Monday, January 21, 2008

Modes of Ethical Hacking

There are several ways to conduct a security evaluation.
  • Remote network
    This simulates an intruder launching an attack across the internet. The primary defenses that must be defeated here are the border firewall, filtering routers, etc.
  • Remote dial-up network
    This simulates an intruder launching an attack against the organization's modem pools. The primary defense that must be defeated here is the user authentication scheme.
  • Local network
    This simulates an employee or other authorized person who has a legal/authorized connection to the organization's network. The primary defenses that must be defeated here are the intranet firewall, intranet web server and server security measures.
  • Stolen equipment
    This tests how well users protect their information assets. For example, if a stolen laptop has stored passwords or critical information that can be easily accessed, this can be a security breach. An attacker may then dial in remotely to the organization's main server with proper authentication.
  • Social engineering
    This test evaluates the integrity and awareness of the target organization's personnel. A typically quoted example of social engineering is an intruder calling the computer help line and asking for the external telephone number of the modem pool. Defending against this kind of attack is the hardest because people and personalities are involved. Being helpful comes naturally in organizations geared toward a service orientation, and this may inadvertently lead to a security compromise. Often seen scenarios include telling someone who appears to be lost where the computer room is located, or letting someone into the building who does not have proper identification credentials. The only defense against this is to raise security awareness.
  • Physical entry
    This test acts out a physical penetration of the organization's building. The primary defenses here are a strong security policy, security guards, access control and monitoring, and security awareness.

How does an Ethical Hacker go about the evaluation?

Any security evaluation involves three phases: preparation, conduct and conclusion.
  1. Preparation
    In this phase, a formal contract is signed that contains a non-disclosure clause as well as a legal clause to protect the ethical hacker against any prosecution that he may possibly attract during the conduct phase. The contract also outlines the infrastructure perimeter, evaluation activities, time schedules and resources available to him.
    During this phase, the ethical hacker should discuss with the organization what the organization is trying to protect, against whom and at what cost. After discussion, a security plan is prepared which identifies the systems that are to be tested for vulnerabilities, how the testing will be carried out (methodology) and what restrictions may be applied (limitations faced).
    While it is theoretically possible to say that the testing strategy should follow a "no-holds-barred" approach, in practice this is not usually the case. This approach is encouraged so that the ethical hacker is given the chance to gain maximum access.
  2. Conduct
    In this phase, the technical evaluation report is prepared based on testing of potential vulnerabilities.
    There are several methods for carrying out ethical hacking, but the two most used approaches are limited vulnerability analysis and attack and penetration testing. Limited vulnerability analysis deals with enumerating the specific entry points to the organization's information system over the internet, as well as the visibility of mission critical systems and data from a connection on the internal network. On detection, the potential entry points and mission critical systems are scanned for known vulnerabilities. The scanning is done using standard connection techniques and is not based solely on vulnerability scanners.
    In attack and penetration testing, discovery scans are conducted to gain as much information as possible about the target system. Similar to limited vulnerability analysis, the penetration scan can be conducted from both the internet and the internal network perspective. This approach differs from limited vulnerability analysis in that the testing is not limited to scanning alone. It goes a step further and tries to exploit the vulnerabilities. This is said to simulate the real threat to data security.
    Clients usually prefer a limited vulnerability analysis because they do not want to risk loss of data or any other damage.
    It should be communicated to the organization that there are inherent risks in undertaking an ethical hack. These can include alarmed staff and unintentional system crashes, degraded network and system performance, denial of service, and log file size explosions. A possible way of minimizing this risk is to conduct the test after office hours or on holidays. The organization should provide a contact within the organization who can respond to calls from the ethical hackers if a system or network appears to be adversely affected by the evaluation, or if an extremely dangerous vulnerability is found that should be corrected immediately. While conducting an evaluation, ethical hackers may come across security holes that cannot be fixed within the predetermined time frame. Therefore, the ethical hacker must communicate to his client the urgency for corrective action, which can extend even after the evaluation is completed. If the system administrator delays the evaluation of his system until a few days or weeks before the computer needs to go online again, no ethical hacker can provide a really complete evaluation or implement corrections for potentially immense security problems. Therefore, such aspects must be considered during the preparation phase.
  3. Conclusion
    In this phase, the results of the evaluation are communicated to the organization and corrective action/advice is taken if needed.

Skill Profile of an Ethical Hacker

Ethical hackers should have strong computer knowledge, including programming and networking. They should be proficient at installing and maintaining systems that use the popular operating systems (e.g. Unix, Windows or Linux) usually found on target systems. Detailed knowledge of the hardware and software provided by popular computer and networking hardware vendors complements this basic knowledge. It is not always necessary for an ethical hacker to be a security professional. However, it is an advantage to know how various systems maintain their security. This system management knowledge is necessary for the actual vulnerability testing and for preparing the report after the testing is carried out.

An ethical hacker should be one step ahead of the malicious hacker and possess immense patience and the capability for persistent concentration. A typical evaluation may require several days, perhaps even several weeks, of analysis beyond the actual testing itself.

Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review on the part of the ethical hacker. An ethical hacker should use constructive methods as opposed to the destructive methods adopted by the malicious hacker. The intent behind an ethical hacker's actions is to protect the system and rectify its vulnerabilities. An ethical hacker is convinced that he can change something by using his skills constructively. He must be reliable and trustworthy, since he might discover information about the organization that should remain secret.

Hacktivism

Hacktivism refers to hacking with or for a cause. It is a kind of electronic civil disobedience in which activists take direct action by breaking into or protesting at government or corporate computer systems. It can also be considered a kind of information warfare, and it is on the rise. Hacktivists consider it their obligation to bring an offline issue close to their agenda into the online world. The apparent increase in hacktivism may be due in part to the growing importance of the internet as a means of communication.

Internet hacktivists believe that "state sponsored censorship of the internet erodes peaceful and civilized coexistence, affects the exercise of democracy, and endangers the socioeconomic development of nations". For instance, they may have agendas that consider "state-sponsored censorship of the internet as a serious form of organized and systematic violence against citizens, intended to generate confusion and xenophobia, and a reprehensible violation of trust". For instance, the Cult of the Dead Cow, an older security group, states that its objective is to "study ways and means of circumventing state sponsored censorship of the internet and implementing technologies to challenge information rights violations".

Most hacktivists aim at sending across a message through their hacking activity and gaining visibility for their cause and themselves. Common targets include government agencies, MNCs, or any other entity perceived as "bad" or "wrong" by these groups or individuals. It remains a fact, however, that gaining unauthorized access is a crime, no matter what the intent.

What does an Ethical Hacker do?

To evaluate the security of an information system, an ethical hacker seeks answers to three basic questions:
  1. What can an attacker see on the target system?
    This requires an ethical hacker to think "out of the box" and to be "creative". An attacker can exploit vulnerabilities that are overlooked in the normal and routine security checks by the system administrator. This corresponds to the reconnaissance and scanning phases.
  2. What can an attacker do with the available information?
    An ethical hacker tries to understand the intent and purpose of the potential exploit, so as to apply appropriate countermeasures. This corresponds to the gaining access and maintaining access phases. An ethical hacker needs to think one step ahead of the attacker in order to provide sufficient protection.
  3. Are the attacker's attempts being noticed on the target system?
    Usually attackers lurk around the system before they actually wreak havoc. If the activities of an attacker are not noticed, the attacker can spend weeks or months trying to break in. In order not to be noticed, attackers may cover their tracks by modifying log files or installing trojan horses or back-doors. An ethical hacker needs to investigate whether these activities have been recorded and what preventive measures were taken, if any. This not only gives him an indirect assessment of the attacker's proficiency, but also gives him insight into the security-related activities of the enterprise or system he is evaluating.
The entire process of ethical hacking and subsequent patching of discovered vulnerabilities depends on questions such as:
  • What is the organization trying to protect, against whom or what, and how many resources is the organization willing to expend in order to gain protection?
Sometimes, when such exercises are undertaken without a proper framework, the organization may call off the evaluation at the first instance of vulnerability reporting. This may be to ward off further discovery or to save resources. Therefore it is imperative that the ethical hacker and the organization work out a suitable framework.

The organization must be convinced of the need for the exercise. Usually the concerned personnel have to be guided to concisely describe all of the critical information assets whose loss could adversely affect the organization or its clients.

Last, but not least, the ethical hacker must remember that it is not possible to guard systems completely.

Hacker Classes

Hackers can be classified into various categories based on their activity profiles.

  • Black hats
    • Individuals with extraordinary computing skills who use their skills with malicious intent for illegal purposes. This category of hacker is often associated with criminal activities and sought by law enforcement agencies.
  • White hats
    • Individuals professing hacker skills and using them for defensive purposes. Also known as "Security Analysts".
  • Grey hats
    • Individuals who work both offensively and defensively at various times. They believe in full disclosure, so that other people who come across the disclosed information are able to make judicious use of it.
Ethical hackers are information security professionals who are engaged in evaluating the threats to an organization from attackers. Ethical hackers can be classified into the following categories:
  • Former black hats
    • This group comprises former crackers who have taken to the defensive side. They are better informed about security-related matters, as they have no dearth of experience and have access to the right information through the hacker network. However, they do not earn credibility for the very same reason, as they may pass along sensitive information, knowingly or inadvertently, to the hacker network, thereby putting the enterprise at risk.
  • White hats
    • They profess to have skills on par with the black hats. However, it remains to be seen whether they can be as efficient in information gathering as black hats.
  • Consulting firms
    • This is a new trend being seen in ICT consulting services, with the increasing demand for third-party security evaluations. These firms boast impressive talent and credentials. However, a word of caution is necessary with regard to background checks on these individuals, as they may include former black hats and even script kiddies who take up assignments for the thrill it gives them.

Anatomy of Attack

Now we come to some real fun. What does a hacker do?

In general, a hacker attack can be dissected into five phases.

  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks

Reconnaissance
Reconnaissance refers to the very initial stage, where the hacker tries to collect as much information as possible about the target before starting any attack. The hacker will use both technical knowledge and social skills to learn more about the target. Social skills, or social engineering, can be surprisingly efficient at collecting internal information.

Technical reconnaissance can be categorized into active and passive reconnaissance. Active reconnaissance involves using tools to interact with the target, while passive reconnaissance collects publicly available information and relies on social engineering, dumpster diving, etc. Active reconnaissance is usually used by newbies who perceive a low threat of their reconnaissance activity being detected.

As an ethical hacker, you must be able to identify the different reconnaissance methods and be able to advise on preventive measures in respect of the potential threat.

Scanning
Scanning refers to the pre-attack stage, when the attacker scans the target using the specific information gathered during reconnaissance. Scanning can be considered an extension of active reconnaissance which involves automated tools such as network/host scanners and war dialers to discover any vulnerability. An attacker can gather information such as a map of systems, routers and firewalls by using simple tools such as traceroute, or Cheops, which adds sweeping functionality to that rendered by traceroute.

A port scanner can be used to detect listening ports and so find information about the services running on the target machine. The primary defense is to shut down services that are not needed. A vulnerability scanner can be used to detect vulnerabilities on the target network. This gives the attacker the advantage of time, because he has to find just one vulnerability to enter, while the system professional needs to apply several patches.

Organizations that deploy intrusion detection systems still have to worry, as attackers can use evasion techniques at both the application and the network level. However, a properly configured NIDS cannot be detected, and all the better ones do anomaly detection, making evasion difficult.
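As an added illustration of the defender's side of the scanning phase (this is example code written for these notes, not from the original post or any product): a small detector that reads constructed firewall log lines and flags a source that probes many distinct ports on one host within a short window, which is the kind of anomaly a NIDS looks for. The log format, the addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed syslog-like format (not from any real product).
SAMPLE_LOG = """\
2008-01-21T09:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=21
2008-01-21T09:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=22
2008-01-21T09:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=23
2008-01-21T09:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=25
2008-01-21T09:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=80
2008-01-21T09:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=110
2008-01-21T09:00:04 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=143
2008-01-21T09:00:04 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=443
2008-01-21T09:00:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=3389
2008-01-21T09:00:10 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=TCP dport=80
2008-01-21T09:00:11 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=TCP dport=443
2008-01-21T09:30:00 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=8443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, src, dst, dport); lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def detect_port_scans(text, window_seconds=60, min_ports=8):
    """Flag sources that touch >= min_ports distinct destination ports on one
    host within window_seconds (assumed threshold). Returns {src: (dst, peak_ports)}."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        events[(src, dst)].append((ts, dport))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for (src, dst), hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until the span is at most window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in hits[start:end + 1]}))
        if peak >= min_ports:
            alerts[src] = (dst, peak)
    return alerts
```

The lone probe half an hour later falls outside the window and does not raise the count, which is why the detector keys on the peak within a window rather than on the total over the whole log.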

Gaining Access
Gaining access refers to the true attack stage. An attacker can exploit the target over the LAN, locally, over the internet, or offline through deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking, etc.

Spoofing is a technique to exploit the system by pretending to be someone else or a different system. The attacker can use this technique to send malformed packets containing a bug to the target system to exploit the vulnerability. Packet flooding can be used to remotely stop the availability of essential services. Smurf attacks try to elicit responses from the available users on the network and then use their legitimate addresses against services.

The perceived risk involved when an attacker gains access is high, as the attacker can gain access at the operating system level, the application level or even the network level.

Maintaining Access
Maintaining access refers to the phase when the hacker tries to retain his "ownership" of the system. Once he has gained access to the target system, the attacker can choose to use the system and its resources to launch further attacks on other systems, or keep a low profile and continue exploiting the system. Both are damaging to the organization. For instance, the attacker can install a sniffer to capture all the network traffic.

Sometimes attackers harden the system against other hackers to secure their exclusive access, using backdoors, rootkits, Trojans and Trojan horse backdoors.

Attackers try to remain undetected by removing evidence of their entry, and use backdoors or other Trojans to gain repeat access.

Covering Tracks
Covering tracks refers to the activities an intruder carries out to remove evidence of his presence and actions, so that he can maintain access or evade criminal punishment. This normally entails removing log files and replacing system binaries, such as ps or netstat, with trojaned versions so that the system administrator cannot detect the intruder on the attacked system. Just as there are automated scripts for hacking, there are also automated scripts for hiding intruders, often called rootkits.
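As an added example, written for these notes and not taken from the original post: a baseline file-integrity check of the kind an administrator uses to catch a trojaned ps or a truncated log. It records a SHA-256 digest and size per monitored file and later reports files whose contents changed or whose size shrank. The file names and contents are constructed in a temporary directory and are assumptions, not a real system.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hex SHA-256 digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record (digest, size) per monitored file. Keep the baseline off-host:
    a baseline stored on the compromised machine can itself be rewritten."""
    return {p: (sha256_of(p), os.path.getsize(p)) for p in paths}

def verify(baseline):
    """Compare the current state against the baseline. Returns findings:
    'modified' (digest changed, e.g. a replaced binary), 'shrunk' (size
    decreased, e.g. a truncated log), 'missing' (file removed)."""
    findings = {"modified": [], "shrunk": [], "missing": []}
    for path, (digest, size) in baseline.items():
        if not os.path.exists(path):
            findings["missing"].append(path)
            continue
        if sha256_of(path) != digest:
            findings["modified"].append(path)
        if os.path.getsize(path) < size:
            findings["shrunk"].append(path)
    return findings

def demo():
    """Constructed scenario (an assumption, not a real host): a fake 'ps' binary
    and a fake auth log are baselined, then the binary is swapped for a
    same-size replacement and the log is truncated; verify() reports both."""
    with tempfile.TemporaryDirectory() as d:
        ps, log = os.path.join(d, "ps"), os.path.join(d, "auth.log")
        with open(ps, "wb") as f:
            f.write(b"ORIGINAL-PS-BINARY")
        with open(log, "wb") as f:
            f.write(b"line1\nline2\nline3\n")
        baseline = build_baseline([ps, log])
        assert verify(baseline) == {"modified": [], "shrunk": [], "missing": []}
        with open(ps, "wb") as f:
            f.write(b"TROJANED-PS-BINARY")  # same size, so a size check alone would miss it
        with open(log, "wb") as f:
            f.write(b"line3\n")  # log truncated to hide the earlier entries
        return verify(baseline)
```

A digest comparison catches the same-size binary swap that a timestamp or size check would miss; the size check is what flags the shortened log.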

Other techniques include steganography, tunneling, etc. Steganography is the process of hiding data. Tunneling takes advantage of transmission protocols by carrying one over the other. Even the extra space in TCP and IP headers can be used for hiding information.