What is the ethical hacker and what is the need of ethical hacker.
An Ethical Hacker is an expert hired by a company to attempt to attack their network and computer system the same way a hacker would. Ethical Hackers use the same techniques and tactics as those used by illegal hackers to breach corporate security systems. The end result is the company's ability to prevent an intrusion before it ever occurs.
A company can't know if their security system is solid unless they test it. It's hard, though, for a company's IT team to thoroughly ring out the system. Try as they might, the techs can't go at the system with all the malicious or mischievous motives of a true illegal hacker. To thoroughly uncover vulnerabilities, the theory goes; you must examine your security system through the eyes of an illegal hacker.
The word hacking has strongly negative connotations, and, for the most part, rightly so. But ethical hacking is much different. It takes place with the explicit permission of the company whose system is being attacked. In fact, their "good guy" role is underscored by the nickname "white hat" Ethical Hackers have been given. The nickname is a throwback to old Westerns where the good cowboys could be identified by their white hats.
The company and the Ethical Hacker enter into a legally binding contract. The contract, sometimes called a "get out of jail free card," sets forth the parameters of the testing. It's called the "get out of jail free card" because it's what harbors the Ethical Hacker from prosecution. Hacking is a felony, and a serious one at that. The terms of the agreement are what transform illegal behavior into a legal and legitimate occupation.
Once the hacker has exhausted his attempts, he reports back to the company with a list of the vulnerabilities he uncovered. The list in and of itself, however, is not particularly useful. What's most valuable is the instructions for eliminating the vulnerabilities that the Ethical Hacker provides.
An Ethical Hacker works to uncover three key pieces of information. First, he determines what information an illegal hacker can gain access to. Next, he explores what an illegal hacker could do with that information once gained. Last, the Ethical Hacker ascertains whether an employee or staff member would be alerted to the break-in, successful or not.
At first it might sound strange that a company would pay someone to try to break into their system. Ethical hacking, though, makes a lot of sense, and it is a concept companies have been employing for years. To test the effectiveness and quality of product, we subject it to the worst case scenario. The safety testing performed by car manufacturers is a good example. Current regulatory requirements including HIPAA, Sarbanes Oxley, and SB-1386 and BS 799 require a trusted third party to check that systems are secure.
In order to get the most out of the assessment, a company should decide in advance the nature of the vulnerabilities they're most concerned with. Specifically, the company should determine which information they want to keep protected and what they're concerned would happen if the information was retrieved by an illegal hacker.
Companies should thoroughly assess the qualifications and background of any Ethical Hacker they are considering hiring. This individual will be privy to highly sensitive information. Total honesty and integrity is of the utmost importance.
Friday, February 26, 2010
Sunday, February 14, 2010
Ethical Hacking
What is Ethical Hacking?
Art and Science of determining vulnerabilities within the existing network architecture. The idea of Ethical hacking is to put yourself in the shoes of the hacker and access and monitor the flaws in your own network. It is used to determine the security flaws in the network before the hacker does by using similar tools and techniques as the hacker. If we go by what history has to tell us, Hackers have always been many steps ahead of network security professionals therefore it definitely makes a lot of sense to be prepared.
Types of Ethical Hacking
White Box: Full knowledge of the system. What this means is that you have full information about the system. i.e. you know what IP the database server is running on and what version of the operating system is running on that box etc. This makes it easy for you to learn about the various details and then fingerprint that very system.
Black Box: You have NO knowledge of the system infrastructure. As a Ethical hacker, this should be the one that can help you see things from a hacker’s perspective as you like the hacker doesnt have any initial knowledge about the system)
Vulnerability Assessment:Usually done by using an automated script. The only negative is that your testing will be as good as your tool. The positive is pretty clear, you run an automated script which covers certain things and you are all set for those covered topics.
Penetration Testing: Comprehensive review of vulnerabilities, how to exploit those vulnerabilities and understanding how networks react to them.
Art and Science of determining vulnerabilities within the existing network architecture. The idea of Ethical hacking is to put yourself in the shoes of the hacker and access and monitor the flaws in your own network. It is used to determine the security flaws in the network before the hacker does by using similar tools and techniques as the hacker. If we go by what history has to tell us, Hackers have always been many steps ahead of network security professionals therefore it definitely makes a lot of sense to be prepared.
Types of Ethical Hacking
White Box: Full knowledge of the system. What this means is that you have full information about the system. i.e. you know what IP the database server is running on and what version of the operating system is running on that box etc. This makes it easy for you to learn about the various details and then fingerprint that very system.
Black Box: You have NO knowledge of the system infrastructure. As a Ethical hacker, this should be the one that can help you see things from a hacker’s perspective as you like the hacker doesnt have any initial knowledge about the system)
Vulnerability Assessment:Usually done by using an automated script. The only negative is that your testing will be as good as your tool. The positive is pretty clear, you run an automated script which covers certain things and you are all set for those covered topics.
Penetration Testing: Comprehensive review of vulnerabilities, how to exploit those vulnerabilities and understanding how networks react to them.
Subscribe to:
Posts (Atom)