This lesson presents some background material from chapter 1. Objectives important to this lesson:
Hacker profiles and motives
History of hacking
Ethical hacking
Common methods
Penetration testing
Ethical standards and the law
Concepts:
Chapter 1
Our text begins with a more reasonable approach than some others, suggesting
that we should consider the motives
of hackers when we try to categorize them. It still gives us labels for
people with particular motives, so we have to read further than the bullet
headings:
good guys - also called white hats, professionals who hack to find and fix vulnerabilities
amateurs - also called script kiddies, these are hackers who want to be like famous hackers; typically, they use tools created by the hackers the amateurs are trying to be like
criminals - hackers who want to turn a profit from stolen information, often credit card and personally identifying information
ideologues - hackers who work for political, national, or religious reasons, typically against perceived enemies of their ideologies
The text continues with a short list of control types that may be helpful in deterring hackers:
technical controls - software and hardware solutions that include firewalls, authentication systems, intrusion detection, and intrusion prevention systems
administrative controls - policies and rules that guide and require users to operate computer systems more safely and securely
physical controls - the first line of defense of any asset: don't let the black hats near it! You may need to use guards, dogs, turnstiles, gates, and/or card sensors. Old-fashioned locks on doors are good, too.
In a side note, the text explains two useful terms:
vulnerability - a weakness in a system or in a defense that an attacker can use to gain access to our systems
exploit - this word is a verb, meaning to take advantage of something; the text explains that in IT security, it is also a noun, and it means a program, a tool, or a method that uses a vulnerability to gain unauthorized access to a system
The text presents a list of rationalizations that have been used by hackers to justify unlawful hacks. The text does not quite make it clear that these reasons are not valid legal defenses:
Attacking a system is not like attacking a person - Maybe, but stealing information that belongs to someone else is attacking that person.
Stealing software from a rich company is okay - Stealing is still stealing, regardless of the wealth of the victim; the victim is probably not Prince John or the Sheriff of Nottingham.
Attacking another country or a political rival is fair - No, it is not. You may have heard about Watergate, which is the name of a hotel that now represents an attempt to breach the security of an opposing political party.
Hacking is fine if you are learning from it - Learning is not just learning if it involves illegal actions. We have labs, we have a cyber defense club that holds events, and there are sites online like Hack the Box that encourage you to practice your skills and to develop more by hacking their puzzles. You don't have to break laws and you should not do so.
Breaking in is okay if that is all you do - If you are testing a system with the permission of its owners, that would be fine. If you don't have permission, you are invading their privacy as much as you would be if you were entering someone's home or business without permission. This may be something your parent never told you. If so, listen/read carefully: the world does not belong to you. You don't get to screw around with it just because you want to.
The text moves on to discuss several motivations that may cause hackers to do their thing. They relate to the material presented so far:
Benefiting the system owner - This is a repeat of the concept of a white hat hacker testing a system for vulnerabilities.
Social status - Hacking a system to gain status among hackers may be an example of someone needing to belong to and be recognized as a member of a group. People who don't have social connections will try to find some, sometimes in unfortunate ways.
Monetary gain - The white hat hacker in the examples above is probably working for a fee, but this bullet is about black hats who are after things they can steal and sell, or things they can lock and hold for ransom. Both, as should be obvious, are crimes.
Ideology - This motive includes cyberterrorists, social activists, and state-sponsored hackers. The degree to which a person chooses to disregard laws and social conventions to pursue their ideology determines the intensity of the crimes they might commit in the name of their ideals.
The text spends a few paragraphs reviewing the history of computer hacking. It might be good to pause for a moment to consider that the hacking of private information is almost as old as writing, and certainly as old as codes and ciphers. The art of hacking computers had to wait for computers to be invented, but people have been trying to uncover secrets as long as there have been secrets.
That being said, computer hacking also includes compromising and disabling systems, which the text illustrates with a worm that was released at Cornell University in 1988. The Morris worm may not have been the first on the Internet, but it was the first one the news media noticed. Its introduction was a watershed moment that our author sees as the moment the Internet itself became a target and a medium for abuse.
The text turns to some concepts we have already covered: first, that a professional (or a student, for that matter) should never probe a system without permission from someone who has the authority to grant such permission. The text specifies that this should be the system owner, but in the case of corporate or government systems, ownership can be hard to define. At the very least, it should come from someone who is part of the group charged with protecting that system, someone with the authority to give assignments, to approve contracts, and to make a case for conducting such work to the upper management of the organization. You don't just try to break into a system because your buddy dares you to do it, even if your idiot buddy works on that system. (Hmm. You and your buddy. Now it sounds like a conspiracy. Think you should call a lawyer, kid?)
Having stressed permission, the text elaborates on its definition of a penetration test, which is done either without insider knowledge of the system (black box testing) or with it (white box testing). Note that the use of the colors black and white in this context does not mean anything about the tester's motives.
The text provides us with what we might call a code of conduct for ethical hacking:
Don't hack without permission.
Use the same tools and tactics (or better ones) as those an attacker might use.
Use care NOT to harm the system you are hacking. (Primum non nocere.) You are examining it, not trying to destroy it.
Study the work done by malicious hackers to understand what they are likely to do, and to learn what you may not know.
If you are pen testing (penetration testing), or doing any other kind of hacking, make sure that you and the authorizer both understand what is going to happen. This is good for any kind of contract, but it is critical when you are doing something that might be considered illegal without proper permission.
Your goal is to help maintain the standard of Confidentiality, Integrity, and Availability. You can do this by finding the vulnerabilities that lead to the opposites of those characteristics: Disclosure, Alteration, and Disruption. If an attacker can do any of those things, we do not have security.
The text presents a version of an attack methodology that I have seen used by an NSA presenter. It first makes it clear that there is no universal method, no absolute set of steps that every attacker will follow. This series of steps is representative of what an organized, determined hacker will probably do, even though it is not required that the hacker carry out every step listed.
Reconnaissance - Gather information about the target from public information and from social engineering.
Scanning - Build on the initial information with more focused attacks, like spear phishing, waterholing, and exploiting vulnerabilities in systems identified in the first step.
Infiltration and escalation - Get into the system with the IDs and access already gathered. Get escalated rights to gather more resources.
Exfiltration - Take the material captured out of the system, and get out of it as well.
Access extension - Use the backdoors found or installed to go back for more later.
Assault - If this was an exercise in data mining, the attacker may want to continue to do it in the future. Destruction is not part of that plan. However, if destruction is part of the plan, this is the phase in which it happens. If that is all the attacker wants to do, the previous two steps may not take place.
Obfuscation - This is the application of anti-forensics. The attacker cleans up the mess so the victim does not know anything happened, and can come back for more if the victim never learns of the intrusion.
As the text has mentioned several times, a vital activity for an information
security professional is penetration testing, also called pen
testing. The text goes into more detail in the next section, explaining
that a pen test that has not been adequately described in a contract can
leave the pen tester open to legal action from the client, and from the
client's clients. A written agreement between the pen tester (or company)
and the client is critical.
In figure 1.4, the text presents a high level overview of pen testing, showing four major elements:
Planning - This leads to the first report cycle, and to the contract finalization. (See below.) Note the list of bullet points in the text that should be included in a proposal, a contract negotiation, and in the contract for the pen test.
Discovery - This is the preliminary probe stage as described above.
Attack - Attack often leads to more discovery, creating a loop that can repeat any number of times.
Reporting - This occurs at two points in the process:
Reporting the plan for the pen test to the client is part of the contract creation process. This stage may loop several times before an acceptable plan is agreed to by both parties.
Reporting the actions taken, the vulnerabilities found, and recommendations for remediation should occur at the end of the process.
The text lists three major forms a pen test may take. A contract should specify which forms will be used. The pen testers will be better protected if the contract includes options for all three forms.
Technical attack - testing only the technical system and its defenses
Administrative attack - testing for problems with policies, procedures, and standards
Physical attack - testing for weaknesses in physical defenses as well as attempting to social engineer staff (social engineering is placed here in the text, but it should be included in all forms)
The chapter ends with a warning that computer systems are typically connected to the Internet, and therefore to the world. This presents a problem when determining what laws of what jurisdiction apply to a crime. We are advised to learn about laws and regulations. A list of eleven laws from the United States is provided as a starting point.
Assignments
This week you need to complete Lab 1, which is due before class next
week. You should begin Assignment 1 and Part 1 of an ongoing course
project. Both of these are due in two weeks.