Which of the following is often one of the most overlooked areas of security: operational, technical, Internet, or physical? What is the name for a person who follows an employee through a locked door without their own badge or key: tailgater, follower, visitor, or guest? Which application will help identify whether a website is vulnerable to SQL injection attacks: BlackWidow, Metasploit, Scrawlr, or SQL Block? What is the easiest method to get a password: brute-force cracking, guessing, dictionary attack, or hybrid attack?
For answers to these and more questions, check ‘CEH: Certified Ethical Hacker Study Guide’ by Kimberly Graves (www.wileyindia.com). An ‘ethical hacker’, she defines, is an individual who is usually employed by the organisation and who can be trusted to attempt to penetrate its networks and/or computer systems using the same methods as a hacker. “Hacking is a felony in the US and most other countries. When it is done by request and under a contract between an ethical hacker and an organisation, it is legal.”
Hackers and crackers
The realm of hackers and how they operate is generally unknown to most computer and security professionals, because hackers use specialised computer software tools to gain access to information. By learning the same skills and employing similar tools, you can defend your computer networks and systems against malicious attacks, the author assures.
She distinguishes a ‘cracker’ as a malicious hacker (or ‘black hat’) who uses hacking skills and tools for destructive or offensive purposes, such as disseminating viruses or performing denial-of-service (DoS) attacks to compromise or bring down systems and networks. “No longer just looking for fun, these hackers are sometimes paid to damage corporate reputations or steal or reveal credit card information, while slowing business processes and compromising the integrity of the organisation.”
Who can be an ethical hacker?
Ethical hackers who stay a step ahead of malicious hackers must be computer systems experts who are very knowledgeable about computer programming, networking, and operating systems, stipulates Graves. In-depth knowledge about highly targeted platforms such as Windows, Unix, and Linux is also a requirement, she adds.
“Patience, persistence, and immense perseverance are important qualities for ethical hackers because of the length of time and level of concentration required for most attacks to pay off. Networking, web programming, and database skills are all useful in performing ethical hacking and vulnerability testing.”
A chapter on ‘information gathering’ introduces readers to ‘footprinting,’ defined as the process of creating a blueprint or map of an organisation’s network and systems. Footprinting begins by determining the target system, application, or physical location of the target; and once this information is known, specific information about the organisation is gathered using non-intrusive methods, the author explains.
“For example, the organisation’s own web page may provide a personnel directory or a list of employee bios, which may prove useful if the hacker needs to use a social-engineering attack to reach the objective.” Quite eerily, one learns that a hacker may spend ‘90 per cent of the time profiling and gathering information on a target and 10 per cent of the time launching the attack.’
A compulsory addition to the IT security professional’s shelf.