Ethical Hacking Principles

Questions and Answers

What is the primary goal of Ethical Hacking?

• To exploit weaknesses in computer systems
• To sell identified weaknesses to the highest bidder
• To develop new computer systems
• To identify weaknesses in computer systems (correct)

What is a fundamental rule that ethical hackers must follow?

• Inform only the hardware vendors about the identified weaknesses
• Obtain written permission before hacking (correct)
• Keep the identified weaknesses secret
• Hack without permission for better results

What should ethical hackers do after identifying weaknesses in a computer system?

• Transparently report all identified weaknesses to the organization (correct)
• Sell the identified weaknesses to other organizations
• Exploit the weaknesses for personal gain
• Ignore the weaknesses and move on to the next system

What is the main focus of Ethical Hacking?

Protecting the weaknesses in computer systems (D)

What is a fundamental requirement for ethical hackers before conducting any hacking activity?

Obtain permission from the computer system owner (C)

What aspect is often mistakenly associated with security when people think about it?

Firewalls and hackers (D)

What does the text suggest about computer crimes and the use of computers?

Computers have revolutionized the nature of crimes (C)

What is a key component of information security according to the text?

Policies and procedures (C)

What is a potential consequence of not being aware of tools that allow for ACK packets to be generated and sent?

Allowing outside sources to initiate communication with inside systems (B)

How can a 'cut through' configuration of a firewall potentially lead to security vulnerabilities?

Creating fragments with dangerous payloads (D)

What can happen if a company's employees are not aware of social engineering attacks?

Happily giving out useful information to attackers (D)

Why do marketing people prefer to use the word 'hacking' instead of 'security professional toolset education'?

To draw more attention and paying customers (B)

What is emphasized as the key for accomplishing real security in the text?

Knowledge and its implementation (B)

Match the following security activities with their recommended approach:

Ensuring employees create complex passwords = Set operating system configurations for password requirements Configuring firewall and router for protection = Read manuals, make configuration changes, implement ACLs Testing company's password policy = Obtain permission from management before conducting activities Implementing security measures without intrusion = Ensure company's security policy allows for testing activities

Match the following statements with their descriptions:

Use of hacking in education = Marketing strategy to attract attention Toolset used by attackers and security professionals = Mostly the same Security professionals' approach to setting up protection = Read manuals, implement ACLs, make configuration changes Ethical hacking activities and company's permission = Intrusive if not acknowledged and allowed by management

Match the ethical hacking skill with its description:

Foot printing and scanning = Identifying and mapping out a network to gather information for a potential attack Techniques for system hacking = Methods for gaining unauthorized access to a computer system or network Malware and their attacks and detect and prevent them = Understanding various types of malicious software and how to defend against them Detect and prevent the security attacks in different environments = Identifying and stopping security breaches in diverse computing environments

Match the assessment activity with its timing:

Midterm 1 = 7-8 weeks Quizzes = 4-11 weekly Participation labs = 14-15 weeks Final written Examination = End of semester

Match the reference type with its description:

Essential References = Key resources necessary for understanding the course material Additional References = Supplementary materials for further exploration of the subject

Match the following with their descriptions:

Novice ethical hacker = Relies on tools developed by others to exploit specific vulnerabilities Advanced ethical hacker = Has the skill set and understanding to look at the code itself and identify possible vulnerabilities Hacker = Finds and exploits weaknesses in computer systems and/or networks to gain access Dictionary definition of hacking = The act of gaining unauthorized access to data in a system or computer

Match the following with their roles in ethical hacking:

Ethical hacker's reliance on tools = Novice ethical hacker Ethical hacker's primary task = Identifying possible vulnerabilities and programming code errors Ethical hacker's skill set = Advanced ethical hacker Hacker's activity = Finding and exploiting weaknesses in computer systems and/or networks to gain access

Match the following with their relation to security flaws in software:

Novice ethical hacker's approach = Using tools developed by others to exploit specific vulnerabilities Advanced ethical hacker's approach = Identifying possible vulnerabilities and programming code errors and developing ways to rid the software of these types of flaws Vendor's motivation for integrating protection mechanisms = Backlash and demand from customer bases Dictionary definition of hacking = The act of gaining unauthorized access to data in a system or computer

Match the following with their characteristics:

Ethical hacker's expertise level = Understanding to look at the code itself and identify possible vulnerabilities Vendor's response to market demands for security = Will step up to the plate when customers are willing to pay more for security Hacking according to the dictionary definition = The act of gaining unauthorized access to data in a system or computer Novice ethical hacker's reliance on others' tools = Using tools developed by others to exploit specific vulnerabilities

