Classification of hacking
The Internet has changed everyday life through the way people interact and the way business operates. It has made life more comfortable for people across the globe. Some years back people used to queue for services such as paying bills and banking, and had to travel to meet each other physically. With the introduction of the Internet, people pay their bills online, bank online and interact with one another over video conferencing. Meetings can now be held online, so company staff need not be physically present. A computer is also no longer required to access the Internet: anybody with a smartphone or palmtop can access it.
Since the invention of the Internet, new kinds of crime have emerged that people commit over it. Initially computer crime meant physically damaging computer parts. This crime then advanced to making computers malfunction through malicious code or virus attacks. Before going deeper, let us understand the terms used in computer security.
- Ethical hacking: this is the legal process of finding a vulnerability or weak point in a network or computer system for testing purposes, without harming the system or interfering with data integrity. Its purpose is to evaluate system security.
- Penetration testing: this is the process of attempting to discover security flaws or vulnerabilities and determining whether an unauthorized user could gain access to a network or computer system using the identified vulnerability.
| PENETRATION TESTING | ETHICAL HACKING |
|---|---|
| Anyone with skills can perform penetration testing | Only individuals with certification can perform ethical hacking |
| Access is limited to specific computers or networks | Access is available to a wide range of networks and computers |
| Does not require a legal agreement, because anyone can do it from a remote location | Requires a legal agreement in order to conduct the testing |
| Requires less time | Involves a lot of work, for example documenting, and is therefore time consuming |
| Access to the infrastructure is not required | Access to the whole infrastructure is required |
| The tester need not be a good report writer or document every step | The tester must be a good report writer and document every step |
| Focuses only on securing the system | Focuses on a wide range of security and organization policies |
| Targets a specific goal | Targets several goals |
How ethical hacking is used to improve an organization's security
Evaluating the organization's security. (InfoSec Resources, 2018) Ethical hackers normally assess system security by employing the same tactics as black hats, but ethical hackers do not harm the system or disclose the vulnerability to unauthorized individuals. Instead they report the flaws to the responsible individual in the organization. They have a legal agreement with the organization to perform security tests and analyse them. They give a detailed report to the organization and advise on best practice before the bad guys find the vulnerability in the system.
Protecting the privacy of individuals or the organization. When assessing system or network security, ethical hackers may encounter a security flaw that poses a potential risk to the privacy of users or of the organization. They report it to the responsible individual without disclosing it to the public.
Reporting vulnerabilities before they are exploited by black hat hackers. Ethical hacking involves legal, intentional hacking of the system so that weak points in the computer are identified and reported. The reported vulnerability can then be patched, or other protective measures employed, such as hardening the system with a firewall, antivirus and an IDS.
Creating awareness of network attacks by educating employees in the organization. Ethical hacking helps to identify traps that staff in an organization may fall into, for example the phishing methods employed during a security assessment. Ethical hackers then educate staff on the various ways to mitigate these attacks, which creates awareness among employees.
Emerging security vulnerabilities are addressed in time. Ethical hackers keep themselves up to date with emerging vulnerabilities and the various ways to mitigate them. An organization with a complex network infrastructure may not be in a position to fix all the network issues or to know which nodes are vulnerable to a certain exploit.
Open Source Security Testing Methodology Manual (OSSTMM). (SearchNetworking, 2018) This methodology covers several areas by describing how security configuration and policies should be implemented in every organization. The OSSTMM covers security assessment at every step, from the first step of gathering requirements to the final step of report writing and generation. The areas covered by this methodology are: internet security, information security, wireless security, physical security, communication security and process security.
This methodology focuses on the technical details that need to be done in the different phases. It also tests different categories or levels, for example international best practices and the laws governing each level. Other matters such as ethical practices are also laid down.
CHECK methodology. (SearchNetworking, 2018) It is meant to identify vulnerabilities in information technology systems and networks. It also ensures that the confidentiality, availability and integrity of data are protected.
Standards for Information Systems Auditing (ISACA). (SearchNetworking, 2018) ISACA is a well-known standard used all over the world. It is an information security auditing tool whose controls have standards that practitioners must meet.
Open Web Application Security Project (OWASP). (SearchNetworking, 2018) This is an open source project meant to help developers and testers build secure applications that are well tested before release. It provides standards for building web applications using best-practice methods. For example, mitigating buffer overflows, SQL injection and XSS in web applications is addressed.
(Cbldatarecovery.com, 2018) The first step is to gather information about the target. Vulnerability scanning tools such as Nikto or Nmap can be used. These tools give an overview of whether the target is vulnerable to any attack. Other tools can also be employed in this phase.
(Cbldatarecovery.com, 2018) The second step is to get closer to the target and analyze all the data collected in the first step. This step involves trying the possible vulnerabilities associated with the target, for example brute force and buffer overflows. This step can take more time while identifying an exploit that can be used to attack the target.
The third step is to probe and attack by listening to the target using sniffer tools. For example, when attacking a wireless network, Ettercap is used to poison ARP tables.
(RPS and PC, 2015) Audits. This involves auditing the computers and the network infrastructure. An auditing team can be hired to perform this work and give detailed information on bad practices and outdated software in use.
Premium software can be used to scan the network. This will identify the weakest points in the network. Such intelligent software provides real-time alerts when vulnerabilities are found in the network.
Penetration tests also uncover vulnerable systems in the network. These are done by qualified personnel or ethical hackers who have been legally hired to perform network security assessment tests.
Using an intrusion detection system. An intrusion detection system keeps logs of any attack, so an administrator can identify the vulnerable systems in a network.
Thorough testing of the system by overloading it with data. Buffer overflows can be identified this way. System testers can automate this task in order to find out whether the system is vulnerable.
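The ARP table poisoning mentioned in the third step and the intrusion detection logging described above can be tied together with a small detector. The following is an added example, not code from the original essay or from any of the cited sources: it reads a constructed log of ARP replies (invented addresses, with 192.168.1.1 assumed to be the gateway) and raises the alerts an IDS would record when an IP is rebound to a different MAC or one MAC answers for several IPs.

```python
from collections import defaultdict

# Constructed sample of ARP replies as an IDS or sniffer might log them,
# one "timestamp ip mac" record per line (all values invented).
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 aa:bb:cc:00:00:01
10:00:02 192.168.1.10 aa:bb:cc:00:00:10
10:00:03 192.168.1.11 aa:bb:cc:00:00:11
10:00:09 192.168.1.1 aa:bb:cc:00:00:11
10:00:10 192.168.1.10 aa:bb:cc:00:00:11
"""

GATEWAY_IP = "192.168.1.1"  # assumed gateway of the constructed network


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        yield ts, ip, mac.lower()


def detect_arp_poisoning(text, gateway_ip=GATEWAY_IP):
    """Return (severity, timestamp, message) alerts.

    A reply that rebinds a known IP (above all the gateway) to a new MAC is
    the signature of ARP cache poisoning; one MAC answering for several IPs
    corroborates that a single host is impersonating others.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((severity, ts, f"{ip} moved from {known} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(("MEDIUM", "-", f"{mac} claims {len(ips)} IPs: {sorted(ips)}"))
    return alerts

if __name__ == "__main__":
    for sev, ts, msg in detect_arp_poisoning(SAMPLE_ARP_LOG):
        print(f"[{sev}] {ts} {msg}")
```

On the sample log the gateway rebinding is reported as HIGH, the second host's rebinding as MEDIUM, and the MAC that ends up claiming three addresses is flagged once the log has been read.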
Rules and regulations to consider while engaging in ethical hacking and/or pen-testing activities
- (Johansen, 2018) Before performing a network assessment, know the sensitivity of the client's information. This will ensure that the laws and regulations governing the information are obeyed.
- (DayDigital, 2018) During and after ethical hacking, keep in contact with the client and always let them know everything they need to know concerning their information security.
- (DayDigital, 2018) Do not go beyond the boundary set by the client during ethical hacking. An ethical hacker can access any information during hacking, but must not violate the client's agreement.
- (Johansen, 2018) After ethical hacking, never disclose the client's information or security infrastructure to others. Always keep the client's information secret. Disclosing it may result in the client being attacked, or the information may be used to harm the client's network.
- (Johansen, 2018) Before performing any ethical hacking, know the client organization's background, for example its business, its network infrastructure and its layout.
- (Johansen, 2018) Also ensure that you have signed a legal agreement with the client so that you know what is to be done and what should not be done. This will ensure mutual agreement between the client and the ethical hacker. In case of a lawsuit, the legal agreement will protect the client and the ethical hacker. Also ensure that you have a well written, signed authorization form from the organization.
- Do not jam or crash the live system being used by the client unless the organization has authorized you to do so.
- Execute only what has been planned. Do not depart from the plan to carry out unplanned attack tests.
- Ensure you strictly adhere to the terms of the contract and observe the laws.
Conclusion
In conclusion, achieving absolute security is hard in any organization; therefore security starts with every individual, and everyone should be aware of emerging security threats, for example sophisticated malware such as ransomware.
References
InfoSec Resources. (2018). Ethical Hacking vs. Penetration Testing. [online] Available at: https://resources.infosecinstitute.com/ethical-hacking-vs-penetration-testing [Accessed 25 Apr. 2018].
Johansen, R. (2018). Ethical Hacking Code of Ethics: Security, Risk & Issues – Panmore Institute. [online] Panmore Institute. Available at: https://panmore.com/ethical-hacking-code-of-ethics-security-risk-issues [Accessed 25 Apr. 2018].
DayDigital. (2018). Using Ethical Hacking To Improve IT Security. [online] Available at: https://daydigital.com/ethical-hacking-improve-security [Accessed 25 Apr. 2018].
Quickstart.com. (2018). 5 Strategies to Improve Your Organization’s Cyber Security. [online] Available at: https://www.quickstart.com/blog/post/5-strategies-to-improve-your-cyber-security/ [Accessed 25 Apr. 2018].
SearchNetworking. (2018). Penetration testing methodology and standards. [online] Available at: https://searchnetworking.techtarget.com/tutorial/Penetration-testing-methodology-and-standards [Accessed 25 Apr. 2018].
Steve, S. (2018). Data Breach Prevention: 3 Ways To Identify System Vulnerabilities. [online] Blog.cygilant.com. Available at: https://blog.cygilant.com/blog/data-breach-prevention-3-ways-to-identify-system-vulnerabilities [Accessed 25 Apr. 2018].
Cbldatarecovery.com. (2018). Identifying Vulnerabilities In Networked Systems – CBL Data Recovery. [online] Available at: https://www.cbldatarecovery.com/articles/network-vulnerability [Accessed 25 Apr. 2018].
Eweka, R. and Elango, S. (2015). Implementation of Address Learning/Packet Forwarding, Firewall and Load Balancing in Floodlight Controller for SDN Network Management. International Journal of Information Systems and Engineering, 3(1), pp.160-170.
RPS, M. and PC, R. (2015). Identifying Vulnerabilities in Cloud Computing Using Penetration Test. Computer Engineering & Information Technology, 04(02).