellectual property, passwords, network
diagrams, and other information.