Ethical hacking is the authorised breaching of an organization's defences for the sole purpose of finding and fixing security loopholes before an attacker does. Ethical hacking is still hacking nonetheless, and there are rules and laws governing the activity. Certified Ethical Hacker (CEH) is one of the most widely accepted IT security certifications today. To become a certified ethical hacker you must have the qualifications and hands-on experience to assess the security of computer systems using penetration testing techniques. The ethical hacker exam covers the following areas -
In this series of papers I will try to cover all the topics of CEH V.9 in 18 different modules. The objective of this paper is to cover the following -
In a short period of time, a lot of activity takes place on the internet. For instance, in about 60 seconds roughly 5 million videos are viewed on YouTube and about 1.8k posts are published on WordPress. This shows a massive shift towards internet content consumption, which has also caught the interest of hackers.
As of 2014, there was an increase in data destruction, and methods that were once thought obsolete were making a comeback; hackers were shifting their attacks directly to the victim's device. The increase in information theft has driven the need for information security. Information security deals with ensuring that data and information are protected from unauthorised access, modification and destruction.
By compartmentalizing its objectives into elements, we can further understand what information security is all about:
Whether the goal is information theft or revenge, information security threats are largely driven by a motive and by the attacker's belief that the target holds something of value. The constant search for valuable information creates the demand for attackers who can exploit the vulnerabilities of the targeted systems.
Some of the top-rated attack vectors are -
Hacking is defined as discovering loopholes for the purpose of exploitation, and manipulating security controls to steal valuable information. While the definition of hacking is clear cut, the hackers are not. There are different types of hackers who ultimately do the same thing, hack, but for different reasons. Some of these are -
Regardless of the purpose, hacking can be broken down into distinct phases -
Ethical hacking involves the authorised breaching of systems for the sole purpose of strengthening them. Ethical hackers, also known as white hats, find and exploit vulnerabilities in order to protect an organization's systems and prevent other hackers from gaining access to them. In order to do this, they have to answer the following questions -
Information assurance - this ensures that all the elements of information security are preserved while information is transmitted from source to destination.
Information security management system - helps organizations carry out their activities with reduced risk. Threat modelling: this identifies the vulnerabilities and components that could introduce risk, by analysing all the information that plays a role in the organization's security posture.
Enterprise information security architecture - this is a policy that governs the structure of an organization's information security. Network security zoning: by placing systems in segments with different security levels, this control ensures that a compromise in one zone does not expose the whole system.
Information security policies - they govern how the system’s security should be run by providing regulations that must be adhered to.
Incident management - this is needed after an attack has been carried out. A proper analysis of the incident, as well as the creation of new security measures, is necessary to prevent a recurrence.
PCI DSS is a standard that all handlers of credit card information must adhere to for secure and protected transactions. It applies to merchants, issuers, service providers, acquirers, and any other body that stores, processes or transmits cardholder data. The PCI Security Standards Council is the body that maintains this standard. Its objectives are:
To find out more about PCI DSS, read one of my previous papers on PCI DSS.
The Health Insurance Portability and Accountability Act (HIPAA) applies primarily to health care institutions and governs how they handle information security. The rules under this act are: Electronic transaction and code set standards: these rules state that all businesses operating through electronic means are mandated to follow the same set of code sets, transactions, and identifiers. Privacy rule: this provides federal protection for patients' health information.
Security rule: dictates a number of administrative, physical and technical safeguards that bodies protecting health data must use to ensure the elements of information security are covered. National identifier requirements: require that standard identification numbers be assigned to health plans, employers and health care providers for use in standard transactions.
DMCA implements two treaties adopted by the World Intellectual Property Organization in 1996, to protect copyrighted works and their owners from unscrupulous individuals or organizations. FISMA, on the other hand, comprises an extended baseline of requirements geared towards the effectiveness of information security controls in the organizations that maintain federal information and systems. Some of its objectives are:
Published with the express permission of the author.