Ethical Hacking Methodologies and Laws
25 Questions

Questions and Answers

What are the three penetration-testing methodologies?

  • Green Box
  • Black Box (correct)
  • Gray Box (correct)
  • White Box (correct)

What does the Computer Fraud and Abuse Act criminalize?

Accessing classified information or financial information without authorization.

What does the CAN-SPAM Act regulate?

Spam

What is the Electronic Communications Privacy Act designed to do?

Make it illegal to intercept any communication.

What is the Certified Ethical Hacker (CEH)?

A certification designated by the EC-Council.

What does CISSP stand for?

Certified Information Systems Security Professional.

What are 'crackers' in the context of cybersecurity?

Hackers who break into systems to do harm.

What characterizes ethical hackers?

They break into systems with permission.

What does GIAC stand for?

Global Information Assurance Certification.

What is the gray box model?

A hybrid model for penetration testing.

What defines a hacker?

A user who attempts to break into a computer system without authorization.

What does ISECOM stand for?

Institute for Security and Open Methodologies.

What does OSSTMM stand for?

Open Source Security Testing Methodology Manual.

What is OPST?

OSSTMM Professional Security Tester certification.

What is a 'packet monkey'?

A derogatory term for unskilled crackers.

What is a penetration test?

An attack performed on a network with permission to discover vulnerabilities.

What is a 'red team'?

A group of penetration testers working together.

What are 'script kiddies'?

Unskilled hackers who use others' scripts to hack.

What does a security test involve?

Analyzing security policies and procedures.

What is the SANS Institute known for?

Conducting training and providing certifications in computer security.

What is the white box model in penetration testing?

A model where testers have full network topology and technology details.

The U.S. Department of Justice defines a hacker as a person who accesses a computer or network without the owner's permission.

True

A penetration tester is a security professional hired to protect networks from attacks.

False

Some experienced hackers refer to inexperienced hackers who use prewritten scripts or programs as which of the following? (Choose all that apply)

Script kiddies

What three models do penetration or security testers use to conduct tests?

White Box, Black Box, Gray Box.

Study Notes

Penetration-Testing Methodologies

• Black Box: Testers have no prior knowledge of the system.
• White Box: Testers have full access to system details and architecture.
• Gray Box: A combination of black box and white box knowledge; partial information is provided.

Computer Fraud and Abuse Act

• Federal law criminalizing unauthorized access to classified or financial information.

CAN-SPAM Act

• Legislation designed to combat unsolicited commercial email (spam).

Electronic Communications Privacy Act

• Makes it illegal to intercept any form of communication, regardless of transmission method.

Certified Ethical Hacker (CEH)

• A certification from EC-Council focused on ethical hacking skills.

Certified Information Systems Security Professional (CISSP)

• Non-vendor-specific certification by (ISC)², validating expertise in information security.

Crackers

• Malicious hackers who infiltrate systems with the intent to damage or destroy data.

Ethical Hackers

• Individuals permitted to test systems for vulnerabilities, acting with the owner's consent.

Global Information Assurance Certification (GIAC)

• Certifies the skills of security professionals; established by the SANS Institute in 1999.

Gray Box Model

• Penetration-testing model that combines aspects of both the black box and white box methodologies.

Hacker Definition

• Users attempting unauthorized access to computer systems or networks.

Institute for Security and Open Methodologies (ISECOM)

• A nonprofit organization supporting training and certification for security professionals.

Open Source Security Testing Methodology Manual (OSSTMM)

• Widely used security-testing manual created by Peter Herzog, outlining testing methodologies.

OSSTMM Professional Security Tester (OPST)

• Certification designated by ISECOM for penetration and security testers.

Packet Monkeys

• Pejorative term for unskilled hackers who use stolen code instead of creating their own.

Penetration Test

• Authorized simulated attack on a network to identify vulnerabilities, performed by ethical hackers.

Red Team

• A collaborative group of penetration testers simulating attacks against a network.

Script Kiddies

• Inexperienced hackers who use scripts or programs developed by others to exploit systems.

Security Test

• A comprehensive examination of security policies and procedures that goes beyond merely breaching systems.

SysAdmin, Audit, Network, Security (SANS) Institute

• Established in 1989, this organization offers worldwide training and various security certifications through GIAC.

White Box Model

• A testing approach allowing full communication with staff and complete details about the network's architecture.

Hacker Definition by U.S. Department of Justice

• Characterized as individuals accessing computers or networks without authorization.

Role of a Penetration Tester

• Security professionals engaged to test networks for vulnerabilities through ethical hacking practices.

Terms for Inexperienced Hackers

• "Packet monkeys" and "script kiddies" are terms used for unskilled hackers relying on scripts written by others.

Penetration Testing Models

• Security testing is performed using three primary methodologies: white box, black box, and gray box.


Description

Explore the various methodologies of penetration testing alongside the key legal regulations related to cybersecurity, such as the Computer Fraud and Abuse Act and the CAN-SPAM Act. This quiz covers core concepts, including black box, white box, and gray box testing, as well as important certifications like CEH and CISSP.