Match the following with their relationship to software security:

Advanced ethical hacker's role in software security = Developing ways to rid the software of vulnerabilities and programming code errors Vendor's integration of protection mechanisms = Due to backlash and demand from customer bases Hacker's activity according to the dictionary definition = Finding and exploiting weaknesses in computer systems and/or networks to gain access Novice ethical hacker's use of others' tools = To exploit specific vulnerabilities

Match the following with their descriptions:

Ethical hacking category according to the dictionary definition = The act of gaining unauthorized access to data in a system or computer Ethical hacker's role in identifying vulnerabilities = Advanced ethical hacker has the skill set and understanding to look at the code itself Vendor's response to market demands for security measures = Will step up only when customers are willing to pay more for security Hacker's role according to the dictionary definition = Finds and exploits weaknesses in computer systems and/or networks to gain access

Match the following hacking concepts with their descriptions:

Packet filtering firewall = Controls network traffic based on predetermined security rules Intrusion detection system = Monitors network or system activities for malicious activities or policy violations Proxies = Act as intermediaries between clients and servers, providing anonymity and security Encryption = Converts data into a code to prevent unauthorized access

Match the following components of real security with their descriptions:

Policies and procedures = Establish guidelines and protocols for security measures Liabilities and laws = Legal obligations and regulations governing information security Human behavior patterns = Understanding and addressing human tendencies that may pose security risks Corporate security programs and implementation = Developing and executing strategies to protect organizational assets

Match the following hacking tools with their purposes:

Antivirus software = Detects, prevents, and removes malicious software Hacks and cracks = Unauthorized attempts to exploit vulnerabilities in systems or software Packet filtering firewall = Screens incoming and outgoing network traffic based on predetermined security rules Intrusion detection systems = Monitors network or system activities for malicious activities or policy violations

Match the following aspects of information security with their focus areas:

Packets, firewalls, and hackers = Technical components of security measures Policies and procedures = Establishing guidelines for security protocols Human behavior patterns = Understanding and addressing security risks related to human tendencies Encryption = Converting data into a code to prevent unauthorized access

Match the following terms with their meanings:

Social engineering attacks = Exploiting human psychology to gain access to systems or sensitive information ACK packets = Acknowledgment packets sent by a receiving computer to acknowledge data received successfully Established traffic = Network traffic that is part of an existing connection and has been verified as valid Cut through configuration = Method of forwarding network packets without fully checking them

Match the following ethical hacking activities with their purposes:

Identifying weaknesses in a computer system = To uncover vulnerabilities for remediation Conducting hacking activity = To test the security of a system by simulating attacks Implementing packet filtering firewall = To control network traffic based on predetermined security rules Configuring access control lists = To regulate traffic entering the network based on specific criteria

Match the following authors with their book on ethical hacking:

Shon Harris, Gideon Lenkey, Allen Harper, Jonathan Ness and Chris Eagle = Gray Hat Hacking the Ethical Hackers Handbook Patrick Engebretson = The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy James Corley, Kent Backman, & Michael Simpson = Hands-On Ethical Hacking & Network Defense Not mentioned in the text = Codecademy – Python

Match the following websites with their content related to ethical hacking:

hackaday.com = List of Open Source Software/learning website breakthesecurity.cysecurity.org = Electronic Materials eccouncil.org = Supportive References hackthissite.org = Not mentioned in the text

Match the following rules for ethical hackers with their descriptions:

Get written permission from the owner of the computer system and/or computer network before hacking. = Rule 1 Protect the privacy of the organization been hacked. = Rule 2 Transparently report all the identified weaknesses in the computer system to the organization. = Rule 3 Inform hardware and software vendors of the identified weaknesses. = Not mentioned in the text

Match the following topics related to ethical hacking with their descriptions:

Basics of ethical hacking = Applied College Shaqra Chapter 1 Basics of the ethical hacking Ethical Hacking definition = Applied College Shaqra What is Ethical Hacking? Consequences of not being aware of tools for ACK packets = Not mentioned in the text Cut through configuration of a firewall = Not mentioned in the text

Match the following skills with their importance according to the text:

Identifying weakness in computer systems and networks = Key for accomplishing real security Abiding by specific rules and permissions = Fundamental requirement for ethical hackers before conducting any hacking activity Awareness of social engineering attacks = Potential consequence of not being aware of tools that allow for ACK packets to be generated and sent Using open source software/learning websites like Codecademy – Python = Not emphasized as a key component of information security according to the text

