Ethical Hacking & Countermeasures Basic Theory

Description

Mind Map on Ethical Hacking & Countermeasures Basic Theory, created by David Bain on 20/05/2014.
David Bain
Mind Map by David Bain, updated more than 1 year ago
David Bain
Created by David Bain over 10 years ago
74
4

Resource summary

Ethical Hacking & Countermeasures Basic Theory
  1. Security Principles
    1. Security is a supporting process
      1. Security requirements come fron
        1. Valuable data
          1. Personal / private data
            1. Valuable resources
              1. E-Payments
                1. Gov. Secrects
                  1. Criminal conspiracy
                  2. Info Security preserves
                    1. Confidentiality
                      1. Information is not made available or disclosed to unauthorised individuals
                      2. Integrity
                        1. Safeguarding the accuracy and completeness of assets
                        2. Availability
                          1. Being accessible and usable upon demand by an authorised entity
                          2. Reliability
                            1. Trustworthiness of the data and system
                            2. Authenticity
                              1. Like integrity, confirms accuracy of who / what is accessing assets
                              2. Accountability
                                1. Know who did what and be sure of it
                              3. Systems
                                1. Application or software
                                  1. Libraries
                                    1. Hardware
                                      1. Supply chain
                                        1. Users and customers
                                        2. Assets have tangible or intangible value
                                          1. More definitions
                                            1. Vulnerabilities: exploitable system weakness
                                              1. Threat: Event with potential to cause harm or damage
                                                1. Risk: The potential for a threat to exploit a vulnerability and open up assets
                                                2. Elements of security
                                                  1. Social context
                                                    1. Social norms impact on people's behaviour
                                                      1. If policies are against social norms, people won't comply
                                                    2. Risk
                                                      1. "A threat or possibility that an action of even will affect an organisations ability to achieve goals"
                                                        1. Security Measures

                                                          Annotations:

