Lecture 05 - Security - Ethical Hacking PDF
UOW College Australia
Summary
This lecture covers ethical hacking, cybersecurity, and penetration testing. It defines different types of hackers (white hat, grey hat, black hat), discusses cybercrimes, and introduces penetration testing methodologies. The lecture also touches on intelligence gathering methods and types of information that can be gathered.
INTRO TO ETHICAL HACKING
CSIT040 – Modern Computing Skills
Instructor: Dr. May El Barachi

What comes to your mind when you think about hacking?

What is the cost of hacking?
- Cybercrime costs the world economy more than $1 trillion per year.
- According to IBM, the average cost of a data breach is around $3.68 million as of 2020.

What about hacking stats?
- Attacks involving compromised passwords cost SMBs around $384,598 per attack.
- In the past 5 years there have been over 2.2 million complaints about internet crime to the FBI.
- White hat hackers are earning significant incomes.
- 46% of organizations received malware via email in 2020.
- 55% of phishing sites used target brand identities in URLs.
- In 2020 hackers sold over 500,000 Zoom passwords on the dark web.

What are the hacking trends?
- Credentials are the most sought-after data in a hack.
- More than 85% of breaches in 2021 involved a human element.
- Remote working may be causing increased hacking issues.
- In 2021 the most common initial attack vector was compromised credentials.
- 60% of senior decision-makers still aren’t taking cybersecurity seriously.
- 53% of users haven’t changed their password in the last year.
- Over 80% of attacks are financially motivated.

Defining Penetration Testing
The term “hacker”: how my English dictionary defines a hacker
- A person who uses computers to gain unauthorised access to data
- An enthusiastic and skilful computer programmer or user

Different kinds of hackers
- White Hat Hackers (= ethical hackers): Hackers who think like the attacking party but work for the good guys. They are characterised by having a code of ethics which stipulates that they cause no harm.
- Grey Hat Hackers: Hackers straddling the line between the good side and the bad side. Perhaps they have been “rehabilitated”.
- Black Hat Hackers: Hackers operating on the wrong side of the law. They may have an agenda or no agenda at all.
- Cyberterrorists: A new form of hackers trying to destroy targets and cause bodily harm. Sometimes their actions are not stealthy.

Defining Penetration Testing
Penetration tester?
A penetration tester or pen tester is a white hat hacker employed either as an internal employee or as an external entity to conduct a penetration test.
Penetration testing?
Surveying, assessing and testing the security of a given organization by using the same techniques, tactics and tools that a malicious hacker (black hat hacker and/or cyberterrorist) would use.
In this subject, I equate “penetration testing” with “ethical hacking”.
Summary:
- penetration testing = pentesting = ethical hacking
- penetration tester = pentester = white hat hacker

Categories of Cybercrime According to Law - Reminder
- Identity theft: Stealing the information that allows a person to impersonate other person(s) for illegal purposes, mainly financial gain such as opening credit card/bank accounts, obtaining rental properties, etc.
- Theft of service: Use of phone, Internet, streaming movies or similar items without permission; it usually involves password cracking. Example: Sharing a Netflix account, even with friends, can be considered theft and can be prosecuted in certain states of the US.
- Network intrusion or unauthorized access: The most common type of attack; it leads to other cybercrimes. Example: Breaking into your neighbour’s WiFi network opens up a lot of opportunities for attack.
- Posting and/or transmitting illegal material: Distribution of pirated software/movies, child pornography. It is getting hard to stop due to file sharing services, encryption, etc.
- Fraud: Deceiving another party or parties to elicit information or access, typically for financial gain or to cause damage.
- Embezzlement: A form of financial fraud involving theft and/or redirection of funds.
- Dumpster diving: Gathering information from discarded/unattended material (ATM receipts, credit card statements, etc.). Going through rubbish itself is not illegal, but going through rubbish on private property is.
- Writing malicious code: Malicious code refers to items like viruses, worms, spyware, adware, rootkits, ransomware and other types of malware. This crime aims to cause havoc and/or disruption.
- Unauthorized destruction or alteration of information: This covers modifying, destroying and tampering with information without appropriate permission.
- DoS (Denial of Service) / DDoS (Distributed Denial of Service): Overloading a system’s resources so that it cannot provide the required services to legitimate users. DDoS is performed on a larger scale – it cannot be prevented by blocking one source.
- Cyberstalking/Cyberbullying: A relatively new crime on the list. The attacker uses online resources and other means to gather information about an individual and uses this to track and, in some cases, meet the person (cyberstalking), or to harass the person (cyberbullying).
- Cyberterrorism: Attackers make use of the internet to cause significant bodily harm to achieve political gains. The scope of cyberterrorism is controversial. Related to information warfare.

Let us test your understanding on this!
Scenario: John steals personal information, including Emirates ID numbers and credit card details, from unsuspecting individuals and uses it to open fraudulent bank accounts. What type of cybercrime is John committing?
Scenario: Mary uses software to bypass the payment system of an online streaming platform and accesses premium content without paying for it. What type of cybercrime is Mary committing?
Scenario: Mark gains unauthorized access to a company's computer network and extracts sensitive customer data. What type of cybercrime is Mark committing?
Scenario: Sarah distributes copyrighted movies and software through a file-sharing service, allowing others to download them for free. What type of cybercrime is Sarah committing?
Scenario: Tom deceives individuals into providing their bank account details by posing as a bank representative through email. He then uses this information to steal funds. What type of cybercrime is Tom committing?
Scenario: Lisa searches through trash bins outside a company's office to find discarded documents containing sensitive customer information. What type of cybercrime is Lisa committing?
Scenario: Alex creates a computer virus that infects other users' devices, causing them to crash or stealing personal information. What type of cybercrime is Alex committing?
Scenario: Peter alters financial records within a company's database to redirect funds to his personal account. What type of cybercrime is Peter committing?
Scenario: Emily floods a website's server with a massive amount of traffic, making it unavailable to legitimate users. What type of cybercrime is Emily committing?
Scenario: Jessica repeatedly sends threatening and harassing messages to a classmate through social media platforms. What type of cybercrime is Jessica committing?

Penetration Testing Methodology
1. Determining the objectives and scope of the job
2. Choosing the type of test to perform
3. Gaining permission via a contract
4. Performing penetration testing (the process of penetration testing specifies steps 4.1 to 4.6)
5. Creating a risk mitigation plan (RMP)
6. Cleaning up any changes made during the test

Penetration Testing Methodology: 1. Determining the objectives and scope of the job
A pentester and a client should meet to discuss the objectives of the test.
Examples of objectives:
- To determine security weaknesses
- To test an organization's security policy compliance and its employees’ security awareness
- To test an organization's ability to identify and respond to security incidents
Scope of the test:
- Usual network penetration testing
- Social engineering testing: the human aspect of vulnerability
- Application security testing: finding flaws in software applications
- Physical penetration testing: testing the security of the premises where digital assets and network resources are stored

Penetration Testing Methodology: 2. Choosing the type of test to perform
Three typical types of testing:
1) Black-box testing: Most closely resembles the situation of an outside attack. This test is called an “external test”. The test is executed from a remote location, much like a real attacker would. The pentester will be extremely limited in information about the target.
2) Grey-box testing: The pentester will have some limited knowledge of the target, for example (at least) what operating system the target is mainly using.
3) White-box testing: This gives the pentester full knowledge of the target. Basically this test simulates an “insider attack”. This test is called an “internal test”.

Penetration Testing Methodology: 3. Gaining permission via a contract
It is vitally important to get clear and unambiguous permission to perform a pentest. A written form of authorization rather than a verbal authorization is important. It should include:
- Systems to be evaluated
- Perceived risks
- Timeframe
- Actions to be performed when a serious problem is found
- Deliverables

Penetration Testing Methodology: 4. Performing penetration testing
(More to come regarding this.)

Penetration Testing Methodology: 5. Creating a Risk Mitigation Plan (RMP)
Purpose: the RMP is to develop options and actions to enhance opportunities and reduce threats in an organization.
Contents: the RMP should clearly document all the actions that took place, including the results, interpretations and recommendations.

Penetration Testing Methodology: 6. Cleaning up any changes made during the test
This is an obvious step, needed to prevent possible mishaps.

Penetration Testing Process
What do we want to achieve? The CIA triad
- Confidentiality: Keep information secret/private from those who are not authorized
- Integrity: Keep information in a format that retains its original purpose and meaning
- Availability: Keep information and resources available to those who are legitimate
What do we want to prevent? The anti-CIA triad
- Improper disclosure: Accidental or malicious revealing of information
- Unauthorized alteration: Accidental or malicious modification of information
- Disruption: Accidental or malicious disturbance of information or resources

LET US LEARN ABOUT THE FIRST STEP: INTELLIGENCE GATHERING
Let us start with a proverb!
“Know yourself, know your enemy, and you shall win a hundred battles without loss” -- General Sun Tzu

Introduction to Intelligence Gathering
Intelligence gathering is the process of ethical hacking through which a pentester locates information about a target which will be useful for later steps of the attack. Intelligence gathered about a target may refine the steps that come later. Anything that has the potential to be exploited should be sought. It is important to develop an “eye” to detect useful information carefully, but sheer “luck” could also work.

Consequences of Intelligence Gathering
- Reputation/business loss: If customers find that their information and/or other data is not properly secured, the reputation of the company will be eroded and the incident will cause customers to go elsewhere.
- Information leakage: Vital information such as project information, employee data, personal details, financial information, or any of a number of possibilities can be lost.
- Privacy loss: If information that is supposed to be kept confidential is lost, legal repercussions as well as loss of confidence can result.
- Corporate information: Information that is uncovered through the intelligence gathering process can be sold to competitors looking for details about their opponents.

Types of information to be gathered
- Technical information: Information regarding operating systems, networks and applications, IP addresses and/or IP address ranges, and device information. Additionally, information regarding webcams, alarm systems, mobile devices, etc.
- Administrative information: Organizational structure, corporate policies, hiring procedures, details of employees, phone directories, vendor information, etc.
- Physical details: Data about location and facilities.

Intelligence gathering methods
- Passive: Methods that do not engage the target. If the target is not engaged, little or no indication of an impending attack will be given to the target.
- Active: Methods that do engage the target by, for example, making phone calls to the company, help desk, employees and/or other personnel. Care should be taken not to give the target an indication of the attack.
- Open Source Intelligence (OSINT) gathering: Gathering intelligence from those sources that are typically publicly available and open. A kind of passive information gathering method. The least aggressive method.
Gathering info about a domain: Netcraft
- A website that provides comprehensive information about the technologies that a domain uses. URL: http://toolbar.netcraft.com/site_report
- In fact, Netcraft will provide almost all the information whois can provide.
- It provides information about the web hosting company, hosting history, type of web server, whether it sends spam, server-side and client-side technologies, web applications used, etc. (Many more!)
- All the above information can be exploited to find vulnerabilities of the target.

Gathering info about a domain: Netcraft example
As an example, query www.howtogeek.com on Netcraft. You can see this site is using WordPress as blog software. Then go to www.exploit-db.com and search for wordpress. A long list of exploitable vulnerabilities exists!

Gathering info about sub-domains
- Subdomain: A subdomain is a domain which is part of a larger domain. Example: uow.edu.au has subdomains media.uow.edu.au, eis.uow.edu.au, etc.
- Reasons for having subdomains: To organize content more effectively by giving different divisions or departments their own subsite that they can control and manage. Or companies may want to “hide” content by having subdomain sites, for example: beta.facebook.com
- A few web tools for searching for subdomains exist:
  https://searchdns.netcraft.com/
  https://pentest-tools.com/information-gathering/find-subdomains-of-domain (more effective)

Gathering intelligence from a website
What can be found:
- People (personnel)
- Email addresses
- Physical addresses
- Job postings leaking information
- Product, project and service information

Gathering intelligence about a website: electronic dumpster diving (finding websites that do not exist any more)
- The process of looking for old, obsolete and obscure data.
- The Wayback Machine (archive.org) can be used. The Wayback Machine project, which started in 1996, contains around 435 billion web pages that have been archived.
- Visit web.archive.org to get old web pages of our university.

Gathering intelligence about a website: the same server, different websites
- One server can serve/handle multiple websites. Gaining access to one of those websites on the same server can be helpful to attack others.
- Visit https://www.yougetsignal.com/tools/web-sites-on-web-server/ and query a website you know.
- Example: Enter www.uow.edu.au in the active window and see the results. These websites share the same IP address as www.uow.edu.au.

TIME FOR THE LAB!
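The two observations above, that a domain's responses reveal its web server and CMS (the Netcraft example) and that several sites can share one server (the reverse-IP example), are easiest to understand from the defending side by auditing what one's own hosts disclose. The Python below is an added example, not code from the lecture or from Netcraft: it takes a constructed inventory of hostnames with the IP each resolved to and the HTTP headers and HTML observed, lists the technology facts a passive observer could read straight off each response, and groups the hosts that share an IP. All hostnames, addresses and responses are made up.

```python
import re
from collections import defaultdict

# Constructed inventory of an organisation's own hosts: the IP each resolved
# to and the HTTP headers / start of HTML observed. All values are made up.
SAMPLE_HOSTS = {
    "www.example.test": {
        "ip": "203.0.113.10",
        "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
        "html": '<html><head><meta name="generator" content="WordPress 5.7">'
                '<link rel="stylesheet" href="/wp-content/themes/t/style.css">',
    },
    "beta.example.test": {
        "ip": "203.0.113.10",
        "headers": {"server": "nginx"},
        "html": "<html><head><title>beta</title></head>",
    },
    "media.example.test": {"ip": "203.0.113.22", "headers": {}, "html": "<html></html>"},
}

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)

def disclosed_technologies(headers, html):
    """Facts a passive observer reads straight off a response: banners, generator tag, CMS paths."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    found = [f"{n}: {lowered[n]}" for n in ("server", "x-powered-by") if lowered.get(n)]
    match = GENERATOR_RE.search(html)
    if match:
        found.append(f"generator: {match.group(1)}")
    if "/wp-content/" in html:
        found.append("wordpress: /wp-content/ path referenced")
    return found

def shared_ip_groups(hosts):
    """Group hostnames by resolved IP; a group of two or more is the 'same server,
    different websites' situation that a reverse-IP lookup reveals."""
    by_ip = defaultdict(list)
    for host, info in hosts.items():
        by_ip[info["ip"]].append(host)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}

def exposure_report(hosts):
    """Per-host list of disclosed facts; an empty list means nothing was leaked."""
    return {h: disclosed_technologies(i["headers"], i["html"]) for h, i in hosts.items()}

if __name__ == "__main__":
    for host, facts in exposure_report(SAMPLE_HOSTS).items():
        print(host, "->", facts or "nothing disclosed")
    for ip, names in shared_ip_groups(SAMPLE_HOSTS).items():
        print(ip, "is shared by", names)
```

Every item the report lists for a host is a fact an outsider gets for free before any active probing, so removing version banners and generator tags shrinks the passive-OSINT picture of a site.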