Match the following aspects with their common misconceptions about security according to the text:

Marketing preference for 'hacking' over 'security professional toolset education' = 'Hacking' instead of 'security professional toolset education' Mistaken association with security when people think about it = Not mentioned in the text Focus on tools and software rather than ethical practices = Not mentioned in the text Emphasis on specialized tools rather than general-purpose programming = 'Hacking' instead of 'security professional toolset education'

Match the following security measures with their potential consequences of not being aware of them:

Firewall configuration to review only the first fragment of a packet = Allowing in malicious traffic Awareness of social engineering attacks = Happily giving out useful information to attackers Knowledge and implementation of security measures = Accomplishing real security Tools that allow for ACK packets to be generated and sent = Initiating an attack

Match the following aspects of information security with their focus areas:

Outside source sending a SYN packet to initiate communication with an inside system = Preventing unauthorized communication Tools that can create fragments with dangerous payloads = Malicious traffic detection Company employees' awareness of social engineering attacks = Protecting sensitive information Knowledge and implementation of security measures = Establishing a secure environment

Match the following ethical hacking activities with their purposes:

Identifying weaknesses in a computer system = Implementing proactive security measures Tools that allow for ACK packets to be generated and sent = Security vulnerability exploitation Awareness of social engineering attacks = Understanding potential attack vectors 'Cut through' configuration of a firewall = Increasing network performance

Match the following terms with their meanings:

Real security = Knowledge coupled with effective implementation Social engineering attacks = Manipulating individuals to obtain sensitive information Malicious traffic detection = Identification and prevention of harmful network traffic Proactive security measures = Preventive actions to safeguard against potential threats

Match the following security awareness activities with their purpose:

Understanding attacker techniques = Recognizing potential attacks Knowing when an attack may happen = Identifying pre-attack activities Educating network staff on security issues = Enabling effective response to security incidents Recognizing trouble when it happens = Reacting efficiently to security alarms

Match the following network activities with their significance in security:

Ping sweep followed by port scan = Indication of imminent attack Automated security products = Identification of pre-attack activities Software's inability to make decisions = Risk of relying solely on automation Human judgment calls = Understanding contextual significance of activities

Match the following computer capabilities with their role in security:

Computers' ability to outperform humans in calculations = Efficiency in repetitive tasks Humans' ability to make necessary judgment calls = Understanding nuances in security decisions Software's inability to put activities in context = Risk of decision-making reliance on software Understanding greys in life, not just 1s and 0s = Balancing human judgment with automation capabilities

Match the following aspects with their importance in information security:

Network staff's understanding of security issues = Effective response to security incidents Knowing when an attack may be imminent = Recognition of pre-attack activities Automated security products' limitations = Risks of over-reliance on automation Human ability to make necessary judgment calls = Understanding contextual significance of security incidents

Match the following terms with their meanings:

Hacking = The act of gaining unauthorized access to data in a system or computer Ethical Hacking = Finding and exploiting weaknesses in computer systems and/or networks to gain access for the purpose of improving security Hackers = People who find and exploit weaknesses in computer systems and/or networks to gain access Security Flaws = Weaknesses or vulnerabilities in software that can be exploited by hackers

Match the following ethical hacking activities with their purposes:

Using others' tools = Novice ethical hackers using tools developed by others to exploit specific vulnerabilities Developing own tools = Advanced ethical hackers identifying vulnerabilities and programming errors, and developing ways to rid the software of these flaws Understanding code = Advanced ethical hackers having the skill set and understanding to look at the code itself Exploiting vulnerabilities = Novice ethical hackers exploiting specific vulnerabilities using tools developed by others

Match the following aspects with their common misconceptions about security according to the text:

Complexity = Not related to real security, as Applied College Shaqra Security does not like complexity Market Demand = Once the market truly demands a higher level of protection and security, vendors will step up to provide it Vendor Integration = Vendors integrating protection mechanisms mainly due to customer demand and backlash Ethical Hacking = The misconception that hacking is always unethical and illegal

Match the following components of real security with their descriptions:

Protection and Security = Level of protection and security provided by software products demanded by the market and customers willing to pay more for it Customer Demand = Customers demanding a higher level of protection and security, leading vendors to step up to provide it Vendor Response = Vendors integrating protection mechanisms due to customer demand and backlash Ethical Hacking Skills = Skill set and understanding to identify possible vulnerabilities, programming code errors, and develop ways to rid the software of these flaws

Network administrators do not need to be able to recognize when an attack is underway.

