Hacking Fundamentals
Luis Herrera, CISM, CRISC, CEH, Pentest+, ITILv3, PSM1
Nov-2018
2 IBM Security
World’s Biggest Data Breaches
Data Breach Statistics Jan 2017
Data Breach Statistics Nov 2018
Laws and Regulations in the World
US Federal Laws addressing broad issues but relating to DSP:
- Children's Online Privacy Protection Act of 1998 (COPPA)
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Sarbanes-Oxley Act (SOX)
- Fair Credit Reporting Act of 1970 (FCRA)
- Fair and Accurate Credit Transactions Act of 2003 (FACTA): revisions to FCRA to protect against identity theft and for other purposes
Industry Specific:
- Credit Card Industry: Payment Card Industry Data Security Standard (PCI DSS)
- Healthcare: Health Insurance Portability and Accountability Act (HIPAA)
- Healthcare: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Banking: Basel II
- Educational Institutions: Family Educational Rights and Privacy Act (FERPA)
- Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act, GLBA)
- Insurance: Solvency II and Model Audit Rule
US Federal Government:
- Privacy Act of 1974
- Federal Information Security Management Act (FISMA)
State Laws:
- State regulators have shifted their approach to the protection of personal information from reactive to proactive
- Currently, 46 states have 'Data Breach Notification Laws', which require notice to affected individuals and, in some cases, to government officials
- California: State Bill 1386, whose most recent change includes health information as SPI
- Massachusetts data security law: 201 CMR 17.00, the newest and most stringent standards for the protection of personal information of residents of the Commonwealth
Privacy laws around the world:
- European Union: European Data Protection Directive (1995)
- Canada: PIPEDA (2001 – 2004)
- Taiwan: Computer Processed Personal Data Protection Law (1995)
- South Korea: Information and Communication Network Utility and Information Protection Law (2000)
- Japan: Personal Data Protection Act (2005)
- APEC: Guidelines (2004)
- Russia: Federal law on Personal Data (January 2007)
- Australia: Privacy Amendment Act (2001)
- New Zealand: Privacy Act (1993)
- Chile: Protection of Private Life Law (1999)
- Argentina: Protection of Personal Data Law (2000)
- Dubai: Data Protection Law
[World map legend: Emerging Private Sector Privacy Laws / Existing Private Sector Privacy Laws]
What is Hacking?
In the 60's, some MIT engineers started cracking each other's passwords to play pranks; it is said that this is where the term "hacker" was first coined. In the 70's, phreakers became popular and Captain Crunch was a celebrity: using a toy, they were able to make long-distance calls for free.
Types of Hackers
Black Hats: Individuals with extraordinary computing skills who resort to malicious or destructive activities; also known as crackers.
White Hats: Individuals professing hacker skills and using them for defensive purposes; also known as security analysts.
Gray Hats: Individuals who work both offensively and defensively at various times.
Suicide Hackers: Individuals who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment.
Script Kiddies: Unskilled hackers who compromise systems by running scripts, tools and software developed by others.
Cyber Terrorists: Individuals with a wide range of skills, motivated by religious or political beliefs to create fear by large-scale disruption of computer networks.
State Sponsored Hackers: Individuals employed by a government to penetrate and gain top-secret information and to damage the information systems of other governments.
Hacktivists: Individuals who promote a political agenda by hacking, especially by defacing or disabling websites.
Essential Terminology
Vulnerability: The existence of a weakness, design flaw, or implementation error that can lead to an unexpected event compromising the security of the system.
Exploit: A breach of IT system security through vulnerabilities.
Payload: The part of an exploit code that performs the intended malicious action, such as destroying data, creating backdoors, or hijacking computers.
Hack Value: The notion among hackers that something is worth doing or is interesting.
Bot: A software application that can be controlled remotely to execute or automate predefined tasks.
Zero-Day Attack: An attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability.
Daisy Chaining: Gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information.
Doxing: Publishing personally identifiable information about an individual collected from publicly available databases and social media.
Elements of Information Security
Functionality, Usability & Security Triangle
Top Attack Vectors
OWASP Top 10 Vulnerabilities
From Oct 2013 thru Mar 2015
Social Engineering
Social Engineering examples
Free Online Training
https://www.offensive-security.com/metasploit-unleashed/
https://www.cybrary.it/
https://www.reddit.com/r/hacking/
https://www.youtube.com/results?search_query=hacking
https://discord.me/page/pentestsec
Recommended videos
Discovery Channel - The Secret History Of Hacking
https://www.youtube.com/watch?v=Y47m1cOyKjA&list=WL&index=7
Defeating The Hackers - BBC Documentary
https://www.youtube.com/watch?v=HQJMg6FdcvQ
The Internet's Own Boy: The Story of Aaron Swartz
https://www.youtube.com/watch?v=9vz06QO3UkQ
DEFCON - The Full Documentary
https://www.youtube.com/watch?v=3ctQOmjQyYg
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
THANK YOU
Introduction to Hacking (101) Fundamentals