Ethical Hacking
A high-level information security study on
protecting a company’s information system
infrastructure in the 21st century
Aaron Varrone
December 2011
Quinnipiac University- MS IT
CIS 652- Advanced Topics in Information Security- Independent Study
Varrone 1 | P a g e
Ethical Hacking- A high-level information security study on protecting a company’s information
system infrastructure in the 21st century
Contents
ABSTRACT.............................................................................................................. 2
INTRODUCTION TO ETHICAL HACKING ................................................................. 3
What do Hackers do?.......................................................................................... 4
FOOTPRINTING AND RECONNAISSANCE............................................................... 5
SYSTEM HACKING.................................................................................................. 6
Types of Attacks.................................................................................................. 6
Why Cover Tracks? ............................................................................................. 8
PENETRATION TESTING......................................................................................... 8
Why Penetration Testing? .................................................................................. 8
COUNTERMEASURES............................................................................................. 9
How to defend against Footprinting? ............................................................... 10
How to defend against Password Cracking?...................................................... 10
How to defend against Privilege Escalation?..................................................... 10
How to defend against Malware? ..................................................................... 11
How to defend against Steganography? ........................................................... 11
REAL-WORLD EXAMPLES..................................................................................... 12
Hacker Boot Camp Helps Good Guys Outsmart Intruders ................................. 12
Government Agencies Seeking Code Breakers.................................................. 12
Ethical Hacking Proves to be an Excellent Test for Companies.......................... 13
Ethical Hacking Demand Helping Firm Achieve Record Profits.......................... 13
College Universities Teaching Students How to Hack........................................ 13
CONCLUSION....................................................................................................... 14
REFERENCES ........................................................................................................ 16
ABSTRACT
As organizations in recent years have continued to increase their investment in
technology to boost productivity and efficiency, more and more companies have come
to realize that protecting this technology (Information Security) is just as
significant, if not more important, in order to protect their reputation and
integrity as a company.
This paper provides a comprehensive high-level view of ethical hacking: what it is,
what it entails, and why companies hack into their own technology. Additionally,
countermeasures, penetration testing, and real-world examples are examined to give
the reader a better understanding of ethical hacking and why it is such an essential
element of Information Security in the Information Systems/Technology field.
INTRODUCTION TO ETHICAL HACKING
In simple terms, Ethical Hacking can be described as a process in which working
professionals in the technology field are hired by an organization to perform a
variety of attacks against its own network, systems, and technology. The goal is
quite simple: to 'break into', or 'hack', the organization's information system so
that vulnerabilities are discovered and eventually 'patched', leaving a real attack
with no harmful consequences for the company such as data leakage, compromised
systems, or stolen proprietary information. This is where the word 'ethical' comes
into play, as these hackers are hired solely for this purpose. Professionals in this
field include outside security consultants hired by the company, or staff in a
direct role within the company, who possess expert computer skills across a wide
variety of areas and systems (networks, operating systems, application
programming). Ethical hackers try to answer three basic questions: what can an
intruder see on the target system, what can an intruder do with the information
compromised, and will anyone notice that the attack occurred?
Before proceeding further, a basic understanding of the umbrella, Information
Security field must be conveyed. There are three elements of Information Security:
Confidentiality- assurance that the information is accessible only to those
authorized to have access, Integrity- the reliability of data or resources in terms of
preventing improper and unauthorized changes, and Availability- assurance that the
systems responsible for delivering, storing, and processing information are
accessible when required by an authorized user. (EC-Council, 2011)
With this said, all three elements directly shape the way in which network and
system security is designed, which leads us to our discussion of Ethical Hacking.
If all three of these elements are properly addressed and implemented when the way
an organization's systems interact is architected, much of the concern over
securing that technology is dealt with up front. As companies continue to grow and
expand their reliance on information systems, increasing their investment on a
year-to-year basis, so does the need to protect and defend their infrastructure
against malicious activities, attacks, and destructive encounters.
The risk of not protecting one's information system is too great, as the effects of
a successful hacking attempt include damage to and theft of proprietary information,
client/customer data, and personal information, and the disruption of business
operations and activities, all of which can lead to a company's downfall. As
valuable as the technology is that many of these companies have adopted to create
an efficient operation, a lack of attention to security can undermine that goal and
instead make the use of the technology inefficient and ineffective.
Who is a Hacker?
A hacker can be defined as an individual with superb computer skills who has the
ability to create, and to explore and break into, other systems, whether software
programs or hardware-based devices. A hacker's motive may be to gain knowledge, or
to poke around and carry out illegal and disruptive activities that could result in
monetary gain. For some, it is a hobby to see how many systems and networks they
can control. There are four hacker classes:
Black Hats- individuals who engage in destructive activity with malicious intent.
White Hats- individuals who use their skills for defensive purposes, also known as
security analysts.
Suicide Hackers- individuals who aim to bring down critical infrastructure for a
"cause" and would rather be known for the destruction they commit. These
individuals are not worried about facing severe penalties, whether fines or jail
sentences.
Gray Hats- individuals who work both offensively and defensively at various times,
whose intent is mostly benign, although this is not always the case.
(EC-Council, 2011)
What do Hackers do?
An attack typically progresses through five phases:
Phase 1 Reconnaissance- refers to the preparatory phase in which an attacker
gathers as much information about a target as possible prior to launching an
attack. Examples include employees' names, phone numbers, and email addresses,
system names, and the software installed on those systems. There are two types of
reconnaissance: Passive- acquiring information without directly interacting with
the target or anyone affiliated with it, such as searching press releases or public
records; and Active- interacting with the target directly by any means, for
instance calling the help desk or technical support center while pretending to be
an employee of the company.
Phase 2 Scanning- refers to the "pre-attack phase", in which an attacker probes the
network for specific information on the basis of what was gathered during
reconnaissance. Examples include port scanners, vulnerability scanners, and war
dialers.
Phase 3 Gaining Access- Once the attacker gains a foothold on the desired operating
system, application, or network, the attacker can escalate privileges to obtain
complete control of the system. Examples include password cracking, buffer
overflows, denial of service, and session hijacking.
Phase 4 Maintaining Access- After access has been attained, most hackers look for
ways to retain their ownership of the system, application, or device. Attackers may
prevent the system from being taken over by other hackers by securing exclusive
access with backdoors, trojans, or rootkits. Attackers then use the compromised
system to launch further attacks, which allows them to upload, download, or
manipulate data, configuration, and applications at any time.
Phase 5 Covering Tracks- After a hacker’s activities have been carried out, smarter
attackers usually look for ways in which they can hide their malicious act by
covering their tracks and hiding their own identity. This can be achieved by
overwriting system, application, audit, and event logs or deleting any evidence that
may lead to prosecution.
(EC-Council, 2011)
FOOTPRINTING AND RECONNAISSANCE
Footprinting and reconnaissance are hacking methodologies used to uncover and
collect as much information as possible regarding an organization’s information
system. These two methods are carefully planned well ahead in time before an
attack is carried out. Basic information such as a company’s DNS, IP addresses,
system and network architectures, platforms, and applications used, is all prevalent
information that can be gathered and collected by an hacker to help carry out the
attack. While this information is collected, the hacker cautiously examines and
identifies vulnerabilities that can be exploited. An ethical hacker looks to examine
what information can be made available publicly by collecting information from the
internet or internally and then documents the effects this may have to the
organization, such as: privacy loss, corporate espionage, competitive intelligence,
and information leakage.
There are four types of Footprinting:
Anonymous Footprinting- Gathering information from sources where the author
of the information cannot be traced nor identified.
Internet Footprinting- Collecting information about a target from the Internet.
Organizational/Private Footprinting- Collecting information internally within the
organization.
Pseudonymous Footprinting- Collecting information that may be published under
a different name in an attempt to preserve privacy and confidentiality.
(EC-Council, 2011)
SYSTEM HACKING
There are several ways an attacker can gain access to a particular system; however,
each requires the attacker to exploit a weakness, a vulnerability, or even human
error.
Types of Attacks
Operating System Attacks- Attackers search for platform (operating system)
vulnerabilities and then exploit them. Such examples include: buffer overflow, bugs
and glitches, and unpatched operating systems.
Application-Level/Shrink Wrap Code Attacks- Programming is complex, and to reduce
that complexity developers frequently reuse existing code, such as off-the-shelf
libraries, without reviewing it. If it is there, why reinvent the wheel? When that
reused code performs poor or nonexistent input validation and error checking, the
applications built on it become exposed to buffer overflow attacks, cross-site
scripting, denial of service, SQL injection, session hijacking, man-in-the-middle
attacks, and so on.
Misconfiguration Attacks- Misconfiguration covers anything that leaves a system
exposed without a software flaw being involved: default accounts and passwords,
unnecessary services left enabled, debugging features left on, or file and
directory permissions set more loosely than required. A file or application
deployed under such settings can no longer be considered secure. Administrators are
expected to harden the configuration and limit the authority of devices before they
are deployed to the network. Failure to do so allows the default settings to be
used to attack the system.
Password Cracking- Various techniques and tools are used to recover passwords from
computer systems, and hackers can use these tools to gain unauthorized access to a
vulnerable system. Most of these techniques succeed because of weak or easily
guessable passwords, such as dictionary words or default passwords. Password
cracking techniques include dictionary attacks, brute-force attacks, hybrid
attacks, syllable attacks, and rule-based attacks. An increasing number of
non-technical password-stealing techniques have also been reported in recent
years, such as shoulder surfing, social engineering, and dumpster diving.
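The following Python script is an added example, not code from the paper, showing why the first three techniques succeed against weak passwords. It runs a dictionary attack, a hybrid attack (dictionary words plus common case and suffix mangling), and a rule-based attack (the hybrid candidates with leet-speak substitutions applied) against a constructed credential store. The store, the wordlist, the mangling rules, and the use of a fast salted SHA-256 hash are all assumptions made for this example; a real system should use a deliberately slow hash such as bcrypt or PBKDF2, and the speed with which SHA-256 falls here is part of the point.

```python
import hashlib

# Constructed "leaked" credential store: username -> (salt, sha256(salt + password)).
# SHA-256 is used so the example runs instantly; that same speed is what makes a
# fast hash a poor choice for storing passwords.
def make_entry(password: str, salt: bytes) -> tuple:
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

LEAKED = {
    "alice": make_entry("password", b"\x01\x02"),
    "bob":   make_entry("Summer2011", b"\x03\x04"),
    "carol": make_entry("admin!", b"\x05\x06"),
    "dave":  make_entry("9Tq#v2Lm$wXz", b"\x07\x08"),   # long, random: survives all three
}

# Tiny constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "letmein", "summer", "admin", "welcome"]

def dictionary_candidates(words):
    """Dictionary attack: try each word exactly as listed."""
    for w in words:
        yield w

def hybrid_candidates(words):
    """Hybrid attack: dictionary words with common mangling (case, digits, symbols)."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2011", "2012"):
                yield base + suffix

def rule_based_candidates(words):
    """Rule-based attack: leet-speak substitutions layered on top of the hybrid rules."""
    leet = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
    for cand in hybrid_candidates(words):
        yield cand
        yield cand.translate(leet)

def crack(store, candidate_fn, words=WORDLIST):
    """Return {user: recovered_password} for every stored hash matched by the candidate stream."""
    found = {}
    for user, (salt, digest) in store.items():
        for cand in candidate_fn(words):
            if hashlib.sha256(salt + cand.encode()).hexdigest() == digest:
                found[user] = cand
                break
    return found

if __name__ == "__main__":
    for name, fn in [("dictionary", dictionary_candidates),
                     ("hybrid", hybrid_candidates),
                     ("rule-based", rule_based_candidates)]:
        print(f"{name:>11}: {crack(LEAKED, fn)}")
```

The dictionary pass recovers only the literal word; the hybrid pass additionally recovers the capitalised word with a year appended and the word with a trailing symbol, which is exactly the shape most "complexity"-compliant passwords take. The random twelve-character password is never recovered, because no rule derives it from a wordlist entry.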
Spyware/Keyloggers- Refers to a program or device (software or hardware) hidden
specifically to record the user's interaction with the system without the user's
knowledge. The various types of spyware include screen-capturing spyware, USB
spyware, child-monitoring spyware, video spyware (which secretly monitors and
records webcams and video IM conversations, with the recordings then viewable
remotely via the web or a mobile phone), audio/cellphone spyware, GPS spyware
(which uses the global positioning system to determine the location of the vehicle,
person, or asset to which it is attached or installed), and even print spyware.
Viruses/Trojans/Worms- All are examples of malware: unsolicited code or software on
a system that in most cases enables data breaches, provides backdoor access for a
hacker, or does damage to the system. This type of malware is commonly built with
malicious code or with tools and utilities that can attack vulnerable systems (as
long as the hacker knows where the vulnerability exists).
Rootkits- Refers to code that hides itself within the operating system, often in
the kernel, and covers up traces of malicious activity. More specifically, it
replaces certain operating system calls and utilities with its own modified
versions. A rootkit does not grant root access by itself: the attacker first
obtains root (or administrator-equivalent) privileges, typically through an exploit
or other malware, and then installs the rootkit so that the compromise stays
undetected and access is maintained. Types of rootkits include hypervisor level,
kernel level, application level, hardware/firmware, and boot loader.
Steganography- Is a technique for hiding a secret message within an ordinary
message or file so that its very existence is concealed, with the recipient
extracting it at the destination. One popular use of the technique is for hackers
to embed code or data within an ordinary graphic image file, so that malicious
content or exfiltrated data travels unnoticed inside the file. Embedding techniques
include substitution, transform domain, cover generation, distortion, statistical,
and spread spectrum. Besides images, steganography can be applied to documents,
video, and audio.
(EC-Council, 2011)
Why Cover Tracks?
Most hackers, with the exception of suicide hackers, will cover their traces to
avoid detection and a possible jail sentence. However, this is not the only reason.
Covering their tracks also allows the attacker to install backdoors for future
access without those changes being noticed. A clever hacker will usually escalate
the compromised account's privileges while leaving no record of the change. As
previously mentioned, this is done by manipulating the operating system's log files
or altering the event logs. Once intruders have gained administrator-level access on
a system, they will attempt to cover their tracks in every way they can, including
deleting recently modified files and disabling audit logging. Disabling these logs
is usually performed immediately after obtaining administrator privileges, which is
why logs should be forwarded in near real time to a separate collector that the
compromised host cannot modify.
PENETRATION TESTING
Penetration testing is a method of actively evaluating the security of an
information system or network by simulating an attack from a malicious source. The
various security measures are analyzed for weaknesses in design, technical flaws,
and vulnerabilities that can be exploited. Two types of testing are performed:
black box testing, which simulates an attack by someone who has no prior knowledge
of the system; and white box testing, which simulates an attacker who has knowledge
of the system, such as an employee. The results are recorded and delivered to both
senior management and technical audiences.
Why Penetration Testing?
Penetration testing allows a company to identify the threats to its information
system or network that are discovered during testing. Companies that hire such
testers have found that overall IT security costs are reduced and that the return
on security investment (ROSI) improves, because vulnerabilities, weaknesses, and
possible exploits are identified and resolved before they can be taken advantage
of. Additionally, companies learn which IT security investments they really need to
focus on, as opposed to investing in a large enterprise-wide security solution that
covers everything, which is not always necessary for every organization.
Additionally, these professionals provide an organization with assurance of a
thorough and comprehensive assessment of the organization's security policies,
procedures, and controls, and of how they have been implemented. Many industry
regulations may apply, such as HIPAA (Health Insurance Portability and
Accountability Act), FDA (Food and Drug Administration) rules on electronic
records, and PCI DSS (Payment Card Industry Data Security Standard), each requiring
specific certification and best-practice security standards in order to continue
doing business. For instance, PCI DSS requires stored cardholder data to be
rendered unreadable wherever it is stored, for example by encryption, and requires
regular penetration testing of the cardholder data environment.
A Penetration Tester’s Best Friend
Vulnerability libraries are a penetration tester's best friend, as they document
the vulnerabilities reported by testers, users, ethical hackers, and even the
programmers themselves. The majority of these vulnerabilities are design or
implementation flaws that leave an operating system and its applications
susceptible to attack. Vulnerabilities are classified by severity level (low,
medium, or high) and exploit range (remote or local). Such professionals need
access to this research in order to identify and correct exposures within their
respective function. Many of these vulnerabilities are documented on publicly
available websites and databases, where some of the more 'proficient' hackers also
look in order to take those vulnerabilities further.
A list of vulnerability research websites is given below:
• The United States Computer Emergency Readiness Team (US-CERT) Vulnerability
Notes Database (kb.cert.org)
• National Vulnerability Database, sponsored by the DHS National Cyber Security
Division and maintained by the National Institute of Standards and Technology
(nvd.nist.gov)
• Secunia (secunia.com)
• SecuriTeam (securiteam.com)
• SecurityTracker (securitytracker.com)
COUNTERMEASURES
In conjunction with penetration testing, countermeasures are examined closely,
documented, and then reviewed by the ethical hacker to improve the company's
security posture. Several countermeasures receive closer scrutiny than others,
including but not limited to: defending against footprinting, password cracking,
privilege escalation, malware (including session hijacking, network sniffing,
man-in-the-middle, and denial of service), and steganography.
How to defend against Footprinting?
Defending against footprinting includes: configuring routers and access control
lists (ACLs) to restrict the responses given to footprinting requests; deploying an
IDS (Intrusion Detection System) to detect suspicious traffic patterns, paired with
an IPS or firewall rules to block them; locking down ports with a suitable firewall
configuration; configuring web servers to avoid information leakage; and disabling
unwanted protocols. Ethical hackers will additionally document and evaluate the
content of information made available publicly and work to remove any sensitive
information discovered, such as the network architecture, applications in use,
employee names, and email addresses.
(EC-Council, 2011)
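As an added example (not code from the paper), the following Python script checks the one item in the list above that is easiest to verify from the outside: whether a web server's response headers hand a footprinting tool the product, version, and platform it is running. The two responses are constructed for this example, not captured from a real server; the list of disclosure headers and the rule for what counts as a leak are assumptions made here.

```python
import re

# Constructed HTTP responses for this example (not captured from any real server).
LEAKY_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 12 Dec 2011 09:00:00 GMT
Server: Apache/2.2.3 (CentOS) PHP/5.1.6
X-Powered-By: PHP/5.1.6
Content-Type: text/html

<html>...</html>
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 12 Dec 2011 09:00:00 GMT
Server: Apache
Content-Type: text/html

<html>...</html>
"""

# Headers that routinely disclose the software stack to footprinting tools (assumed list).
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator"}
VERSION_RE = re.compile(r"\d+\.\d+")      # e.g. "2.2.3"
PLATFORM_RE = re.compile(r"\([^)]*\)")    # e.g. "(CentOS)"

def parse_headers(raw: str) -> dict:
    """Return {lowercased-name: value} for the header block of a raw HTTP response."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the status line
        if not line.strip():            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def leaking_headers(raw: str) -> dict:
    """Headers that reveal product versions or platform details. A bare product name
    in Server (e.g. "Apache") is tolerated; a version or OS string is a finding."""
    findings = {}
    for name, value in parse_headers(raw).items():
        if name not in DISCLOSURE_HEADERS:
            continue
        if name == "server" and not (VERSION_RE.search(value) or PLATFORM_RE.search(value)):
            continue
        findings[name] = value
    return findings

if __name__ == "__main__":
    print("leaky:   ", leaking_headers(LEAKY_RESPONSE))
    print("hardened:", leaking_headers(HARDENED_RESPONSE))
```

Run it over a captured response (for example the output of `curl -sI`) and treat any non-empty result as a finding. The corresponding fixes are `ServerTokens Prod` and `ServerSignature Off` in Apache, `expose_php = Off` in PHP, and `server_tokens off;` in nginx. Hiding the version does not remove a vulnerability; it only denies the attacker an easy fingerprint, so patching still comes first.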
How to defend against Password Cracking?
By incorporating strict password guidelines into an organization's security policy,
hackers will have a much harder time successfully cracking a password. These
guidelines should require users to choose passwords that combine upper- and
lowercase letters, numbers, and symbols, and that are long enough to resist
brute-force guessing. Requiring users to change their passwords on a frequent
basis, such as every 30 days, was intended to limit how long a hacker can keep
returning to an account that was compromised at one point in time; more recent
guidance (NIST SP 800-63B) instead favours screening new passwords against lists of
known-breached passwords and forcing a change only when compromise is suspected.
Additional effort and resources should also be devoted to monitoring system logs
and alerting on events that indicate possible attacks.
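As an added example (not code from the paper), the following Python script implements the two defenses in this section: a check that a proposed password meets a length-and-character-class policy, and a monitor that reads authentication log lines and raises an alert when one source address accumulates repeated failures within a short window, plus a higher-priority alert if that source then logs in successfully. The log lines are constructed in the style of a Linux sshd auth log; the thresholds, the window, and the policy values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the style of a Linux sshd auth log (fabricated for this example).
SAMPLE_LOG = """\
Dec 12 09:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51512 ssh2
Dec 12 09:00:03 srv1 sshd[2102]: Failed password for invalid user root from 203.0.113.5 port 51513 ssh2
Dec 12 09:00:04 srv1 sshd[2103]: Failed password for jsmith from 203.0.113.5 port 51514 ssh2
Dec 12 09:00:06 srv1 sshd[2104]: Failed password for jsmith from 203.0.113.5 port 51515 ssh2
Dec 12 09:00:07 srv1 sshd[2105]: Failed password for jsmith from 203.0.113.5 port 51516 ssh2
Dec 12 09:00:09 srv1 sshd[2106]: Accepted password for jsmith from 203.0.113.5 port 51517 ssh2
Dec 12 09:15:30 srv1 sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Dec 12 09:42:10 srv1 sshd[2202]: Failed password for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def meets_policy(password: str, min_length: int = 12, classes_required: int = 3) -> bool:
    """Policy check: minimum length plus at least `classes_required` of the four
    character classes (lower, upper, digit, symbol). Values are assumed for the example."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= min_length and classes >= classes_required

def parse(line: str, year: int = 2011):
    """Parse one auth-log line; syslog lines carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Alert when one source IP reaches `threshold` failed logins inside a sliding
    window of `window_seconds`; flag any later success from that IP as a probable
    cracked password. Returns the alerts in the order they fire."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()             # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q)))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts

if __name__ == "__main__":
    print(meets_policy("Summer2011"), meets_policy("9Tq#v2Lm$wXz"))
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second source in the sample fails twice but 27 minutes apart, so the sliding window never fills and no alert fires; the first source fills the window in six seconds and then logs in, which is the event worth waking someone for.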
How to defend against Privilege Escalation?
As described above, once hackers obtain access to a system or account, they will
seek ways to escalate their privileges to those of an administrator. The following
countermeasures defend against their ability to escalate privileges:
• Use encryption as much as possible and wherever it can be applied. Not all
systems, applications, and devices can encrypt their data, but even one level of
encryption (for instance, on users' workstations) makes the data much more
difficult for an intruder to get at.
• Patch systems on a continuing basis. Patching cycles never end, and there will
always be vulnerabilities, bugs, and other fixes to apply to an application or
operating system.
• Run services under an "unprivileged" account, so that if the account is
compromised the intruder cannot do much, since its access is restricted.
• Restrict interactive logon privileges and run users and applications with the
least possible privileges.
• Implement multi-factor authentication, such as biometrics and hardware tokens,
in addition to passwords. If an intruder has compromised only one factor in a
multi-factor environment, the hacker is left with the same result as when they
started: no system access.
(EC-Council, 2011)
How to defend against Malware?
Malware and other unsolicited software can be difficult to deal with when the
malicious files are not detected by an anti-virus product; such a sample is often
loosely referred to as a zero-day threat (strictly, one that exploits a
vulnerability the vendor has not yet patched). To reduce the risk in any case,
install, maintain, administer, and update the anti-virus product within the
environment. This includes updates to signature files, scan engine versions,
program versions, patches, and hot fix releases. Additionally, installing and
administering personal and enterprise firewalls with application and device control
policies, and restricting and limiting web access, can all diminish the company's
exposure.
How to defend against Steganography?
Steganography is one of the more difficult attacks to defend against, since the
hidden code or data is embedded in an otherwise legitimate application or file.
Because the change happens below the surface, an ordinary user or even a computer
expert may not 'notice' that anything has been altered when comparing the file or
application with what it was before. The best way to defend against these attacks
is to use detection tools that specifically look for such changes from one version
of a file or application to the next. Generic file integrity verification checks
(comparing a file's current cryptographic hash against a trusted baseline) catch
any modification at all, while dedicated steganalysis tools look for the statistical
traces that embedding leaves behind; one of the more common steganography detection
products is Stego Watch.
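As an added example (not code from the paper), the following Python covers both the substitution technique described under "Steganography" in the Types of Attacks section and the integrity-verification defense described here. It embeds a message into the least significant bits of a cover, shows that no pixel moves by more than one unit, extracts the message again, and then shows that a hash baseline taken from the known-good copy still flags the altered file. The "image" is a constructed array of 8-bit greyscale pixel values standing in for decoded image data, not a real image file, and the function names are this example's own.

```python
import hashlib

# Constructed cover "image": 1024 eight-bit greyscale pixel values (a repeated gradient),
# standing in for the decoded pixel array of a real image. A real PNG or JPEG must be
# decoded first and only its pixel data touched, or the file header is corrupted.
COVER = bytes(range(256)) * 4

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Substitution steganography: each message bit replaces the least significant bit
    of one cover byte. A 32-bit big-endian length prefix lets extraction know where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: reassemble bytes from the LSBs, length prefix first."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def baseline(files: dict) -> dict:
    """File-integrity baseline: path -> SHA-256 of contents, recorded from a known-good copy."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify(base: dict, files: dict) -> dict:
    """Compare the current file set against the baseline and report every difference."""
    current = baseline(files)
    return {
        "modified": sorted(p for p in base if p in current and current[p] != base[p]),
        "added": sorted(p for p in current if p not in base),
        "removed": sorted(p for p in base if p not in current),
    }

if __name__ == "__main__":
    known_good = {"logo.raw": COVER, "notes.txt": b"quarterly figures"}
    base = baseline(known_good)
    stego = embed_lsb(COVER, b"meet at 9")
    print("recovered:", extract_lsb(stego))
    print("max pixel change:", max(abs(a - b) for a, b in zip(COVER, stego)))
    print("integrity check:", verify(base, {"logo.raw": stego, "notes.txt": b"quarterly figures"}))
```

The baseline only works if it is taken from a copy the attacker could not have touched and stored somewhere the monitored host cannot write to; an integrity check that reads its reference hashes from the same disk it is checking can be silenced by the same rootkit that hid the change.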
REAL-WORLD EXAMPLES
The number of information security professionals in the workforce continues to rise
as companies have realized that as their use of technology grows, so does the risk
associated with using it. Technology is becoming much more complex with each
advance, which in turn complicates how attacks are performed and ultimately carried
out by an intruder.
With this said, below are some real-life examples of how organizations (including
government agencies and not-for-profits such as universities) have used ethical
hacking to protect their technology from being hacked into, breached, and
ultimately compromised.
Hacker Boot Camp Helps Good Guys Outsmart Intruders
Rudy Chavez, a former Unix system administrator employed by IT services firm Booz
Allen Hamilton, became a certified ethical hacker within a month of being sent to
an ethical hacking boot camp. His employer had decided it would benefit from having
a 'hacker of its own' to outsmart cybercriminals at their own game. During the boot
camp, which combined classroom instruction and computer-lab time, Chavez learned
how legitimate tools, technologies, and techniques are being used for illegal
activities and hostile purposes. Chavez says that the sophistication and
pervasiveness of the tools available allow for great havoc, and that although the
IT security field generally takes a defensive approach, the training led him to
take an offensive posture and helped him understand how these attacks happen.
(Information Week, 2005)
Government Agencies Seeking Code Breakers
Even government agencies are searching for hacking talent. The Toronto Star, a
widely read Canadian newspaper, reports that a British spy agency is using an
anonymous code-breaking web page to recruit self-taught hackers it might not
otherwise have found. The page was launched in November 2011. A spokesman for the
U.K.'s Government Communications Headquarters even admitted that recruiting Oxford
and Cambridge graduates is not always in the agency's best interest. The agency
says that most of its cyber-specialists join as graduates, but with the quickly
evolving world of cybercrime it feels it is essential to look for candidates who
may be self-taught yet have a keen interest in code-breaking and ethical hacking.
(Taylor, 2011)
Ethical Hacking Proves to be an Excellent Test for Companies
As extortion attempts by hackers against firms continue to rise at an alarming
rate, Mark Hanvey, Chief Security Officer of Cable & Wireless, the U.K.'s second
largest fixed-line telecommunications operator, states that he is encouraged to see
companies investing in ethical hacking to protect their commercial assets. He
states that ethical hacking is an excellent test for systems and is helping
companies, but he stresses that risk can never be eliminated, only minimized, by
putting effective monitoring and countermeasures in place, such as around-the-clock
monitoring. As long as companies continue to invest in effective information
security systems, starting with hacking their own, organizations can avoid
appearing in the news the next day over a data breach.
(Hanvey, 2005)
Ethical Hacking Demand Helping Firm Achieve Record Profits
NCC, a computer services company hired by large corporations for its expertise in
security consulting, has achieved record profits thanks to increased demand for its
ethical hacking services. Companies hire the firm to hack into their own systems so
that vulnerabilities can be found. Rob Cotton, chief executive of the firm, has
stated that because of the state of the economy, many companies are seeing an
alarming increase in threats. The Financial Times reports that revenue has risen 31
percent because of this service, which only very few companies offer.
(Stafford, 2006)
College Universities Teaching Students How to Hack
A study conducted in 2007 revealed that the average computer is attacked by hackers
more than 2,200 times a day, about once every 40 seconds, and that hackers stole an
estimated $49 billion in the United States alone in 2006. Geoffrey Lund, leader of
the software-applications program at the University of Abertay Dundee in Scotland,
has stated that he helped design a new course to teach students how to hack
networked systems and defend against such attacks. Classes that teach hacking
techniques are rare and controversial, and administrators at the school were
nervous about teaching such potentially destructive techniques; he notes that
ethics is also covered in the classroom and that background checks on students are
conducted beforehand as a prerequisite. Lund states that the course prepares
students for a rapidly growing job market by teaching that the best defense is a
good offense. The class is set up with a network of approximately 20 computers
isolated from the rest of the university's systems, where the students practice
hacking into or even bringing down the network. By hacking into these systems and
networks, students learn about the weaknesses of an institution's systems.
Alexander Graham, an experienced information technology professional who enrolled
in the course, stated that he is shocked by how much damage a malicious hacker can
do. He finds the course extremely helpful and believes in the philosophy of "Know
thy enemy, then you can defeat them" at their own game.
(Vance, 2007)
CONCLUSION
Ethical Hacking is a growing trend that appears to be on the radar of all types of
organizations. As is evident from this study, a large amount of money is being invested
to ensure that organizations are protected against the risks associated with hacking
attacks. The alarming and increasing number of attacks against these organizations is
well known, and the losses can be readily quantified.
Because hacking involves creative thinking, vulnerability testing and security audits
cannot guarantee that an information system is secure. To address this, organizations
must implement a defense-in-depth strategy that includes penetrating their own systems
and networks. Ethical hacking becomes necessary because it allows an organization to
counter attacks by reconstructing and anticipating the methods malicious attackers use
to break into a system. An ethical hacker can only help the organization better
understand its systems from a security perspective; it is still up to the organization
to put the right safeguards around the technology.
Securing these information systems does come with its challenges. For instance,
compliance with government laws and regulations must be achieved and maintained.
Companies (depending on the industry) must be willing to spend large sums on education,
training, and awareness in order to stay in compliance. Some industries, for example,
are subject to strict laws that prevent data from being sent outside the country (or,
if it is outsourced, require that it be encrypted), with similar rules for sensitive
personal information. Other industries may require certain security measures to be in
place before business operations may continue. These regulations add another challenge
to security: ensuring that the proper measures are actually enforced. Additionally, it
is difficult to centralize security in a distributed computing environment; as
technology evolves, so does the complexity of administering, managing, and monitoring
against sophisticated attacks. As we move everything we do into the palm of our hands,
mobile security, adaptive authentication, and social media strategies, viewed from both
an offensive and a defensive perspective, are only the stepping stones to what comes
next in the digital age we live in today.
“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”
–Stephen Hawking, Theoretical Physicist and Cosmologist
REFERENCES
EC-Council. (2011). Ethical Hacking and Countermeasures v7.1 Course.
Hanvey, M. (2005, June 22). Ethical Hacking An Excellent Test of Mettle for Security Systems. The Financial Times, p. 16.
Information Week. (2005, June 23). Hacker Boot Camp Helps Good Guys Outsmart Internet Troublemakers; The number of IT security professionals is expected to grow to nearly 800,000 by 2008, and more of them need to think like hackers to be effective. Information Week.
Stafford, P. (2006, July 19). NCC Ethically Hacks its Way to Record. The Financial Times, p. 24.
Taylor, L. C. (2011, December 2). British spies recruit 'ethical hackers'. Toronto Star.
Vance, E. (2007, April 13). Students at the University of Abertay Dundee Learn Computer Hacking to Defend Networks. The Chronicle of Higher Education.
Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century

  • 1. Ethical Hacking A high-level information security study on protecting a company’s information system infrastructure in the 21st century Aaron Varrone December 2011 Quinnipiac University- MS IT CIS 652- Advanced Topics in Information Security- Independent Study
  • 2. Varrone 1 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century Contents ABSTRACT.............................................................................................................. 2 INTRODUCTION TO ETHICAL HACKING ................................................................. 3 What do Hackers do?.......................................................................................... 4 FOOTPRINTING AND RECONNAISSANCE............................................................... 5 SYSTEM HACKING.................................................................................................. 6 Types of Attacks.................................................................................................. 6 Why Cover Tracks? ............................................................................................. 8 PENETRATION TESTING......................................................................................... 8 Why Penetration Testing? .................................................................................. 8 COUNTERMEASURES............................................................................................. 9 How to defend against Footprinting? ............................................................... 10 How to defend against Password Cracking?...................................................... 10 How to defend against Privilege Escalation?..................................................... 10 How to defend against Malware? ..................................................................... 11 How to defend against Steganography? ........................................................... 11 REAL-WORLD EXAMPLES..................................................................................... 12 Hacker Boot Camp Helps Good Guys Outsmart Intruders ................................. 
12 Government Agencies Seeking Code Breakers.................................................. 12 Ethical Hacking Proves to be an Excellent Test for Companies.......................... 13 Ethical Hacking Demand Helping Firm Achieve Record Profits.......................... 13 College Universities Teaching Students How to Hack........................................ 13 CONCLUSION....................................................................................................... 14 REFERENCES ........................................................................................................ 16
  • 3. Varrone 2 | P a g e Ethical Hacking- A high-level information security study on protecting a company’s information system infrastructure in the 21st century ABSTRACT As organizations in recent years continue to increase their investment into the advancements of technology to upsurge productivity and efficiently, more and more companies begin to realize that protecting of this technology is just as significant (Information Security), if not; even more important in order to protect their reputation and integrity as a company. This paper provides a comprehensive high-level view of ethical hacking, such as what it is, what it entails, and why companies hack into their own technology. Additionally, counter measures including penetration testing and real-world examples will be examined to give the reader a better understanding of ethical hacking and why it’s such an essential element of Information Security in the Information Systems/Technology field.
INTRODUCTION TO ETHICAL HACKING

In simple terms, Ethical Hacking can be described as a process in which working professionals in the technology field are hired by an organization to perform a variety of attacks against its own network, systems, and technology. The goal is quite simple: to ‘break into’, or ‘hack’, the organization’s information system so that vulnerabilities are discovered and eventually ‘patched’, so that a real attack would have no harmful consequences for the company, such as data leakage, compromised systems, or stolen proprietary information. This is where the word ‘ethical’ comes into play, as these hackers are hired solely for this purpose. Professionals in this field include outside security consultants hired by the company, or employees in a direct role within the company, who possess expert computer skills in a wide variety of areas and systems (networks, operating systems, application programming). Ethical hackers try to answer three basic questions: what can the intruder see on the target system, what can an intruder do with the information compromised, and will anyone notice that the attack occurred?

Before proceeding further, a basic understanding of the umbrella field, Information Security, must be conveyed. There are three elements of Information Security: Confidentiality, the assurance that information is accessible only to those authorized to have access; Integrity, the reliability of data or resources in terms of preventing improper and unauthorized changes; and Availability, the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by an authorized user. (EC-Council, 2011)

With this said, all three elements have a direct impact on the way network and system security is approached, which leads us to our discussion of Ethical Hacking. If all three of these elements are properly addressed and implemented when architecting the way an organization’s systems interact, then one would not have to be so concerned with the technology and the securing of it. As companies continue to grow and expand their need for information systems, increasing their investment on a year-to-year basis, so does the need to protect and defend their infrastructure against malicious activities, attacks, and destructive encounters. The risk of not protecting one’s information system is too great, as the effects of a successful hacking attempt include damage and theft of proprietary information, client/customer data, and personal information, and the impeding of business operations and activities, all of which can lead to a company’s downfall. As great as the technology is that many of these companies have adopted to create an efficient operation, their lack of focus on security can work against them and instead create an inefficient and ineffective use of the technology.

Who is a Hacker?

A hacker can be defined as an individual with superb computer skills who has the ability to create and explore into another system, whether software programs or hardware-based devices. A motive behind a hacker’s mindset is to gain knowledge, or to poke around to do illegal and disruptive activities that could result in monetary benefits. For some, it is a hobby to see how many systems and networks they can control. There are four unique hacker classes:

Black Hats- individuals who resort to malicious or destructive activity with malicious intent.
White Hats- individuals who use their skills for defensive purposes, also known as security analysts.
Suicide Hackers- individuals who aim to bring down critical infrastructure for a “cause” and would rather be known for the destruction they commit. These individuals are not worried about facing any type of severe penalty, regardless of fines or jail sentences.
Gray Hats- individuals who work both offensively and defensively at various times, whose intent is mostly for the well-being of others; however, this is not always the case. (EC-Council, 2011)

What do Hackers do?

There are five phases that a hacker’s mindset goes through:

Phase 1 Reconnaissance- refers to the preparatory phase where an attacker looks to gather as much information about a target as they can prior to launching an attack. Examples include employees’ names, phone numbers, and email addresses, system names, and software installed on these systems. There are two types of reconnaissance: Passive, which involves acquiring information without directly interacting with the target or someone affiliated with the target, such as searching for press releases or public records; and Active, which involves interacting with the target directly by any means, for instance phoning the help desk or technical support center while pretending to be an employee of the company.
Phase 2 Scanning- refers to the “pre-attack phase” in which an attacker scans the network seeking specific information on the basis of the information gathered during reconnaissance. Examples include port scanning, vulnerability scanners, and dialers.

Phase 3 Gaining Access- once access is achieved to the desired operating system, application, or network, the attacker can escalate privileges to obtain complete control of the system. Examples include password cracking, buffer overflows, denial of service, and session hijacking.

Phase 4 Maintaining Access- after access has been attained, most hackers attempt to retain their ownership of the system/application/device. Attackers may prevent the system from being owned by other hackers by securing their access exclusively with backdoors, trojans, or rootkits. Attackers then use the compromised system to launch further attacks, which allows them to upload, download, or manipulate data, configuration, and applications at any time.

Phase 5 Covering Tracks- after a hacker’s activities have been carried out, smarter attackers usually look for ways to hide their malicious acts by covering their tracks and hiding their identity. This can be achieved by overwriting system, application, audit, and event logs, or by deleting any evidence that may lead to prosecution. (EC-Council, 2011)

FOOTPRINTING AND RECONNAISSANCE

Footprinting and reconnaissance are hacking methodologies used to uncover and collect as much information as possible regarding an organization’s information system. These two methods are carefully planned well ahead of time before an attack is carried out. Basic information such as a company’s DNS, IP addresses, system and network architectures, platforms, and applications used is all information that can be gathered and collected by a hacker to help carry out the attack. While this information is collected, the hacker cautiously examines and identifies vulnerabilities that can be exploited. An ethical hacker looks to examine what information is available publicly by collecting information from the internet or internally, and then documents the effects this may have on the organization, such as privacy loss, corporate espionage, competitive intelligence, and information leakage. There are four types of Footprinting:

Anonymous Footprinting- gathering information from sources where the author of the information cannot be traced or identified.
Internet Footprinting- collecting information about a target from the Internet.
Organizational/Private Footprinting- collecting information internally within the organization.
Pseudonymous Footprinting- collecting information that may be published under a different name in an attempt to preserve privacy and confidentiality. (EC-Council, 2011)

SYSTEM HACKING

There are several ways an attacker can gain access to a particular system; however, each way requires the attacker to exploit a weakness, vulnerability, or even human error.

Types of Attacks

Operating System Attacks- attackers search for platform (operating system) vulnerabilities and then exploit them. Examples include buffer overflows, bugs and glitches, and unpatched operating systems.

Application-Level/Shrink Wrap Code Attacks- programming is complex, and there are times when insecure code is used over and over again to reduce this complexity, such as by reusing existing code libraries. If it is there, why reinvent the wheel? This leads to poor or nonexistent error checking in these applications, which can lead to buffer overflow attacks, cross-site scripting, denial of service, SQL injection attacks, session hijacking, man-in-the-middle attacks, and so on.

Misconfiguration Attacks- misconfigured systems occur when a change is made to a file’s permissions. If that is the case, the file or application can no longer be considered secure. Administrators are expected to change the configuration and limit the authority of devices before they are deployed to the network. Failure to do this allows the default settings to be used to attack the system.
Password Cracking- various techniques and tools are utilized to recover passwords from computer systems. Hackers can use these tools to gain unauthorized access to a vulnerable system. Most of these techniques are successful due to weak or easily guessable passwords, such as dictionary words or default passwords. Password cracking techniques include dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, and rule-based attacks. Surprisingly, an increasing number of non-technical password stealing techniques have been reported in recent years, such as shoulder surfing, social engineering, and dumpster diving.

Spyware/Keyloggers- refers to a program or device (software or hardware) specifically hidden to record the user’s interaction with the system without the user’s knowledge. The various types of spyware include screen capturing spyware, USB spyware, child monitoring spyware, video spyware (which secretly monitors and records webcams and video IM conversations; the recordings can then be remotely viewed via the web or a mobile phone), audio/cellphone spyware, GPS spyware (which uses the global positioning system to determine the location of a vehicle, person, or asset to which it is attached or installed), and even print spyware.

Viruses/Trojans/Worms- all are examples of malware: unsolicited code or software on a system that in most cases allows for data breaches or backdoor access for a hacker, or executes damage that can harm the system. This type of malware is commonly created with malicious code or with tools and utilities that have the ability to attack vulnerable systems (as long as the hacker knows where the vulnerability exists).

Rootkits- refers to code hidden within the kernel of the operating system that has the ability to hide itself and cover up traces of the malicious intent. More specifically, it replaces certain operating system calls and utilities with its own modified versions. From there, the attacker acquires root access (above the level of administrator) to the system by installing a virus, trojan, worm, or other malware in order to exploit it. This allows the attacker to maintain undetected access to the system. Types of rootkits include hypervisor level, kernel level, application level, hardware/firmware, and boot loader.

Steganography- is a technique consisting of hiding a secret message within an ordinary message or file and extracting it at the destination, so that its hidden identity is maintained. The most popular use of this technique is when hackers take a graphic image and embed code within that image file to perform a malicious activity. This conceals the data within the file. Such techniques include substitution, transform domain, cover generation, distortion, statistical, and spread spectrum. The various means of steganography besides images include document, video, and audio steganography. (EC-Council, 2011)
Why Cover Tracks?

Most hackers, with the exception of suicide hackers, will cover their traces to avoid detection and a possible jail sentence. However, this is not the only reason. Covering their tracks allows the attacker to install backdoors to gain access in the future. When this is executed, a clever hacker will usually escalate the compromised account’s privileges without the system change being recorded. As previously mentioned, they can do this by manipulating the log files of an operating system or altering the event logs. Once intruders have successfully gained administrator-type access on a system, they will attempt to cover their tracks in every possible way they can, including deleting recently modified files and disabling audit logs. Disabling these logs is usually performed immediately after obtaining administrator privileges.

PENETRATION TESTING

Penetration testing is a method of actively evaluating the security of an information system or network by simulating an attack from a malicious source. Various security measures are analyzed for weaknesses in design, technical flaws, and vulnerabilities that can be exploited. There are two types of testing that are performed: black box testing, which simulates an attack from someone who is unfamiliar with the system; and white box testing, which simulates an attacker who has knowledge about the system, such as an employee. The results are recorded and delivered to senior-level management and technical audiences.

Why Penetration Testing?

Penetration testing allows the company to identify threats discovered in its information system or network during the testing stage. Companies that hire such testers have found that overall IT security costs are reduced, and that they get a better return on security investment (ROSI), by identifying and resolving vulnerabilities, weaknesses, and possible exploits that may have been taken advantage of if the proper security measures were not enforced. Additionally, companies are also seeing what type of IT security investments they really need to focus on, as opposed to investing in a large enterprise-wide security solution that covers everything, which may not always be necessary for every organization. Additionally, these professionals provide an organization with assurance of a thorough and comprehensive assessment of the organization’s security policies, procedures, and controls, and of how they may be implemented. Many industry-wide regulations may apply, such as HIPAA (Health Insurance Portability and Accountability Act), FDA (Food and Drug Administration), and PCI (Personal Confidential Information), requiring specific certification and best-practice security standards in order to continue doing business. For instance, PCI regulation requires all hard drives within the organization to be encrypted.

A Penetration Tester’s Best Friend

Vulnerability libraries are a penetration tester’s best friend, as they document all of the discovered vulnerabilities that have been reported by testers, users, ethical hackers, and even the programmers themselves. The majority of these vulnerabilities are design flaws that leave an operating system and its applications susceptible to attack. These vulnerabilities are classified by severity level (low, medium, or high) and exploit range (remote or local). Such professionals need access to this research in order to identify and correct exposures in their respective function. Many of these vulnerabilities are documented on websites and databases available to the public, where even some of the more ‘proficient’ hackers seek to take those vulnerabilities to a further level. A list of vulnerability research websites is given below:

- The United States Computer Emergency Readiness Team (US-CERT) Vulnerability Database (kb.cert.org)
- National Vulnerability Database, sponsored by the DHS National Cyber Security Division (National Institute of Standards and Technology) (nvd.nist.gov)
- Secunia (secunia.com)
- SecuriTeam (securiteam.com)
- SecurityTracker (securitytracker.com)

COUNTERMEASURES

In conjunction with penetration testing, countermeasures are examined closely, documented, and then reviewed by the ethical hacker to improve the security posture of the company. Several countermeasures are scrutinized more closely than others, including but not limited to: defending against footprinting, password cracking, privilege escalation, malware (including session hijacking, network sniffing, man-in-the-middle, and denial of service), and steganography attacks.
How to defend against Footprinting?

Defending against footprinting includes configuring routers and access control lists (ACLs) to restrict responses to footprinting requests, implementing and configuring an IDS (Intrusion Detection System) to refuse suspicious traffic picked up in patterns, locking down ports with a suitable firewall configuration, configuring web servers to avoid information leakage, and lastly disabling unwanted protocols. Ethical hackers will additionally document and evaluate the content of information made available publicly and work to remove any sensitive information discovered, such as network architecture, applications, employees, and/or email addresses. (EC-Council, 2011)

How to defend against Password Cracking?

By incorporating strict password guidelines within an organization’s security policy, hackers will have a much more difficult time successfully cracking a password. These guidelines should include requiring users to use a combination of alphanumeric characters, including upper- and lowercase letters, numbers, and symbols. Additionally, requiring users to change their password on a more frequent basis, such as every 30 days, will help prevent hackers from returning to an account or system that was compromised at one point in time. There should also be additional effort and resources available for monitoring system logs or alerting on events that indicate possible attacks.

How to defend against Privilege Escalation?

As described above, once hackers obtain access to a system or account, they will seek ways to escalate their privileges to those of an administrator. Therefore, countermeasures to defend against their ability to escalate privileges are examined:

- Use encryption as much as possible and wherever it can be done. Not all systems, applications, and devices have the ability to encrypt their data, but one level of encryption (for instance, on a user’s workstation) will make it that much more difficult for an intruder to gain access.
- Systems should be patched on a continuing basis, as patching cycles never end and there will always be vulnerabilities, bugs, and other fixes to resolve in an application or operating system.
- Run services within a system’s environment under an “unprivileged” account; this way, if the account does become compromised, the intruder cannot do much since access is restricted.
- Restrict interactive logon privileges and run users and applications with the least possible privileges.
- Implement multi-factor authentication and authorization, such as biometrics and token keys. If an intruder has compromised only one authentication type in a multi-factor verification environment, the hacker is left with the same result as when they first started, and that is clearly no system access. (EC-Council, 2011)

How to defend against Malware?

Malware and other unsolicited software can be tricky at times if the malicious files are not detected by an anti-virus product, which in this case would be known as a zero-day threat. In any circumstance, to help alleviate the issue and reduce risk: install, maintain, administer, and update the anti-virus product within the environment. This includes updates to signature files, scan engine versions, program versions, patches, and hot fix releases. Additionally, installing and administering personal and enterprise firewalls with application and device control policies, and restricting and limiting web access, can all diminish the company’s risk of exposure.

How to defend against Steganography?

Steganography is one of the more difficult types of attack to defend against, as code is hidden and embedded in an existing application or file. Since these types of attacks are performed in the background, an ordinary user or even a computer expert may have trouble ‘noticing’ whether anything has been altered since the file or application was last changed. The best way to defend against these types of attacks is to use steganography detection tools that specifically look for these changes from file to file and application to application. These tools are also known as file integrity verification checks. One of the more common steganography detection tools used is a product called Stego Watch.
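The password-cracking countermeasures above end with a call to monitor system logs and alert on events that indicate an attack. The following added example (not from the paper or from EC-Council) shows what that monitoring looks like in practice: it reads OpenSSH-style "Failed password"/"Accepted password" lines, flags a source that piles up failures inside a short window (a dictionary or brute-force run), and flags a success that follows such a burst, which is the signature of a cracked account. The log lines, host name and addresses are constructed for the example.

```python
# Added example: detecting password-guessing activity in authentication logs.
# The log below is constructed in OpenSSH "Failed/Accepted password" style;
# the host name and the 203.0.113.x / 198.51.100.x addresses are documentation
# values, not real systems.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a guessing burst from one address that ends in a
# successful login, plus ordinary activity (one typo) from another address.
SAMPLE_LOG = """\
2011-12-01T09:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2011-12-01T09:00:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
2011-12-01T09:00:04 host1 sshd[2202]: Failed password for root from 203.0.113.5 port 51236 ssh2
2011-12-01T09:00:06 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 51237 ssh2
2011-12-01T09:00:09 host1 sshd[2204]: Failed password for jsmith from 203.0.113.5 port 51238 ssh2
2011-12-01T09:00:11 host1 sshd[2205]: Failed password for jsmith from 203.0.113.5 port 51239 ssh2
2011-12-01T09:00:14 host1 sshd[2206]: Accepted password for jsmith from 203.0.113.5 port 51240 ssh2
2011-12-01T09:05:00 host1 sshd[2310]: Failed password for bjones from 198.51.100.20 port 40001 ssh2
2011-12-01T09:05:07 host1 sshd[2311]: Accepted password for bjones from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("src")


def detect_password_guessing(log_text, threshold=5, window_seconds=60):
    """Return alerts as (source, kind, detail) tuples in log order.

    kind == "burst":   the source reached `threshold` failures within a
                       sliding window of `window_seconds` (one alert per source)
    kind == "cracked": a source that already triggered a burst alert then
                       logged in successfully, so the guessed password worked
    """
    failures = defaultdict(list)   # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> distinct usernames tried
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            failures[src].append(ts)
            users[src].add(user)
            # drop failures that fell out of the window ending at this event
            failures[src] = [t for t in failures[src]
                             if (ts - t).total_seconds() <= window_seconds]
            if len(failures[src]) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append((src, "burst",
                               "%d failures for %d users in %ds"
                               % (len(failures[src]), len(users[src]),
                                  window_seconds)))
        elif result == "Accepted" and src in alerted:
            alerts.append((src, "cracked", "login as %s after burst" % user))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect_password_guessing(SAMPLE_LOG):
        print("ALERT %-8s %-14s %s" % (kind, src, detail))
```

A single failed login from 198.51.100.20 never reaches the threshold, so only the guessing source is reported; raising the threshold above that source's total failure count silences both of its alerts.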
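The steganography countermeasure above rests on file integrity verification: recording what files looked like and noticing when they change. The added example below (not from the paper, and unrelated to the Stego Watch product it names) takes a baseline of SHA-256 digests for a directory tree and reports added, removed and modified files. It separates out files whose content changed while their size stayed identical, because substitution-style embedding overwrites existing bits of the carrier rather than appending to it, so a check on size alone would miss it. The directory layout and file contents in the demo are constructed.

```python
# Added example: a minimal file integrity verification check of the kind
# used to detect tampering such as steganographic embedding. Not the paper's
# or any product's code; the demo tree and contents are constructed.
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to size + digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full),
                             "sha256": file_digest(full)}
    return manifest


def save_manifest(manifest, path):
    """Persist a baseline so later runs can compare against it."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify(baseline, current):
    """Compare two manifests. Returns sorted lists under four keys:
    'added', 'removed', 'modified' (content and size changed) and
    'same_size_modified' (content changed, size identical: the pattern left
    by substitution-style embedding, which a size check alone cannot see)."""
    report = {"added": [], "removed": [], "modified": [],
              "same_size_modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            if baseline[rel]["size"] == current[rel]["size"]:
                report["same_size_modified"].append(rel)
            else:
                report["modified"].append(rel)
    return report


def demo(root=None):
    """Constructed scenario: baseline a small tree, then flip one byte inside
    an image (size unchanged, as bit substitution would), append to a text
    file, and drop in a new file. Returns the verification report."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    files = {"img/logo.bmp": bytes(range(256)) * 4,     # stand-in carrier
             "doc/readme.txt": b"quarterly report\n"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    baseline = build_manifest(root)
    # tamper 1: one byte of the image changed in place (same size)
    with open(os.path.join(root, "img", "logo.bmp"), "r+b") as f:
        f.seek(100)
        f.write(bytes([files["img/logo.bmp"][100] ^ 0x01]))
    # tamper 2: data appended to a document (size grows)
    with open(os.path.join(root, "doc", "readme.txt"), "ab") as f:
        f.write(b"appended\n")
    # tamper 3: an unexpected new file
    with open(os.path.join(root, "doc", "new.txt"), "wb") as f:
        f.write(b"unexpected file\n")
    return verify(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```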
REAL-WORLD EXAMPLES

The number of information security professionals in the workforce continues to rise as companies have realized that as their usage of technology grows, so does the risk associated with using it. Technology is becoming much more complex with the advancements being made, which further complicates how attacks are performed and ultimately carried out by an intruder. With this said, below are some real-life examples of how organizations (including government agencies and not-for-profit institutions such as universities) have utilized ethical hacking tactics to protect their technology from being hacked into, breached, and ultimately compromised.

Hacker Boot Camp Helps Good Guys Outsmart Intruders

Rudy Chavez, a former Unix system administrator employed by the IT services firm Booz Allen Hamilton, was sent by his employer to an ethical hacking boot camp and became a certified ethical hacker one month later. The company decided it would benefit from having a ‘hacker of its own’ to help outsmart cybercriminals at their own game. During the boot camp, which consisted of a combination of classroom instruction and computer-lab time, Chavez learned how legitimate tools, technologies, and techniques are being used for illegal activities and hostile purposes. Chavez claims that the sophistication and pervasiveness of the tools out there allows for great havoc, and that although the IT security field generally takes a defensive approach, the training has led him to take an offensive posture and helped him understand how these attacks happen. (Information Week, 2005)

Government Agencies Seeking Code Breakers

Even government agencies are searching for hacking talent. The Toronto Star, a widely recognized newspaper in Canada, reports that a British spy agency is using an anonymous code-breaking web page to recruit self-taught hackers that it might not have found otherwise. The page was launched in November of 2011. A spokesman for the U.K.’s Government Communications Headquarters even admitted that recruiting Oxford and Cambridge graduates is not always in the best interest of the agency. They also claim that most cyber-specialists enter the organization as graduates; however, with the quickly evolving world of cybercrime, they feel it is essential to look for candidates who may be self-taught but have a keen interest in code-breaking and ethical hacking. (Taylor, 2011)
Ethical Hacking Proves to be an Excellent Test for Companies

As extortion attempts by hackers against firms continue to rise at an alarming rate, Mark Hanvey, Chief Security Officer of Cable & Wireless, the U.K.’s second largest fixed-line telecommunications operator, states that he is encouraged to see companies investing in ethical hacking to protect their commercial assets. He states that ethical hacking is an excellent test for systems and is helping companies; however, he urges that risk can never be eliminated, only minimized, which is done by putting effective monitoring and countermeasure tactics in place, such as around-the-clock monitoring. As long as companies continue to invest in effective information security systems, and this starts with hacking your own, organizations can avoid being in the news the next day about a possible data breach. (Hanvey, 2005)

Ethical Hacking Demand Helping Firm Achieve Record Profits

NCC, a computer services company hired by large corporations for its expertise in security consulting, has achieved record profits thanks to the increased demand for its ethical hacking services. Companies are hiring the firm to hack into their own systems so that vulnerabilities can be found. Rob Cotton, chief executive of the firm, has stated that because of the nature of the economy, many companies are seeing an alarming increase in threats. The Financial Times reports that revenue has risen to 31 percent because of this service, which only very few companies have to offer. (Stafford, 2006)

College Universities Teaching Students How to Hack

A study conducted in 2007 revealed that the average computer is attacked by hackers more than 2,200 times a day, which comes out to about once every 40 seconds, and that hackers stole an estimated $49 billion in the United States alone in 2006. Geoffrey Lund, leader of the software-applications program at the University of Abertay Dundee in Scotland, has stated that he helped design a new course to teach students how to hack and defend network systems. Although classes that teach hacking techniques are rare and controversial, as administrators at the school were nervous about teaching such potentially destructive techniques, he claims that ethics are also covered in the classroom, and that they conduct background checks on students beforehand as a prerequisite. Lund states that the course prepares students for a rapidly growing job market by teaching that the best defense is a good offense. The class is set up with a network of approximately 20 computers isolated from the rest of the university system, where the students then practice hacking into or even bringing down the network. By hacking into these systems and networks, students are able to learn about the weaknesses of an institution’s system. Alexander Graham, an experienced information technology professional who enrolled in the course, has stated that he is shocked by how much damage a malicious hacker can do. He claims the course is extremely helpful and believes in the philosophy of “know thy enemy, then you can defeat them” at their own game. (Vance, 2007)

CONCLUSION

Ethical Hacking is a growing trend that appears to be on all types of organizations’ radar. As is evident from this study, we see large amounts of money invested to ensure that organizations are protected against the risks associated with hacking attacks. The alarmingly increasing number of attacks against these organizations is well known, and the losses can be easily quantified. As hacking involves creative thinking, vulnerability testing and security audits cannot guarantee that an information system is secure. To counter this, organizations must implement a defense-in-depth strategy by penetrating their own systems and networks. Ethical hacking becomes necessary as it allows one to counter the attack and reverse engineer malicious attackers by anticipating the methods they use to launch an attack and break into a system. An ethical hacker can only help the organization better understand its system from a security perspective; it is still up to the organization to place the right guards around the technology. Securing these information systems does come with its challenges. For instance, compliance with government laws and regulations must be followed and maintained.
Companies (depending on the industry) must be willing to spend vast amounts of money on education, training, and awareness in order to stay in compliance. Some industries, for example, have strict laws that prevent data from being outsourced outside the country (or, if it is outsourced, require the use of encryption), similar to the handling of sensitive personal information. Other industries may require certain security measures to be in place in order to continue business operations. These regulations add another challenge to security: ensuring that the proper measures are being enforced. Additionally, it is difficult to centralize security in a distributed computing environment; as technology evolves, so does the complexity of administering, managing, and monitoring sophisticated and complex attacks. As we turn everything we do into the palm of our hands, mobile security, adaptive authentication, and social media strategies from an offensive and defensive perspective are only the stepping stones to what is next in the digital age we live in today.

“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” –Stephen Hawking, Theoretical Physicist and Cosmologist
REFERENCES

EC-Council. (2011). Ethical Hacking and Countermeasures v7.1 Course.
Hanvey, M. (2005, June 22). Ethical Hacking An Excellent Test of Mettle for Security Systems. The Financial Times, p. 16.
Information Week. (2005, June 23). Hacker Boot Camp Helps Good Guys Outsmart Internet Troublemakers; The number of IT security professionals is expected to grow to nearly 800,000 by 2008, and more of them need to think like hackers to be effective. Information Week.
Stafford, P. (2006, July 19). NCC Ethically Hacks its Way to Record. The Financial Times, p. 24.
Taylor, L. C. (2011, December 2). British spies recruit 'ethical hackers'. Toronto Star.
Vance, E. (2007, April 13). Students at the University of Abertay Dundee Learn Computer Hacking to Defend Networks. The Chronicle of Higher Education.