
- 352 pages
- English
About this book
This book explains the methodologies, framework, and "unwritten conventions" that ethical hacks should employ to provide the maximum value to organizations that want to harden their security. It goes beyond the technical aspects of penetration testing to address the processes and rules of engagement for successful tests. The text examines testing from a strategic perspective to show how testing ramifications affect an entire organization. Security practitioners can use this book to reduce their exposure and deliver better service, while organizations will learn how to align the information about tools, techniques, and vulnerabilities that they gather from testing with their business objectives.
The Ethical Hack by James S. Tiller is available in PDF and/or ePUB format.
1 Getting Started

Hiring someone to hack your company goes by many names, such as ethical hacking, penetration testing, tiger teaming, intrusion testing, vulnerability analysis, and even security assessment. In addition, each term has different meanings in different countries or regions. The term penetration testing does not go over well in Central America and some places in the United States, whereas the term ethical hacking is not the preferred term in Western Europe. Tiger team is a derivative of a military term and I have heard it used in Taiwan and Japan, another place the use of ethical hacking, as the name of an act, does not go over well. Nevertheless, the most predominant terms are ethical hacking and penetration testing, and both terms are used quite regularly throughout this book.
The intention of this book is simple: explain and detail the methodologies, framework, and unwritten conventions ethical hacks should exercise to provide the most value to organizations seeking to enhance their security posture.
There is a great deal of respect for other books of similar type, extensive training on the subject, and professional service organizations that provide hacking services. All these convey valuable information pertaining to tools and processes on how to use them. However, it is critical that structure and process combine to ensure all parties recognize ultimate value and a company is not being hacked under false pretenses.
Security is a lot of things combined in many ways that will have varying degrees of impact, good and bad. This is a lesson in value and risk and how they relate to ethical hacking. Within security, one must take into consideration the human element as much as the technical. Additionally, there are the pragmatic issues of value and risk and their effects on business objectives.
There are several areas associated with ethical hacking that have yet to be addressed in their entirety. Following is a list of characteristics of ethical hacking and the gap associated with each. This book provides the framework and structure to address these fundamental issues.
- Focusing on Tools and Technology, and Very Little on Methodology. Today, there is a clear understanding of the use and availability of tools to support an ethical hack. Thanks to several popular references, the processes of technically performing a hack are well documented and reasonably well established. However, organizations desperately need to understand the details in the overall processes and how to use the test, and its results, for the betterment of their security posture. This is the ultimate goal behind ethical hacking services but, ironically, remains elusive and a rarity among the greater population of penetration-testing engagements.
- Interpreting the Results. When a system is determined "secure" because it has survived a controlled attack, it does not necessarily mean that system is actually secure. The vast amount of assumptions, limitations, and expectations inherent and applied to a test may result in indeterminate conclusions. Moreover, there are situations where the test resulted in voluminous amounts of vulnerabilities being identified making it nearly impossible to weed through the information to find what really matters and measure the risk. Another problem is that results are rarely integrated into the company's security program effectively and usually appear as ad hoc point solutions to solve an immediate need, such as a new firewall rule or another untracked policy statement. In some cases the entire exercise is to simply satisfy executive management that a vulnerability exists, without thought of integrating the results into the practice of corporate security. Few perform proper insightful planning by engaging in a process, resulting in limited scope and value to the company as a whole. Understandably, a test's lack of comprehensive planning is the root cause of the questionable effectiveness of many ethical hacking tests.
- Protecting the Innocent. Ethical hacking requires breaking into computer systems or applications to demonstrate the risk of an identified vulnerability. By collecting specific information from the target, an ethical hacker can prove access was successful and reveal the exposure. The result is that highly sensitive information about the target's security capabilities (or the lack of them) is collected and maintained far outside the owner's control. If this information were to fall into the wrong hands, it could be used to perpetrate a real attack against the company. Another risk is the information being leaked to the public or to stockholders who stand to lose their investment if the exposures represent a fundamental risk to the business. Information of this type can result in all types of disasters, including negative portrayals by the media, devaluation, loss of customers, or legal consequences. Also, there are several opportunities for the tester to accidentally inflict harm on intermediates, such as an Internet service provider (ISP), partners connected to the target's network, or customers interacting with the systems or applications under attack.
- Politics and Processes. Breaking into a company can represent a substantial threat to the continued employment of several people within the organization. It is essential the test be performed to support the entire company and not an individual. In some cases, the deliverable of an ethical hack was not presented to the people who needed it most to make the necessary security improvements. Politics play a major role in the planning of a test and the creation of limitations and expectations, ultimately affecting the outcome. Establishing a solid foundation of communication, expectations, imposed and inherent limitations, and metrics for the test will help to ensure the company benefits from the experience, not the individual.