False (B)

Recognizing an attack as it is happening should be easy for all types of attacks.

False (B)

People who work in positions within corporations should try to ignore security issues.

False (B)

The world is becoming less dependent upon technology.

False (B)

Security professionals should not run tests against configurations to see if they are allowing malicious traffic into a controlled environment.

False (B)

Hacking tools do not carry out different types of attacks.

False (B)

Security issues and compromises are expected to go away soon.

False (B)

It is not important to know how different types of attacks take place so they can be properly recognized and stopped.

False (B)

A 'cut-through' configuration of a firewall can potentially lead to security vulnerabilities.

True (A)

If a company's employees are not aware of social engineering attacks, they are less likely to give out useful information to attackers.

False (B)

Lack of knowledge and experience in the field of cybersecurity can lead to a false sense of security.

True (A)

An outside source can send a SYN packet to initiate communication with an inside system.

False (B)

Knowledge and its implementation are not crucial for accomplishing real security.

False (B)

The primary goal of Ethical Hacking is to allow unauthorized access to computer systems.

False (B)

A network engineer configures a firewall to review only the first fragment of a packet and not the packet fragments that follow.

True (A)

If an administrator realizes there are tools that allow for ACK packets to be generated and sent, it would lead to a true sense of security.

False (B)

Black Hat Hackers break into computer networks for personal or financial gain.

True (A)

White Hat Hackers perform threat assessment on computer systems and ensure the safety of network systems.

True (A)

Grey Hat Hackers check the network for vulnerabilities without the permission of the owner and keep their findings to themselves.

False (B)

Hackers are generally categorized by their motive behind the hacking, and they can be classified as Black Hat, White Hat, or Grey Hat Hackers.

True (A)

Not all hackers have bad intentions; some hackers bypass security measures with good intentions.

True (A)

Black Hat Hackers employ the same techniques as White Hat Hackers but with bad intentions.

False (B)

Grey Hat Hackers only break into computer networks for personal or financial gain.

False (B)

Ethical Hacking professionals ensure the safety of network systems by finding security leaks.

True (A)

Black Hat Hackers are responsible for writing malware and implanting viruses to gain access to computer systems.

True (A)

White Hat Hackers perform threat assessment on computer systems with bad intentions, unlike Black Hat Hackers.

False (B)

Study Notes

Ethical Hacking

• The primary goal of Ethical Hacking is to identify vulnerabilities in a computer system to prevent malicious hackers from exploiting them.
• A fundamental rule that ethical hackers must follow is to obtain proper permission from the system owner before conducting any hacking activity.

Ethical Hacking Rules

• Ethical hackers must follow a fundamental requirement of obtaining proper permission from the system owner before conducting any hacking activity.
• A key aspect of ethical hacking is to identify weaknesses in a computer system and report them to the system owner.

Security

• A key component of information security is the ability to recognize and respond to security threats.
• Lack of knowledge and experience in the field of cybersecurity can lead to a false sense of security.
• A 'cut-through' configuration of a firewall can potentially lead to security vulnerabilities.
• If a company's employees are not aware of social engineering attacks, they are more likely to give out useful information to attackers.

Hacking Types

• Hackers are generally categorized by their motive behind the hacking, and they can be classified as Black Hat, White Hat, or Grey Hat Hackers.
• Black Hat Hackers break into computer networks for personal or financial gain.
• White Hat Hackers perform threat assessment on computer systems and ensure the safety of network systems.
• Grey Hat Hackers check the network for vulnerabilities without the permission of the owner and keep their findings to themselves.

Security Measures

• Knowledge and its implementation are crucial for accomplishing real security.
• Real security involves identifying and addressing security vulnerabilities.
• Not being aware of tools that allow for ACK packets to be generated and sent can lead to a false sense of security.

Firewalls

• A network engineer configuring a firewall to review only the first fragment of a packet and not the packet fragments that follow can lead to security vulnerabilities.

Misconceptions

• Many people mistakenly associate security with the absence of security issues and compromises, which is not true.
• Recognizing an attack as it is happening can be challenging, and it's not easy for all types of attacks.
• Network administrators need to be able to recognize when an attack is underway.

Description

Learn about the principles of ethical hacking, including identifying weaknesses in computer systems and networks, obtaining permission before hacking, and transparently reporting vulnerabilities to the organization. Understand the key rules and ethical considerations in ethical hacking practices.