Ethical Hacking - An Overview

The key ingredient that drives your business today is information. That's because most businesses cannot function if this ingredient is not available or is unreliable. Availability, integrity and confidentiality of information are paramount concerns today. The manufacturing records, sales records, financial records, customer records are all kept on computers. In today's networked world, these may be accessible from anywhere, via the Internet. Organizations can't be too sure that all digitized information is secure. Organizations want to be able to take advantage of the Internet for electronic commerce, advertising, information distribution and access, and other pursuits, but they are worried about the possibility of being “hacked.” In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records.

Traditionally, a hacker is someone who likes to tinker with software or electronic systems. Recently, hacker has taken on a new meaning — someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into (crack) systems with malicious intent. They are out for personal gain: fame, profit, and even revenge.

Ethical hacking — also referred to as penetration testing in the IT community — involves the same tools, tricks, and techniques that hackers use, but with one major difference: Ethical hacking is legal. Ethical hacking is performed with the target’s permission. The intent of ethical hacking is to discover vulnerabilities from a hacker’s viewpoint so systems can be better secured. It’s part of an overall information risk management program that allows for ongoing security improvements.

To catch a thief, think like a thief. That’s the basis for ethical hacking.
The Environment
Hackers are said to be among the top 5 threats to an organization’s enterprise network security. With the advent of many web-enabled applications, new vulnerabilities and exploits are discovered each day, and these are openly discussed over the web. Attack scripts, hacking tools and techniques are also freely available to anyone over the internet. Most hackers start out as ‘script kiddies’ who test out various tools and techniques available over the internet on unsuspecting organizations’ networks, before graduating into sophisticated professional hackers. It’s one thing to know that your systems generally are under attack from hackers around the world. It’s another to understand the specific attacks against your systems that are possible. Broadly, we can classify specific attacks on an organization’s systems as follows:
Non-technical attacks
o Social engineering attacks to gather passwords and other critical information.
o Physical attacks - destroying systems, going through important documents containing the intellectual property of an organization.
Technical attacks
o Network attacks - exploiting weaknesses in network transport mechanisms, creating denial of service for legitimate requests, sniffing the network traffic for any confidential information sent in clear text.
o Operating system attacks - breaking file system security, cracking passwords and encryption.
o Application attacks - malicious software (malware) includes viruses, worms, Trojan horses, and spyware.
Understanding the need for ethical hacking
By simulating the actions that a hacker might perform, an organization can gain valuable insights into the effectiveness of the security controls in place over its information systems. Ethical hacking can identify vulnerabilities that unauthorized users could exploit. It can also identify more pervasive gaps and deficiencies in the organization’s overall security processes, including, for example, its ability to identify, escalate and respond to potential security breaches and incidents. Many organizations have deployed sophisticated security mechanisms, such as firewalls or intrusion detection systems (IDS), to help protect their information assets and to quickly identify potential attacks. However, firewalls and IDS can create a false sense of safety. These security systems often focus on high-level vulnerabilities, such as viruses and traffic through a firewall, without addressing how hackers actually work. Attacking your own systems to discover vulnerabilities is a step towards making them more secure. This is a proven method of greatly hardening your systems against attack.

Overall Goals of an Ethical Hacker
• Hack systems in a non-destructive fashion to identify exploitable weaknesses before they are exploited.
• Enumerate vulnerabilities; gather evidence to prove to top management that vulnerabilities exist.
• Apply solutions to remove vulnerabilities and better secure systems.

Commandments for an Ethical Hacker
Work Ethically
o Follow high professional morals and principles.
o Misuse of information must be absolutely forbidden.
o Activities must support the company’s agenda or goals.
Work Diligently
o Plan the process of ethical hacking.
o At all times look to safeguard the systems of the company under test.
o Use hacking tools and techniques diligently.
Respect Privacy
o Confidential information gathered should be safeguarded and should not be used against the company.
o Share information only with the appropriate manager or any other authorized person identified by the company.
In subsequent articles we shall deal with the process of ethical hacking carried out by most computer security professionals.