- Testing Dangers. There are several dangers associated with penetration testing. These range from outages, system or application faults, and the destruction of information to more ominous issues such as information leaks (when questionable resources are used to perform the engagement, possibly sharing critical information with others for status or money) and piggybacking (when a real hacker uses the test's activities to camouflage his attack). Proper teaming and communication protocols will protect both tester and target from inadvertently harboring illicit activities. Moreover, testing engagements are a prime source for teaching people how to break into networks, especially yours. Great care and attention must be paid to the people performing the test and to their ethics and responsibilities.
AUDIENCE
The audience for this book is twofold, each on his or her own side of the "value fence."
Managers of organizations that are looking to solicit third parties (or internal departments) to perform an ethical hack against their networks, systems, applications, and even physical establishments are the primary beneficiaries of this book. Information security administrators, managers, directors, or anyone considering or responsible for obtaining penetration services can gain a great deal by employing a business-value, business-focused approach.
Information about what to expect from all phases of the test, from the first meetings to accepting the deliverable and knowing how to best use the results, is discussed. Elements detailed will help in identifying a good test from a bad one, or finding the value from what was perceived initially as a failure. Most important, organizations seeking penetration services will gain further insight into the appropriate measures and methodologies that should be practiced by a third party. Finally, this book provides guidance in setting test expectations: What are your expectations? What do you think the results will show? Are you prepared for Pandora's box to be opened? Understanding the details of a test will provide unequalled insight, and, most important, business value to any company.
For security practitioners, this book also provides exceptional value. First, by understanding what the customer is reading and digesting the information from his perspective, security consultants can learn more about the impact of his involvement and how to best meet their customer's demands. This book provides a set of methodologies that can be leveraged to protect you and the customer's interests, and ensure that you are providing a highly tuned, valuable service to your customer. Much of the information in this book should not be shocking or new to the majority of the security community. However, the goal is to provide a framework for performing tests and the structured content for all of the processes assumed to be in practice today.
HOW TO USE THIS BOOK
This book is more of a story about the logical, and sometimes illogical, aspects of information security. There are so many nuances regularly overlooked or placed on the back burner because they seem insurmountable or simply do not align with business objectives adding to the bottom line. This story is an opportunity to discuss the larger challenges of information security by using a popular tool, ethical hacking, as a medium for communication. For better or for worse, ethical hacking is becoming a huge component of a security program in the industry, and with it a greater sense of security, or lack of it, depending on your perception.
In Setting the Stage, Chapter 2, we set the foundation of the book by asking the high-level questions about value. We also cover what a penetration test is and the best time to employ such a service considering the state of your security posture and exactly what you are looking to gain. This is also the opportunity to take a quick look back at the history of computer crime and the evolution of penetration testing. Therefore, we also take a close look at the different types of hackers and what level of intensity a company can expect and plan for. And no security book would be complete without some FUD (fear, uncertainty, and doubt) around the state of the industry. Thanks to organizations such as Symantec, Gartner, IDC, CSI, and the FBI, we take a look at the industry as a whole in an effort to support the concept of security.
The Framework, Chapter 3, is a brief overview of the format of a test and ultimately of the book. This is an opportunity to provide a top-down view of ethical hacking and cover the primary methods for exercising a test. It is also the point where the value elements of the test are introduced, setting the stage for much more detailed discussions all founded on value.
Before we can ask the hard questions about the relationship among security, business, and the wedge of ethical hacking, we must establish a common language around security models. In Chapter 4, two common, yet unique models are introduced and then combined to demonstrate the fundamentals of security in the light of penetration testing.
Next, we look at an information security program based on accepted standards. Chapter 5 provides the opportunity to introduce the subject of risk, how to measure it, and see where penetration testing fits in the scope of risk analysis. We discuss management, controls, and measuring the threats and outlining the concepts of ethical hacking throughout the book.
Business Perspective, Chapter 6, introduces the business characteristics, such as the perspectives of security and the objectives of the test, and how to translate those into planning specifics to ensure value. Additionally, we investigate the reasoning for having the test performed in the first place. This is an opportunity to discuss the primary components that will help gain as much value from the process as possible.
Once we cover the business elements, we then move into planning the test. A great deal of information is shared in Chapter 7 and used throughout the book. We cover imposed and inherent limitations that face the test and how to deal with them. Importantly, the type of threat will affect how the test is performed, ultimately affecting the planning cycle.
Performing a test is not as simple as loading your favorite tool and whacking away at networks and servers. Properly preparing technically and procedurally for the test is essential to the value of the test and ensuring the privacy of the targeted company. In Chapter 8, Preparing for a Hack, we take a look at the common practices in addition to the lesser-known preparation techniques. Moreover, how the engagement should be managed is detailed.
