November 30, 2015

GHR 101 – Basic Training Part 1

OBJECTIVES:

Basic Training Part 1 introduces you to ethical hacking and penetration testing, legally!  This is for security professionals or those who wish to become one.  As of late 2015, there are over 300,000 unfilled IT security jobs open for the taking.  It’s a good time to get into the security field.  Follow along, grab one of those jobs, and build a lucrative career out of it.

Topic 101.1 – Security Basics

  • RULE : The Security Triad of Confidentiality, Integrity, and Availability (CIA) forms the building blocks of most security policies.
  • RULE : The ‘C’ in CIA is for Confidentiality and addresses the privacy of the data.  It is kept secret via authentication and authorization.
  • RULE : The ‘I’ in CIA is for Integrity and it protects the data against tampering.  Hashing and crypto handle this in transit.
  • RULE : The ‘A’ in CIA is for the Availability of the data.  How useful can the data be if no one can get to it?  Redundancy, backups, and disaster recovery plans are a good start.
  • RULE : The 3 basic elements of Risk are: Assets, Threats, and Vulnerabilities.
  • RULE : Of the 3 risk elements, the 1st is Assets, which are any items of economic value such as physical hardware, data, or intellectual property.
  • RULE : Of the 3 risk elements, the 2nd is Threats, which are natural disasters, attackers, viruses, malware, circumstances, leaked confidential info, DoS, etc. that can affect the Confidentiality, Integrity, and Availability (CIA) of the assets.
  • RULE : Of the 3 risk elements, the 3rd is Vulnerabilities, which are weaknesses in the defenses.  They could be architectural, in the implementation of systems, in software quality, a lack of funds available to properly secure the entire attack surface, etc.
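As an added illustration of the Integrity rule above (example code, not part of the original post): a keyed hash (HMAC) lets the receiver detect tampering in transit, while an unkeyed hash does not, because whoever alters the message can simply recompute the digest. The shared key and the messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample value (assumption): sender and receiver share this key out of
# band; anyone tampering with traffic in transit does not have it.
SHARED_KEY = b"constructed-shared-secret-for-demo"


def protect_with_hmac(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Sender side: HMAC-SHA256 tag that covers the message bytes."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    False means the message was altered or the tag was made without the key."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def protect_with_plain_hash(message: bytes) -> str:
    """Unkeyed SHA-256 digest, the naive checksum people often reach for."""
    return hashlib.sha256(message).hexdigest()


def verify_plain_hash(message: bytes, digest: str) -> bool:
    """Receiver side for the unkeyed digest; anyone can compute a matching one."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def simulate_tampering(original: bytes, altered: bytes) -> dict:
    """Show what each scheme does when someone in the path swaps the message.
    Plain hash: the attacker recomputes the digest for the altered message and
    the receiver accepts it.  HMAC: without SHARED_KEY no valid tag can be made
    for the altered message, so the receiver rejects it."""
    plain_accepted = verify_plain_hash(altered, protect_with_plain_hash(altered))
    original_tag = protect_with_hmac(original)      # the only tag the attacker has seen
    hmac_accepted = verify_hmac(altered, original_tag)
    return {"plain_hash_accepted": plain_accepted, "hmac_accepted": hmac_accepted}


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"        # constructed sample message
    tampered = b"transfer 900 to account 99"   # constructed altered copy
    print(simulate_tampering(msg, tampered))
```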

Topic 101.2 – Security Testing

  • RULE : Security testing is the primary objective of Penetration Testers and Ethical Hackers.
  • RULE : Target Of Evaluation (TOE) is the term used to identify a system that’s being tested.
  • RULE : No-Knowledge Testing, aka “black box testing,” means that the pen tester doesn’t know anything about the TOE.
  • RULE : Full-Knowledge Testing, aka “white box testing,” means that the pen tester knows everything about the TOE like an administrator would.
  • RULE : Partial-Knowledge Testing, aka “gray box testing,” means that the pen tester knows some things and has access to internal systems like an employee or insider would.
  • RULE : Red-Team exercises are when the leaders of an organization secretly employ an ethical hacking team to realistically find vulnerabilities and weaknesses in their own organization, without the knowledge of the rest of the employees or their internal security team.  The Red Team attempts to breach the organization’s defenses by any means necessary.
  • RULE : Security tests have 3 types: High-level assessments, Network evaluations, and Penetration tests.
  • RULE : Of the 3 security test types, the 1st one is High-level assessments (level 1), which is a top-down recon of the organization’s security policy, procedures, and guidelines.  No hands-on testing occurs, but the big question to be answered is always, “are the security policies being followed and enforced?”
  • RULE : Of the 3 security test types, the 2nd one is Network evaluations (level 2), which builds on the High-level assessment and adds information gathering, scanning, vulnerability assessment, etc.
  • RULE : Of the 3 security test types, the 3rd one is Penetration tests (level 3), which is when the ethical hacking team takes on an adversarial role and ignores security policies, attacks weaknesses in the defense, and tries to gain access to assets during the testing.

Topic 101.3 – Who is a Hacker?

  • RULE : Originally a hacker was a person who loved to explore computers and computer networks to see how they worked.  They were the smart people who knew more than everyone else about computers at a deep level.
  • RULE : Over time, the paranoid media labeled all criminal and malicious activity via computer the work of hackers.
  • RULE : In response to the bad label of hacker, the computer industry responded with a new term for the criminal hacker, which was cracker.
  • RULE : More recently, hackers have been further categorized into White hat hackers, Black hat hackers, Gray hat hackers, and Suicide hackers.
  • RULE : White hat hackers are the good guys.  The admins and consultants of organizations that are protecting their company’s assets.
  • RULE : Black hat hackers are the bad guys.  They perform illegal activity at others’ expense.
  • RULE : Gray hat hackers are in the middle.  Mostly good, but they can turn to the dark side on occasion for various reasons.  A strong temptation to turn bad stems from being unhappy at work.  If you are the boss who gave the guy a bad review or a crappy pay raise, then you may be the next target.
  • RULE : Suicide hackers.  These violent creatures are so hell bent on an attack, that they will carry it out knowing they will be caught and prosecuted.
  • RULE : Today crackers are referred to as attackers.
  • RULE : Types of attackers include Phreakers (aka Phone Phreaks), Script Kiddies, disgruntled employees, Software Crackers, System Crackers, Cyberterrorists, and Cybercriminals.
  • RULE : Phreakers are the original hackers who figured out the inner workings of telephone PBX systems to make free phone calls.
  • RULE : Script Kiddies are newbies (non-hackers) who download pre-written vulnerability assessment and hacking tools and launch them at targets of their choosing or blindly at the Internet.
  • RULE : Disgruntled employees can do a lot of damage because they are already behind the organization’s perimeter defenses.  They also understand where the most damage can be done.
  • RULE : Software Crackers typically reverse engineer commercial software to either steal the source code for resale as another product for profit, inject malware into the software and allow free access to the software in order to spread the malware, or simply bypass the license or registration keys to use the software without paying for it.
  • RULE : Cyberterrorists and Cybercriminals are funded to conduct espionage activities on governments and corporations.
  • RULE : System Crackers have specific expertise in attacking vulnerabilities of systems and networks by targeting operating systems.

Topic 101.4 – Ethical Hackers

  • RULE : Ethical hackers perform the same penetration testing and attempt to gain access just as an attacker would, but without the intent to do harm.
  • RULE : Penetration tests are sometimes performed in a double-blind environment, in that the organization’s security team has no idea that the Red Team (hired ethical hackers) is coming, or even that a Red Team exists.
  • RULE : Ethical hacker teams require these skills: Microsoft Windows (PCs and servers), Linux, switches, routers, firewalls, mainframes, network protocols, project management.
  • RULE : Modes of ethical hacking include: information gathering, external penetration testing, internal penetration testing, network gear testing, DoS testing, wireless network testing, application testing, social engineering, physical security testing, authentication system testing, database testing, communication system testing, stolen equipment attack.
  • RULE : Information gathering refers to acquiring the information that leaks out of the organization through job postings, employee social media accounts, or following key employees to a bar on a Friday night and sitting close enough to pick up the conversations they have about work.
  • RULE : External penetration testing refers to what an attacker on the outside of the firewalls could gain access to.
  • RULE : Internal penetration testing refers to testing what an authorized employee could do.
  • RULE : Network gear testing refers to testing the security of the switches, routers, firewalls, wireless LAN controllers, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).
  • RULE : DoS testing refers to stressing or overloading the systems and/or network to keep the actual users of these systems from being able to use them.
  • RULE : Wireless network testing includes wifi, RFID, ZigBee devices, etc.
  • RULE : Application testing refers to the entire application attack surface from input validation on input boxes to how the data moves from client and server and to how it gets stored.
  • RULE : Social engineering refers to manipulating the organization’s employees into giving up sensitive information or allowing physical access inside the organization.
  • RULE : Physical security testing refers to door locks, badge readers, gate access, equipment locks, placement of security cameras, closed circuit television (CCTV), alarms, response times of security guards, etc.
  • RULE : Authentication system testing refers to attempting to bypass the authentication controls.
  • RULE : Database testing refers to targeting SQL servers.
  • RULE : Communication system testing refers to voice communications with PBX’s, VoIP communications, modems, etc.
  • RULE : Stolen equipment attack refers to stealing a physical device like the CEO’s or an administrator’s laptop, yanking a mirrored hard drive out of a server, stealing backup tapes, etc., where the goal is to acquire critical intel like usernames and passwords.
  • RULE : While performing ethical hacks, never exceed your rules of engagement.  You will win if you gain a command prompt on the domain controller, but you will be in serious trouble if you take the server down and cause a production outage while doing it.
  • RULE : While performing ethical hacks, you as an ethical hacker should protect yourself from lawsuits.  Non-Disclosure Agreements (NDA), professional liability insurance, errors and omissions policies are all good ways to do this.
  • RULE : Professional liability insurance protects companies and individuals against claims made by clients for inadequate work or negligent actions.
  • RULE : Errors and omissions insurance often covers both court costs and any settlements up to the amount specified on the insurance contract.
  • RULE : While performing ethical hacks, maintain confidentiality of any information and intelligence gathered.
  • RULE : While performing ethical hacks, be ethical and don’t cause harm or damage to the organization or its people.

Topic 101.5 – Test Plans

  • RULE : Organizations can decide to do penetration testing and ethical hacking activities for reasons such as:
    • Breach in security has happened.
    • Compliance with state or federal laws.
    • Due diligence in finding the vulnerabilities before an attacker does.
  • RULE : The information security standard that organizations can follow is ISO 17799.
  • RULE : ISO 17799 is considered a security benchmark and includes these elements:
    • Security policy.
    • Security organization.
    • Asset control and classification.
    • Environment and physical security.
    • Employee security.
    • Computer and network management.
    • Access controls.
    • System development and maintenance.
    • Business continuity planning.
    • Compliance.
  • RULE : The 3 phases of ethical hacking activities are:
    • Scoping the assessment, establishing the goals and guidelines.
    • Perform the assessment.
    • Post-assessment activities.
  • RULE : Basic questions to help develop the goals and guidelines are these:
    • What is the organization’s objective that this testing will help them reach?
    • What results are they expecting?
    • What is the budget for testing?
    • How much time will be allocated towards testing?
    • What time frame will the testing be performed?  The organization might not want testing performed during peak production times.
    • Will this be a Red Team exercise or will employees know the testing is being performed?
    • Will the customers be notified?
    • How far will the testing go (root the box, gain a prompt on the server, retrieve the network administrator’s password, etc.)?
    • Who gets a phone call if something goes wrong?
    • What are the deliverables?
  • RULE : Get approval for testing in writing.
  • RULE : Again, get approval in writing before testing begins.
  • RULE : While testing is going on, you should keep management informed, especially if you find a big problem.  Don’t surprise management with the report.
  • RULE : If you find a critical vulnerability, stop all testing and immediately inform management.  The actual security of the organization is always top priority; don’t leave the organization at risk because you haven’t finished the report yet.
  • RULE : The report should be comprehensive and self-contained.
  • RULE : The report typically contains these sections:
    • Intro.
    • Statement of work.
    • Results and conclusions.
    • Recommendations for remediation.
  • RULE : Any digital copies of the report need to be protected like the crown jewels.  If it leaks out, it is a direct road map on how to exploit the organization.  Encrypt it at rest and in transit.
  • RULE : Physical copies of the report need to be marked “Confidential.”

Topic 101.6 – Ethics and Legality

  • RULE : Hacking is covered under the U.S. Code title 18.
  • RULE : U.S. Code title 18 is the “Crimes and Criminal Procedure” title, and it has 5 parts.
  • RULE : Part 1 of U.S. Code title 18 has 123 chapters.
  • RULE : Of the 123 chapters in part 1 of the U.S. code title 18, ethical hackers are interested in chapter 47, which is the “Fraud and False Statements” chapter.
  • RULE : In the Fraud and False Statements chapter are sections numbered 1001 to 1040.  Ethical hackers are interested in sections 1029 and 1030.
  • RULE : Section 1029 is named “Fraud and related activity with access devices.”
  • RULE : Section 1029 basically states, that you will be prosecuted if you knowingly and with the intent to defraud, produce, use, or traffic in counterfeit “access devices.”
  • RULE : Access devices can obviously be hardware, but believe it or not, a software application also falls under this section.
  • RULE : Section 1030 is named “Fraud and related activity in connection with computers.”
  • RULE : Section 1030 basically states that you can smoke turd in hell if you bypass authentication and escalate your privileges.  Employees can get hit with this one if they carry out fraudulent activities.
  • RULE : Other laws that address hacking include:
    • Electronic Communication Privacy Act.
    • Computer Fraud and Abuse Act of 1984.
    • The Cyber Security Enhancement Act of 2002.
    • The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (aka USA PATRIOT).
    • The Federal Information Security Management Act (aka FISMA).
    • Federal Sentencing Guidelines of 1991.
    • Economic Espionage Act of 1996.
    • U.S. Child Pornography Prevention Act of 1996.  This is just my opinion and I haven’t read this law in its entirety but, I hope it states, in long legal words, that people guilty of this crime should be tortured and eventually killed at a C.I.A. black site out of the country where they cannot be protected from our silly ass laws.  These sick bastards should have no rights to oxygen on this planet.