skit
Tuesday, 2 April 2013
Tuesday, 20 November 2012
Hacking expert
White hat
The term
"white hat" in Internet slang refers to an ethical hacker, or a computer security expert, who
specializes in penetration testing and in other testing methodologies to ensure the security of an
organization's information systems.[1] Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing.[2] White-hat hackers are also called "sneakers",[3] red teams, or tiger teams.[4]
Contents
|
One of the first instances of an ethical hack being used was a
“security evaluation” conducted by the United States Air Force of the Multics
operating systems for "potential use as a two-level (secret/top secret)
system." Their evaluation found that while Multics was "significantly
better than other conventional systems," it also had "...
vulnerabilities in hardware security, software security, and procedural
security" that could be uncovered with "a relatively low level of
effort." The authors performed their tests under a guideline of realism,
so that their results would accurately represent the kinds of access that an
intruder could potentially achieve. They performed tests that were simple
information-gathering exercises, as well as other tests that were outright
attacks upon the system that might damage its integrity. Clearly, their
audience wanted to know both results. There are several other now unclassified
reports that describe ethical hacking activities within the U.S. military.[4] The idea to bring this tactic of ethical hacking
to assess security of systems was formulated by Dan Farmer and Wietse
Venema. With the goal of raising the overall level of security on
the Internet and intranets, they proceeded to describe how they were able to
gather enough information about their targets to have been able to compromise
security if they had chosen to do so. They provided several specific examples
of how this information could be gathered and exploited to gain control of the
target, and how such an attack could be prevented. They gathered up all the
tools that they had used during their work, packaged them in a single,
easy-to-use application, and gave it away to anyone who chose to download it.
Their program, called Security Analysis Tool for Auditing Networks, or SATAN, was met with a great amount of media attention around the world
in 1992.[4]
While penetration testing concentrates on attacking software and
computer systems from the start – scanning ports, examining known defects
and patch installations, for example – ethical hacking, which will likely
include such things, is under no such limitations. A full blown ethical hack
might include emailing staff to ask for password details, rummaging through
executive’s dustbins or even breaking and entering – all, of course, with
the knowledge and consent of the targets. To try to replicate some of the
destructive techniques a real attack might employ, ethical hackers arrange for
cloned test systems, or organize a hack late at night while systems are less
critical.[2]
Some other methods of carrying out these include:
§ Security scanners such as:
§ Frameworks such as:
Such methods identify and exploit known vulnerabilities, and attempt to evade security to gain entry into secured areas.
Struan Robertson, legal director at Pinsent Masons LLP, and editor
of OUT-LAW.com, says “Broadly speaking, if the access to a
system is authorized, the hacking is ethical and legal. If it isn’t, there’s an
offence under the Computer Misuse Act. The unauthorized access offence covers everything from guessing
the password, to accessing someone’s webmail account, to cracking the security
of a bank. The maximum penalty for unauthorized access to a computer is two
years in prison and a fine. There are higher penalties – up to 10 years in
prison – when the hacker also modifies data”, Unauthorized access even to
expose vulnerabilities for the benefit of many is not legal, says Robertson.
“There’s no defense in our hacking laws that your behavior is for the greater
good. Even if it’s what you believe.”[2]
The United States National Security Agency offers certifications such as the CNSS 4011. Such a certification
covers orderly, ethical hacking techniques and team-management. Aggressor teams
are called "red" teams. Defender teams are called "blue"
teams.[3]
Subscribe to:
Posts (Atom)