Chapter 9, Reconnaissance, represents the beginning of detailing the attack processes. The planning and preparation is complete at this point and we move into action. We cover in great detail social engineering and how to tune the plethora of options to best use this investigative tool within your environment and meeting your goals. The chapter goes on to detail other areas of recon, such as wireless networks, dumpster diving, and combing the Internet for information.
Enumeration, Chapter 10, introduces the first technical phase of the engagement. The act of getting computers, networks, applications, services, and other technology to offer information about how they are configured and running is an art. Tools and tactics are introduced and used as an introduction to the exploitation phase. Again, value and methodology are the key factors during this discussion.
Once a technical picture is created of the organization, a point in the test must be dedicated to simply determining the vulnerabilities. This is where Chapter 11 helps you take different sources of information and convert them into an attack strategy, all based on meeting the goals of the company.
There are many books on exploiting vulnerabilities, but not typically within the framework of a comprehensive methodology. Although penetration testers do this naturally, Exploitation, Chapter 12, helps to map the exploitation of a vulnerability into the planning and, most important, the effects it will have on the final deliverable.
All this would be for naught without a document detailing what transpired during the test. However, we would be grossly remiss if the entire framework of value we established early in the process were not intimately used for the creation of a document. We detail every aspect of a deliverable (where the information came from, how to interpret the test in a manner that takes the goals, objectives, and risks into account) and put it in a format that will make sense to the business and not just the security geeks.
In my experience, the integration of the results from a test is usually limited to applying patches and reconfiguring a couple of routers, at best. Most of this is due to how the test was planned, executed, and the format of the information contained within the deliverable. The Integration chapter takes everything we've covered and provides the roadmap for realizing all the potential value from the test.
This is a story about security, more so than just about ethical hacking. It is about taking a tool, one of many, and applying it in a manner that provides the greatest value from the process. As with any story, the different sections of the framework are intimately related, one feeding off the other to make for a usable collection of information to help you get the most from a test and, it is hoped, from all things security.
2 Setting the Stage

You can compare security, to some degree, to physics. Many different thoughts and disciplines exist in physics, ranging from the pragmatic application of mathematics to the farthest interpretations of quantum mechanics. Ethical hacking has become the pinnacle of thought-provoking security activity that touches on the simplistic nature of security to the wide-ranging and encompassing aspects of managing risks.
Ethical hacking is essentially the act of exploiting vulnerabilities without the darker intentions of an explicit attack. The movie Sneakers was one of the first mainstream films that demonstrated the controlled attack. The film begins very late in the evening with Robert Redford and a small team breaking into a bank. After some very technical maneuvering, they successfully escaped with millions of dollars in loot. The next morning Robert walks into the bank and slams a suitcase full of the money on the senior staff's meeting table. It was not until this point that you realize he was not a thief, but rather a security expert proving the vulnerabilities of the bank's security systems by exploiting them.
The pursuit of vulnerability is what people seek, not the negative conclusion normally associated with an attack. For example, a security auditor can explain in detail that the schematics for your alarm system are available on the Internet and, with limited computer resources and ample time, can reverse-engineer the system and exploit its weaknesses. However, no matter the perspective, determining the validity of such a threat and the risk that someone may attempt to exploit it is arguably inconclusive. A security professional performing a risk assessment can apply various metrics resulting in some form of measurement, but these are related to high-level interpretations. Until someone gets the plans from the Internet, performs an analysis, and attempts to exploit the system, the numbers and metrics of the risk analysis are questionable to some degree. In other words, you don't know until you try.
Today, ethical hacking has become mainstream, almost a common occurrence for organizations wishing to test their intellectual and technical fortitude against the underworld. To counteract some concerns behind ethical hacking, many companies use different providers for ethical hacking services. For example, one organization utilizes professional services to test their networks monthly, using a different firm each time. The idea is to get a different perspective, because methodologies differ from firm to firm, not to mention the different habits of the people performing the test.
The Computer Crimes Investigation Unit of the Department of Homeland Security can identify hackers based solely on their technique. How you approach an attack is a fi...
Table of contents
- Cover Page
- Title Page
- Copyright Page
- About the Author
- Contributors
- Foreword
- Preface
- Acknowledgments
- 1 Getting Started
- 2 Setting the Stage
- 3 The Framework
- 4 Information Security Models
- 5 Information Security Program
- 6 The Business Perspective
- 7 Planning for a Controlled Attack
- 8 Preparing for a Hack
- 9 Reconnaissance
- 10 Enumeration
- 11 Vulnerability Analysis
- 12 Exploitation
- 13 The Deliverable
- 14 Integrating the Results