Ethical Hacking

Ethical Hacking:

Ethical hacking and ethical hacker are terms used to describe hacking performed by a company or individual to help identify potential threats on a computer or network. An ethical hacker attempts to bypass system security and search for any weak points that could be exploited by malicious hackers. This information is then used by the organization to improve the system security, in an effort to minimize or eliminate any potential attacks.Ethical hacking is also known as white hat hacking.

How  ethical  hacking  is  done ?

For hacking to be deemed ethical, the hacker must obey the following rules:
Expressed (often written) permission to probe the network and attempt to identify potential security risks.
You respect the individual's or company's privacy.
You close out your work, not leaving anything open for you or someone else to exploit at a later time.
You let the software developer or hardware manufacturer know of any security vulnerabilities you locate in their software or hardware, if not already known by the company.
The term "ethical hacker" has received criticism at times from people who say that there is no such thing as an "ethical" hacker. Hacking is hacking, no matter how you look at it and those who do the hacking are commonly referred to as computer criminals or cyber criminals. However, the work that ethical hackers do for organizations has helped improve system security and can be said to be quite effective and successful. Individuals interested in becoming an ethical hacker can work towards a certification to become a Certified Ethical Hacker, or CEH. This certification is provided by the International Council of E-Commerce Consultants (EC-Council). The exam itself costs about $500 to take and consists of 125 multiple-choice questions in version 8 of the test (version 7 consisted of 150 multiple-choice questions).

Ethical Hacking History

Since the 1980's, the Internet has grown in popularity and computer security has become a major concern for businesses and governments. Organizations would like to use the Internet to their advantage by utilizing the Internet as a medium for e-commerce, advertising, information distribution and access, as well as other endeavors. However, they remain worried that they may be hacked which could lead to a loss of control of private and personal information regarding the organization, its employees, and its clients.
In a search for ways to reduce the fear and worry of being hacked, organizations have come to the realization that an effective way to evaluate security threats is to have independent security exerts attempt to hack into their computer systems. In the case of computer security, these tiger teams or ethical hackers would use the same tools and techniques as an attacker, but rather than damage the system or steal information, they would evaluate the system security and report the vulnerabilities they found and provide instructions for how to remedy them .
From the early days of computers, ethical hacking has been used as an evaluation of system security. Many early ethical hacks were conducted by the United States Military to carry out security evaluations on their operating systems to determine whether they should employ a two-level (secret/top secret) classification system. However, with the growth of computing and networking in the early 1990's, computer and network vulnerability studies began to appear outside of the military organization. In December of 1993, two computer security researchers, Dan Farmer from Elemental Security and Wietse Venema from IBM, suggested that the techniques used by hackers can be used to asses the security of an information system. They wrote a report that was shared publicly on the Internet which described how they were able to gather enough information to compromise security and they provided several examples of how this information could be gathered and exploited to gain control of a system, and how such an attack could be prevented.
Farmer and Venema realized that the testing that they had performed was complex and time-consuming, so they packaged all of the tools that they had used during their work and developed an easy-to-use application free for download. Their program, called Security Analysis Tool for Auditing Networks, or SATAN, received a great amount of media attention due to its capabilities and implications. The SATAN tool provided auditing capability as well as capabilities to provide advice regarding how the user may be able to correct the problems that were discovered

Process of Ethical Hacking:

Like all good projects, ethical hacking too has a set of distinct phases. It helps hackers to make a structured ethical hacking attack.

Different security training manuals explain the process of ethical hacking in different ways, but for me as a Certified Ethical Hacker, the entire process can be categorized into the following six phases.

  • Reconnaissance

Reconnaissance is the phase where the attacker gathers information about a target using active or passive means. The tools that are widely used in this process are NMAP, Hping, Maltego, and Google Dorks.

  • Scanning

In this process, the attacker begins to actively probe a target machine or network for vulnerabilities that can be exploited. The tools used in this process are Nessus, Nexpose, and NMAP.

  • Gaining Access

In this process, the vulnerability is located and you attempt to exploit it in order to enter into the system. The primary tool that is used in this process is Metasploit.

  • Maintaining Access

It is the process where the hacker has already gained access into a system. After gaining access, the hacker installs some back doors in order to enter into the system when he needs access in this owned system in future. Metasploit is the preferred tool in this process.

  • Clearing Tracks

This process is actually an unethical activity. It has to do with the deletion of logs of all the activities that take place during the hacking process.

  • Reporting

Reporting is the last step of finishing the ethical hacking process. Here the Ethical Hacker compiles a report with his findings and the job that was done such as the tools used, the success rate, vulnerabilities found, and the exploit processes.
Next Post »