Masters Thesis on Ethical Hacking  Sagar - MISCU
Transcript

  • 1. Threats to Information Security are rising. Is “Ethical Hacking another technique to enhance information security?” Research based on Mumbai and Pune, India.
    Masters Thesis, MS in Management Information Systems
    Author: Sagar .R. Dhande, ID - 2973641
    Coventry University, UK
  • 2. Table of Contents
    CHAPTER 1 (p. 10)
    1.0 Introduction (p. 10)
      1.1 Information Security (p. 10)
      1.2 Information and Data (p. 10)
      1.3 Overview of Mumbai and Pune (p. 13)
      1.4 Problem Statement and definition (p. 14)
    CHAPTER 2 (p. 16)
    2.0 Research Question and Analysis (p. 16)
      2.1 Research Questions and Objectives (p. 16)
      2.2 Primary Data (p. 19)
    CHAPTER 3 (p. 20)
    3.0 Research Theory and Framework (p. 20)
      3.1 Research Theories (p. 20)
      3.2 Research Framework (p. 23)
        3.2.1 Dependent Variables (p. 23)
        3.2.2 Factors (p. 23)
        3.2.3 Proposed Framework (p. 24)
    CHAPTER 4 (p. 25)
    4.0 LITERATURE REVIEW (p. 25)
      4.1 Current Information security Crime and Scenario (p. 25)
        4.1.1 In-house Threat (p. 25)
          4.1.1.1 Wipro Employee Cheats $4 million (p. 25)
          4.1.1.2 Bank of America Employee steals customers’ data (p. 26)
        4.1.2 Nigerian Lottery Email scam (p. 26)
        4.1.3 Social Engineering Issues (p. 27)
          4.1.3.1 Social networking site issue (p. 27)
    Sagar .R. Dhande, Coventry ID. 2973641 (INTI – I09005084), May 2009 Session
  • 3. Table of Contents (continued)
          4.1.3.2 UTI Bank Phishing Issue (p. 28)
        4.1.4 Mass defacement of websites (p. 29)
      4.2 Security awareness among Indians (p. 31)
      4.3 Emerging Cyber security threats (p. 32)
        4.3.1 Hackers (p. 32)
          4.3.1.1 Types of hackers (p. 32)
            4.3.1.1.1 Black Hat Hackers (p. 32)
            4.3.1.1.2 White Hat Hackers (p. 32)
        4.3.2 Spyware/ Malware (p. 32)
        4.3.3 Viruses (p. 34)
        4.3.4 Social Engineering/ Phishing (p. 35)
        4.3.4 Bot network operator (p. 35)
        4.3.5 Insider threat (p. 37)
        4.3.5 Key logger (p. 37)
      4.4 Conclusion for Information security crime and scenario (p. 38)
      4.5 General security tools and techniques (p. 39)
        4.5.1 Antivirus (p. 39)
          4.5.1.1 Drawback (p. 39)
          4.5.1.2 Working of Antivirus (p. 40)
          4.5.1.3 Virus dictionary approach (p. 40)
          4.5.1.4 Suspicious behavior approach (p. 40)
          4.5.1.5 Concerns: (p. 41)
        4.5.2 Firewall (p. 41)
          4.5.2.1 Limitations (p. 42)
          4.5.2.3 Advantage to hacker (p. 43)
        4.5.3 Patches (p. 43)
        4.5.4 Anti-Spyware Software (p. 44)
        4.5.5 Anti Key logger (p. 44)
          4.5.5.1 Limitation (p. 45)
        4.5.6 Biometrics Tools (p. 46)
          4.5.6.1 Working of biometrics tools (p. 47)
          4.5.6.2 Benefits of using BTPs (p. 49)
          4.5.6.3. Concerns (p. 49)
  • 4. Table of Contents (continued)
          4.5.6.4 Limitation (p. 49)
        4.5.7 Hardware Encryption (p. 50)
          4.5.7.1 Encryption (p. 50)
            4.5.7.1.1 Network Encryption (p. 50)
            4.5.7.1.2 Disk Encryptions (p. 51)
        4.5.8 Hardware Firewall (p. 51)
          4.5.8.1 Limitation (p. 52)
        4.5.9 Laws, Rules and Policies (p. 53)
          4.5.9.1 Benefits (p. 53)
          4.5.9.2 Limitations (p. 53)
      4.6 Penetrating Firewall, Antivirus, Antispyware (p. 54)
      4.7 Ethical Hacking (p. 55)
        4.7.1 Hackers (p. 55)
        4.7.2 Ethical hackers (p. 56)
        4.7.3 Ethical Hacking (p. 57)
        4.7.4 Why Ethical Hacking? (p. 57)
          4.7.4.1 Evaluation of a system’s (p. 58)
          4.7.4.2 Types of attack for Ethical Hacking and Hacking (p. 58)
            4.7.4.2.1 Non-technical attacks (p. 59)
            4.7.4.2.2 Network-infrastructure attacks (p. 59)
            4.7.4.2.3 Operating-system attacks (p. 60)
            4.7.4.2.4. Application and other specialized attacks (p. 60)
      4.8 The Ethical Hacking Process (p. 61)
        4.8.1 Formulating your plan (p. 61)
        4.8.2 Selecting tools (p. 62)
        4.8.3 Executing the plan (p. 62)
        4.8.4 Evaluating results (p. 62)
    CHAPTER 5 (p. 63)
    5.0 Research Methodology (p. 63)
      5.1 Introduction (p. 63)
      5.2 Purpose of Research (p. 63)
      5.3 Research philosophy (p. 64)
  • 5. Table of Contents (continued)
      5.4 Research Strategies (p. 66)
        5.4.1 Research Approaches (p. 66)
        5.4.2 Time Horizons (p. 66)
      5.5 Data Collection Methods (p. 67)
        5.5.1 Sampling Design (p. 67)
          5.5.1.1 Quota sampling (p. 67)
          5.5.1.2 Snowball sampling (p. 67)
        5.5.2 Sample Frame and Sample Size (p. 67)
          5.5.2.1 Sample size formula: (p. 68)
        5.5.3 Target Region (p. 68)
        5.5.4 Target Industries (p. 68)
        5.3.5 Target Sample (p. 69)
      5.6 Data Collection (p. 70)
        5.6.1 Secondary Data Collection (p. 70)
        5.6.2 Primary Data Collection (p. 70)
    6.0 Data Analysis (p. 71)
      6.1 Primary Data Questionnaire (p. 71)
      6.2 Analysis approach (p. 72)
      6.4 Results of the questionnaires (p. 73)
        6.4.1 Analysis of Section A (p. 73)
          6.4.1.1 Gender (p. 73)
          6.4.1.2 Respondents Designation (p. 73)
          6.4.1.3 Industry Type (p. 74)
        6.4.2 Analysis of Section B (p. 75)
          6.4.2.1 Type of Information stored by respondent in system (p. 75)
          6.4.2.2 Security tools used by respondents (p. 76)
            6.4.2.2.2 Hardware security tools and techniques (p. 77)
            6.4.2.2.3 Security rules, law, policies and access control (p. 78)
        6.4.3 Analysis of Section C (p. 79)
          6.4.3.1 Respondents view on information security (p. 79)
          6.4.3.2 Respondents’ expectation from security techniques (p. 80)
        6.4.4 Analysis of Section D (p. 81)
          6.4.4.1 Attacked for unauthorized access to the system (p. 81)
  • 6. Table of Contents (continued)
          6.4.4.2 Breaking system’s password (p. 81)
            6.4.4.2.1 Operating system attack (p. 82)
          6.4.4.3 Getting information by faking target (p. 83)
            6.4.4.3.1 Non-technical attack (p. 83)
          6.4.4.4 Violating companies/ individual rules, policies, law (p. 84)
            6.4.4.4.1 Violating (breaking) laws, rules and policies attack (p. 85)
          6.4.4.5 Breaking network infrastructure (p. 86)
            6.4.4.5.1 Attacking Network infrastructure (p. 87)
          6.4.4.6 Action taken after identifying security threat (vulnerability) (p. 88)
          6.4.4.7 Respondent’s acceptance of attacks to ensure security (p. 89)
    CHAPTER 7 (p. 90)
    7.0 Discussion and Conclusion (p. 90)
      7.1 Discussion and Conclusion on section A (p. 90)
      7.2 Discussion and Conclusion on section B (p. 92)
      7.3 Discussion and Conclusion on section C (p. 94)
      7.4 Discussion and Conclusion on section D (p. 96)
      7.5 Limitations of Research (p. 100)
      7.6 Future Research (p. 100)
      7.7 Conclusion (p. 100)
    References (p. 102)
    Appendix 1. Questionnaire (p. 109)
    Appendix 2. Gantt chart (p. 117)
  • 7. Table of Figures
    Figure 1. Data and Information (p. 11)
    Figure 2. Information System for Information (p. 11)
    Figure 3. Rising of sophisticated attacking tool with time (p. 15)
    Figure 4. Proposed Framework (p. 24)
    Figure 5. Fake HDFC bank Webpage (p. 28)
    Figure 6. Statistics of defaced Indian website (p. 29)
    Figure 7. Defacement of Indian websites (p. 30)
    Figure 8. Statistics of security awareness in world (p. 31)
    Figure 9. Distributed Denial of service attack (p. 36)
    Figure 10. Key Logger Flow – Step 1 (p. 37)
    Figure 11. Key Logger Flow – Step 2 (p. 38)
    Figure 12. Software Firewall (p. 41)
    Figure 13. Stage 2 of BTP process (p. 47)
    Figure 14. Final stage of BTP process (p. 47)
    Figure 15. IRIS scanner example (p. 48)
    Figure 16. Hardware based Encryption (p. 50)
    Figure 17. Disk Encryption (p. 51)
    Figure 18. Hardware Firewall (p. 52)
    Figure 19. Emerging cyber security threats can bypass traditional security controls (p. 54)
    Figure 20. The Research process "Onion" (p. 64)
  • 8. Table of graphs
Graph 1: Gender
Graph 2. Respondents Designation
Graph 3. Industry Type
Graph 4. Types of Information stored.
Graph 5. Software security tools important and usage
Graph 6. Hardware security tools importance and usage
Graph 7. Security rules, polices, laws and permission importance and usage
Graph 8. Respondents view on Information Security
Graph 9. Respondents Expectations from security techniques
Graph 10. Results for unauthorized access to the system
Graph 11. Breaking system’s password
Graph 12. Response for Operating system attack
Graph 13. Getting information by faking targets
Graph 14. Response for Non-Technical attack
Graph 15. Violating companies/ individual rules, policies, law
Graph 16. Response for violating rules/ polices/ laws.
Graph 17. Breaking Network infrastructure
Graph 18. Response for attacking network infrastructure
Graph 19. Response on action taken after identifying security threat
Graph 20. Response on acceptance of attacks to ensure security
  • 9. Abstract

The term information security is frequently used to describe the risks of guarding information that is in a digital format. This digital information is typically manipulated by a processor, transmitted over a network (such as the internet or an intranet) and usually stored in computers, servers, databases, disks, etc. Today Information Systems play a valuable role in the corporate and personal world; companies and individuals practice different techniques (using software and hardware) to secure data and information. Tremendous security threats like viruses, bots, denial of service attacks, telecom fraud, unauthorized access and phishing are rising at a rate more than 25% – 30% higher than the previous year. Research conducted by McAfee Security Journal (2008) states that social engineering (phishing attacks) and spam are increasing, and are always upgrading with new methods to obtain personal and confidential information from users. Whereas the old techniques and scripts (virus programs) are decreasing or under control (as they are constantly under view), new techniques and methods are targeting information and are successful in driving the threat graph high against security. These emerging and upgrading threats need to be treated with new advanced countermeasures; one of them is Ethical Hacking. Antivirus, anti-spyware, hardware security ‘tools and rules’ and laws are already used and are not sufficient to tackle the current problem. The new advanced Ethical Hacking approach includes an Ethical Hacker who practices hackers’ techniques and strategies to identify vulnerabilities (security holes) by attacking the system in the same way a hacker could have done (intentionally ethical); if any security holes or vulnerabilities are found, the Ethical Hacker finds a way to fix and cover them.
  • 10. CHAPTER 1

1.0 Introduction

1.1 Information Security

Information security is the process, or ‘combination of techniques’, used to protect information. It ensures protection of the availability, privacy and integrity of information. Nowadays businesses and individuals rely solely on the information stored in databases and memory and transferred through networks. Information can be anything: personal staff details, client lists, bank account details (credit card details), usernames and passwords, mails, software source code, media, personal documents, marketing and sales information; in fact anything that is storable in a system and valuable for a user, business or system. Information is a high priority for any business and holds the power to wobble the business in such a competitive era. (FIPS PUB, 2004)

1.2 Information and Data

Raw data is processed by a system to generate or produce the desired (required, meaningful) output called information. Data is the raw material for data processing. It relates to facts, events and transactions. Information is data that has been processed and filtered in such a way as to be meaningful to the person who receives it. It is anything that is communicated and valuable for any business or individual. (Maeve Maddox, 2008)
  • 11. Figure 1. Data and Information (Source: created by author)

To understand the significance of information, it is essential to highlight the value of information. Information is something that can be found in any piece of data that is required by an individual or company. Credit card details, usernames and passwords and personal media (photos, videos, files) are information; from a business perspective, a company's marketing plan, strategic decisions, financial details, client details, source code, etc., which are very important for any business, can also be considered information.

The diagram below helps to understand how data is processed into information.

Figure 2. Information System for Information (Source: created by author)
  • 12. For a company, tools such as a market intelligence system, financial tools, marketing models, a market research system, etc. take data as input. This data can be the target segment for a product or company, technology (available and required technology for any project or company), the economic condition of the country, company or target segment (varies according to requirement), competitors and channels (available and required for business). Such a system processes the data (as said in the earlier paragraph) to produce strategic decisions for the business. This strategic information could be a business plan for the next 5 years or a product launching strategy, which is very crucial for any business; similarly a marketing plan for the product or company, or a financial report of the company, which is very crucial for any business.

Effective information security systems incorporate a range of policies, security products, technologies and procedures. Software applications which provide firewall information security, and virus scanners, are not enough on their own to protect information. A set of procedures and systems needs to be applied to effectively deter access to information.

There are people who make a living from hacking or breaking through information security systems. They use their technological skills to break into computer systems and access private information. A hacker with the right hardware can bypass firewalls, which are designed to prevent access to a computer’s network. This could result in the loss of vital information, or a virus could be planted and erase all information. A computer hacker can gain access to a network if a firewall is shut down for only a minute.
  • 13. 1.3 Overview of Mumbai and Pune

As the research is carried out in two Indian metro cities, Mumbai and Pune, it is important to highlight the needs, challenges, culture and situation of these cities. (Mumbai Space, nd)

Mumbai (formerly known as Bombay; 437.71 sq. km in total), constituted from seven islands, is the capital of Maharashtra state and the second most populated city in the world after Shanghai (China). In 2009, Mumbai was named an Alpha world city (Diserio.com, nd). The city is the commercial, financial and entertainment capital of India; as a sea port city (India's largest and busiest) it has one of the world’s largest harbors. According to a recent survey, Mumbai is the fifth most expensive city in the world and contributes a higher GDP than any other city in India. (Mumbai Space, nd)

Pune offers plentiful talent, technology and tolerance, the few key attributes needed to make a global city. Known for its international quality education, the city is equipped with well known institutes and universities. By delivering the successful Commonwealth Youth Games in 2008, the city set a mark for the international market, which also had a great positive impact on the hotel, infrastructure and tourism industries. After Bangalore, Pune (India’s II tier city) is set to be another of the largest IT hubs in India. Infosys, a Nasdaq listed Indian IT company, has a growing center in Pune. TCS, Wipro, Larsen & Toubro InfoTech, AccelTreesoftware, Advent software and Dynamicslogistics are just some of the known software players that have taken to the city. Apart from software development, the city is carving a name for BPO; Accenture Services, Wipro and Quexstsolutions operate out of this city. With more than 100 software companies, the city provides a class animation and gaming industry to the globe.
(Articles base, July 2009)

The cyber crime cell located in Mumbai states that ‘hacking, child pornography, cyber stalking, denial of service attack, virus dissemination, software piracy, IRC crime, credit card fraud, net extortion, phishing, internet fraud’ are the most serious issues that have been tackled in the metros and the rest of India. (CCIC, 2005)

  • 14. With cybercrime high in Mumbai, Pune and Bangalore, Mumbai has managed to set up a Control of Cyber Crimes unit. To cope with this situation, Mumbai Cyber Lab is a unique initiative of police-public collaboration for training the police officers of Mumbai police in the investigation of cyber crime. Mumbai Police and NASSCOM jointly operate Mumbai Cyber Lab. (Mumbai online, 2010)

1.4 Problem Statement and definition

The increase in sophisticated attacking tools (including GUI hacking tools, viruses, spyware, hackers, etc.), together with the decrease in the knowledge required of an attacker, is a challenge for today’s (and forthcoming) data and information security; refer to the diagram below (Ciampa M, 2010). Data stored, transferred and accessed via computers, networks, servers and digital components is under constant attack and faces threats. Users in both the personal and corporate world try to ensure that information and data are secured by using software (antivirus, anti-spyware, anti-spam), hardware (hardware lock, hardware encryption) and firewalls (software and hardware firewalls) (Peter J, 2005), but the question is, are they enough to achieve security goals? If yes, then how successful are they? If they are successful, and are in use, then why is the digital world using these techniques and methods not fully secured? Or is there a need for some other security mechanism? These questions are enough to give a view of the overall security problem. Lots of effort is being taken to secure valuable information, yet people find at least one item about hacked data, digital fraud, stolen information or similar news every day in the newspaper columns.
  • 15. Figure 3. Rising of sophisticated attacking tool with time (Source: Ciampa M, 2010)

This diagram states that since 1990 new threats have been rising with more sophisticated attacking tools (provided with a graphical user interface, which helps anybody to use these tools without programming or systems knowledge), and hence the knowledge required to attack a system is reducing. This is a major concern that gave potential rise to new technology, methods and techniques to counter such attackers’ efforts.
  • 16. CHAPTER 2

2.0 Research Question and Analysis

This chapter focuses on the research questions and objectives of the research. Based on the research questions and objectives, secondary data is collected (literature review) and primary data (questionnaire) is drafted and collected, in order to answer the research questions and objectives. Basically, the objectives give a direction to the research, based on which a conclusion is obtained to support the research. Each research question and objective is satisfied by the research, by collecting relevant data, analysing it and concluding to achieve the objective.

2.1 Research Questions and Objectives

1. Why are current security methods not enough to tackle security?

Objectives are:

- To understand the limitations of current security techniques. This objective helps to highlight the limitations and capabilities of the security techniques currently practiced, such as software, hardware, laws, etc. This will help to understand what is lacking in the currently practiced techniques and where new advanced security techniques are required to focus and work.
- To explore different techniques and methods used to enhance security. This objective will help to list the different methods, tools and techniques used by different organizations to ensure security. The objective behind focusing here is to understand the different or same approaches taken by different organizations and individuals for the same concern, ‘security’.
- To understand the expectations of information security that are not currently satisfied.
  • 17. This objective would help to enlighten the expectations of information security. Expectations could be the use of sophisticated dynamic security controls and techniques that could monitor the system all the time, while trying different approaches to uncover vulnerabilities in the system.

Innovative techniques using high-end technology are playing a key role in breaking and securing security. Hackers are smart enough to find easy to very complex ways to seek inside the platform. This section will highlight the innovative sides of hackers, the winning side of destructive tools and the limitations of securing tools and techniques.

Questionnaires will be used to understand the expectations from information security. Secondary research will support the objectives to understand the limitations of current security techniques and to explore different techniques used to enhance security.

2. How important is identifying an appropriate countermeasure for a security threat?

Objectives are:

- To understand the importance and urgency of information security. Information security is discussed all the time, but is it really important to secure data and information? What kind of information is valuable for organizations? The objective is to collect different views about information from different organizations in different sectors, on which kinds of data they are concerned to secure, and why and how important it is to secure them.
- To understand the need of having effective countermeasures for security threats. This objective is slightly related to, and answerable from, the previous objective. Here it is known that information is valuable and there is a need for an effective information security technique.
The objective helps to understand why there is a need for effective and advanced security enhancing techniques.

Information can be seen in many forms: credit card information; for companies, application source code and documentation; and for individuals, family pictures, passwords and other related information. All have their importance at a different hierarchy from person to person.

  • 18. This will enlighten about having effective and efficient countermeasures. Questionnaires will be used to understand the need of having effective countermeasures for security threats.

3. What role does the ethical hacker play in enhancing security and how does it contribute?

Objectives are:

- To understand the role and need of the ethical hacker. This objective is basically divided into two parts, role and need. Role states the key part the ethical hacker played or is playing in the system. Need asks why, even if an organization has other current security techniques, it still approaches ethical hacking: what is expected from ethical hackers, what made organizations approach an ethical hacker, and what can an ethical hacker provide them?
- To explore the ethical hacking process and the steps followed by the ethical hacker. This objective will give an idea of the ethical hacker's work: the process of ethical hacking, and what kinds of departments, people and resources are available or involved. It covers the policies, rules, regulations and laws that have to be considered by the ethical hacker. Sometimes a company has to give the ethical hacker extra access to the system to test it; at the same time it is essential for the company to make sure that the ethical hacker does not misuse the system, which makes the ethical hacker sign several papers including policies, laws, etc. All this together forms a process, and this objective will also help to see the similarities in the process among different organizations, and the way the ethical hacker achieves the goal by satisfying all the prerequisites (signing documents) while also ensuring that the system is secured.
- To understand the effectiveness of ethical hacking over other measures. This objective checks whether ethical hacking is a successful process or not. If successful, then how successful is it compared to other security measures? This measurement is denoted in percentage, each factor versus ethical hacking. The objective helps to understand whether ethical hacking practice is meeting users’ expectations.
  • 19. Secondary research (thorough literature review) will be done to understand the role and need of the ethical hacker and to explore the ethical hacking process.

The other objective is to understand advanced security practices. This objective deeply explains the different types of information security practiced to ensure security that are not satisfied by general security tools and techniques. The objectives focus mainly on a new security enhancement technique that can be added to current general security practices.

2.2 Primary Data

Primary data regarding the research questions and objectives is collected from IT organizations, banking IT (security) departments, business process outsourcing and the educational industry, applying various data collection techniques and methods; this collected data will be used to answer the research questions. Pune (educational hub) and Mumbai (financial capital) both being IT hubs, the author's main target population is IT managers, security officers, ethical hackers and network/system administrators, along with individuals such as students, teachers and other non-professional tech-savvy people who have a better understanding and enough knowledge of security threats and their countermeasures.
  • 20. CHAPTER 3

3.0 Research Theory and Framework

The research is supported by Game Theory and Integrated Systems Theory, which are discussed below.

3.1 Research Theories

| Theory | Characteristics | Source |
|---|---|---|
| Game Theory | Security Validation | Papadopoulou and Greoriades, 2009 |
| Game Theory | Intrusion Detection Systems | Otrok, Zhu, Yahyaoui, Bhattacharya, 2009 |
| Integrated Systems Theory, consisting of: Security Policy Theory, Risk Management Theory, Control and Auditing Theory, Management Systems Theory, Contingency Theory | In early days the authors proposed a new theory called integrated systems theory for information security management. | Hong, Chi, Chao, Tang, 2003 |

Intrusion Detection Systems - These help to detect an attack at runtime, post-attack or pre-attack. An ethical hacker who manages to detect the security threat from a hacker or other attackers molds themselves into an intrusion detection system (Fadia 2007). Therefore the author believes that ethical hacking supports the intrusion detection system, which again follows game theory. Game theory support for the research is explained below.
  • 21. Security Validation - An ethical hacker needs to think strategically: what is the hacker trying to do, or what could the hacker do? How can he do it? And so on. According to this, the ethical hacker has to make his/her moves. These moves may or may not be simultaneous or sequential to the hacker's, i.e. the ethical hacker and the hacker may or may not be attacking and defending simultaneously; an ethical hacker may be trying to find vulnerabilities in the system, thinking of different possible ways from the hacker's point of view.

Papadopoulou and Greoriades (2009) say security has recently gained tremendous attention in information systems. Despite its importance, there is no appropriate method followed for security. Traditionally, limited systems such as computers, electronic devices and machines depended on such networks; security requirements specification needs a practical approach. Today, network infrastructure is constantly under attack by hackers and malicious software that aim to break into computers and steal valuable information. To combat and countermeasure those threats, network designers need complex security validation algorithms and techniques that will assure the minimum level of security for their future networks. The author supports a game-theoretic approach to security requirements validation.

The theory proposed by Otrok H, Zhu B, Yahyaoui H and Bhattacharya P (2009) states that game theory is a model for Intrusion Detection Systems. An intrusion can be compared with a hacker, and an alarm is raised in case of attack. Various software, firewalls and techniques that can be followed to counter such intrusions would help to provide the necessary countermeasures and strategies to implement for security.

In 2003 Hong, Chi, Chao and Tang said that until now there has been no specific information security management theory.
As a result they combined 5 theories (Security Policy theory, Risk Management theory, Control and Auditing theory, Management Systems theory and Contingency theory) to develop the Integrated Information Systems theory for information security management. The purpose, importance and characteristics of each theory in the integrated information systems theory for information security management by Hong, Chi, Chao, Tang, 2003 are given below.

  • 22.

| Theory | Description |
|---|---|
| Security Policy theory | Establishment of an information security policy should include five procedures, which are: 1. to assess and persuade top management; 2. to analyze information security requirements; 3. to form and draft a policy; 4. to implement the policy; and 5. to maintain this policy. The theory also covers comprehensive e-audit; e-risk management policy; computer security policy; cyber insurance policy; e-mail policy; Internet policy; and software policy. |
| Risk Management theory | Risk management theory suggests that through organizational risk analysis and evaluation, the threats and vulnerabilities regarding information security could be estimated and assessed. The evaluation results could be used for planning information security requirements and risk control measures. Risk management is a process of establishing and maintaining information security within an organization. The crux of risk management is risk assessment; namely, through information security risk assessment, an organization could take appropriate measures to protect information cost effectively. Reid and Floyd 2001 cited by Hong, Chi, Chao, Tang, 2003 proposed a “risk analysis flow chart”, and considered that an organization should assess the threats and vulnerabilities of its information assets. |
| Control and Auditing theory | Control and auditing theory suggests that organizations should establish information security control systems; and after being implemented, auditing procedures should be conducted to measure the control performance. It includes organizational security, personal security, physical and environmental security, communication and operational security, systems development and maintenance security. |
| Management Systems theory | Based on the organizational requirements and security strategies, Sherwood, 1996 cited by Hong, Chi, Chao, Tang, 2003 proposed the information security architecture SALSA (Sherwood Associated Limited Security Architecture), which includes: business requirements, major security strategies, security services, security mechanisms and security products and technologies. |
| Contingency theory | Information security management is a part of contingency management that is meant for the prevention, detection and reaction to the threats, vulnerabilities and impacts inside and outside of an organization or system. |

  • 23. No predefined past framework is supported by the research. The author has developed a framework based on the variables and factors suggested by Ciampa M, 2010 and Sans, 2010.

3.2 Research Framework

3.2.1 Dependent Variables

Enhancing Information Security

3.2.2 Factors

(Source: Ciampa M, 2010)

| Software’s | Hardware’s | Rules, policy, laws | Ethical Hacker |
|---|---|---|---|
| Anti-Virus | Forensic tools (source: Sans, 2010) | Parental/ access control | (Proposed by author) |
| Anti-Spyware | Hardware Lock | | |
| Anti-Adware | Hardware Firewall | | |
| Software Firewall | Anti Keylogger | | |
| Encryption/Decryption | Hardware encryption | | |
| Operating systems Patches | Bio Metrics tools (Source: Patrick Love, 2007) | | |
  • 24. 3.2.3 Proposed Framework

Figure 4. Proposed Framework

Here the dependent variable ‘enhancing information security’ has four factors: software, hardware, ‘policies, rules and laws’, and the Ethical Hacker. These factors together affect the behavior of enhancing information security. The factors are tools, software, hardware, techniques and methods that are used (singly or in combination) to enhance security. The idea behind the research is to investigate the Ethical Hacker factor. Ciampa M (2010) states that software (including antivirus, software firewall, etc.), hardware (including forensic tools, hardware lock, etc.) and ‘rules, policies and laws’ are different approaches to security; here parental / access control can be a non-technical technique, while the author’s concern is to consider the Ethical Hacker as another technique. The Ethical Hacker is considered as a factor which can affect the behavior of ‘Enhancing information security’ (dependent variable). Here ethical hacking done by an ethical hacker contains many approaches; the ethical hacker uses many techniques (those techniques are explained in the next chapter) to protect the information or system.
  • 25. Threats  to  Information  Security  are  rising.  Is  “Ethical  Hacking  another  technique   25   to  enhance  information  security?”  Research  based  on  Mumbai  and  Pune,  India.       CHAPTER 4 4.0 LITERATURE REVIEW4.1 Current Information security Crime and ScenarioThis section will highlight on current security and cybercrime scenario in India.Below discussion will help to understand the importance of security, and majorthreats and security scenario in India; especially in Mumbai and Pune.Indian companies more worried about cyber-attacks than terrorism. (Cheek M,2010)According to research conducted by Symantec, Indian companies lost anaverage of 5.8 million rupees in January 2010, and 66% has experienced cyber-attacks in 2009.Symantec India managing director Vishal Dhupar said, “Security has become amain concern to Indian enterprises as cyber-attacks are posing a greater threatthan terrorism, natural disasters and conventional crimes”.Total 80% budget has been increased for forensic and penetration testingimplementation strategies.4.1.1 In-house Threat Rather than keeping eye and worrying about External threats, it may happen someone very close to you steal the most valuable thing available to you. In- house threat is the most readable topic in newspaper. Indian Banking and IT companies had frequent bad experiences with in-house threat to information security.4.1.1.1 Wipro Employee Cheats $4 million Indian IT giant experienced largest rip-off, chartered account of the company successfully cleaned $4mn from its financial books (i.e. an information source)  
• 26. in the year 2010. Sources added that, following this incident, the technology giant has tightened its information security. (DC Correspondent, 2010)

4.1.1.2 Bank of America Employee steals customers' data

An employee was found guilty of stealing customers' sensitive data and selling it to a third party to create fake credit cards with the required information. This employee secretly stole the information of customers having an account balance of more than $1,00,000 and produced credit cards. (Cheek M, 2010)

4.1.2 Nigerian Lottery Email scam

India is catching up with the lottery email scam at lightning speed. Internet users receive mail on behalf of esteemed organizations (actually from a fake email ID created in the name of the esteemed organization) declaring them the winner of a million dollars. Hackers try everything to win the victim's trust, specifying a mail domain ID that matches the organization's or bank's name. Users are requested to fill in the form attached with the documents (this may be infected with a virus), which is supposed to collect the user's bank account number, SWIFT code and bank address, as those things are required to transfer money to the user's account. Looking at the artistic form and the genuine-seeming responder, users fill in the form and send it to the hacker. The hackers then pass this caught fish on to their network, which makes a note of the mail ID for further money-stealing techniques (as the user is now known to be not knowledgeable in this regard, or less technically assured about security).

Hackers confirm the report after verifying the user's form and request the user to select one of three options to claim the lottery amount.

1. To collect it in person. This is an unviable option, as it is not possible for the user to visit the declared location, and it could be risky to visit there without any security. The hacker can turn into a gangster and clean out everything from the claimer.
• 27. 2. To open an account in the required country, as the money will be transferred to this account, from where the user can further transfer the amount to their own account in their country. Here the claimer is not aware of the rules and procedure for opening an account in another country (opening an account in a country other than the home country is not that easy, as it requires all residential documents, passport, income source, income statement, etc.). These two options shift hope towards the third and final option.

3. To send account opening charges to the lottery person, so that they can open an account on behalf of the claimer. This is the real trap that is laid by the hacker to catch in the safe hand. Some emotional touch and feelings are shown in conversation with the claimer so that they win the trust and are provided the required amount to open the account. In this, claimers are even often found negotiating the account opening charges, and on this the deal may get closed stating that half of the account opening charge will be paid by the claimer and the remaining by the agent.
And similarly the winning prize will be distributed between both parties.

Once the claimer transfers the amount to the agent to open the account, and it is received by the agent, all communication is sealed, leaving the claimer to complain to the police.

For example, hackers are often found sending emails from hdfconlinebank.com, but the genuine domain is hdfcbank.com.

4.1.3 Social Engineering Issues

4.1.3.1 Social networking site issue

The biggest challenge and threat to today's security is social engineering. The number of youngsters queuing up to hit the social networking servers is increasing blindly, and the number of malwares and viral scripts targeting them is growing at a matching frequency. Users often find that their account is hacked and hackers have misused personal information to defame their image or to make the profile work in a weird way.
• 28. 4.1.3.2 UTI Bank Phishing Issue

Phishing, a part of social engineering, is commonly found in day-to-day life. Ahmadabad-based UTI Bank (now Axis Bank), one of the largest financial institutions of India, was a serious target for phishing. The URL of a fake version of UTI Bank's homepage was circulated to email users. This webpage asks for the login and password, and everything else, including the logo and text, is kept the same as on the original bank site. In case the user enters a username and password thinking it is the genuine website, hackers get a view of the details on the receiving side (the phisher's database). (Cyber crime, 2007)

(Screen shot of fake website is attached below.) Fake HDFC bank's webpage (below snapshot created by author).

Figure 5. Fake HDFC bank Webpage. Source: Created by author

The same thing was happening with phone banking: users receive calls from a hacker claiming to be calling from the bank for verification (as required by the Indian government) and asking for personal details like address, father's name, card no. etc. Users providing all the details get trapped in the fraud. (Cyber crime, 2007)
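The lookalike sender domain from section 4.1.2 (hdfconlinebank.com imitating hdfcbank.com) and the fake bank page from section 4.1.3.2 can both be caught by comparing the domain with a list of protected domains. The following is an added example, not part of the thesis: the function names, the thresholds and every domain other than the two named in the text are assumptions, and the registrable-domain logic is deliberately naive.

```python
"""Added example: flag domains that imitate a protected bank domain."""
from email.utils import parseaddr

PROTECTED = ["hdfcbank.com"]   # the genuine domain named in the text


def sender_domain(from_header):
    """Domain part of the address in a From: header."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def registrable(host):
    """Naive registrable domain: the last two labels.
    Assumption: single-label TLDs only; production code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_subsequence(small, big):
    """True if the characters of small appear in big in the same order."""
    it = iter(big)
    return all(ch in it for ch in small)


def classify(host, protected=PROTECTED):
    """Return (verdict, imitated_domain_or_None) for a host name."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in protected:
        return ("genuine", reg)              # includes sub-domains of the real bank
    label = reg.split(".")[0]
    for good in protected:
        brand = good.split(".")[0]
        # Brand used as a sub-domain label of somebody else's domain.
        if brand in host.split(".")[:-2]:
            return ("brand-in-subdomain", good)
        # One or two typing errors away from the brand (threshold is an assumption).
        if levenshtein(label, brand) <= 2:
            return ("typo-lookalike", good)
        # Brand with extra words inserted: edit distance is large here, so a
        # subsequence test is needed. Short brands will give false positives.
        if is_subsequence(brand, label):
            return ("inserted-word-lookalike", good)
    return ("unrelated", None)


# Constructed sample headers and hosts; only the first two domains are from the text.
SAMPLES = [
    "HDFC Bank <alerts@hdfconlinebank.com>",
    "HDFC Bank <alerts@mail.hdfcbank.com>",
    "Support <help@hdfcbnak.com>",
    "Login <no-reply@hdfcbank.com.example.net>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify(sender_domain(header)))
```

Edit distance alone misses the case from the text: hdfconlinebank is six edits away from hdfcbank, which is why the inserted-word check is a separate step.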
• 29. 4.1.4 Mass defacement of websites

Over 1900 Indian websites were defaced in the first three months of the year 2010 (Srikanth RP, 2010). A mass defacement GUI tool provides the whole architectural view of a web server. Suppose a website named www.sagar-info.com is to be defaced: the hacker has created the tool below, which shows all the directories, permissions (chmod – change mode in the image), linking, robots text file and other administrative features of the site that can be changed. These tools can be used for mass defacement of websites. (Armstrong Tim, 2010)

Figure 6. Statistics of defaced Indian website (Srikanth RP, 2010)

The above graph shows that 1263 websites with the .in (India) domain were hacked (defaced) in the first three months of January 2010, followed by 587 websites with the .com (commercial) domain.
• 30. Figure 7. Defacement of Indian websites (Armstrong Tim, 2010)

According to Dr. Muthukumaran B (2008), home personal computer users in India are the most frequently targeted sector of its 37.7 million Internet users. More than 86% of all attacks, mostly via bots, were aimed at Mumbai and Delhi's PC users. The major cyber crimes are DDoS attack (Distributed Denial of Service attack), website defacement, viruses, Trojans and worms, social engineering (refer below diagram), phishing, spam etc.
• 31. 4.2 Security awareness among Indians

According to the survey conducted by Norton, the Norton Online Report 2009 states that few people are protecting themselves online, but are leaving themselves vulnerable: 46% by visiting un-trusted websites, 55% by not backing up data, 66% by not changing passwords frequently and 33% by giving out personal information on the internet.

67% adults in India are least likely to install any security software.

Figure 8. Statistics of security awareness in world

The biggest difference in security awareness occurs in India and Brazil. 33% of Indians do not use security software, and 52% of Indians have unsafe passwords.
• 32. 4.3 Emerging Cyber security threats

According to the Government Accountability Office (2005), the sources of emerging cyber security threats are:

4.3.1 Hackers

Based on the purpose and intention of hacking, hackers are mainly divided into two categories: Black hat and White hat hackers.

4.3.1.1 Types of hackers

4.3.1.1.1 Black Hat Hackers - Hackers break into networks for the thrill of the challenge or for bragging rights in the hacker community. (Government Accountability Office, 2005) Hackers also write hacking tools, including viruses, malware and scripts that perform various functions according to an algorithm. Hackers break into systems and cover their tracks. They even make it look as if some other third person has hacked the system. (Ciampa M, 2010 pg no 17)

4.3.1.1.2 White Hat Hackers – The Ethical Hackers stand with security to cope with intruders, social engineering, viruses, threats and vulnerabilities so called in network, infrastructure and individually (Syed S, 2006). These are good hackers who practice hacking on a system with the permission of the system's owner, in order to find security flaws by applying various hacking techniques; if any are found, they cover the security hole. This helps the owner to identify the system's weak points from where a Black hat hacker could have penetrated. Besides being good for the owner, the ethical hacker gets paid for the work. (Syed S, 2006)

4.3.2 Spyware/ Malware

Spyware is a general term used to describe a program that violates a user's personal security. (Microsoft, 2010)

A program that displays pop-ups on the screen, collects personal information, or changes the configuration without the user's consent is spyware. Spyware programs
• 33. are designed in such a way that they are difficult to remove. Even if it is uninstalled from the system, you might find that the program reappears as soon as you restart your computer. (Microsoft, 2010)

The Anti-spyware alliance defines spyware as "tracking software that is deployed without adequate notice, consent, or user control".

According to Ciampa Mark, 2010, spyware:
• Is implemented in ways that damage a user's control over the system.
• Uses the system resources, including other programs installed on the system.
• Collects and distributes personal and sensitive information over the network.
• Makes material changes that affect the user experience, privacy, or system security.

Two spyware characteristics that make users more worried are:

Spyware creators are motivated by profit: The spyware coder's goal is to generate income by acquiring personal information and using it personally, by gaining access to the bank account, or by selling the information to the user's corporate competitor. This motivation makes spyware more intrusive than any other malware and comparatively difficult to detect and remove once the system is infected. (Ciampa M, 2010, Pg no 113-114)

Harmful spyware is difficult to identify: It is not necessarily the case that all software that keeps track of users, takes control away from them or blocks them is spyware. With proper notice, consent, and control, some of these same behaviors and technologies can provide benefits. For example, parental control and user monitoring tools can help parents keep track of the online
• 34. activities of their children while surfing, and remote login can be used to look into a child's machine or even to operate an office machine from home. Genuine software sometimes opens a pop-up and redirects to the company's license page. A virus creator, meanwhile, creates a program that on installation directs the browser to a genuine-looking site and starts downloading malware. Such scenarios make it difficult for the user to identify legitimate software on the system. (Ciampa M, 2010, Pg no 113-114)

Usually spyware gets into the system through instant messaging, various P2P (peer to peer) programs, online gaming, many porn/crack sites, ad-based banners where users are lured to install free full software, and more. (Shetty S, 2005)

Malware is a general term used to refer to a wide variety of malicious programs. It includes threats such as viruses, worms, Trojan horses, spyware and any other malicious programs. (Ciampa M, 2010. Pg no 26)

4.3.3 Viruses

A computer virus is a malicious set of instructions (that replicates itself) that needs a carrier in order to survive. The carrier can be of two types, a document or a program, i.e. viruses can be attached to either of these carriers and transmitted to the user's system, and the virus starts its execution when the document is opened or the program is executed. Most viruses are harmful and can cause the system to crash, delete files, download and install un-trusted infected malicious code, degrade security settings, and infect other files. (Ciampa M, 2010, Pg no 41)

"It is estimated that there are over eight million computer viruses in existence." (Ciampa M, 2010, Pg no 41)
• 35. 4.3.4 Social Engineering/ Phishing (Microsoft SE, 2010)

Social engineering is a way in which an attacker tries to gain access to the system. The basic purpose of social engineering is to secretly install spyware or to trick users into handing over their login details or sensitive financial or personal information.

Phishing is the most common part of social engineering. Phishing scams include fraudulent Web sites or e-mail messages that fool the user into divulging personal information. (Microsoft SE, 2010)

For a social engineering attack example, refer to section 4.1.3.

4.3.4 Bot network operator

Bot network operators are hackers who, instead of breaking into systems for the challenge or bragging rights, take over multiple systems to enable them to coordinate attacks and distribute malware, spam and phishing scams. The services of this network are sometimes made available on underground markets (e.g., purchasing a denial-of-service attack, servers to relay spam or phishing scams, etc.). (Government Accountability Office, 2005)

Bot networks, in which an attacker remotely takes control of a machine without the user's consent, are increasing at an alarming rate. Machines infected with bot code behave anomalously and download malicious code, which may contain a Trojan, or even send email to others (these emails may be sent for illegal purposes, such as life-threatening or abusive email to someone we do not even know). Machines that are not in the user's control are referred to as zombie machines. Attackers often target a bunch of machines to operate as zombies and then to scan for vulnerable systems and attack the server/system.
They use a backdoor method, which bypasses the authentication layer (antivirus) and hits the target; the backdoor resides in the system as a known and required application (this creates the impression that the attacking machine is the source, while the victim is not aware of the real attacker). (Dr. Muthukumaran B, 2008)
• 36. Frequently the news flashes with some website's servers being down because of an attack; one of the most likely reasons is a denial of service attack. Attackers target a bunch of machines to operate as zombies and then operate all the zombie machines at once to target the server, in order to reduce its performance or to crash it. A DoS attack is often very difficult to trace back to the real attacker, because the attacker does not attack the target server from their own machine but uses zombies to attack. (Dr. Muthukumaran B, 2008)

Example of DDOS

Figure 9. Distributed Denial of service attack (Source: Kome D, 2010)

Here the spoofed SYN generator is the attacker, who operates the zombie machines (TCP servers) by synchronizing them with the target's source IP address (internet protocol address) and attacks the target/victim network through these zombie machines.

Approximately $120 million worth of mobile phones are lost or stolen every year, and users find it difficult to protect the details stored in the phone, contacts and other vital information that can be misused by a stranger. Almost 69% of
• 37. information stealing cases are observed among current and ex-employees and 31% by hackers. India has to go a long way in protecting vital information. (Dr. B. Muthukumaran, 2008)

4.3.5 Insider threat

The disgruntled organization insider is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes outsourcing vendors. Employees who accidentally introduce malware into systems also fall into this category. (Government Accountability Office, 2005)

For an insider threat attack, refer to section 4.1.1.

4.3.5 Key logger

A key logger is a program that records each key pressed (i.e., whatever the user types on the keyboard is recorded), and this stream of keystrokes can be used by a hacker to obtain the user's confidential data along with login details, PINs, credit card information etc. Generally backdoor Trojans come bundled with a keylogger. (Kaspersky lab, nd)

A key logger can be installed via a secondary disk (flash drive, floppy, local network) or via the internet, bundled with any document, program or other malware. A key logger can also be considered spyware, but as a key logger's only function is to record all keystrokes, its scope is far narrower than that of spyware and it can be considered a part of spyware.

Figure 10. Key Logger Flow – Step 1
• 38. Figure 11. Key Logger Flow – Step 2 (Source: Kaspersky lab, nd)

4.4 Conclusion for Information security crime and scenario

India being one of the fastest developing nations, security awareness among its individuals is very low. The above security attacks and techniques make clear that attackers (hackers) are getting innovative and static security measures won't work anymore. High quality dynamic attacks like social networking and phishing are handled by the hacker himself and need to be tackled in the same way.
• 39. 4.5 General security tools and techniques

Looking at the current cyber situation in India (mentioned in section 4.1) and as stated by the Government Accountability Office (2005), the sources of emerging cyber security threats mentioned in section 4.1 and section 4.3 require standard countermeasures. According to Ciampa Mark, 2010, some of the most important information security countermeasures are as specified below in three categories.

Note: Ciampa Mark has given many more security measures under software and hardware, but the author, being focused on Ethical Hacking, has considered the most relevant and important countermeasures that are required to eliminate today's security threats.

Software            Hardware                                        Rules, policies, laws
Anti-Virus          Biometrics tools (Source: Patrick Love, 2007)   Parental / access control
Anti-Spyware        Hardware Encryption
Software Firewall   Hardware Firewall
Patches
Anti Key logger

Information security attempts to safeguard these characteristics of information.

4.5.1 Antivirus (Ciampa M, 2010)

The program scans digital media like computers, servers and systems for infection, monitors computer activity, and examines media for documents, files and email attachments that might contain a virus. In case a virus is detected, further action can be taken: quarantine, delete or heal the infected file.

4.5.1.1 Drawback
• 40. The software periodically needs to be updated with the latest virus definitions.

4.5.1.2 Working of Antivirus

Antivirus software can use two techniques to identify viruses.

1. Examining files for known viruses by comparing them with a virus dictionary (virus definition database).
2. Examining and identifying suspicious behavior of the computer.

Commercial antivirus programs use both approaches.

4.5.1.3 Virus dictionary approach

In the virus dictionary approach, the software examines each file and refers to the virus dictionary for the file's information, infection type and infection removal algorithm; this dictionary contains information related to known viruses. If a file matches a piece of code in the virus dictionary, the anti-virus software can perform the operation the user requires: delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or heal the file by removing the virus from it.

The dictionary definition approach requires periodic updates of the virus dictionary entries. As a new virus is identified, programmers in antivirus companies work on fixing it and include its solution in the virus dictionary.

Although this technique is effective, virus writers have started developing encrypted malicious code, which does not allow the malicious code to be matched with the one in the virus definition. In this case, the suspicious behavior approach is useful.

4.5.1.4 Suspicious behavior approach

This technique monitors the behavior of all applications and programs installed. If a program is found to be writing to an executable file (.exe in Windows, .dmg in Mac OS), this is considered suspicious behavior and the user is alerted so that they can act to remove or heal the suspicious file.
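The two detection approaches of sections 4.5.1.3 and 4.5.1.4 side by side, as an added example that is not from the thesis or from any antivirus product. The dictionary entries, file contents, process names and the allowlist are all constructed for illustration.

```python
"""Added example: virus-dictionary scan plus a suspicious-behaviour rule."""

# Constructed virus dictionary: name -> (byte signature, action). Not real signatures.
VIRUS_DICTIONARY = {
    "Demo.TestMarker": (b"DEMO-MALICIOUS-MARKER", "quarantine"),
    "Demo.MacroStub": (b"AutoOpen:DEMO", "heal"),
}

EXECUTABLE_SUFFIXES = (".exe", ".dmg")   # the two extensions the text names
TRUSTED_WRITERS = {"setup.exe"}          # hypothetical allowlist: installers write executables


def dictionary_scan(data):
    """Return (name, action) for the first dictionary entry found in data, else None."""
    for name, (signature, action) in VIRUS_DICTIONARY.items():
        if signature in data:
            return name, action
    return None


def heal(data, name):
    """'Heal' here means cutting the matched signature bytes out of the content."""
    signature, _ = VIRUS_DICTIONARY[name]
    return data.replace(signature, b"")


def behaviour_alerts(events):
    """events: (process, operation, target). Flag every write into an executable file.
    Writes by allowlisted processes are kept as 'info' so they stay auditable."""
    alerts = []
    for process, operation, target in events:
        if operation == "write" and target.lower().endswith(EXECUTABLE_SUFFIXES):
            severity = "info" if process in TRUSTED_WRITERS else "suspicious"
            alerts.append((process, target, severity))
    return alerts


# Constructed sample inputs.
FILES = {
    "invoice.doc": b"header AutoOpen:DEMO body",
    "game_crack.bin": b"\x13\x9a\x77 packed bytes with no known pattern",
    "notes.txt": b"plain text",
}
EVENTS = [
    ("game_crack.bin", "write", r"C:\Windows\notepad.exe"),
    ("setup.exe", "write", r"C:\Program Files\App\app.exe"),
    ("winword.exe", "write", r"C:\Users\a\report.doc"),
]


def scan_all(files=FILES):
    """Dictionary verdict per file name."""
    return {name: dictionary_scan(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print("dictionary:", name, "->", verdict)
    for alert in behaviour_alerts(EVENTS):
        print("behaviour:", alert)
```

The packed file passes the dictionary scan because none of its bytes match an entry, yet it is still reported once it writes into an executable; the installer triggers the same rule, which is where the false positives of this approach come from.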
• 41. This technique is therefore effective when a new virus is found and its entry is not yet in the virus definitions. However, it also produces a large number of false positives, and if the user "Accepts" every warning, the AV software is useless to the user.

4.5.1.5 Concerns

Malicious code writers use various complex encryption methods and then pack the code with genuine software (often called cracked software), which makes it difficult for antivirus software to detect. Example: camouflaged viruses require a complex unpacking engine, which can decrypt the file before it is examined. Unfortunately, most anti-virus programs do not provide a countermeasure technique and are therefore unable to detect encrypted viruses.

4.5.2 Firewall (Gouda M and Liu A, 2006)

A firewall is a security guard placed at the point of entry between the outside network and the inside network, in such a way that all incoming and outgoing data, in the form of packets, passes through the security guard.

The firewall examines every packet going out and in and decides whether to accept or discard it according to the set of rules and protocols defined at the time of firewall setup. The rules often conflict when a packet is scanned; at this stage the first rule is given priority.

Figure 12. Software Firewall

The current practice of designing firewalls has three major problems.

1. Consistency - Difficult to order and prioritize the rules correctly.
• 42. 2. Completeness - Difficult to scan thoroughly each and every packet.

3. Compactness - Difficult to restrict the number of rules, as some rules may be redundant and some rules may be combined into one rule.

Even in the case of having hundreds of firewalls, one needs to understand the risk in real time and needs to change the rules periodically. With complex rule configurations, and routers and other devices of the same category to monitor, it is hard to run things smoothly and keep track of each and every process. By focusing on the right firewall at the right time one can diminish every risk before it could affect the system. (Hamelin M, 2010)

4.5.2.1 Limitations

Nothing stays the same all the time; with the latest upgraded threats it is also essential to change the rules. There is a need to disable, create, change and delete those rules. A change can have either a negative or a positive impact. (Hamelin M, 2010)

The disadvantages of personal firewalls include:
• Difficult to manage centrally - Personal firewalls need to be configured on every client, which adds to management overhead.
• Only basic control - Configuration tends to be a combination of static packet filtering and permission-based blocking of applications only.
• Performance limitations - Personal firewalls are designed to protect single personal computers. Using them on a personal computer that serves as a router for a small network will lead to degraded performance. (Microsoft TechNet, 2004)

Firewalls do not have a change-management process built in, so documenting changes has never become best (or even standard) practice for many organizations. If a firewall administrator makes a change because of an emergency or some other form of business disruption, chances are he is under pressure to make it happen as quickly as possible, and process goes out of the window.
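The first-rule-wins behaviour and the three design problems listed above (consistency, completeness, compactness) can be checked mechanically on a rule list. This is an added example, not code from Gouda and Liu or from any firewall product; the rule format, names and addresses are constructed, it handles IPv4 only, and it only finds rules that are fully covered by an earlier rule, not partial overlaps.

```python
"""Added example: first-match firewall evaluation and a rule-set audit."""
import ipaddress
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "accept" or "discard"
    src: str         # source network in CIDR form (IPv4 assumed)
    ports: range     # destination ports

    def matches(self, src_ip, port):
        net = ipaddress.ip_network(self.src)
        return ipaddress.ip_address(src_ip) in net and port in self.ports

    def covers(self, other):
        """True when every packet that matches `other` also matches this rule."""
        mine = ipaddress.ip_network(self.src)
        theirs = ipaddress.ip_network(other.src)
        return (theirs.subnet_of(mine)
                and self.ports.start <= other.ports.start
                and other.ports.stop <= self.ports.stop)


def decide(rules, src_ip, port):
    """First matching rule wins; None means no rule decided this packet."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    return None


def audit(rules):
    """Findings as (kind, rule, caused_by):
    shadowed   - consistency: an earlier rule with the other action always wins
    redundant  - compactness: an earlier rule already gives the same answer
    incomplete - completeness: no rule matches every packet"""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.name, earlier.name))
                break
    catch_all = Rule("any", "", "0.0.0.0/0", ALL_PORTS)
    if not any(rule.covers(catch_all) for rule in rules):
        findings.append(("incomplete", None, None))
    return findings


# Constructed rule set: r2 was meant to block one subnet but sits below r1.
RULES = [
    Rule("r1", "accept", "10.0.0.0/8", range(443, 444)),
    Rule("r2", "discard", "10.1.2.0/24", range(443, 444)),
    Rule("r3", "accept", "10.0.0.0/16", range(443, 444)),
    Rule("r4", "discard", "0.0.0.0/0", range(23, 24)),
]
# Same intent after reordering, dropping the redundant rule and adding a default.
FIXED = [RULES[1], RULES[0], RULES[3], Rule("default", "discard", "0.0.0.0/0", ALL_PORTS)]

if __name__ == "__main__":
    print(audit(RULES))
    print(decide(RULES, "10.1.2.7", 443), decide(FIXED, "10.1.2.7", 443))
```

Running the audit before and after each rule change also gives the change record that the paragraph above says firewalls lack.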
• 43. 4.5.2.3 Advantage to hacker

"Hackers like the fact that firewall teams never remove rules – this is how many compromises occur". (Hamelin M, 2010)

4.5.3 Patches

Patches are small pieces of software (for an operating system or application software) that are designed to update or fix problems with computer programs. This includes fixing bugs, improving security, improving performance, covering loopholes etc. (Godbole Nina, 2009, pg no. 540)

Patches are part of operating systems and application software; they are added to address vulnerabilities in application programs and operating systems that are uncovered after the software or OS has been released. Operating systems such as Windows, Mac, Linux, and Android are regularly provided with security and other add-on patches. These patches are meant to make the application or operating system work more accurately in order to secure the system from unauthorized access. (Ciampa M, 2010)

For regularly provided patches, the software vendor makes a provision to automatically download and install patches, or to alert the user regarding the availability of new patches, depending on the configuration done by the user.

Example:

Microsoft releases its patches on the second Tuesday of each month, called "patchy Tuesday", unless the patch addresses a particularly serious vulnerability, in which case it is released immediately.

System → Vendor → Vendor's patching server
System → Through media containing patches
• 44. 4.5.4 Anti-Spyware Software

Antispyware protects the system from suspicious pop-ups, slow performance, unwanted use of system resources by malware and security threats caused by spyware. (Microsoft, nd)

The working of antispyware is the same as that of antivirus, as described under Anti-virus.

4.5.5 Anti Key logger

An anti key logger is a program that keeps the user safe from key logger programs (scripts); it protects the user from having their keystrokes tracked.

Two types of anti-keylogger:

1. Signature based anti-keylogger: This application looks for keyloggers installed in the form of DLL (Dynamic Link Library) files, executable programs and in the registry. Such an anti-keylogger can identify known keyloggers whose signatures are stored in its database. Constant updates are required to keep the signature database supplied with new keylogger removal scripts.

2. Hook based anti-keylogger: The Windows inbuilt function SetWindowsHookEx( ) is responsible for monitoring keystrokes or mouse clicks performed on the system and is used by hook based keyloggers for illegal purposes. SetWindowsHookEx( ) being an inbuilt function, most antivirus and anti-spyware programs fail to detect it as a threat. Hook based anti-keyloggers block the access to this function given to the keylogger. This results in the keylogging program generating an empty log, as no keystroke can be monitored using the given function. (Shetty S, 2005)
• 45. 4.5.5.1 Limitation

A hook based anti-keylogger operates on an inbuilt function of the Windows operating system; this does not satisfy its need on other operating systems.
• 46. 4.5.6 Biometrics Tools (Zegiorgis S, 2002)

"Biometry is a statistical analysis of patterns obtained by compiling readings of physiological characteristics (found in a person's palm, finger, iris and voice) or behavioral characteristics (found in a person's handwriting or keyboard keystrokes) for positively identifying a living person."

These technology tools record the behavioral and physiological functions of the person and store them in the database, or compare the traces with the records already stored in the database. Biometrics tools provide verification and authentication of a person while ensuring confidentiality of information, being identity-theft proof, safe and non-intrusive, and having reduced administration costs compared to passwords. The effectiveness of BT can be increased when it is used in combination with RFIDs (Radio Frequency Identification Device) and smart cards.

User defined passwords can easily be cracked or stolen, whereas face print, iris scan, voice print, and fingerprint are unique to each individual and really not possible to crack. These biometric tools store a compressed digital hash of the iris scan, voice print, and fingerprint in the database. (Zegiorgis S, 2002)

This process can only be used on a living person, as a biometrics application does not collect data from dead people.
• 47. 4.5.6.1 Working of biometrics tools

The biometric tools process for a fingerprint scanner (or any other as mentioned above) performs authentication and verification in stages.

• The first stage is the enrollment stage, a mechanism which scans and captures the ridges and undulations of the fingertip.
• The captured data is then compressed to make it faster to access and suitable to store in the database.

Figure 13. Stage 2 of BTP process

Once the database is loaded with processed data, it is ready to verify and authenticate a genuine person.

• The next stage is the comparison/evaluation stage, where the system / processor compares the newly captured data with the data that is already stored in the database.
• The final stage is the presentation stage, where the matching or not matching condition is checked and a similar or not similar message is returned using the application interface.

Figure 14. Final stage of BTP process
• 48. A biometrics tools program resolves the pattern recognition problem by separating forged from original using complex unique comparisons.

IRIS scanner example

Figure 15. IRIS scanner example (Source: BBC News, 2010)

In a one-to-many comparison, the pattern of an identity is compared against all patterns already stored in the database with the purpose of identifying whose identity the current pattern is.
• 49. 4.5.6.2 Benefits of using BTPs

Biometric technologies are perfect for legal privacy and protection of:

• Information in databases and teller identification (in the banking domain) using fingerprint, iris, or facial recognition.
• Automatic Teller Machine / Cash Deposit Machine (ATM/CDM) using iris and facial recognition.
• Transactions and access to information in transit over the telephone using voice recognition.
• Online transactions using biometric recognition.
• Point of sale (POS) transactions using signature dynamics and fingerprint.

4.5.6.3 Concerns

Error rate (1% to 3%) and maintenance are major concerns of biometrics tools, along with the prohibitive costs of these high-tech security systems. The error rate is increasing, with the system failing to recognize the real person and wrongly saying that a genuine person is not genuine. Contact lenses could throw off iris scanning devices, and hackers can create dummy fingerprints using silicon imprints that can be made from a wax model.

4.5.6.4 Limitation

There are some important considerations when you are planning to add biometrics to your network access-control plans. The most important, of course, is what you plan to use the technology for. Biometrics solutions are still a bit costly, even if prices have come down over the years and continue to fall, so you need to apply the right tool where it really is needed.

There are less expensive alternatives to biometrics, but for high-security applications biometric access control still is the platinum standard. (Patrick L, 2007)
  • 50. 4.5.7 Hardware Encryption
    4.5.7.1 Encryption
    Encryption refers to algorithmic schemes that encode plain text into non-readable form or cyphertext, providing privacy. The receiver of the encrypted text uses a "key" to decrypt the message, returning it to its original plain text form. The key is the trigger mechanism to the algorithm. (Wise Geek, nd)
    There are different types of hardware encryption.
    4.5.7.1.1 Network Encryption
    Encryption hardware tools are installed in such a way that each packet (bits of data) sent to or from the system is encrypted and can be stored on the server or used by the receiver. A server or receiver that has the encryption hardware and is provided with a valid decryption key can decrypt the data. If intruders (hackers) between the sender and the receiver try to access the data, they end up with encrypted data, which is of no use unless they have a valid hardware decryption key. (Via, nd)
    Figure 16. Hardware based Encryption (Source: Via, nd)
  • 51. 4.5.7.1.2 Disk Encryptions
    Similarly, the data available to the user can be stored in encrypted form on the primary disk (hard disk) using such encryption hardware. Disk encryption hardware encrypts the data stored on the disk so that even a virus attack that seeks information can only get encrypted data.
    In the diagram below, the pluggable device (AES 256-bit hardware encryption tool) is the hardware used for encryption and is loaded with the encryption algorithm.
    Figure 17. Disk Encryption. Source: Net security (2008)
    4.5.8 Hardware Firewall
    A hardware firewall is a standalone hardware product; nowadays a hardware firewall is found built into all major modems and routers. When multiple systems are connected to one router, its built-in firewall is responsible for protecting each system connected via it. Hardware firewalls can be effective with little or no configuration, and they can protect every machine on a local network.
  • 52. A hardware firewall uses packet filtering to examine the header of a packet to determine its source and destination. This information is compared to a set of predefined or user-created rules that determine whether the packet is to be forwarded or dropped. (Beal V, 2010)
    Figure 18. Hardware Firewall: hardware firewall scanning all the packets coming in and out. Source: (Microsoft Technet, 2004)
    4.5.8.1 Limitation
      • Single point of failure: Depending on the number of redundant components, there may still be a single point of failure for inbound and/or outbound access.
      • Cost: The cost is higher than a firewall without redundancy and may also require a higher class of firewall to be able to incorporate redundancy.
      • Possible traffic bottleneck: A single firewall could be a traffic bottleneck depending on the number of connections and throughput required. (Microsoft Technet, 2004)
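The packet-filtering decision described in section 4.5.8, as an added Python example that is not part of the thesis or of any firewall product: a stateless, first-match filter that reads only the IPv4 header fields and the destination port, then forwards or drops. The rule set, the addresses (documentation ranges) and all function names are constructed for illustration.

```python
"""Stateless first-match packet filter (added illustration, constructed data)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Rule:
    action: str                   # "forward" or "drop"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    proto: Optional[int] = None   # IP protocol number, None = any
    dport: Optional[int] = None   # destination port, None = any


@dataclass(frozen=True)
class Header:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: Optional[int]          # None when the port is not visible


def parse_header(packet: bytes) -> Header:
    """Read only the fields a packet filter looks at; reject malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    dport = None
    # Ports are in the first 4 bytes of TCP/UDP and exist only in fragment 0.
    if proto in (TCP, UDP) and frag_offset == 0 and len(packet) >= ihl + 4:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return Header(ipaddress.IPv4Address(packet[12:16]),
                  ipaddress.IPv4Address(packet[16:20]), proto, dport)


def decide(rules: List[Rule], packet: bytes, default: str = "drop") -> str:
    """Return the action of the first matching rule, else the default."""
    try:
        h = parse_header(packet)
    except ValueError:
        return "drop"             # fail closed on anything unparseable
    for r in rules:
        if h.src not in ipaddress.ip_network(r.src):
            continue
        if h.dst not in ipaddress.ip_network(r.dst):
            continue
        if r.proto is not None and r.proto != h.proto:
            continue
        if r.dport is not None and r.dport != h.dport:
            continue
        return r.action
    return default


def build_packet(src: str, dst: str, proto: int, dport: int,
                 frag_offset: int = 0) -> bytes:
    """Construct a minimal IPv4 header plus 4 transport bytes for the demo.
    The checksum is left at 0 because the filter above does not verify it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, frag_offset & 0x1FFF,
                     64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HH", 40000, dport)


# Constructed rule set; order matters because the first match wins.
RULES = [
    Rule("drop", "198.51.100.0/24", "0.0.0.0/0"),               # blocked network
    Rule("forward", "0.0.0.0/0", "203.0.113.10/32", TCP, 443),  # web server
    Rule("forward", "0.0.0.0/0", "203.0.113.25/32", TCP, 25),   # mail relay
]

if __name__ == "__main__":
    samples = {
        "web from allowed host": build_packet("192.0.2.7", "203.0.113.10", TCP, 443),
        "web from blocked net": build_packet("198.51.100.9", "203.0.113.10", TCP, 443),
        "ssh to web server": build_packet("192.0.2.7", "203.0.113.10", TCP, 22),
        "later fragment": build_packet("192.0.2.7", "203.0.113.10", TCP, 443, 185),
        "truncated": b"\x45\x00",
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {decide(RULES, pkt)}")
```

The filter forwards anything addressed to the permitted web and mail ports without looking at the payload, which is why header-only filtering alone does not stop the content-borne threats the thesis discusses in section 4.6.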
  • 53. 4.5.9 Laws, Rules and Policies (Ciampa M, 2010, pg 203)
    Security policies are the documents that outline the protections that should be enacted to ensure that the organization's assets face minimal risk. Security policies can also be seen as management's rules that have to be followed by every member of the company.
    At a more technical level, these can be seen as rules for accessing the system (including system access timing: for security reasons, a banking teller or vault custodian won't be able to use the system after a specific period of time) and a plan under which specific members have access to specific information, for example according to designation. For example, a system programmer should not have access to the strategic planning of the company, and a marketing person should not have access to the source code of the program. Other rules can prohibit access to illegal sites (adult, warez, torrent sites).
    4.5.9.1 Benefits
      • It creates security awareness among the members and binds them to the law.
      • It helps to ensure that employees (or children, in the case of a home) are monitored and directed to ensure security.
    4.5.9.2 Limitations
    As is said, rules are created to be broken. Most of the time it is found that if all the rules are followed, no attack or theft will take place, but hackers and thieves act illegally and try their best to get what they want at their own risk. It is the company's duty to protect itself from rule breakers, as there could be a high chance of damage.
  • 54. 4.6 Penetrating Firewall, Antivirus, Antispyware
    According to the Government Accountability Office (2005), United States, ‘new emerging cyber threats (spam, spyware, phishing, i.e. social engineering) can easily bypass most used traditional security controls such as Antivirus, Firewall, Antispyware and other traditional security countermeasures’.
    Figure 19. Emerging cyber security threats can bypass traditional security controls. Source: (Government Accountability Office, 2005)
    In figure no. 19, spam, spyware and phishing can be seen penetrating two layers, network controls and workstation controls. Here the new threats have successfully bypassed the first layer, formed by Firewall + Spam Filter + Antivirus and Intrusion Detection System (network control), and penetrate further through the second layer of Firewall + Antivirus (workstation control) to hit the desired target.
    This shows that new threats have to be managed with new, sophisticated and complex methods (rather than traditional methods) that can understand the attacker's (hacker's) mind, behavior, strategies and intention, as well as the needs, priorities and policies of the company, in order to stop the attack.
  • 55. The author claims that ethical hacking, as discussed in section 4.4 and section 4.7, can be used as an advanced security technique, where ethical hackers practise the same attacking strategies as hackers to find the vulnerability before hackers attack the system. The ethical hacker effectively attacks the system and, if any security hole is found, works on a solution according to the requirement and covers the security hole to make the system secure.
    4.7 Ethical Hacking
    Need of advanced security technique
    In the 21st century, innovation, competition and development have resulted in a strong dependency on IT. This opened new and attractive doors for the hacking community across the world. ‘Attackers have evolved from computer enthusiasts to professional hackers’ (Geibstein, 2006; cited by Dlamini, Eloff, Eloff, 2008). Bruce Schneier, quoted in Anderson (2008; cited by Dlamini, Eloff, Eloff, 2008), argues that “it is only amateurs who still target machines; career criminals now target people who operate them not just for fun but for financial gains thorough”. Attackers use hacking skills to show that they can avoid or bypass the authentication process to access each other's files, and later use those skills in the theft of confidential information. This has resulted in information and data security threats like identity theft, social engineering, spam, phishing, fraud, etc.
    Nowadays the intention of a hacker is financial gain, which may come from lost information and data (one cannot think only of targeting a financial database; money can be obtained by obtaining valuable information and data), and to avoid the “long arm of law” a hacker will do everything to cover the tracks that were left while attacking the target.
    4.7.1 Hackers
    Farsole A, Kashikar A, Zunzunwala A (2010) say that, traditionally, a hacker was someone who loves to mess with software, hardware or any system. Hackers
  • 56. enjoy manipulating, digging, exploring and love discovering new ways to work electronically in a computer or network system. Recently, hacker has taken on a new meaning: someone who maliciously breaks into systems for personal profit. These are criminal hackers, called crackers, who break into (crack) systems with malicious data, programs or scripts. Hackers' aim is to gain fame, profit, and even revenge. They modify, delete, and steal critical information that can be found with the victim.
    4.7.2 Ethical hackers
    Ethical hackers are good hackers who attempt to break into clients' computer systems in the same way hackers could have done. They would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems' security and report back to the top management of the company (owner, boss or the concerned person) with the vulnerabilities they found and instructions for how to remedy them. If required, ethical hackers also cover the security holes in the system that were found while exploring it. (Palmer C, 2001)
    Ethical Hackers “(White-hat Hackers) so-called "ethical" hackers who work with clients (organization) in order to help them secure their systems. White-hats can be: members of team system hardening specialist’s researchers, programmer looking for vulnerabilities (with the goal of finding them and removing them before the black-hat hackers). Contrast: Whereas a "white-hat" is considered a "good guy", a "black-hat" describes the "bad" hackers. (Juergen Haas, nd)
    Understanding the need of hacking your own system
    Author believes, “To catch a thief, think like a thief. That’s the basic for ethical hacking.”
  • 57. 4.7.3 Ethical Hacking
    Ethical hacking is hacking for a good purpose. Ethical hackers who practise ethical hacking stand with security to cope with intruders, social engineering, viruses, threats and vulnerabilities in the network, in infrastructure and individually (Syed, 2006). Ethical hacking and information security have been recognized as key growth areas for organizations (Youm, 2010). This technique ensures that the system is not vulnerable to hackers' attacks.
    4.7.4 Why Ethical Hacking?
    Although anti-virus, anti-spyware/adware, firewalls, biometrics, hardware encryption and other software and hardware are basic security means to secure information and storage systems and to analyze and eliminate threats, new techniques need to be practised to counter new emerging threats such as phishing, social engineering and DDOS attacks, as mentioned in section 4.1 and section 4.3 (Peter, 2005). Ethical hacking services are a part of the information security community. They focus on where organizations fail to ensure success because of security issues; here security may be part of network, system, finance, assets, intellectual property and so on. It is the practice of using professional talent in the “black arts” of hacking and vulnerability detection. Such an engagement can be procured (outsourced) from a third party or carried out by establishing an internal team. Ethical hacking should be a means to identify vulnerabilities, weaknesses and security holes in an organization's security posture. (Kraus R, 2009)
    As technology is upgraded, hackers enhance their knowledge and use never-before-used techniques; ethical hackers think the same way but act for a good purpose.
  • 58. 4.7.4.1 Evaluation of a system’s
    An ethical hacker's evaluation technique answers three basic questions:
      1. What information can a hacker (intruder) see in the system?
      2. Is it valuable information, and what can a hacker do with that information?
      3. Does anyone at the target notice the intruder's attempts or successes?
    Paperwork and discussion begin with the management's (owners'/clients') answers to the questions below (Garfinkel, Spafford and Schwartz, 2003):
      1. What are you trying to protect?
      2. What are you trying to protect against?
      3. How much time, effort, and money are you willing to expend to obtain adequate protection?
    Surprisingly, clients may have or find different answers to those questions:
      • A banking institute might say “our customers' information and login details”
      • An engineering firm might answer “our new product designs,” and
      • A Web retailer might answer “our customer database.”
    The answers may also include employee names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which this organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner's system).
    4.7.4.2 Types of attack for Ethical Hacking and Hacking
    As the author stated in the current situation section, Indian cyber crime is increasing at a high rate with new attacking techniques. The attacks that are most difficult to detect, interpret and manipulate, such as mass web defacement, internal threats, social engineering (phishing), DDOS (distributed denial of service) attacks and viral/malware attacks, have rocked Indians.
  • 59. Farsole, Kashikar, Zunzunwala (2010) say, “Ethical hackers should practice following different types of attacks, as such attacks are carried by hackers it is essential for ethical hackers to use the same attacks on system and ensure the security.”
    4.7.4.2.1 Non-technical attacks
    These are attacks that involve little or no virus code or programming. The attacker obtains the information from the clients themselves (the clients provide it) by convincing them that he is a genuine person or organization (the hacker presents himself as a genuine person). Social engineering (phishing, pharming) and phone phishing are a few of the most successful techniques in non-technical attacks.
    Other common and effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas containing critical information or property. Physical attacks can include dumpster diving (rummaging through trash cans and dumpsters for intellectual property, passwords, network diagrams, and other information).
    4.7.4.2.2 Network-infrastructure attacks
    Network attacks are the easiest way to hack into a system, as the network reaches anywhere in the world through the internet. Some of the most common and important network attacks are as follows:
      • Connecting into a network through a rogue modem attached to a computer behind a firewall
      • Flooding a network with too many requests, creating a denial of service (DOS) for legitimate requests
      • Installing a network analyzer on a network and capturing every packet that travels across it, revealing confidential information in clear text
  • 60. 4.7.4.2.3 Operating-system attacks
    The operating system is the core part of any system. The OS plays a large part in hacker attacks simply because the exploits (security holes) and vulnerabilities that can be found depend on the OS. For example, a Windows vulnerability may not be found in UNIX and so on; that is why attacks on an OS are OS dependent, and an attack on Windows may or may not be the same on UNIX. So determining the OS and hacking accordingly is common practice among hackers.
    Here are some examples of attacks on operating systems:
      • Cracking passwords and encryption mechanisms
      • Attacking built-in authentication systems
      • Breaking file-system security
    4.7.4.2.4 Application and other specialized attacks
    Applications are any software that a user installs for personal use, for example Word, Winamp, Media Player, email clients, browsers etc. Exploiting application software, and exploiting through application software, are the most general techniques used by hackers. One infected program can infect and change the behavior of other application and system programs.
      • Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these programs from the Internet.
      • Malicious software (malware) includes viruses, worms, Trojan horses, and spyware. Malware clogs networks and takes down systems.
      • Spam (junk e-mail) is wreaking havoc on system availability and storage space. And it can carry malware.
    These are the most common attacks by hackers, and the same attacks are carried out by ethical hackers in ethical hacking, which helps to find vulnerabilities and security holes.
  • 61. 4.8 The Ethical Hacking Process (Beaver K, 2007)
    The process needs to be planned in advance. All strategic, technical, environmental and management issues must be considered. Backup of data must be ensured, so that if anything unexpected happens clients are not left in any data state. And always test the system for impact analysis after the process.
    The ethical hacking process should look at the following points:
      • Specific systems to be tested
      • Risks that are involved
      • When the tests are performed and your overall timeline
      • How the tests are performed
      • How much knowledge of the systems you have before you start testing
      • What is done when a major vulnerability is discovered?
    4.8.1 Formulating your plan
      • Specific systems to be tested
      • Looking at different risks involved
      • Preparing a schedule to carry out the test and the overall timeline
      • Gather and explore knowledge of the systems we have before testing
      • What action will be taken when a vulnerability is discovered?
      • Specific deliverables
  • 62. 4.8.2 Selecting tools
    Make sure you have the right tools for ethical hacking; otherwise accomplishing the task effectively is difficult. Having said that, just because you use the right tools doesn't mean that you will discover all vulnerabilities. Make sure that you're using the right tool for the task:
      • To crack passwords, you need a cracking tool such as LC4, John the Ripper, or pwdump. A general port scanner, such as SuperScan, may not crack passwords.
      • For an in-depth analysis of a Web application, a Web-application assessment tool (such as Whisker or WebInspect) is more appropriate than a network analyzer (such as Ethereal).
    4.8.3 Executing the plan
      • Obtain all information about the target and your own computer, network and system.
      • Narrow the scope to targeting one specific area/sector.
      • Perform actual scans and tests to uncover vulnerabilities on systems.
      • Be ready for the attack, perform and exploit any vulnerability.
    4.8.4 Evaluating results
    Prepare and pass a formal report to management (boss) or to the client, outlining results and any recommendations.
  • 63. CHAPTER 5
    5.0 Research Methodology
    This chapter focuses on and discusses two major issues: the research methods for data collection and the purposes of each kind of data collection method. The author considers certain issues, for instance, “how will the data be collected or generated?” and secondly “how does the data that is analyzed become useful information?”
    5.1 Introduction
    The author's objectives are to identify the types of valuable information stored in the system or network, to identify the various security tools and techniques used by users, to identify users' expectations of security tools and techniques, and to identify the need for, importance and urgency of an advanced security technique. The main objective of this research is to identify whether ethical hacking can be another advanced security enhancing technique. Refer to chapter no. 4 for more details.
    This information is obtained or generated with the help of a questionnaire with supporting secondary research. Secondary research includes data collected from various books, journals, newspapers, websites, online articles etc., which strongly supports and proves the collected primary data.
    5.2 Purpose of Research
    The purpose of the research is to identify an advanced information security enhancing technique that can have an advantage over traditional security tools such as antivirus, firewall, biometrics etc., as discussed in section 4.5.
    This research will help corporations and individuals, as a new security enhancing technique is suggested to secure them (their information) from a highly malicious environment (network).
  • 64. 5.3 Research philosophy
    Figure 20. The Research process "Onion". Source: (Saunders, Lewis and Thornhill, 2003, p. 83)
    The author chose the research process ‘onion’ method, in which all data collected, whether secondary or primary, will be analyzed and interpreted. The first layer of the ‘onion’ method is research philosophy. Here it is divided into three important parts that play a crucial role in research work (Saunders, Lewis & Thornhill 2003, p. 83). They are:
      • Positivism
      • Realism
      • Interpretivism
  • 65. The second layer of the ‘onion’ method is the research approach, which explains the differences between the deductive approach and the inductive approach. The third layer is on research strategies. Here the strategies can be considered in many ways, such as experiment, survey, case study, grounded theory, ethnography, action research, cross-sectional and longitudinal studies. The fourth layer is based on time horizons, where the author has some questions pertaining to the project at hand but the answers will pan out as “It depends on the research questions” (Saunders, Lewis & Thornhill, 2003, p. 84). The last layer is the data collection methods, based on gathering of secondary and primary data, sampling size, interviews, questionnaires and observation.
    According to Saunders, Lewis & Thornhill (2003, p. 84), “Your research philosophy depends on the way that you think about the development of knowledge”. There are three perspectives on research philosophy that play vital roles in determining how knowledge should be developed and evaluated as being acceptable.
    Positivism is applicable to data and information gathered from various sources in literature reviews. Previous research and studies obtained from reliable sources were accepted and used as they were undertaken by professionals.
    Interpretivism is applicable in order to reflect the current situation, because some of the value of generalization from positivism may not be applicable since changes may have occurred since the period of the related case being researched.
    Lastly, the concept of realism is “…based on the belief that a reality exists based on the independent of human thoughts and beliefs” (Saunders, Lewis & Thornhill, 2003, p. 84).
    The author believes that this concept would be the most important of the three research philosophies.
  • 66. 5.4 Research Strategies
    5.4.1 Research Approaches
    According to Saunders, “Your research project will involve the use of theory” (Saunders, Lewis, Thornhill 2003, p. 392), and this research project develops theory from the result derived from data analysis. So far, two different approaches, Deductive (top to bottom) and Inductive (bottom to top), are introduced.
    [Figure: Deductive Approach (Top to Down); Inductive Approach (Down to Top)]
    The deductive approach (top to bottom) is the ideal and most suitable approach to be adopted by the author. A rigorous literature review is done with theory and a hypothesis is generated; primary and secondary data analysis that supports the objectives is then conducted, which provides results and confirmation.
    5.4.2 Time Horizons
    The research length is an important factor. There are two approaches, the ‘cross-sectional’ and the ‘longitudinal’ approach (Saunders, Lewis & Thornhill 2003, p. 95). The time utilized to gather, analyze and explain the details of the project was approximately 7 months.
  • 67. 5.5 Data Collection Methods
    As data collection methods will greatly affect the results of the findings, the author has decided to use the methods below.
    5.5.1 Sampling Design
    Two sampling methods, quota sampling and snowball sampling, are used for two different respondent types. For the respondent type ‘professional’ quota sampling is used, whereas for ‘students and other’ snowball sampling is used.
    “5.5.1.1 Quota sampling is the non-probability equivalent of stratified sampling. Like stratified sampling, the researcher first identifies the stratums and their proportions as they are represented in the population. Then convenience or judgment sampling is used to select the required number of subjects from each stratum. This differs from stratified sampling, where the stratums are filled by random sampling. (Statpac.com, nd)
    5.5.1.2 Snowball sampling is a special nonprobability method used when the desired sample characteristic is rare. It may be extremely difficult or cost prohibitive to locate respondents in these situations. Snowball sampling relies on referrals from initial subjects to generate additional subjects. (Statpac.com, nd)”
    As respondents of type ‘students and other’ are very difficult to identify in the author's research (that is, the criteria for surveying students and others cannot be satisfied easily by most students), the author has chosen snowball sampling for this purpose. Tech-savvy students were approached as respondents, who in turn suggested a few names that were valid and suitable for the survey.
    Quota sampling, being most widely used and suitable for research, was chosen by the author for the respondent type ‘professional’.
    5.5.2 Sample Frame and Sample Size
    The sample size generated using the following formula is 164. The confidence level was selected as 95% and the confidence interval as 7% (survey systems, nd), as the targeted sample
  • 68. is professional, experienced in the security field, and has sound knowledge, which results in a high confidence level. This perfect target sample increases the confidence level to 95%, which is again recommended by survey systems.
    5.5.2.1 Sample size formula:
    $$\text{Sample Size} = \frac{Z^{2} \cdot p \cdot (1-p)}{c^{2}}$$
    Where:
      Z = Z value (e.g. 1.96 for 95% confidence level)
      p = percentage picking a choice, expressed as decimal (.5 used for sample size needed)
      c = confidence interval, expressed as decimal
    5.5.3 Target Region
    Pune and Mumbai are India's most valuable IT hubs (Discover Pune, 2010); almost every Information Technology company available in India has its footprint in Mumbai, Pune or both. The two cities together have more than 200 IT companies (Articles base, July 2009) (Mumbai online, 2010). With Mumbai also being the financial capital of India (Mumbai Organization, 2010) and Pune an education hub (Rediff Business, 2007), all resources are available, from high-tech transportation to highly skilled employees and world-class employers.
    5.5.4 Target Industries
    It is essential that a company or a person is concerned about and aware of the company's security or the security of personal systems. For companies, the author visited various IT companies, banks' IT departments, educational industries and the BPO (Business Process Outsourcing) industry, which practise various security measures to secure information and systems in their organizations.
  • 69. 5.3.5 Target Sample
    Out of 164 samples, 34 companies or industries were targeted, with 4 employees in each company: 34 * 4 = 136, approx. 140, with the remaining 24 respondents selected as students, teachers or others who are tech savvy and quite aware of high-tech security practices. The figures of 140 respondents and 4 from each of the 34 companies are on an average basis and were not applied as a strict rule: from a few companies only 3 or 4 respondents could be interviewed, while from others it was 5 or 6 respondents, according to the size and availability of the target sample.
    People interviewed in companies were designated as senior programmers, IT managers, security/tech. officers, network/system administrators and ethical hackers.
    IT managers had the idea of, and the final report that is generated in, the security process, and also understand the need for it and its pros and cons. The security/network administrator, who is in charge of the whole system/network in the company, grants permission and access within the network. Technology/security officers are in charge of, and the boss of, the security department and are aware of the security issues in the company. Senior programmers, who have programming skills and can point to various logical issues in a program that can turn into vulnerabilities, were interviewed. The ethical hacker, who is the basic idea behind this research, was interviewed to understand the environment, the different possibilities, problems and experience; as the one who is in direct war with the threats, vulnerabilities and hackers, the ethical hacker would provide vital information.
    Indeed, any person who understands ethical hacking, is aware of security practices and practises them on their own machine (laptop, computer) was approached as well.
  • 70. 5.6 Data Collection
    Data was collected and divided into two major categories: secondary and primary data.
    5.6.1 Secondary Data Collection
    Saunders, Lewis & Thornhill (2003, p. 208) state that secondary data includes both quantitative and qualitative data that are gathered in both descriptive and explanatory research strategy. Secondary data is stated in the literature review.
    5.6.2 Primary Data Collection
    Primary data are data gathered and assembled specifically for the project at hand. Compared to secondary data, it is more accurate and detailed. Thus, primary data collection is the main method to gather useful data.
  • 71. CHAPTER 6
    6.0 Data Analysis
    The data analysis chapter focuses on the findings of the primary data collected and the secondary data (collected in the literature review). The questionnaire is divided into sections, which are discussed along with the findings for each section. Later, based on the primary and secondary data findings, a conclusion is made to support the research.
    6.1 Primary Data Questionnaire
    Details on the distribution of questionnaires:
      Geographic location: 1. Mumbai 2. Pune
      Calculated sample size: 164
      Number of questionnaires distributed: 170 forms
      Number of replies: 158
      Percentage of replies to distributed questionnaires: 92%
      Percentage of replies based on sample size (164): 97%
    The questionnaire is divided into four sections, namely sections A, B, C and D. ‘Section A’ aims to study general information about the respondent. It collects information on the respondent's gender, designation, and the type of industry the respondent is working in.
    ‘Section B’ determines the type of information stored in the system or network and the security measures (tools) used by the respondent. This section collects information about the general security tools and techniques used by the respondent, as mentioned under factors in the chapter stated by (Ciampa M, 2010), and aims to understand the type
  • 72. of valuable information stored in the respondent’s system or network. Section 4.7.4.1 was considered in designing this section.

Section C is to understand the respondents’ views on information security, which informs the author about the respondents’ views, expectations, needs and experiences of security. Section 4.7.4.1 was considered in designing this section.

Section D is to understand the respondents’ advanced security practices. In general, this section answers queries regarding ethical hacking. Section D collects the respondents’ advanced practices, which show whether ethical hacking (or part of ethical hacking) is practiced and whether it is an acceptable and useful method of ensuring security over the general security techniques. The questions in Section D are based on section 4.7 (especially section 4.7.4.2 by Farsole, Kashikar, Zunzunwala (2010), section 4.7.8 by Beaver K (2007), and section 4.7.4.1). Farsole, Kashikar, Zunzunwala (2010) state that in ethical hacking, attacks are practiced on one’s own system in order to check that the system is not vulnerable to any outsider or insider attack. Where a security threat is found, the respondent’s action has been collected by the author. The author designed Section D by looking at the kinds of attacks practiced in ethical hacking, as stated by Farsole, Kashikar, Zunzunwala (2010) in section 4.7.4.2. Finally, Section D collects the respondents’ views on whether the attacks mentioned are useful, effective, advanced and problem-solving for information security.

6.2 Analysis approach

The questionnaires received were analyzed and recorded in Excel. The respondents’ responses were entered into Excel, where all the results were combined to give a combined view of all the responses.
Firstly, the questionnaires were separated according to the respondent’s designation, and the data was entered into 6 different Excel sheets (as the author considered 6 different types of respondent designation). Later, the responses from the 6 sheets were combined to form a 7th Excel sheet. This sheet gives a combined view of all the responses
  • 73. together, where the responses from all 6 respondent designations were summed up and the following graphs and conclusions were produced.

6.4 Results of the questionnaires

6.4.1 Analysis of Section A

6.4.1.1 Gender

Graph 1: Gender

Out of 158 respondents, 96 were male and 62 were female. According to Census India (nd), the sex ratio of India is 922 females per 1000 males. This shows the author is not biased towards gender.

6.4.1.2 Respondents Designation

Graph 2. Respondents Designation
  • 74. 42 respondents were network or system administrators; 16 were ethical hackers (a few companies were found to have certified ethical hacking professionals); 23 were senior programmers with 3+ years’ experience in any programming language, including web development; 23 were IT managers; 30 were security or technology officers (a few companies have a special cyber/technical security department that appoints officers to manage security in the company); and 24 were ‘Others’, of whom 6 were master’s students in the IT field who were tech savvy and very interested in technology, 11 were professors at universities and private institutes teaching security subjects in particular, 3 were tech-savvy junior programmers, and 4 were software testers.

6.4.1.3 Industry Type

Graph 3. Industry Type

94 respondents were from IT companies, 30 were from banking IT departments (which also includes cyber security departments), 34 from business process outsourcing, and 32 from ‘Other’, which includes the educational industry and manufacturing industries’ IT departments.
  • 75. 6.4.2 Analysis of Section B

6.4.2.1 Type of Information stored by respondent in system

Graph 4. Types of Information stored.

The high bars in the graph show that the system contains valuable information for all respondents. In personal systems, personal media files top the list (stored by 158 respondents), followed by login details, including usernames, passwords and security PINs (stored by 148 respondents), which can be considered the most valuable information, then confidential documents (stored by 147 respondents), identification details () and office documents.

In company systems, the most highly rated were confidential documents (145 respondents); the system process manual (139 respondents), which contains all the working, configuration and recipes of the system; the database (132 respondents), which includes all tables used by software developers and network/system admins and other valuable information stored in structured order; employee details (129) and financial details (129),
  • 76. alpha version, customers’ data, source code for IT companies, financial details of the company, strategic information (this includes the future plans of the company) and other.

6.4.2.2 Security tools used by respondents

6.4.2.2.1 Software security tool and techniques

Graph 5. Software security tools important and usage

The majority of respondents say antivirus is most important (106 respondents), followed by important (43 respondents), and all respondents agree that antivirus is important for security, leaving the ‘not important’ bar at zero. Antispyware is rated important or most important by 109 respondents, whereas 7 respondents, most of them IT master’s students, have never used antispyware. A software firewall is rated important and useful by 142 respondents, and no respondent says it is not important. Patches developed by OS developers and application developers are supported by 129 respondents, whereas 1 respondent says they are not important.

Overall, all the software security tools mentioned are important and useful for security.
  • 77. 6.4.2.2.2 Hardware security tools and techniques

Graph 6. Hardware security tools importance and usage

The hardware firewall is rated important and useful by 141 respondents, the highest among the hardware security tools. Biometric tools follow the hardware firewall with 101 respondents, whereas 18 respondents have never used biometrics as a security tool. Hardware encryption is supported by 109 respondents, whereas 26 respondents have never used hardware encryption and 5 respondents say it is not important.

Overall, all the hardware security tools mentioned are important and useful for security.
  • 78. 6.4.2.2.3 Security rules, law, policies and access control

Graph 7. Security rules, policies, laws and permission importance and usage

128 respondents agree that companies’ security rules, laws and policies are important for security, whereas 9 respondents, mostly ethical hackers and students, do not believe in laws, as most hackers attack illegally. Parental control / access control is favored by 140 respondents, whereas 3 respondents say it is not important.

Overall, all the software security tools mentioned are important and useful for security.
  • 79. 6.4.3 Analysis of Section C

6.4.3.1 Respondents view on information security

Graph 8. Respondents view on Information Security

The majority of respondents (respondents’ companies) have been victims of stolen or hacked information; 27 respondents out of 158 say they have never been hacked or been a victim of stolen information.

Most respondents say general security tools do not satisfy their security needs, whereas fewer respondents disagree. 22 respondents are strongly satisfied by general security tools and techniques.

The majority of respondents (respondents’ companies) need advanced security techniques to ensure security. As attackers are using high-tech, advanced attacking techniques, most respondents (even the satisfied respondents) are looking for advanced security tools and techniques.
  • 80. 6.4.3.2 Respondents’ expectation from security techniques

Graph 9. Respondents Expectations from security techniques

Most respondents say they need security techniques that can understand attackers’ strategies, intentions and techniques, so that the countermeasure can depend on them. Once it is known how hackers can exploit the system, the security hole can be covered before the attack.

More sophisticated, complex security tools are favored by most respondents; they seek more sophisticated bundled tools, like internet security software, which combine multiple security tools to counter security threats.

A respondent’s priority for valuable information may change from time to time: for a developer in the initial stage, the alpha version (source code of a module) is the valuable information, but once the software is built completely, the focus shifts to the whole software source code. The majority of respondents expect a dynamic technique that can understand the respondent’s priorities and needs. Surprisingly, no respondent says they do not need a dynamic technique.
  • 81. Another majority of respondents expect real-time security and techniques that can understand companies’ laws, policies and priorities.

6.4.4 Analysis of Section D

In this section, respondents were asked whether they practice attacks to find any security threats (security holes) in the system and, if any are found, whether they then work to cover or eliminate the threat in order to ensure security.

6.4.4.1 Attacked for unauthorized access to the system

Graph 10. Results for unauthorized access to the system

152 respondents say they have tried getting unauthorized access to the system, while the other 6 respondents never tried.

6.4.4.2 Breaking system’s password

Graph 11. Breaking system’s password

152 respondents say they have tried breaking a system/computer password using different techniques and tools, while the other 6 respondents never tried.
  • 82. 6.4.4.2.1 Operating system attack

Graph 12. Response for Operating system attack

Respondents who tried breaking system and application passwords found breaking the system using a brute force attack and using a password monitoring tool more useful, whereas FTP/remote attacks, tweaking the OS file system and tweaking biometrics have not been used by most of the respondents.

In all, respondents found all the operating system attacks useful, as the ‘very useful’ and ‘useful’ bars are all higher than the ‘neutral’, ‘not useful’ and ‘never used’ bars.
  • 83. 6.4.4.3 Getting information by faking target

Graph 13. Getting information by faking targets

140 respondents try to get confidential information from clients, employees or friends by faking them, whereas 18 respondents never tried.

6.4.4.3.1 Non-technical attack

Graph 14. Response for Non-Technical attack
  • 84. The majority of respondents, almost 88%, have found non-technical attacks useful. Attacks such as getting login details by faking employees, friends or clients; creating a fake social networking site, banking site or email address to get confidential details; making phone calls to clients, employees or friends while pretending to be the real person in order to get the information; and installing a keylogger (acting as a genuine tool) have been rated highly by 88% of respondents. Phone call attacks have been widely accepted, by 146 respondents (summing ‘very useful’ and ‘useful’).

6.4.4.4 Violating companies/ individual rules, policies, law

These attacks can also be considered non-technical attacks; as they mostly focus on breaking the rules, they have been considered as another type of attack.

Graph 15. Violating companies/ individual rules, policies, law

136 respondents try to break and violate companies’ or individuals’ rules, laws and policies, whereas 22 respondents never tried it. These 22 respondents are mostly students and professors, as they are mostly not bound by hard and fast rules, plus a very few IT managers and security officers who have access to all systems and never felt a need to try.
  • 85. 6.4.4.4.1 Violating (breaking) laws, rules and policies attack

Graph 16. Response for violating rules/ policies/ laws.

Out of 136 respondents, 128 have found accessing prohibited websites, databases and the server a useful technique; it was found that users use the server/database for other than the intended purpose. In banking, it is found that employers often try to see friends’ financial details. Also, access to some social networking sites or mail clients is restricted for employees, yet employees look for different ways to access restricted domains. 117 respondents say accessing a system/computer without the user’s consent is useful, whereas 97 respondents say faking the security guard (owner of home/system) is useful. Employees are often found taking flash drives to their desks at the company by faking the security guard, which is not allowed and violates security policy.

Such attacks can check the risk of insider threat; all three techniques are highly marked by respondents, which suggests they are very useful techniques.
  • 86. 6.4.4.5 Breaking network infrastructure

Graph 17. Breaking Network infrastructure

149 respondents try to break into personal or private (company) networks, whereas 9 respondents never tried. Network infrastructure is the most vulnerable and valuable attack target. Today every machine in a company is on the network. The packets moving in and out carry the information that is most valuable to the company and the individual. This concern has led more respondents to try breaking into the network infrastructure to ensure that the network is not vulnerable, or is less so.
  • 87. 6.4.4.5.1 Attacking Network infrastructure

Graph 18. Response for attacking network infrastructure

128 respondents say that flooding the network with a DDOS attack and tweaking modem and router passwords and settings with available programs or other password cracking techniques is useful. With network attacks being popular, DOS attack and network analyzer tools are widely available on the internet and are used by respondents to ensure security. 136 respondents say a network analyzer is useful for getting information about vulnerable and unused ports on a system. 105 respondents say tools used for bypassing a hardware firewall are useful, whereas 22 respondents have never used tools to bypass a firewall.
  • 88. 6.4.4.6 Action taken after identifying security threat (vulnerability)

Graph 19. Response on action taken after identifying security threat

81 respondents say that on identifying a security threat, hole or vulnerability in the system after practicing different attacks, they refer the problem to top management or the owner and then act according to their instructions. Next, 71 respondents say they correct the problem after identifying any issue. This is generally based on the company’s rules: if management does not interfere, respondents often go ahead and correct the problem. Another 4 respondents, 2 professors and 2 junior programmers, used those techniques for trial purposes.
  • 89. 6.4.4.7 Respondent’s acceptance of attacks to ensure security

Graph 20. Response on acceptance of attacks to ensure security

136 respondents found the above security attacks useful, strategically problem-solving and advanced, as to some extent they satisfy the respondents’ expectations as stated in question 9 (section C) of the questionnaire.

8 respondents do not agree that those attacks will fully ensure security and say many more different attacking techniques and practices are needed, whereas 14 respondents say ‘can’t say’.
  • 90. CHAPTER 7

7.0 Discussion and Conclusion

The final chapter of the thesis discusses what the researcher has done in preparing this report: it discusses the findings of the primary (questionnaire) and secondary data, provides a recommended framework based on the researcher’s theory, and covers the limitations of the research and the implications of the research findings by reviewing the research questions and research objectives.

As discussed in section 6.1 (Primary Data Questionnaire), the researcher divided the questionnaire into four sections, each with its own objective and significance. The researcher discusses and concludes each of the sections below.

7.1 Discussion and Conclusion on section A

The discussion and conclusion here are based on section 6.4.1. The percentage of replies based on the sample size of 164 turns out to be 97%, with 158 respondents replying. Out of 158 respondents, 96 are male and 62 are female, i.e. the male-female ratio turns out to be 60:40 percent (Graph 1). According to the demographics of India, the female ratio is 922 per 1000 males, and roughly the same for Pune and Mumbai (Census India, 2001). The latest Indian sex ratio for 2011 is not available yet, as the census in India takes place every 10 years.

Most of the respondents are network/system administrators (42) and security officers (30), as they are easily available in IT companies with active attendance (Graph 2). The researcher considered admins over others as they manage the company’s (or individual’s) server and network, which are highly targetable by attackers (hackers). Admins were found to be effectively managing the data center. It was found that the security/tech officers work as the leads of the system administrators. Ethical hackers, senior programmers and IT managers, along with others (individuals studying ethical hacking, professors and tech-savvy respondents), were also surveyed. Most of
  • 91. the small IT and banking IT domain companies do not hire a separate ethical hacker; instead they ask a security officer or senior system administrator to perform the task of an ethical hacker, targeting the system in order to understand its flaws. Senior programmers have coding skills with hands-on technical understanding of the internal architecture and coding of application, network and system software, whereas IT managers, who manage the project or company, keep track of and have the right to suggest the tasks performed in the company under the project.

The contribution of the Information Technology / Information Systems industry (92 respondents) is the highest among the industries; the others are banking IT departments (30 respondents), BPO (34 respondents), and other (includes the educational industry and manufacturing industries’ IT departments, 32 respondents) (Graph 3). The IT/IS, banking and BPO sectors have been found to be highly conscious about security and always ahead in implementing new security techniques. As BPOs undertake outsourcing projects, it is highly essential for them to protect the client’s assets (information) from becoming vulnerable to attackers (competitors).

Conclusion

As discussed above, the selected gender mix with the sample size, the respondents’ categories and the industries are highly eligible, relevant, supportive and necessary for answering the research questions and objectives. The IT/IS, banking and BPO domains have been found to be highly security conscious, as the business needs it, while network/system admins, security officers and ethical hackers were found to be working effectively in those industries.
  • 92. 7.2 Discussion and Conclusion on section B

As discussed in section 6.4.2, the graph for types of information stored in the system is high, which indicates that the system and network contain extremely valuable information from the respondents’ point of view. This section focuses on research question 2, with the objectives “to understand importance and urgency of information security” and “to understand the need of having effective countermeasure for security threats”, with supporting secondary research provided in chapter 4 and section 4.1 (Current Information security Crime and Scenario), section 4.2 (Security awareness among Indians) and section 4.3 (Emerging Cyber security threats), as they suggest growth in crime using high-end, sophisticated technology. This suggests how security threats are rising for the valuable information stored in systems and that a few more dynamic, effective measures need to be practiced.

The types of information stored in the system by respondents give the figures below.

Personal system (responses):
Personal media files: 158
Confidential document: 147
Login detail (username/password/PINs): 148
Office documents: 117
Identification details: 122
Other: 121

Companies’ system (responses):
Employee details: 129
Confidential documents: 145
System process manual: 139
Financial details: 129
Database: 132
Alpha version: 108
Customers’ data: 113
Source code: 122
Strategic information: 123
Other: 69

As stated in the above table, almost all 158 respondents rated all kinds of information stored in the system highly. In personal systems, personal media files, login details, confidential documents, and identification such as licence copy, passport copy, id
  • 93. proof, school/college documents, area of interest etc. are stored in the system. In companies’ systems, respondents were found to be storing confidential documents, the system process manual, financial details, the database (clients, products, transactions in the banking process, other data), strategic information (next five years’ plan, company secrets, marketing plan, new project plans etc.) and source code (in IT companies). Altogether, it is clear that the system (or the network of the system) contains extremely valuable information belonging to the respondents.

Section 6.4.2.2 provides the respondents’ views on the current static security techniques and methods used by respondents. These security tools and techniques include security software, security hardware and ‘rules, policies and laws’, all of which are factors suggested by Ciampa, 2010 (as stated in section 3.2.2). This section focuses on research question 1 (section 2.1) to satisfy the objective “To explore different techniques and methods used to enhance security.”

In section 6.4.2.2, all software security techniques (antivirus, anti-spyware, firewall and patches, mentioned in section 3.2.2) (Graph 5) are used and recommended by respondents, along with hardware security tools (biometric tools, hardware firewall and hardware encryption [disk encryption], mentioned in section 3.2.2) (Graph 6) and also security rules, law, policies and access control (mentioned in section 3.2.2) (Graph 7).
From the high graphs throughout, it is found that most of the respondents use and recommend all the security factors, namely security software, hardware and rules, to ensure information security.

Conclusion

Based on the above discussion, the author points out that the static security factors suggested by Ciampa, 2010 are essential to ensure information security and are also used and recommended by the respondents.
  • 94. 7.3 Discussion and Conclusion on section C

The author’s discussion in the above section (section 7.2) states that static factors are needed for security; in this section the author has surveyed whether the above security methods are sufficient to tackle today’s dynamic threats. As mentioned in section 4.1 (Current Information security Crime and Scenario) and section 4.3 (Emerging Cyber security threats), the static security factors discussed above are not sufficient to counter threats; as said in section 4.7 (Ethical hacking), the paragraph on the need for ethical hacking makes clear that new advanced techniques are needed to counter the said attacking techniques.

In this section the author discusses and concludes on the respondents’ views on information security as stated in section 6.4.3.1 (Graph 8).

Out of 158 respondents, 118 are victims of hacked or stolen information, 27 are not victims, and 13 are neutral, as they are not aware whether they are.

86 respondents are not satisfied by the security techniques mentioned in section 3.2.2, while 16 respondents are neutral (sometimes they are satisfied and sometimes not) and the rest of the respondents are satisfied by the security techniques mentioned in section 3.2.2.

163 respondents need much more advanced security techniques over the static security techniques mentioned in section 3.2.2 and say they will help to enhance the protection of information systems from hackers (attackers), whereas 15 respondents are neutral and the others do not feel the need for new and advanced security techniques.

Section 6.4.3.2, on respondents’ expectations from security techniques (Graph 9), answers research question 1 to satisfy the objectives “to understand the
  • 95. expectations of information security those are not currently satisfied” and “to understand the limitations of current security techniques”.

As explained from Graph 9, 144 respondents highly expect something dynamic that can understand the hacker’s (attacker’s) strategy and techniques and act accordingly, as it will help to prevent an attack rather than cure after it. The graph is also high for the need for sophisticated, complex security tools, for dynamic security techniques or methods that change according to need and urgency, and for techniques that are able to understand companies’ or individuals’ policies, laws and priorities; these are expected by most of the respondents. All the expectations together point to a need for an advanced security technique, as mentioned in section 4.7 Ethical hacking.

Conclusion

To counter advanced dynamic attacks by hackers, one needs an advanced technique over the current security techniques stated by Ciampa, 2010 in section 3.2.2. The tools and techniques suggested by Ciampa, 2010 are needed but not sufficient to tackle the security risk. What is needed is a security method that can prevent an attack before it takes place, can understand individual and corporate needs, and understands the hacker’s strategy so as to act accordingly.
  • 96. 7.4 Discussion and Conclusion on section D

This section answers research question 3 and satisfies the objectives “to explore different techniques and methods used to enhance security” and “to understand the role and need of ethical hacker”. The secondary research that strongly supports section D is in section 4.7 Ethical hacking, section 4.7.4.2 (Types of attack for Ethical Hacking and Hacking by Farsole, Kashikar, Zunzunwala, 2010) and section 4.8 (Ethical hacking process by Beaver K, 2007).

According to Farsole, Kashikar, Zunzunwala (2010), ethical hacking must practice a certain set of attacks, which are fully described and discussed in section 4.7.4.2 and from which section D of the questionnaire is derived. The ethical hacking process by Beaver K, 2007 is reflected in the same section D of the questionnaire.

In section 6.4.4, Graph 10 shows that most respondents try to gain unauthorized access to the system. This is a usual practice even for individuals, who guess the password of a colleague’s system; in corporate settings, employees are often found trying to access the server to perform various tasks. In the author’s personal experience, employees in a company often try to get access to the server to finish their tasks. Employees in the company have access to the server for a limited time; once the time allocated to an employee is over, the employee’s rights are revoked. An employee who is unable to finish the task in the given time is found trying to access the server using a colleague’s login or by some other unauthorized way.

Graph 11 and Graph 12 suggest that all the attacks mentioned by Farsole, Kashikar, Zunzunwala, 2010 in section 4.7.4.2 are practiced. These include breaking the system or network password using different attacks, such as brute force: in this attack, code developed by the hacker or ethical hacker tries to get access to the system by generating a stream of characters and digits and passing it to the password field until the password matches.
In a dictionary-based attack, all the words in the dictionary are passed to the password field in the system; a user who keeps any dictionary word as a password would get hacked. Password guessing, this is
  • 97. very commonly practiced, in which an individual guesses the password and tries to access the login. All other attacks mentioned in Graph 12 are practiced and suggested by respondents. The keylogger is explained in chapter 4 under section 4.3.5. Operating systems and biometric devices, mentioned in chapter 4 under section 4.5.6, are also tweaked (programmed and corrupted by injecting foreign particles [hardware] or malicious code) in order to get access to the system and network. Almost 35 respondents never tried to tweak (or did not find it useful to tweak) biometric devices and the operating system.

In section 6.4.4.3, Getting information or entry by faking individual (system), Graph 13 states that a total of 140 respondents tried these techniques to get confidential information or unauthorized entry or access. These attacks fall under non-technical attacks, where the hacker or ethical hacker does not use high technical expertise (or uses very little technical knowledge) to target the system or area of interest. The high Graph 14 shows that non-technical attacks are popular and useful; as most non-technical attackers practice these ways, respondents practice them too to ensure security.

The attacks under Graph 14 include making phone calls to friends, colleagues or competitors and asking them for confidential information while pretending to be the real and concerned person. For example, a hacker could call a person pretending to be banking customer care and ask the target for personal identification details (sometimes including username and password). If the person cross-questions the hacker about the need for such details, hackers are smart enough to respond that, according to an RBI (Reserve Bank of India) rule, the bank needs to verify all the details of the customer.
In such a way, a few individuals get trapped without any technical attack. Respondents rated each attack in this category high. Another popular less technical attack is creating fake companies or social networking websites to get login or other confidential details of the target. This topic is discussed in detail in chapter 4, under section 4.1.3, Social engineering issues, with Figure 5 providing a snapshot of a fake bank website. Installing a keylogger and obtaining login details is also highly rated; refer to chapter 4, section 4.3.5 for details on the keylogger attack.

In section 6.4.4.4 (Graph 16), violating company or individual rules, policies and law by accessing prohibited websites, databases and servers, and by accessing a system without the permission of the concerned person, are rated high, followed by entering the company by faking a security guard. These can also be considered non-technical attacks; but as these attacks are more focused on breaking laws and policies, the author has separated them from the non-technical attacks. The attacks mentioned in 6.4.4.4 are commonly found and practiced by respondents to keep track of security holes.

In section 6.4.4.5 (Graph 18), attacking network infrastructure is the highly destructive technique practiced by almost all hackers. The Distributed Denial of Service attack (DDOS) is explained in chapter 4, under section 4.3.4, Bot network operator, with Figure 9, Distributed Denial of Service attack (DDOS). Tools, code and techniques to bypass hardware firewalls and intrusion detection systems are discussed in chapter 4, under section 4.6, Penetrating Firewall, Antivirus, Antispyware, with Figure 19, Emerging cyber security threats can bypass traditional security controls. Tweaking the password of a network modem, router or access point is done by practicing many of the techniques discussed earlier: password breaking, passing malicious code via the router, using a WEP (Wired Equivalent Privacy) key hack, or injecting foreign material into the hardware. Hackers use a network analyzer tool or command (netstat -nr) to identify unused open ports through which to penetrate the system; respondents practice the same to keep the system secured from attackers.
In section 6.4.4.6, Action taken after identifying security threat (vulnerability), Graph 19 suggests that 71 respondents correct the problem by identifying the solution, 81 respondents refer the problem to the top management and act accordingly (as suggested by Beaver K, 2007 in section 4.8.4, Evaluating results), while others leave the problem as it is. The correct approach of almost 152 respondents, to identify and block the threat, is also advised by Beaver K, 2007.

In section 6.4.4.7 (Graph 20), Response on the acceptance of attacks to ensure security, the responses favor the research. 136 respondents say yes, they prefer the above discussed attacks to find the security holes in the system, network and environment. Security attacks performed on one's own system or network to ensure security, as discussed in section D, were found to be more advanced, effective, useful and strategically problem solving by 136 respondents.

Conclusion

The four different types of attacks suggested in section 4.7.4.2 proved to be accepted and signalled by the majority of respondents in Mumbai and Pune. The majority also practice solving the security holes identified in the system to ensure security.
7.5 Limitations of Research

The research is based on two cities, Mumbai and Pune, which restricts it to west India; south Indian cities like Bangalore and Chennai, also known for a strong IT/banking/BPO industry presence, have been skipped, and including them could have added more accuracy to the research. The four different types of attacks mentioned in section 4.7.4.2 are limited, as the ethical hacking process is distributed over a vast area. In order to limit the scope of the research, the author restricted the ethical hacking process from being elaborated. Due to unfortunate reasons like time complications, the author chose Microsoft Excel to analyze the questionnaire over the Statistical Package and Social Science tool.

7.6 Future Research

Based on the limitations of this research, future research would focus on a similar topic while considering all the limitations stated above. As this research focused on the advantages of ethical hacking, future research would also consider the disadvantages before making the final conclusion.

7.7 Conclusion

In conclusion, the author believes that in today's business and technology era, threats to information security are rising at uncatchable speed, and the current static security techniques are not sufficient to tackle the advanced attacking techniques deployed by the hacker (attacker). The attacker's tools can easily bypass static security; the advanced security technique of ethical hacking proved to be more effective, strategically problem solving and advanced over the security methods provided by security software, hardware and rules, as stated in section 3.2.2. Ethical hacking also helps to prevent the attack, as the ethical hacker may find the security hole in the system or network and cover it before the attacker could find the same security hole in the system.

No doubt static security software, hardware and policies are useful and indeed needed, but implementing ethical hacking would enhance the security of the information system.

The research concludes that "Ethical hacking is another technique to enhance Information Security."
References

A. Partida and D. Andina (2010), IT Security Management: IT Securiteers - Setting up an IT Security Function, Volume 6

Articles base (July 2009), Pune emerges as a major IT hub of India, Free online articles directory, (online) (cited on 19 Oct 2010) available from URL http://www.articlesbase.com/hotels-articles/pune-emerges-as-a-major-it-hub-of-india-1082424.html

BBC News, 2010, ‘Biometric technology’, (online) (cited on 15 Aug 2010), available from http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/nn3page1.stm

Beal Vangie (2010), The Differences and Features of Hardware & Software Firewalls, (online) (cited on 18 Sept 2010) available from URL http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

Beaver Kevin (2007), Hacking For Dummies®, (2nd edition), John Wiley & Sons, Hoboken, NJ

Ciampa Mark (2010), ‘Security awareness – Applying practical security in your world’, (3rd edition), Course Technology, USA

CCIC (2005), cyber crimes, Cyber crime investigation cell, (online) (cited on 19 Oct 2010) available from URL http://www.cybercellmumbai.com/cyber-crimes/

Census India (2001), ‘Indian Sex ratio’, (online) (cited on 23 Aug 2010) available from URL http://censusindia.gov.in/Census_Data_2001/India_at_glance/fsex.aspx

Dave Taylor, What is hardware-based disk encryption?, (online) (cited on 23 Aug 2010) available from URL http://www.askdavetaylor.com/what_is_hardware-based_disk_encryption.html

Discover Pune (2010), ‘Pune major IT companies’, (online) (cited on 07 Sept 2010) available from http://www.discoverpune.com/Pune-IT-Companies.aspx

Diseriao.com, GAWC- world cities list, (online) (cited on 20 Oct 2010) available from URL http://www.diserio.com/gawc-world-cities.html

Dlamini, Eloff J and Eloff M (2008), ‘Information security: The moving target’, (online) (cited on 23 Feb 2010) available from http://linkinghub.elsevier.com/retrieve/pii/S0167404808001168

Fadia A (2007), ‘Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection’, ‘Security’, Course Technology PTR, Boston MA

Farsole Ajinkya, Kashikar Amruta, Zunzunwala Apurva (2010), ‘Ethical Hacking’, International Journal of Computer Applications, Volume 1 – No. 10

FIPS PUB 199 (2004), ‘Standards for Security Categorization of Federal Information and Information Systems’, ‘Computer Security Division’, (online) (cited on 28 Nov 2010) available from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Garfinkel, Spafford and Schwartz (2003), ‘Practical Unix & Internet Security’, (3rd edition), O'Reilly & Associates, Sebastopol, CA

Godbole Nina (2009), Information systems security - Security management, metrics, frameworks and best practices, (first edition), Wiley publication, India

Gouda M, Liu A (2006), "Structured Firewall Design", Computer Networks, Science Direct, 1106-1120

Government Accountability Office (2005), Emerging Cybersecurity Issues Threaten Federal Information Systems, Information security, United States Government Accountability Office, Pg 2

Hamelin M (2010), "Preventing firewall meltdowns", Network Security, Issue 6, Pages 15-16

Juergen Hass (nd), White hat hackers (Ethical-hacking), About linux, (online) (cited on 29 July 2010) available from URL http://linux.about.com/cs/linux101/a/white-hat_hacke.htm

Kaspersky lab (nd), ‘computer security faq’, ‘computer threats faq’, (online) (cited on 29 July 2010) available from URL http://www.kaspersky.com/threats_faq

Kraus Rob (2009), “Ethical hacking from start to success”, Information systems security association, (online) (cited on 8 march 2010) available from http://web2.dubaichamber.ae/pdf/crb/csr_alyoum/CSR%20Al%20Youm%20Issue%201-2010.pdf

Maeve Maddox (2008), ‘Data and Information’, (online) (cited on 20 Oct 2010) available from URL http://www.dailywritingtips.com/data-and-information/

Mumbai online (2010), Control of Cyber Crimes in Mumbai, (online) (cited on 21 oct 2010) available from URL http://mumbaionline.in/Emergency/PoliceServices/Cyber-Crime.aspx

Mumbai organization (2010), ‘Commercial Capital Mumbai’, (online) (cited on 21 Oct 2010) available from http://www.mumbai.org.uk/commercial-capital-mumbai.html

Mumbai Space, ‘Mumbai city guide’, (online) (cited on 20 Oct 2010) available from URL http://www.mumbaispace.com/cityinfo/index.htm

Microsoft.com (nd), ‘What is antispyware software?’, ‘Microsoft Online Safety’, (online) (cited on 13 Sept 2010) available from URL http://www.microsoft.com/protect/terms/antispyware.aspx

Microsoft (2010), ‘Microsoft Online Safety’, (online) (cited on 23 Aug 2010) available from URL http://www.microsoft.com/protect/terms/antispyware.aspx

Microsoft Technet (2004), ‘Internal Firewall Design’, (online) (cited on 09 Aug 201) available from URL http://technet.microsoft.com/en-us/library/cc700827.aspx#XSLTsection132121120120

Microsoft SE (2010), ‘Microsoft Online Safety’, (online) (cited on 15 Aug 2010) available from URL http://www.microsoft.com/protect/terms/socialengineering.aspx

Net security (2008), "Top Secret level" hardware encryption on 2.5-Inch SATA drives, (online) (cited on 03 Aug 2010) available from URL http://www.net-security.org/secworld.php?id=6531

Otrok H, Zhu B, Yahyaoui H and Bhattacharya P (2009), ‘An Intrusion Detection Game Theoretical Model’, Information Security Journal: A Global Perspective, (online) (cited on 10 March 2010) available from http://www.qatar.cmu.edu/iliano/courses/06S-GMU-ISA767/project/papers/alazzawe-mehmet-nawaz.pdf

Palmer C (2001), Ethical Hacking, IBM Systems Journal, VOL 40, NO 3

Papadopoulou V and Gregoriades A (2009), ‘Network Security Validation Using Game Theory’, Computer Science journal, (online) (cited on 8 march) available from http://portal.acm.org/citation.cfm?id=1693992&CFID=80281268&CFTOKEN=43780789

Patrick Love (2007), ‘Biometric tools’, SC Magazine, (online) (cited on 24 July 2010) available from URL http://www.securecomputing.net.au/Tools/Print.aspx?CIID=94031

Peter john (2005), ‘Major Threats To Information Security’, (online) (cited on 24 July 2010), available from http://www.acm.org/ubiquity/views/pf/v7i02_InfoSecurity.pdf

Rediff Business (2007), ‘Pune set to become largest education hub’, (online) (cited on) available from http://www.rediff.com/money/2008/feb/13pune.htm

Saunder, M, Lewis, P & Thornhill, A 2003, Research Methods for Business Students, 3rd edn, Prentice Hall, United Kingdom

Statpac.com, ‘Survey Sampling Methods’, (online) (cited on 29 July 2010) available from URL http://www.statpac.com/surveys/sampling.htm

Survey systems (2010), Sample size formula, ‘Creative research system’, (online) (cited on 25 Aug 2010) available from www.surveysystems.com/

Syed Saleem (2006), ‘Ethical Hacking as a risk management technique’, paper presented at InfoSecCD Conference’06, September 22-23, 2006, Kennesaw, GA, USA

Shetty Sachin (2005), ‘Introduction to Spyware Keyloggers’, ‘Symantec Security Articles’, (online) (cited on 25 Aug 2010) available from URL http://www.symantec.com/connect/articles/introduction-spyware-keyloggers

Uffy J (2010), ‘Game Theory’, dept. of economics University of Pittsburgh, (online) (cited on 8 march 2010) http://www.pitt.edu/~jduffy/econ1200/Lectures.htm

Via (nd), Why hardware encryption is better than software encryption, (online) (cited on 22 Aug 2010) available from URL http://www.via.com.tw/en/initiatives/padlock/whyhardwareisbetter.jsp

Wise Geek, ‘What is Encryption?’, (online) (cited on 22 Aug 2010) available from URL http://www.wisegeek.com/what-is-encryption.htm

Yaun al (2010), ‘Bringing Corporate Social Responsibility to the Dubai business community’, Dubai Chamber – Center for responsible Business, (online) (cited on 5 march 2010) available from http://web2.dubaichamber.ae/pdf/crb/csr_alyoum/CSR%20Al%20Youm%20Issue%201-2010.pdf

Zegiorgis Seyoum (2002), ‘Biometric Technology Stomps Identity Theft’, SANS Institute InfoSec Reading Room, page no 1-8
Appendix 1. Questionnaire

Questionnaire

I am Sagar Dhande, pursuing ‘Master of Science in Management Information Systems’ at INTI University College, Malaysia. Currently I am completing my master’s project, and this is the final part of my master’s degree.

Regarding my project, title is “Threats to Information security are rising. Is ‘Ethical hacking’ another technique to enhance information security?” And this research is based on Mumbai and Pune (Metro cities in Maharashtra, India).

During the questionnaires, there are four sections namely Section A, B, C and D. Section A aims to study general information about respondent. Section B is to determine the type of information stored in system or network and security measures (tools) used by respondent. Section C is to understand respondents view on information security and Section D is to understand respondent’s advanced practices on security.

Section A: General information about respondent.

1. Gender
   Options: Male; Female

2. Designation
   Options: Network/ System Administrator; Ethical Hacker; Senior Programmer; IT Manager; Security/ Tech. Officer; Other

3. Industry type
   Options: Information Technology (IT/IS); Banking; Business Process Outsourcing (BPO); Other

Section B: Understand type of information stored and necessary information security tools used by respondent.

Respondents are requested to indicate type of valuable information store in system/ computer or network. Please tick what types of file you store. You can tick multiple options.

4. What kind of information you store (or have) in your or companies system?
   Personal System: Personal media files; Office Documents; Confidential Document; Identification details; Login Detail (Username/Password/Pins); Other
   Companies System: Employee details; Alpha version; Confidential documents; Customers data; System process manual; Source code; Financial details; Strategic Information; Database; Other

5. What security measure do you (or company) use? Rate its importance.
   Respondents are requested to indicate the extent, using 5 Likert scale [(1) = Very Important; (2) = Important; (3) = Sometimes; (4) = Not Important and (5) = Do not use] response framework. Please tick appropriate option.
   Columns: No; Security tools/ Technique; Very Important; Important; Sometimes; Not Important; Do not Use
   Software’s
   1. Antivirus
   2. Anti Spyware
   3. Firewall
   4. Patches
   Hardware’s
   5. Biometric tools
   6. Hardware firewall
   7. Hardware encryption (Disk Encryption)
   Rules and laws
   8. Companies security rules, laws, policies
   9. Parental control

Section C: Respondents view on information security

Respondents are requested to indicate the extent, using 5 Likert Scale [(1) = Strongly Agree; (2) = Agree; (3) = Neutral; (4) = Disagree and (5) = Strongly Disagree] response framework. Please tick appropriate option.

Columns: No; Expectations; Strongly Agree; Agree; Neutral; Disagree; Strongly Disagree
6. I am/ was (We are/ were) victim of information stolen/ Hacked
7. Above security measures mentioned in section B (Que. 6) do not satisfy my/ our security needs
8. I/ we need much more advanced security technique over the above security technique’s mentioned in Section B (Que. 6)

9. What do you expect from the security tools/ techniques? Please tick appropriates options.
   Columns: No; Expectations; Strongly Agree; Agree; Neutral; Disagree; Strongly Disagree
   1. Understand attackers strategies, techniques and act accordingly
   2. More sophisticated complex security technique
   3. Dynamic technique that changes according to need and urgency
   4. Real-time security
   5. Able to understand companies/ Individual polices, rules, laws and priorities

Section D: Understanding respondents advanced ‘Security’ practices

As security technique; if you practice below attacks to find any security threat (Security holes) in the system, and if found; then work on it to cover or eliminate the threat in order to ensure security. Please select appropriate security attack undertaken by you, to ensure no attackers can bypass your security. Please tick appropriate option.

10. Do you (or company) try different ways to gain unauthorized access to the system?
    Options: Yes; No

11. Do you (or company) try to break the computer / server or system password?
    Options: Yes; No
    i. If yes, then how do you rate the below Operating systems attack technique
    Below Operating System attacks, state how respondent found and used those techniques. Respondents are asked to indicate the extent to using 5 Likert Scale [(1) = Very Useful; (2) = Useful; (3) = Neutral; (4) = Not useful and (5) = Never used] response framework. Please tick appropriate option.
    Columns: No; Technique; Very useful; Useful; Neutral; Not useful; Never used
    Operating System Attack
    1. Breaking the password by Using Password Guessing/ Brute force or Dictionary based attack
    2. Using Password monitoring tools (Ex: Sniffers, keylogger)
    3. Using FTP/ telnet, remote attack
    4. Tweaking OS file system
    5. Tweaking biometric devices

12. Do you (or company) try to get confidential information from client / employee/ friends by faking them?
    Options: Yes; No
    i. If yes, then how do you rate below Non-Technical Attacks technique? Please tick appropriate option.
    Columns: No; Technique; Very useful; Useful; Neutral; Not useful; Never used
    Non - Technical Attack
    1. Obtaining login details by faking clients/ employees
    2. Creating fake companies, social networking, banking site or email address to get login and confidential details
    3. Making phone calls to clients/ employees/ friends, pretending to be calling real person and leak confidential information
    4. Installing key logger or other tracking tools (acting as genuine tool) in the target system

13. Do you (or company) try to violate companies or individual rules, policies; laws’ and enters/ breaks the system?
    Options: Yes; No
    i. If yes, how do you violate rules, polices and law? Please tick appropriate option.
    Columns: No; Technique; Very useful; Useful; Neutral; Not useful; Never used
    1. Enter company/ system by faking security guard/ owner
    2. By accessing system/ Computer without users concern
    3. Accessing prohibited websites, database, and server.

14. Do you (or company) try to break into the private or personal network infrastructure?
    Options: Yes; No
    i. If yes, please rate the effectiveness, importance and use of below Network – infrastructure attack technique. Please tick appropriate option.
    Columns: No; Technique; Very useful; Useful; Neutral; Not useful; Never used
    Network - Infrastructure Attack
    1. Flooding the network with Distributed Denial of Service Attack (DDOS)
    2. Tools used for bypassing Hardware firewall
    3. Using network analyzer and get unused vulnerable ports to access intermediate packets
    4. Tweaking network modem, router’s password with programs, scripts and other password cracking techniques

15. While practicing all above security attacks (in terms of finding security threats), If found any vulnerability/ threats then please tick what actions taken from below table. You can tick multiple options.
    1. Correct the problem by identifying solution
    2. Leave the problem as it is
    3. Refer problem to the top management or boss (Owner)
    4. Other

16. Do you (or company) find the above advanced security techniques mentioned in section D are more advanced, effective, strategically problem solving and useful? Please tick one option.
    Options: Yes; No; Can’t say

We are done. I offer my utmost thanks for your response and paying valuable time to complete this research.
Appendix 2. Gantt chart