Ethical Hacking

An Overview On White-Hat Hacking


Hacking is the act of gaining unauthorized access to a computer system for the purpose of either stealing information or damaging the system. Ethical hacking, by contrast, is authorized access to a computer or system, usually to test the system's security and report the findings to a responsible party or security team.

Hackers strive to break or exploit systems and cause problems for users and companies. They constantly test the limits of an application or system to find its vulnerabilities. Ethical hacking has much the same goals in mind, but for an entirely different purpose: ethical hackers test systems for defensive rather than offensive reasons.

The Hacker Classes

There are three hacker classes, each with a different purpose and goal. These classes are:

  • Black Hats
  • White Hats
  • Grey Hats

The Black Hats are the hackers who cause trouble. They hack for personal gain, sometimes monetary, or to intentionally compromise a computer system. These are the hackers most portrayed on TV and in the movies.

The White Hats are the hackers who are authorized to try to break into a system by someone in the company that has the authority to grant such activity. These hackers are the ones that use their skills and tools as a defensive measure to find weaknesses in a system and once finding these weaknesses, report them to the proper people or team.

The Grey Hats are by far the most interesting group of hackers. They can be hackers who have been hired but are not authorized to access the system. They could also be skilled individuals who feel that, through full disclosure, they can justify their actions. Full disclosure is still controversial, however. Should a Grey Hat innocently find a weakness, it is up to them to decide whether or not to report it to the proper team.

Another group of hackers that falls under the Grey Hats is known as Hacktivists. They are the ones with a personal or group agenda: they are either trying to make a point or using their skills to make a statement. Of course, there are also those who actually wish to get caught; they consider getting caught part of their plan. These are known as Suicide Hackers.

There is one group that does not belong to any of the above classes, better known as Script Kiddies. These people are not hackers in the true sense, but rather a group that, lacking the technical skill to write their own scripts, relies on preexisting scripts to perform their "hacking".

Curiosity Or Invasion

A typical hacker can be defined as a person who is curious about how things work. They obtain information and are able to use it however they wish. Though it should not be used in a negative way, many times it is. So where is the boundary dividing curiosity from invasion?

The boundary between the two depends on whether the hacker obtained the information illegally or under false pretenses, or whether they were hired to perform a security or penetration test for the organization. Typically, curiosity becomes invasion once the legal boundary is breached.

Threat Modeling and Risk Management

Threat Modeling is the process of determining which security issues matter most to a company or organization, and then identifying the possible events that could affect those issues.

Risk Management determines the proper course of action to take when a threat is identified. (For further reading, check out our discussion about Risk Management.)

Management must be committed to security and must be made aware of both the threat modeling and the risk management of their organization. Only with this commitment can a system remain secure and, if a breach has occurred, can it be contained, managed and eliminated effectively.

Some terms that go hand-in-hand with risk management are:

  • Threat: Potential harm to an asset; threats are neither good nor bad, just potential.
  • Weakness: A flaw that leaves an asset vulnerable to attack.
  • Exposure: A point of access to a weakness.
  • Vulnerability: An instance of an exposure to a weakness.
  • Exploit: The act of taking advantage of a vulnerability.

Types of Attack

There are six categories of attack. Each can result in a successful attack and can exploit weaknesses at any of the seven layers of the OSI Model.

Social Engineering and Physical attacks - Considered the most dangerous, social engineering attacks exploit the human nature in each of us. They can be carried out at low cost and without much skill. Physical access is also a possibility at all times.

Network-based attacks - Security was not a consideration in many of the protocols we use on a daily basis. Security solutions have been added to mitigate the risk of attack, but these solutions can also increase the complexity of the network. If a system is subjected to a Denial of Service (DoS) attack, the attacker(s) may gain no money or leverage for extortion, but they can still damage the victim's reputation.

Operating System attacks - Leaving unnecessary services available, open and accessible is an open invitation to this type of attack.

Application Level attacks - Because most applications receive input data from users as well as other sources, buffer overflows result when the application code is not written to handle that input.

Shrink Wrap and Malicious Code attacks - Vulnerabilities in reusable code spread to every application that reuses it. Making matters worse, malicious code has been known to be injected into such reusable code with the intention of causing harm.

Misconfiguration attacks - Leaving systems at their default configuration settings can leave vulnerabilities that go unnoticed. Practicing a lax security policy is another example.
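The Application Level attack category above boils down to one defect: copying input into a fixed-size buffer without first comparing the input's length to the buffer's size. The following C program is an added example, not code from the article; it shows the unchecked pattern beside a bounded handler that rejects oversized input. The field size `NAME_MAX`, the function names and the sample inputs are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field, typical of legacy protocol handlers */

/* Vulnerable handler (the pattern the text warns about): it trusts that the
 * sender supplied at most NAME_MAX-1 bytes. strcpy copies until it finds a NUL,
 * so longer input writes past the end of 'name' into whatever the compiler
 * placed after it. Shown for contrast only; main() never feeds it oversized
 * input, because doing so is undefined behaviour. */
void store_name_unsafe(char name[NAME_MAX], const char *input)
{
    strcpy(name, input);
}

/* Hardened handler: measures the input against the destination size before
 * any byte is copied and rejects input that does not fit, rather than
 * silently truncating it (truncation causes its own bugs, e.g. two different
 * usernames collapsing into the same stored value).
 * Returns 0 on success and -1 on rejection; on rejection 'name' is set to the
 * empty string so a caller cannot act on stale or partial data. */
int store_name_bounded(char *name, size_t name_size, const char *input)
{
    if (name == NULL || input == NULL || name_size == 0)
        return -1;
    name[0] = '\0';

    /* memchr reads at most name_size bytes of 'input' and stops at the first
     * NUL, so it is safe even if the input is not terminated within that
     * window. A NUL must appear within the first name_size bytes for the
     * string plus its terminator to fit. */
    const char *nul = memchr(input, '\0', name_size);
    if (nul == NULL)
        return -1;                      /* too long (or no terminator) */

    size_t len = (size_t)(nul - input); /* len <= name_size - 1 */
    memcpy(name, input, len + 1);       /* copies the terminator as well */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed sample inputs: one that fits, one that is far too long. */
    const char *ok_input  = "alice";
    const char *bad_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    int rc;

    rc = store_name_bounded(name, sizeof name, ok_input);
    printf("bounded(\"%s\")  -> %d, name=\"%s\"\n", ok_input, rc, name);

    rc = store_name_bounded(name, sizeof name, bad_input);
    printf("bounded(32 x 'A') -> %d, name=\"%s\"\n", rc, name);

    store_name_unsafe(name, ok_input);  /* safe here only because it fits */
    printf("unsafe(\"%s\")   -> name=\"%s\"\n", ok_input, name);
    return 0;
}
```

The important property is that the bounded version decides before it writes anything: the length check happens first, the destination is left empty on rejection, and the caller gets an explicit status to act on instead of a silently corrupted stack frame.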

The Five Phases of an Attack

There are five distinct phases that go into a cyber attack.

  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Clearing Tracks

Reconnaissance is the first and most important step in the attack. It is the act of finding out as much as possible about the target, better known as the Target of Evaluation (TOE). This phase is carried out passively so as not to raise any red flags with the target.

Scanning is the passive discovery of the technology the target is using. Such discoveries could include configurations of external networks, blocks, access points and other internal information the attacker could use to carry out the attack. The primary goal of scanning is to learn as much as possible about the target's technical data and systems.

Gaining Access happens after the first two phases succeed. The attacker may have many choices of how to launch the attack, which could be direct or indirect. This phase is more likely to succeed if the system is poorly configured and intrusion-detection countermeasures are not monitored.

Maintaining Access is necessary in order to complete the attack. Access can be maintained through the computer under attack or through an innocent host used to keep the access open. This is also known as vulnerability linkage, staging or pivoting.

Clearing Tracks is more than just destroying evidence. It is also about completing the attack without drawing attention to it in the first place. An attacker who does not follow all of these phases risks drawing undue attention to themselves.

Some ways that tracks can be cleared are erasing log files from an IDS (Intrusion Detection System), firewall evasion techniques, or daisy chaining. Daisy chaining is an active form of clearing tracks that evades detection by having multiple events occur in sequence. Dropping a logic bomb onto a system is an example of this daisy chain effect: the logic bomb triggers an event that destroys evidence or harms the system in a way that hides the attack.
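The paragraph above describes attackers erasing log entries to hide an attack. The defender's counterpart is tamper-evident logging: each entry is chained to the previous one by a hash, and the chain head is forwarded off-host as entries are written, so a later deletion, edit or reordering of the local copy can be detected. The following C program is an added example, not code from the article. It assumes a log kept as an array of text lines, uses constructed sample entries, and uses the non-cryptographic FNV-1a hash only so that it compiles with no dependencies; a real deployment would use SHA-256 or, better, an HMAC under a key that is not stored on the logging host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit FNV-1a, a stand-in chosen only to keep the example dependency-free.
 * Replace with a cryptographic hash (SHA-256) or an HMAC in real use. */
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

static uint64_t fnv1a64(uint64_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Fold one entry into the running chain: tag_i = H(tag_{i-1} || entry_i).
 * Every tag depends on all earlier entries, so deleting, editing or
 * reordering any entry changes every later tag, including the final head. */
uint64_t chain_step(uint64_t prev_tag, const char *entry)
{
    unsigned char prev[8];
    for (int i = 0; i < 8; i++)            /* serialize the tag little-endian */
        prev[i] = (unsigned char)(prev_tag >> (8 * i));
    uint64_t h = fnv1a64(FNV_OFFSET, prev, sizeof prev);
    return fnv1a64(h, entry, strlen(entry));
}

/* Chain head over a whole log, starting from a fixed initial tag of 0. */
uint64_t chain_head(const char *const *entries, size_t n)
{
    uint64_t tag = 0;
    for (size_t i = 0; i < n; i++)
        tag = chain_step(tag, entries[i]);
    return tag;
}

/* Verify a local log against a head that was forwarded off-host (e.g. to a
 * remote syslog collector or SIEM) when the last entry was written.
 * Returns 1 if the local copy reproduces that head, 0 if it was altered. */
int chain_verify(const char *const *entries, size_t n, uint64_t expected_head)
{
    return chain_head(entries, n) == expected_head;
}

/* Constructed sample entries; not taken from any real system. */
static const char *const ORIGINAL_LOG[] = {
    "2024-01-01T10:00:00Z sshd: Accepted password for admin from 10.0.0.5",
    "2024-01-01T10:00:07Z sudo: admin : COMMAND=/bin/bash",
    "2024-01-01T10:00:30Z sshd: Accepted password for admin from 10.0.0.5",
};
#define ORIGINAL_N (sizeof ORIGINAL_LOG / sizeof ORIGINAL_LOG[0])

/* The same log after the middle (sudo) entry was removed. */
static const char *const TAMPERED_LOG[] = {
    "2024-01-01T10:00:00Z sshd: Accepted password for admin from 10.0.0.5",
    "2024-01-01T10:00:30Z sshd: Accepted password for admin from 10.0.0.5",
};
#define TAMPERED_N (sizeof TAMPERED_LOG / sizeof TAMPERED_LOG[0])

int main(void)
{
    /* Head computed while the log was intact and shipped off-host. */
    uint64_t offhost_head = chain_head(ORIGINAL_LOG, ORIGINAL_N);
    printf("head        = %016llx\n", (unsigned long long)offhost_head);
    printf("original ok = %d\n", chain_verify(ORIGINAL_LOG, ORIGINAL_N, offhost_head));
    printf("tampered ok = %d\n", chain_verify(TAMPERED_LOG, TAMPERED_N, offhost_head));
    return 0;
}
```

The chain only helps if the head (or a keyed tag) leaves the host before the attacker gains access; an attacker who can rewrite the log and recompute an unkeyed chain locally defeats it, which is why the off-host copy and a keyed hash matter in practice.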

Penetration Testing

There are different reasons why a company or organization would request a penetration test: compliance standards that require a yearly audit, or a past intrusion and the effort to prevent another attack. It is also important that accurate records are kept throughout the testing process. Here is the basic outline of the penetration testing cycle.

  • Determine the type of test required.
  • Using project management, charter a new project for this test.
  • Draft all required legal documents.
  • In writing, have the testing outline and strategy approved.
  • Test the communication channel. Make sure that if something fails, the test can be paused and the problem reported.
  • Conduct the testing.
  • Complete a report once the test is completed.
  • Abiding with client agreements, deliver the report and archive or destroy all original copies.
  • If necessary, schedule a follow-up test.
  • Review the process and look for ways to improve on the next test.

The Three Types Of Tests

There are three types of tests that can be performed for the client.

The Black Box Test - This provides the most realistic testing. The only ones who will know that the test is occurring are the client and the tester. No information is given to any team in the client's organization, and the tester's only contact is with the client.

This type of testing is considered risky because both the client and the tester must take care to protect each other and themselves. There are legal concerns as well, since something could go wrong during the testing.

The White Box Test - This is one of the most common tests and the least invasive. More often than not, only the scanning phase of the attack takes place. Commercial vulnerability assessment tools are often used to obtain a baseline of the network's condition. This test is most used for compliance standard testing.

The Grey Box Test - This test is performed when there is a specific objective involved. The client could request it if a particular vulnerability was discovered during the White Box test. It could also be used to check whether users are in compliance.