2. Who Are the Attackers?
• White hat hackers (Hacker) - “Ethical attackers” who received permission to
probe system for any weaknesses
• Black hat hackers - Attackers who violated computer security for personal gain
or to inflict malicious damage
• Gray hat hackers – Attackers who would break into a computer system without
permission and then publically disclose vulnerability
3. What is Pen Testing?
• A penetration test, or pen test, is an attempt to evaluate the security of an IT
infrastructure by safely trying to exploit vulnerabilities.These vulnerabilities may exist in
operating systems, service and application flaws, improper configurations, or risky end-
user behavior. Such assessments are also useful in validating the efficacy of defensive
mechanisms, as well as, end-user adherence to security policies.
• Penetration tests are typically performed using manual or automated technologies to
systematically compromise servers, endpoints, web applications, wireless
networks, network devices, mobile devices and other potential points of exposure.
• Once vulnerabilities have been successfully exploited on a particular system, testers
may attempt to use the compromised system to launch subsequent exploits at other
internal resources, specifically by trying to incrementally achieve higher levels of
security clearance and deeper access to electronic assets and information via privilege
escalation.
• Information about any security vulnerabilities successfully exploited through
penetration testing is typically aggregated and presented to IT and network systems
managers to help those professionals make strategic conclusions and prioritize related
remediation efforts.The fundamental purpose of penetration testing is to measure the
feasibility of systems or end-user compromise and evaluate any related consequences
such incidents may have on the involved resources or operations.
4. What is Ethical Hacking
• Question:What constitutes ethical hacking?
• For hacking to be deemed ethical, the hacker must obey the
following rules:
• Expressed (often written) permission to probe the network and attempt to
identify potential security risks.
• You respect the individual's or company's privacy.
• You close out your work, not leaving anything open for you or someone else to
exploit at a later time.
• You let the software developer or hardware manufacturer know of any security
vulnerabilities you locate in their software or hardware, if not already known by
the company.
Notas del editor
Attackers are people who try to gain unauthorized access to your computer. This is normally done through the use of a 'backdoor' program installed on your machine. You can protect yourself from these by using a firewall and a good up-to-date anti-virus program. You would normally get such a backdoor program by opening an E-mail attachment containing the backdoor program. It is normal for such a backdoor program to send out more copies of itself to everyone in your address book, so it is possible for someone you know to unintentionally send you a malicious program. A few backdoor programs can work with any e-mail program by sitting in memory and watching for a connection to a mail server, rather than actually running from within a specific mail program. These programs automatically attach themselves to any e-mail you send, causing you to unintentionally send out malicious programs to your friends and associates.
Why do hackers hack?
To a hacker, breaking into someone’s computer is simply a challenge. They may not specifically intend to do damage to the computer. The thrill of simply gaining access is often enough. Hackers often try to show off their skills to the world by hacking into government computers, or as revenge against another user or agency.
FAMOUS CASES
Kevin Mitnick was arrested for stealing credit card numbers and for gaining illegal entry into numerous systems via the internet.
Ed Cummings was the first person in the United States to be imprisoned for possession of a red box.
The charges
The grand jury charged that he "knowingly and with intent to defraud did possess and have custody and control of a telecommunications instrument, that had been modified and altered to obtain unauthorized use of telecommunicatio n services through the use of public telephones" on or about March 13 and 15 of 1995.
He was also charged with "being in possession of hardware and software used for altering and modifying telecommunications instruments to obtain unauthorized access to telecommunications service."
Craig Neidorf, an employee of Bellsouth, was arrested for distributing information that was thought to have been illegally obtained from the company.
A pre-law student at the University of Missouri and the editor of Phrack Magazine, was questioned first at home, then had his house searched, a nd then was called in for questioning by the U.S. Attorney's Office in Chicago in 1990 in which he complied willingly.
Written agreement(contract) of what is to be tested, on and off limits
No release of malicious content