The digital revolution has transformed the way we go about our daily lives. The freedom to do countless activities online, such as shopping or socializing, has become an integral part of what we now want and expect. The promise of the digital revolution is the freedom for users to do more and enjoy more in every aspect of their daily lives, at work, at home or on the go.
However, the evolution of these technologies has focused (and in many cases still focuses) on ease of use. Since the first development of the Internet protocols, security solutions have been developed as add-ons to existing, inherently insecure standards. Many cases of this exist, with the TCP/IP protocol suite being the primary example. This has made it easier for criminals and malicious users to exploit existing systems.
Additionally, the decreasing level of skill required to launch attacks has made it easier for less technically gifted malicious users to perform these activities successfully. Training on networking and system hacking is freely available online. Many books are being written on the subject. Powerful and easy-to-use hacking tools can easily be obtained.
Because of this, the need for cybersecurity professionals has increased continuously. Information security has to be applied to every system connected to the Internet. The extent to which a system needs to be secured varies according to the value of the information we are trying to protect.
This module attempts to introduce students to the world of cybersecurity. In particular, the module focuses on teaching basic principles of Penetration Testing. To achieve this, it begins by explaining in brief and simple terms a common methodology used to perform ethical hacking against target systems. Subsequently, each phase of the methodology is described in depth, with practical examples. Then, it continues by exploring different types of defenses that can be applied against cyber-attacks. Additionally, several other topics are covered such as legal & ethical issues related to cyber security, social engineering, and more.
Principles of Penetration Testing
The Hacking Myth
Many people have the idea of hackers as people with extraordinary skills that enable them to break into computer systems to find valuable and sensitive information. The term hacker invokes images of a computer geek who types a few commands and makes a computer return interesting, sensitive and confidential information. Despite the myth, hackers do not need to be computer geniuses. A good hacker needs to understand how computer systems and networks work, be persistent, and have access to a handful of tools and techniques that exploit common vulnerabilities in the security of target systems [1].
What is a Hacker?
Originally, the term hacker referred to a person who was intellectually curious and enjoyed understanding the inner workings of systems. However, in modern days the term has taken on a mostly negative meaning.
The term hacker is now used to describe individuals who use their capabilities to attack computer systems with malicious intent and without permission. Hacking is defined as the unauthorised use of computer resources.
Ethical hackers
An ethical hacker is a security professional who applies her/his hacking skills to perform security tests and attacks to determine vulnerabilities in a system or network. Ethical hacking is often performed as part of continuous security assessments with the aim of exposing vulnerabilities to achieve a robust and secure computer infrastructure.
Ethical hackers have the necessary hands-on security skills and a practical understanding of a malicious hacker's intentions, methods and techniques. This, together with a detailed understanding of corrective measures, allows a security assessment to be conducted effectively. An ethical hacker is differentiated from an attacker only by her/his intent and lack of malice.
Generally, an ethical hacker seeks answers to three basic questions:
What can an attacker/intruder see on the target system?
What can an attacker/intruder do with that information?
What are the signs of an attacker's attempts or successes?
Terminology in this area is quite varied, but it is important to have an understanding of the main terms. Hackers can often be divided into three general classes:
Black hat - criminal hackers who use their skills for illegal or malicious intent.
White hat - ethical hackers who use their hacking abilities to explore and increase security of information systems and defend them from malicious attacks.
Grey hat - hackers who may release information about security holes to the public without regard for the consequences.
Penetration Testing or Ethical Hacking?
Penetration testing and Ethical Hacking are often used interchangeably. However, according to [2], the two terms have one distinct difference. Penetration testing is a formal process used to identify vulnerabilities in a system or network.
Ethical Hacking on the other hand, is an all-embracing term that includes all hacking methods, and other related cyber-attack methods.
Ethical hacking has a wider scope. Penetration testing is a more narrowly focused phase.
Both have the same overall objective, i.e. assessing the security posture of a system in order to reveal vulnerabilities.
For this module we will mainly use the term penetration testing, to describe a formal procedure used to assess the security of a system.
Penetration Testing Methodology
Penetration testing follows a fixed methodology. This can be broadly divided into four main phases, which include pre-attack and attack phases. These are: Reconnaissance, Scanning, Exploitation and Maintaining Access. This methodology is often referred to as the Zero-Entry Hacking Methodology (Figure 2). An extensive explanation of each phase will be given in the next chapters. A brief summary is given below.
Reconnaissance
Reconnaissance is the preparatory phase of passively (without directly interacting with the target) and actively (interacting with the target directly by any means) gathering information on the target of evaluation.
Investigate the target using publicly available information
It discovers details such as: individual hosts, IP addresses, IP address ranges, naming conventions, hidden servers or networks, and services on the network.
Generally, 90% of the time taken to implement an attack is taken in gathering information.
Scanning
Scanning is a pre-attack phase which focuses on using the information discovered during reconnaissance to examine the network.
Scanning refers to the activity of identifying live hosts, their open ports, running services & vulnerabilities.
Hackers are seeking any information that can help them perpetrate an attack.
Exploitation
Exploitation is often focused on gaining access to a system. This is where the real hack takes place. Vulnerabilities discovered during the reconnaissance and scanning phase are now exploited to gain access. Examples of attacks include stack-based buffer overflows, SQL injection and session hijacking.
Maintaining Access
Once an attacker has gained access, the aim is to maintain that access for future exploitation and attacks. Sometimes hackers harden systems and secure future access by installing malware, often a backdoor or rootkit. To ensure the success of this phase, an attacker would also clear all tracks left during the attack.
Types of Penetration Testing
There are two main types of penetration testing:
External – tests and analyses publicly available information, conducts network scanning and enumeration, and runs exploits from outside the network perimeter, usually via the Internet.
Internal – assessment performed on the network from within the company, with the tester acting either as an employee with some access to the network or as a black hat with no knowledge of the environment.
Additionally, penetration tests tend to be differentiated according to the different types of attacks they simulate. Each type simulates an attacker with different levels of knowledge about the target of evaluation:
Blackbox testing simulates an attack by a malicious outside hacker – a type of penetration testing in which the tester has no information or assistance from the client.
Whitebox testing takes the premise that the security tester has complete knowledge of the network infrastructure.
Graybox testing assumes a partial knowledge of the system relevant to a specific type of attack by an internal attacker.
Legal Issues and Formal Documentation
Ethical Hacking should always be completed within the boundaries of a legal contract.
Sometimes a security assessment of this type could result in the loss of services and disruption, but more importantly can lead to legal implications.
It is therefore essential for an ethical hacker to have an understanding of the law. An ethical hacker must operate with the permission and knowledge of the organisation that they are trying to defend. Therefore, before an assessment can take place, an agreement must state the terms of engagement under which the security practitioner can interact with the network. It can specify the desired code of conduct, the procedures to be followed, and the nature of interaction between the testers and the network.
From the point of view of an ethical hacker it is also essential to have a formal approval.
As an ethical hacker performing a penetration test it is vital to get a signed agreement with the client in the form of a document outlining:
scope of work - to identify what is to be tested
nondisclosure agreement - confidential information
liability release - releasing the ethical hacker from any actions or disruption caused by the assessment
These provide the boundaries within which the ethical hacker should work to avoid potential problems with the customer, and protect her/him from potential damages caused to the company infrastructure.
Determining the specific scope of the penetration assessment is essential to decide if the test is a targeted test (what is to be tested and what is not) or a comprehensive assessment (uncovering as many vulnerabilities as possible). A targeted test aims to identify vulnerabilities in specific systems and practices. On the other hand, a comprehensive assessment is a coordinated effort by the ethical hacker to uncover as many vulnerabilities as possible throughout the network.
Either way, it is always important to maintain a log of all the activities undertaken, the subsequent results, or a note of the absence of results. The ethical hacker should also ensure that all work is time-stamped and communicated to the concerned person within the organisation.
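The scope of work and the time-stamped activity log described above can be enforced in the tester's own tooling. The following is an added example, not code from the module: it assumes a hypothetical scope of work expressed as in-scope ranges plus client-excluded hosts (constructed values), refuses any activity against a target outside that scope, and records every activity, result, or refusal with a UTC timestamp.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed scope of work (hypothetical values, not from the module).
IN_SCOPE = ["192.0.2.0/24", "198.51.100.10"]
EXCLUDED = ["192.0.2.250"]  # e.g. a production host the client carved out of scope


def in_scope(target: str, allowed=IN_SCOPE, excluded=EXCLUDED) -> bool:
    """True only if target lies inside an agreed range and outside every exclusion."""
    addr = ipaddress.ip_address(target)
    if any(addr in ipaddress.ip_network(e, strict=False) for e in excluded):
        return False
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)


class EngagementLog:
    """Time-stamped record of each activity, its result, or the absence of a result."""

    def __init__(self):
        self.entries = []

    def record(self, target: str, activity: str, result=None) -> bool:
        allowed = in_scope(target)
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "target": target,
            "activity": activity,
            "allowed": allowed,
            "result": result if result is not None else "no result",
        })
        return allowed


def run_activity(log: EngagementLog, target: str, activity: str, action):
    """Gate an activity on the scope check; log either way so refusals are on record."""
    if not in_scope(target):
        log.record(target, activity, "refused: out of scope")
        return None
    result = action()
    log.record(target, activity, result)
    return result
```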
Penetration Testing Deliverables
The main deliverable of a penetration test is a report detailing the incidents that occurred during testing and the activities undertaken.
The final report should contain:
Executive summary summarizing the objectives and findings.
The areas covered such as objectives, observations, activities undertaken, and incidents reported.
List, analysis, explanation & conclusion of findings, in order of highest risk.
Summary of recommended corrective measures.
Supporting evidence - log files from tools
Positive findings or good security implementations