Ethical Hacking & Countermeasures Basic Theory
Description
Mind Map on Ethical Hacking & Countermeasures Basic Theory, created by David Bain on 20/05/2014.
Ethical Hacking & Countermeasures Basic Theory
Security Principles
Security is a supporting process
Security requirements come from
Valuable data
Personal / private data
Valuable resources
E-Payments
Gov. secrets
Criminal conspiracy
Information security preserves
Confidentiality
Information is not made available or disclosed to unauthorised individuals
Integrity
Safeguarding the accuracy and completeness of assets
Availability
Being accessible and usable upon demand by an authorised entity
Reliability
Trustworthiness of the data and system
Authenticity
Like integrity, confirms accuracy of who / what is accessing assets
Accountability
Know who did what and be sure of it
Systems
Application or software
Libraries
Hardware
Supply chain
Users and customers
Assets have tangible or intangible value
More definitions
Vulnerabilities: exploitable system weakness
Threat: Event with potential to cause harm or damage
Risk: The potential for a threat to exploit a vulnerability and expose assets
Elements of security
Social context
Social norms impact on people's behaviour
If policies are against social norms, people won't comply
Risk
"A threat or possibility that an action or event will affect an organisation's ability to achieve goals"
Security Measures
Risk analysis and management flow
Risks
Vulnerabilities
Threats
Assets
Identify and assess levels of risk
Values of assets
Threats to those assets
Any vulnerabilities and their severity
Outcomes of analysis
All assets identified and rated by importance
Threats identified and rated
Vulnerabilities identified and rated
Documented in risk register
Problems
Business measures in money, not actual security risk
Accuracy of the estimated likelihood of threats
Risk levels
DON'T use a financial scale for risk levels
High
Major impact on organisation
Medium
Noticeable impact
Low
Can be absorbed
Risk analysis steps
Decide on scope
Draw context diagram
Decide on boundary
Make assumptions
Identify assets
Types of asset include: Hardware, software, data, people, docs, supplies, money
Identify threats
i.e. loss of confidentiality, integrity, completeness or availability
Rank as High, Medium or Low, or on a 1-to-10 scale
Identify vulnerabilities to threats
Current system: Look at known issues and weaknesses
New System: Look at what software is to be used and what security it offers.
Further reading: ISO 27001
Chart them by attempt rate vs success rate
Risk assessment
Impact valuation vs vulnerability
Risk management & response
Adoption of security measures related to risks to the assets
Bad: withdraw from the activity, or accept it and do nothing
Good: reduce it through prevention, detection, reaction and insurance
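The risk analysis and management flow above (rate assets, threats and vulnerabilities; derive a non-financial High/Medium/Low level; record a response) can be carried through as a small risk register. The following is an added example, not part of the mind map: the score is the product of three 1-to-10 ratings, the High/Medium/Low thresholds (400 and 100) are an assumption chosen for illustration, and all register entries are constructed sample data.

```python
from dataclasses import dataclass

# Risk levels as the mind map defines them (non-financial scale).
LEVEL_MEANING = {
    "High": "major impact on organisation",
    "Medium": "noticeable impact",
    "Low": "can be absorbed",
}

# Responses the mind map classes as "good" (reduce the risk) versus "bad".
REDUCTION_RESPONSES = {"prevention", "detection", "reaction", "insurance"}
BAD_RESPONSES = {"withdraw", "accept and do nothing"}


@dataclass
class RiskEntry:
    asset: str
    asset_value: int        # 1-10: importance of the asset to the organisation
    threat: str
    likelihood: int         # 1-10: how likely the threat is to occur
    vulnerability: str
    severity: int           # 1-10: how severe the exploitable weakness is
    response: str = "undecided"


def score(entry: RiskEntry) -> int:
    """Combine the three ratings into a 1..1000 score (product of 1-10 ratings)."""
    for name, value in (("asset_value", entry.asset_value),
                        ("likelihood", entry.likelihood),
                        ("severity", entry.severity)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be rated 1-10, got {value}")
    return entry.asset_value * entry.likelihood * entry.severity


def level(entry: RiskEntry) -> str:
    """Map the score onto High/Medium/Low. Thresholds are an assumed calibration."""
    s = score(entry)
    if s >= 400:
        return "High"
    if s >= 100:
        return "Medium"
    return "Low"


def response_is_reduction(response: str) -> bool:
    """True only for the 'good' responses that actually reduce the risk."""
    return response.strip().lower() in REDUCTION_RESPONSES


def build_register(entries):
    """Documented outcome of the analysis: every entry rated and ranked by score."""
    register = []
    for e in entries:
        register.append({
            "asset": e.asset,
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "score": score(e),
            "level": level(e),
            "response": e.response,
            "reduces_risk": response_is_reduction(e.response),
        })
    register.sort(key=lambda r: r["score"], reverse=True)
    return register


# Constructed sample entries (hypothetical assets, threats and weaknesses).
SAMPLE_ENTRIES = [
    RiskEntry("customer database", 9, "data theft", 7,
              "unpatched web application", 8, "prevention"),
    RiskEntry("staff laptop", 4, "theft of device", 5,
              "no disk encryption", 6, "insurance"),
    RiskEntry("office printer", 2, "denial of service", 3,
              "default configuration", 4, "accept and do nothing"),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        flag = "" if row["reduces_risk"] else "  <- response does not reduce risk"
        print(f"{row['level']:6} {row['score']:4}  {row['asset']}: "
              f"{row['threat']} via {row['vulnerability']} -> {row['response']}{flag}")
```

Running the block prints the ranked register; the `reduces_risk` flag singles out entries whose recorded response is one the mind map classes as bad, which is the point at which the register feeds back into risk management.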
Ethics and Professionalism
Common fallacies
All info should be free
System resources are wasted
Hackers keep authorities at bay
Ethics provide rules and morals
Ethical theories
Authoritarianism: held by most people; no single authority.
Consequentialism: Greatest happiness of greatest number, got to protect minorities
Deontology: Should everyone act in a certain way? Can rule breaks be justified?
Relativism: Knowledge of cultural variation, some absolutes.
Professionals have specific problems, work affects others, new situations.
Computing ethics include the privacy of data and people, safety of systems (e.g. transport) and accountability (decision making)
Codes of conduct act as a reminder, guidance to newbies, based on a wealth of experience, allow for professional perspective.
BCS codes of conduct to protect public interest, have a duty to authorities and to the profession.
People may react negatively because the code doesn't wholly relate to them, they don't like it, or it doesn't address their particular issue
Approaching ethical issues
Identify controversial practice
Analyse ethical issue
Deliberate on ethical issue (apply theories to analyse)
Ethical hacking works in uncharted territory
Must be able to debate controversial moral issues
Basic Hacking Techniques
Insider and outsider attacks
Security is equal to the countermeasures in place
Types of hacker
White hat: authorised to test the security via agreed means
Grey hat: Claim to test security for the good of everyone
Black hat: Attempt to break security and profit from it in some form
The hacking stack (layers, with example attack techniques at each)
Social: social engineering, blackmail
Application - application software: injected PDFs & content, incorrect security function
Application - systems software: OS, routers, hardware devices via viruses
Transport: denial of service, intrusion
Physical: key loggers, bin rummage, listening equipment
Layer selection based on nature (of target), skills and time.
The process
Plan, identify targets, contacts and scope
Footprint
Occurs at more than one layer
Execute attack
Analyse and Evaluate
Hackers aim to disrupt: Privacy, Availability, Non-repudiation, Integrity, Confidentiality.
Non-Repudiation: e-commerce, sender cannot deny sending message, recipient cannot deny having the message
Privacy: not to be confused with security.
Planning pen test
Methodologies
OSSTMM
ISSAF
NIST SP 800-115
Rules of engagement
Handling reports
Diagnostics
What worked / didn't work and why
Is it accurate, complete?
How long will it take?
Media attachments
Screen_Shot_2014-05-20_at_14.36.39 (image/png)