Ethical Hacking & Countermeasures Basic Theory

Security Principles
1. Security is a supporting process
2. Security requirements come fron
  1. Valuable data
  2. Personal / private data
  3. Valuable resources
  4. E-Payments
  5. Gov. Secrects
  6. Criminal conspiracy
3. Info Security preserves
  1. Confidentiality
    1. Information is not made available or disclosed to unauthorised individuals
  2. Integrity
    1. Safeguarding the accuracy and completeness of assets
  3. Availability
    1. Being accessible and usable upon demand by an authorised entity
  4. Reliability
    1. Trustworthiness of the data and system
  5. Authenticity
    1. Like integrity, confirms accuracy of who / what is accessing assets
  6. Accountability
    1. Know who did what and be sure of it
4. Systems
  1. Application or software
  2. Libraries
  3. Hardware
  4. Supply chain
  5. Users and customers
5. Assets have tangible or intangible value
6. More definitions
  1. Vulnerabilities: exploitable system weakness
  2. Threat: Event with potential to cause harm or damage
  3. Risk: The potential for a threat to exploit a vulnerability and open up assets
7. Elements of security
8. Social context
  1. Social norms impact on people's behaviour
  2. If policies are against social norms, people won't comply
Risk
1. "A threat or possibility that an action of even will affect an organisations ability to achieve goals"
2. Security Measures
  Annotations:
  - Risk analysis and management flow
  1. Risks
    1. Vulnerabilities
    2. Threats
    3. Assets
3. Identify and assess levels of risk
  1. Values of assets
  2. Threats to those assets
  3. Any vulnerabilities and their severity
4. Outcomes of analysis
  1. All assets identified and rated by importance
  2. Threats identified and rated
  3. Vulnerabilities identified and rated
  4. Documented in risk register
5. Problems
  1. Biz measures in money not actual security risk
  2. Accuracy on the likliehood of threats
6. Risk levels
  1. DON'T use financial scale for risk
  2. High
    1. Major impact on organisation
  3. Medium
    1. Noticeable impact
  4. Low
    1. Can be absorbed
7. Risk analysis steps
  1. Decide on scope
    1. Draw context diagram
    2. Decide on boundary
    3. Make assumptions
  2. Identify assets
    1. Types of asset include: Hardware, software, data, people, docs, supplies, money
  3. Identify threats
    1. I.e. loss of confidentiality, integrity, completeness or avilability
      1. Rank either High, med or low / 1 out of 10.
  4. Identify vulnerabilities to threats
    1. Current system: Look at known issues and weaknesses
      1. New System: Look at what software is to be used and what security it offers.
        Further reading: ISO 27001
    2. Chart them with an attempt Vs success rate
  5. Risk assesment
    1. Impact valuation Vs vulnerability
8. Risk management & response
  1. Adoption of security measures related to risks to the assets
  2. Bad: Withdraw from activity, accept it and do nothing
  3. Good: reduce it with prevention, detection, reaction and insurance
Ethics and Professionalism
1. Common fallacies
  1. All info should be free
  2. System resources are wasted
  3. Hackers keep authorities at bay
2. Ethics provide rules and morals
  1. Ethical theories
    1. Authoritarianism: held by most people, no single auth.
    2. Consequentialism: Greatest happiness of greatest number, got to protect minorities
    3. Deontologism: Should everyone act in a certain way, can rule breaks be justified?
    4. Relativism: Knowledge of cultural variation, some absolutes.
3. Professionals have specific problems, work affects others, new situations.
4. Computing ethics include the privacy of data and people, safety of systems (i.e. transport) and accountability (decision making)
5. Codes of conduct act as a reminder, guidance to newbies, based on a wealth of experience, allow for professional perspective.
  1. BCS codes of conduct to protect public interest, have a duty to authorities and to the profession.
  2. People may react negitivly as it doesn't wholly relate to them, they don't like it or it isn't addressing their particular issue
6. Approaching ethical issues
  1. Identify controversial practice
  2. Analyse ethical issue
  3. Deliberate on ethical issue (apply theories to analyse)
7. Ethical hacking works in unchartered territory
8. Must be able to debate controversial moral issues
Basic Hacking Techniques
1. Insider and outsider attacks
  1. Security is equal to the countermeasures in place
2. Types of hacker
  1. White hat: authorised to test the security via agreed means
  2. Grey hat: Claim to test security for the good of everyone
  3. Black hat: Attempt to break security and profit from it in some form
3. The hacking stack
  1. Social
    1. Application
      1. Application software
        Systems software
        Transport
        Physical
        Key loggers, bin rummage, listening equipment
        Denial of service, intrusion.
        OS, routers, hardware devices via viruses
        Injected PDF's & content, incorrect security function
    2. Social engineering, blackmail
  2. Layer selection based on nature (of target), skills and time.
4. The process
  1. Plan, identify targets, contacts and scope
  2. Footprint
    1. Occurs at more than one layer
  3. Execute attack
  4. Analyse and Evaluate
5. Hackers aim to disrupt: Privacy, Availability, Non-repudiation, Integrity, Confidentiality.
  1. Non-Repudiation: e-commerce, sender cannot deny sending message, recipient cannot deny having the message
  2. Privacy: not to be confused with security.
6. Planning pen test
  1. Methodologies
    1. OSSTMM
    2. ISSAF
    3. NIST SP 800-115
  2. Rules of engagement
  3. Handling reports
7. Diagnostics
  1. What worked / didn't work and why
  2. Is it accurate, complete?
  3. How long will it take?

Media attachments

Screen_Shot_2014-05-20_at_14.36.39 (image/png)

Next up

Ethical Hacking & Countermeasures Basic Theory

Description

Resource summary

Media attachments

Similar

	Created by David Bain about 10 years ago