                                                          • Risk analysis and management flow
                                                          1. Risks
                                                            1. Vulnerabilities
                                                              1. Threats
                                                                1. Assets
                                                              2. Identify and assess levels of risk
                                                                1. Values of assets
                                                                  1. Threats to those assets
                                                                    1. Any vulnerabilities and their severity
                                                                    2. Outcomes of analysis
                                                                      1. All assets identified and rated by importance
                                                                        1. Threats identified and rated
                                                                          1. Vulnerabilities identified and rated
                                                                            1. Documented in risk register
                                                                            2. Problems
                                                                              1. Biz measures in money not actual security risk
                                                                                1. Accuracy on the likliehood of threats
                                                                                2. Risk levels
                                                                                  1. DON'T use financial scale for risk
                                                                                    1. High
                                                                                      1. Major impact on organisation
                                                                                      2. Medium
                                                                                        1. Noticeable impact
                                                                                        2. Low
                                                                                          1. Can be absorbed
                                                                                        3. Risk analysis steps
                                                                                          1. Decide on scope
                                                                                            1. Draw context diagram
                                                                                              1. Decide on boundary
                                                                                                1. Make assumptions
                                                                                                2. Identify assets
                                                                                                  1. Types of asset include: Hardware, software, data, people, docs, supplies, money
                                                                                                  2. Identify threats
                                                                                                    1. I.e. loss of confidentiality, integrity, completeness or avilability
                                                                                                      1. Rank either High, med or low / 1 out of 10.
                                                                                                    2. Identify vulnerabilities to threats
                                                                                                      1. Current system: Look at known issues and weaknesses
                                                                                                        1. New System: Look at what software is to be used and what security it offers.
                                                                                                          1. Further reading: ISO 27001
                                                                                                        2. Chart them with an attempt Vs success rate
                                                                                                        3. Risk assesment
                                                                                                          1. Impact valuation Vs vulnerability
                                                                                                        4. Risk management & response
                                                                                                          1. Adoption of security measures related to risks to the assets
                                                                                                            1. Bad: Withdraw from activity, accept it and do nothing
                                                                                                              1. Good: reduce it with prevention, detection, reaction and insurance
                                                                                                            2. Ethics and Professionalism
                                                                                                              1. Common fallacies
                                                                                                                1. All info should be free
                                                                                                                  1. System resources are wasted
                                                                                                                    1. Hackers keep authorities at bay
                                                                                                                    2. Ethics provide rules and morals
                                                                                                                      1. Ethical theories
                                                                                                                        1. Authoritarianism: held by most people, no single auth.
                                                                                                                          1. Consequentialism: Greatest happiness of greatest number, got to protect minorities
                                                                                                                            1. Deontologism: Should everyone act in a certain way, can rule breaks be justified?
                                                                                                                              1. Relativism: Knowledge of cultural variation, some absolutes.
                                                                                                                            2. Professionals have specific problems, work affects others, new situations.
                                                                                                                              1. Computing ethics include the privacy of data and people, safety of systems (i.e. transport) and accountability (decision making)
                                                                                                                                1. Codes of conduct act as a reminder, guidance to newbies, based on a wealth of experience, allow for professional perspective.
                                                                                                                                  1. BCS codes of conduct to protect public interest, have a duty to authorities and to the profession.
                                                                                                                                    1. People may react negitivly as it doesn't wholly relate to them, they don't like it or it isn't addressing their particular issue
                                                                                                                                    2. Approaching ethical issues
                                                                                                                                      1. Identify controversial practice
                                                                                                                                        1. Analyse ethical issue
                                                                                                                                          1. Deliberate on ethical issue (apply theories to analyse)
                                                                                                                                          2. Ethical hacking works in unchartered territory
                                                                                                                                            1. Must be able to debate controversial moral issues
                                                                                                                                            2. Basic Hacking Techniques
                                                                                                                                              1. Insider and outsider attacks
                                                                                                                                                1. Security is equal to the countermeasures in place
                                                                                                                                                2. Types of hacker
                                                                                                                                                  1. White hat: authorised to test the security via agreed means
                                                                                                                                                    1. Grey hat: Claim to test security for the good of everyone
                                                                                                                                                      1. Black hat: Attempt to break security and profit from it in some form
                                                                                                                                                      2. The hacking stack
                                                                                                                                                        1. Social
                                                                                                                                                          1. Application
                                                                                                                                                            1. Application software
                                                                                                                                                              1. Systems software
                                                                                                                                                                1. Transport
                                                                                                                                                                  1. Physical
                                                                                                                                                                    1. Key loggers, bin rummage, listening equipment
                                                                                                                                                                    2. Denial of service, intrusion.
                                                                                                                                                                    3. OS, routers, hardware devices via viruses
                                                                                                                                                                    4. Injected PDF's & content, incorrect security function
                                                                                                                                                                  2. Social engineering, blackmail
                                                                                                                                                                  3. Layer selection based on nature (of target), skills and time.
                                                                                                                                                                  4. The process
                                                                                                                                                                    1. Plan, identify targets, contacts and scope
                                                                                                                                                                      1. Footprint
                                                                                                                                                                        1. Occurs at more than one layer
                                                                                                                                                                        2. Execute attack
                                                                                                                                                                          1. Analyse and Evaluate
                                                                                                                                                                          2. Hackers aim to disrupt: Privacy, Availability, Non-repudiation, Integrity, Confidentiality.
                                                                                                                                                                            1. Non-Repudiation: e-commerce, sender cannot deny sending message, recipient cannot deny having the message
                                                                                                                                                                              1. Privacy: not to be confused with security.
                                                                                                                                                                              2. Planning pen test
                                                                                                                                                                                1. Methodologies
                                                                                                                                                                                  1. OSSTMM
                                                                                                                                                                                    1. ISSAF
                                                                                                                                                                                      1. NIST SP 800-115
                                                                                                                                                                                      2. Rules of engagement
                                                                                                                                                                                        1. Handling reports
                                                                                                                                                                                        2. Diagnostics
                                                                                                                                                                                          1. What worked / didn't work and why
                                                                                                                                                                                            1. Is it accurate, complete?
                                                                                                                                                                                              1. How long will it take?
                                                                                                                                                                                            Show full summary Hide full summary

                                                                                                                                                                                            Similar

                                                                                                                                                                                            Computing Hardware - CPU and Memory
                                                                                                                                                                                            ollietablet123
                                                                                                                                                                                            SFDC App Builder 2
                                                                                                                                                                                            Parker Webb-Mitchell
                                                                                                                                                                                            Data Types
                                                                                                                                                                                            Jacob Sedore
                                                                                                                                                                                            Intake7 BIM L1
                                                                                                                                                                                            Stanley Chia
                                                                                                                                                                                            CCNA Security Final Exam
                                                                                                                                                                                            Maikel Degrande
                                                                                                                                                                                            Software Processes
                                                                                                                                                                                            Nurul Aiman Abdu
                                                                                                                                                                                            Design Patterns
                                                                                                                                                                                            Erica Solum
                                                                                                                                                                                            CCNA Answers – CCNA Exam
                                                                                                                                                                                            Abdul Demir
                                                                                                                                                                                            Security Guard Training
                                                                                                                                                                                            Summit College
                                                                                                                                                                                            Abstraction
                                                                                                                                                                                            Shannon Anderson-Rush
                                                                                                                                                                                            Spyware
                                                                                                                                                                                            Sam2