Chapter 1 Introduction to ethical hacking and penetration testing.pdf
Transcript
Chapter 1 Information Security Overview INTRODUCTION TO ETHICAL Information Security Threats and Attacks Hacking Concepts HACKING Ethical Hacking Concepts...
Chapter 1 Information Security Overview INTRODUCTION TO ETHICAL Information Security Threats and Attacks Hacking Concepts HACKING Ethical Hacking Concepts Information Security Controls Penetration Testing Concepts Course Instructor: Anees Ara Information Security Laws and Standards CHAPTER CONTENT □Information Security Overview □Information Security Threats and Attacks □Hacking Concepts □Ethical Hacking Concepts □Information Security Controls □Penetration Testing Concepts □Information Security Laws and Standards “If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat” - As Sun Tzu in Art of War INFORMATION SECURITY OVERVIEW The methods and processes to protect information and information systems from unauthorized access, the disclosure of information, usage or modification. Information security ensures the confidentiality, integrity, and availability. An organization without security policies and appropriate security rules are at great risk, and the confidential information and data related to that organization are not secure in the absence of these security policies. An organization along with well-defined security policies and procedures helps in protecting the assets of that organization from unauthorized access and disclosures. INTERNET IS INTEGRAL PART OF BUSINESS AND PERSONAL LIFE – WHAT HAPPENS ONLINE IN 60 SECONDS ESSENTIAL TERMINOLOGIES ELEMENTS OF INFORMATION SECURITY ELEMENTS OF INFORMATION SECURITY CIA Risk Control Loss of privacy. Encryption. Unauthorized access to information. Authentication. Access Control Confidentiality Identity theft. Information is no longer reliable or Maker/Checker. Quality Assurance. Integrity accurate. Fraud. Audit Logs Business disruption. Loss of customer's Business continuity. Plans and test. confidence. Loss of revenue. Backup storage. Sufficient capacity. Availability SECURITY, FUNCTIONALITY AND USABILITY INFORMATION SECURITY THREATS AND ATTACKS VECTORS TOP INFORMATION SECURITY ATTACK VECTORS TOP INFORMATION SECURITY ATTACK VECTORS INFORMATION SECURITY THREAT CATEGORIES TYPES OF ATTACKS ON A SYSTEM INFORMATION WARFARE HACKING CONCEPTS □What is hacking? □Who is a hacker? □Hacker classes □Hacking Phases WHAT IS HACKING? WHO IS A HACKER? Some do hacking with malicious intent behind their escapades, like stealing business data, credit card information, social security numbers, email passwords, etc. HACKER CLASSES HACKING PHASES In general, there are five phases of hacking: □1. Reconnaissance □2. Scanning □3. Gaining Access □4. Maintaining Access □5. Clearing tracks RECONNAISSANCE SCANNING GAINING ACCESS MAINTAINING ACCESS CLEARING TRACKS ETHICAL HACKING CONCEPTS □What is ethical Hacking? □Why ethical Hacking is necessary? □Scope and Limitations of Ethical Hacking □Skills of an Ethical Hacker WHAT IS ETHICAL HACKING? WHY ETHICAL HACKING IS NECESSARY WHY ETHICAL HACKING IS NECESSARY SCOPE AND LIMITATION OF ETHICAL HACKING THE FOLLOWING STEPS PROVIDE A FRAMEWORK FOR PERFORMING A SECURITY AUDIT OF AN ORGANIZATION: □Talk to the client, and discuss the needs to be addressed during the testing □Prepare and sign NDA document with the client □Organize an ethical hacking team, and prepare a schedule for testing □Conduct the test □Analyze the results of the testing, and prepare a report □Present the report findings to the client. SKILLS OF ETHICAL HACKER INFORMATION SECURITY CONTROLS These controls prevent the occurrence of unwanted events and reduce risk to the organization's information assets. Recall the basic security concepts on internet are: - Confidentiality - Integrity - Availability Persons Accessing Information are: -Authentication, Authorization, and Non repudiation INFORMATION SECURITY CONTROLS - Incident Management - Assurance (IA) - Access Controls - Defense in Depth - Identy and Access - Information Security Policies Management(IAM) - Physical Security - Data Loss Prevention - Risk Management - Data Back Up and Recovery… - Threat Modelling INFORMATION ASSURANCE(IA) INFORMATION SECURITY MANAGEMENT PROGRAM ENTERPRISE INFORMATION SECURITY ARCHITECTURE NETWORK SECURITY ZONING DEFENSE IN DEPTH INFORMATION SECURITY POLICIES TYPES OF SECURITY POLICIES EXAMPLES PRIVACY POLICIES AT WORK STEPS TO CREATE AND IMPLEMENT SECURITY POLICIES PHYSICAL SECURITY TYPES OF PHYSICAL SECURITY CONTROLS PENETRATION TESTING CONCEPTS WHY PENETRATION TESTING TYPES OF PENETRATION TESTING PHASES OF PENETRATION TESTING COMPARISON.. BLUE TEAMING/RED TEAMING SECURITY TESTING METHODOLOGIES 1. OWASP 2. OSSTMM 3. ISSAF 4. LPT INFORMATION SECURITY LAWS AND STANDARDS 1. PCI DSS 2. ISO/IEC 27001 3. HIPAA 4. SOX 5. DMCA 6. FISMA END OF CHAPTER 1 Thank you
