Friday, September 20, 2019
Hackers And Ethical Hackers
Hackers And Ethical Hackers Cyber security is one of the most critical aspects of security that any organization in the modern world must be concerned with. Why? Mostly because of Black-hat Hackers. The following review is a general discussion about hackers and its best countermeasure, Ethical Hacking. The reason I chose this topic is because it is of great interest to me, as I someday want to be an Ethical hacker as well. Review The word hacker in the past was defined as a person who loves playing a around with software or electronic systems. They wanted to discover new things on how computers operate. Today the term hacker has a different meaning altogether. It states that a hacker is someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into (crack) systems with malicious intent. They are out for personal gain: fame, profit, and even revenge. They modify, delete, and steal critical information, often making other people miserable. (Kevin Beaver, Stuart McClure 2004, p10) Most of the literature I read give the definition of the word hacker as previously stated or to mean mostly the same thing. The history of hacking dates back to the 1960s when a group of people in MIT hack the control systems of model trains to make them run faster, more effectively or differently than they were designed to. (Peter T. Leeson, Christopher J. Coyne, 2006). Because of such activity by these individuals computer owners and supervisors took away their access to computers. As a result the hacking community came up with their own code known as the hacker ethic: 1. Access to computers -and anything which might teach you something about the way the world works should be unlimited and total. Always yield to the Hands-On Imperative! 2. All information should be free. 3. Mistrust Authority Promote Decentralization. 4. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race or position. 5. You can create art and beauty in a computer. 6. Computers can change your life for the better. (Paul A Taylor, 2005) The above code is still followed today and not only by hackers but by others as well. Not all hackers today have the same level of expertise. Depending on the psychology and skills of a hacker they can be put into four groups.(M.G. Siriam) Old School Hackers is one group and they believe that the internet should be an open system. Script kiddies is another and they are computer novices that use tools created by professional hackers to hack systems. Most of the hackers today fit into this group. The next group is professional criminals or crackers. They break into systems for the purpose of stealing and selling information they gathered.. The final group is coders and virus writers. They are elite individuals with a very high skill in programming and operating systems that write code and use other people in charge of releasing their code to the wild. Organizations and institutions today are under a lot of stress to protect their information from external as well as internal security threats to their computer systems. As such most of them have come up with the solution of hiring Ethical Hackers. To catch a thief, you must think like a thief. Thats the basis for ethical hacking. Knowing your enemy is absolutely critical (Kevin Beaver, Stuart McClure, 2004, p13). In other wards Ethical hackers (white-hat hackers) are experienced security and network experts that perform an attack on a target system with permission from the owners, to find loop holes and vulnerabilities that other hackers could exploit. This process is also known has Red Teaming, Penetration Testing or Intrusion Testing. (www.networkdictionary.com) The end goal of ethical hackers is to learn system vulnerabilities so that they can be repaired for community self-interest and as a side-product also the common good of the people.(Bryan Smith, William Yurcik, David Doss, 2002) Every Ethical hacker should follow three important rules as follows: Firstly Working Ethically. All actions performed by the ethical hacker should support the organizations goals that he works for. Trustworthiness is the ultimate tenet. The misuse of information is absolutely forbidden. Secondly Respecting Privacy as all information that an ethical hacker gathers has to be treated with the utmost respect. Finally Not Crashing Your Systems. This is mostly due to no prior planning or having not read the documentation or even misusing the usage and power of the security tools at their disposal. (Kevin Beaver, Stuart McClure, 2004, p16-17) The main attacks or methods that an ethical hackers or even hackers perform are of as follows: Non Technical Attacks: No matter how secured an organization is in terms of software and hardware, it will always be vulnerable to security threats because securitys weakest link are people or its employees. Social engineering is a type of non technical attack where hackers exploit the trusting nature of human beings to gain information for malicious purposes. Other attacks can be of physical nature such as stealing hardware equipment or dumpster diving. Operating-System Attack: Hacking an operating system (OS) is a preferred method of the bad guys. OS attacks make up a large portion of hacker attacks simply because every computer has an operating system and OSes are susceptible to many well-known exploits.(Kevin Beaver, Stuart McClure, 2004, p15) Distributed denial of service attacks(DDoS): This is the most popular attack used by many hackers to bring down systems. Its a type of attack that overloads the network or server with a large amount of traffic so that it crashes and renders any access to the service. Internet Protocol (IP) spoofing: It is a way of disguising the hackers real identity. This method allows a hacker to gain unauthorized access to computers by sending a message to a computer with an IP address showing that the message is from a trusted host. To accomplish this, a hacker must use different tools to find an IP address of a trusted host, and then alter the packet headers so it appears that the packets are coming from the host. (Tanase 2003). The process of ethical hacking contains many different steps. The first thing that is done is to formulate a plan. At this stage getting approval and authorization from the organization to perform the penetration test is extremely important. (Kevin Beaver, Stuart McClure, 2004, p15). Next the ethical hacker uses scanning tools to perform port scans to check for open ports on the system. Once a cracker scans all computers on a network and creates a network map showing what computers are running what operating systems and what services are available, almost any kind of attack is possible (Bryan Smith, William Yurcik, David Doss, 2002) This method is used by hackers as well but for mainly for malicious purposes. After scanning has been done the ethical hacker selects the tools that are going to be used to perform certain tests on the target system. These tools can be used for password cracking, planting backdoors, SQL injection, sniffing etc. The tests need to be carefully performed bec ause if they are done incorrectly they could damage the system and could go unnoticed. (Bryan Smith, William Yurcik, David Doss, 2002) Finally the plan needs to be executed and the results of all the tests then need to be evaluated (Kevin Beaver, Stuart McClure, 2004, p22) Based on the results the ethical hacker tells the organization about their security vulnerabilities as well as how they can be patched to make it more secure. A grey hat hacker is a type of hacker that has the skills and intent of a ethical hacker in most situations but uses his knowledge for less than noble purposes on occasion. Grey hat hackers typically subscribe to another form of the hacker ethic, which says it is acceptable to break into systems as long as the hacker does not commit theft or breach confidentiality. Some would argue, however that the act of breaking into a system is in itself unethical.(Red Hat, Inc, 2002) Grey hats are also a form of good hackers that usually hack into organizations systems without their permission, but then at a later stage send them information on the loop holes in their system. They also sometimes threaten to release the holes they find unless action has been taken to fix it. (Peter T. Leeson, Christopher J. Coyne, 2006) Conclusion Testing the security of a system by breaking into it is not a new idea but is something that is practised in all aspects of industry. For example if an automobile company is crash-testing cars, or an individual is testing his or her skill at martial arts by sparring with a partner, evaluation by testing under attack from a real adversary is widely accepted as prudent.(C.C. Palmer, 2001) Since the security on the Internet is quite poor at present, ethical hacking is one of the only ways to ways to proactively plug rampant security holes. Until such time a proper social framework is founded, to differentiate the good guys (white hats) from the bad guys (black hats), a law must not be brought into effect, as this may risk taking away our last hope of stabilizing defense and not realize it until it is too late. In the end, it is up to the society to consider the social and ethical standards to apply to the ever-changing technology, so valuable information does not fall into the wrong han ds for the wrong purposes.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment