1 Ethics of Ethical Hacking
• Role of ethical hacking in today’s world
• How hacking tools are used by security professionals
• General steps of hackers and security professionals
• Ethical issues among white hat, black hat, and gray hat hackers
This book has not been compiled and written to be used as a tool by individuals who wish
to carry out malicious and destructive activities. It is a tool for people who are interested in
extending or perfecting their skills to defend against such attacks and damaging acts.
Let’s go ahead and get the commonly asked questions out of the way and move on
from there.
Was this book written to teach today’s hackers how to cause damage in more effective
ways?
Answer: No. Next question.
Then why in the world would you try to teach people how to cause destruction and
mayhem?
Answer: You cannot properly protect yourself from threats you do not
understand. The goal is to identify and prevent destruction and mayhem, not
cause it.
I don’t believe you. I think these books are only written for profits and royalties.
Answer: This book actually was written to teach security professionals what the
bad guys already know and are doing. More royalties would be nice, so please
buy two copies of this book.
Still not convinced? Why do militaries all over the world study their enemies’ tactics,
tools, strategies, technologies, and so forth? Because the more you know what your
enemy is up to, the better idea you have as to what protection mechanisms you need to
put into place to defend yourself.
Most countries’ militaries carry out scenario-based fighting exercises in many
different formats. For example, pilot units will split their team up into the “good guys”
and the “bad guys.” The bad guys use the tactics, techniques, and fighting methods of a
specific type of enemy—Libya, Russia, United States, Germany, North Korea, and so on.
The goal of these exercises is to allow the pilots to understand enemy attack patterns,
and to identify and be prepared for certain offensive actions so they can properly react in
the correct defensive manner.
This may seem like a large leap for you, from pilots practicing for wartime to corporations
trying to practice proper information security, but it is all about what the team is
trying to protect and the risks involved.
Militaries are trying to protect their nation and its assets. Several governments around
the world have come to understand that the same assets they have spent millions and
billions of dollars to protect physically are now under different types of threats. The
tanks, planes, and weaponry still have to be protected from being blown up, but they are
all now run by and are dependent upon software. This software can be hacked into,
compromised, or corrupted. Coordinates of where bombs are to be dropped can be
changed. Individual military bases still need to be protected by surveillance and military
police, which is physical security. Surveillance uses satellites and airplanes to watch for
suspicious activities taking place from afar, and security police monitor the entry points
in and out of the base. These types of controls are limited in monitoring all of the physical
entry points into a military base. Because the base is so dependent upon technology
and software—as every organization is today—and there are now so many communication
channels present (Internet, extranets, wireless, leased lines, shared WAN lines, and
so on), there has to be a different type of “security police” that covers and monitors these
technical entry points in and out of the bases.
So your corporation does not hold top security information about the tactical military
troop movement through Afghanistan, you don’t have the speculative coordinates
of the location of bin Laden, and you are not protecting the launch codes of nuclear
bombs—does that mean you do not need to have the same concerns and countermeasures?
Nope. The military needs to protect its assets and you need to protect yours.
The example of protecting military bases may seem extreme, but let’s look at many of
the extreme things that companies and individuals have had to experience because of
poorly practiced information security.
Figure 1-1, from Computer Economics, 2006, shows the estimated cost to corporations
and organizations around the world to survive and “clean up” during the aftermath of
some of the worst malware incidents to date. From 2005 and forward, overall losses due
to malware attacks declined. This reduction is a continuous pattern year after year. Several
factors are believed to have caused this decline, depending upon whom you talk to.
These factors include a combination of increased hardening of the network infrastructure
and an improvement in antivirus and anti-malware technology. Another theory
regarding this reduction is that attacks have become less generalized in nature, more
specifically targeted. The attackers seem to be pursuing a more financially rewarding
strategy, such as stealing financial and credit card information. The less-generalized
attacks are still taking place, but at a decreasing rate. While the less-generalized attacks
can still cause damage, they are mainly just irritating, time-consuming, and require a lot
ofwork-hours from the operational staff to carry out recovery and cleanup activities. The
more targeted attacks will not necessarily continue to keep the operational staff carrying
out such busy work, but the damage of these attacks is commonly much more devastating
to the company overall.
Download E-Book
No comments:
Post a Comment