Ethical Hacking
From Computing and Software Wiki
m (Added a period to image caption.) |
(Added text for section 1.) |
||
| Line 1: | Line 1: | ||
[[Image:Whitehat.png|thumb|Ethical Hackers are often referred to as Whitehat Hackers or Whitehats.]] | [[Image:Whitehat.png|thumb|Ethical Hackers are often referred to as Whitehat Hackers or Whitehats.]] | ||
| - | '''Ethical Hacking''', also known as ''penetration testing'', ''intrusion testing'', or '' | + | '''Ethical Hacking''', also known as ''penetration testing'', ''intrusion testing'', or ''red teaming'', is the controversial act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers. |
An '''Ethical Hacker''', also known as a ''whitehat hacker'', or simply a ''whitehat'', is a security professional who applies their hacking skills for defensive purposes on behalf of the owners of information systems. Nowadays, certified ethical hackers are among the most sought after information security employees in large organizations such as Wipro, Infosys, IBM, Airtel and Reliance among others. | An '''Ethical Hacker''', also known as a ''whitehat hacker'', or simply a ''whitehat'', is a security professional who applies their hacking skills for defensive purposes on behalf of the owners of information systems. Nowadays, certified ethical hackers are among the most sought after information security employees in large organizations such as Wipro, Infosys, IBM, Airtel and Reliance among others. | ||
| Line 8: | Line 8: | ||
=== Definition === | === Definition === | ||
| + | Ethical hacking refers to the act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers. Ethical hacking is also known as ''penetration testing'', ''intrusion testing'', or ''red teaming''. An ethical hacker is a security professional who applies their hacking skills for defensive purposes on behalf of the owners of information systems. By conducting penetration tests, an ethical hacker looks to answer the following four basic questions: | ||
| + | #What information/locations/systems can an attacker gain access? | ||
| + | #What can an attacker see on the target? | ||
| + | #What can an attacker do with available information? | ||
| + | #Does anyone at the target system notice the attempts? | ||
| + | An ethical hacker operates with the knowledge and permission of the organization for which they are trying to defend. In some cases, the organization will neglect to inform their information security team of the activities that will be carried out by an ethical hacker in an attempt to test the effectiveness of the information security team. This is referred to as a ''double-blind environment''. In order to operate effectively and legally, an ethical hacker must be informed of the assets that should be protected, potential threat sources, and the extent to which the organization will support an ethical hacker's efforts. | ||
=== Ethical Hacking History === | === Ethical Hacking History === | ||
| + | Since the 1980's, the Internet has vastly grown in popularity and computer security has become a major concern for businesses and governments. Organizations would like to use the Internet to their advantage by utilizing the Internet as a medium for e-commerce, advertising, information distribution and access, as well as other endeavors. However, they remain worried that they may be hacked which could lead to a loss of control of private and personal information regarding the organization, its employees, and its clients. | ||
| + | In a search for ways to reduce the fear and worry of being hacked, organizations have come to the realization that an effective way to evaluate security threats is to have independent security exerts attempt to hack into their computer systems. In the case of computer security, these ''tiger teams'' or ''ethical hackers'' would use the same tools and techniques as an attacker, but rather than damage the system or steal information, they would evaluate the system security and report the vulnerabilities they found and provide instructions for how to remedy them. | ||
| - | + | From the early days of computers, ethical hacking has been used as an evaluation of system security. Many early ethical hacks were conducted by the United States Military to cary out security evaluations on their operating systems to determine whether they should employ a two-level (secret/top secret) classification system. However, with the growth of computing and networking in the early 1990's, computer and network vulnerability studies began to appear outside of the military organization. In December of 1993, two computer security researchers, Dan Farmer from Elemental Security and Wietse Venema from IBM, suggested that the techniques used by hackers can be used to asses the security of an information system. They wrote a report that was shared publicly on the Internet which described how they were able to gather enough information to compromise security and they provided several examples of how this information could be gathered and exploited to gain control of a system, and how such an attack could be prevented. | |
| + | Farmer and Venema realized that the testing that they had performed was complex and time-consuming, so they packaged all of the tools that they had used during their work and developed an easy-to-use application free for download. Their program, called Security Analysis Tool for Auditing Networks, or SATAN, received a great amount of media attention due to its capabilities and implications. The SATAN tool provided auditing capability as well as capabilities to provide advice regarding how the user may be able to correct the problems that were discovered. | ||
| + | == The Ethical Hacking Process == | ||
=== Planning === | === Planning === | ||
Revision as of 20:11, 6 April 2009
Ethical Hacking, also known as penetration testing, intrusion testing, or red teaming, is the controversial act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers.
An Ethical Hacker, also known as a whitehat hacker, or simply a whitehat, is a security professional who applies their hacking skills for defensive purposes on behalf of the owners of information systems. Nowadays, certified ethical hackers are among the most sought after information security employees in large organizations such as Wipro, Infosys, IBM, Airtel and Reliance among others.
Contents |
What is Ethical Hacking?
Definition
Ethical hacking refers to the act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers. Ethical hacking is also known as penetration testing, intrusion testing, or red teaming. An ethical hacker is a security professional who applies their hacking skills for defensive purposes on behalf of the owners of information systems. By conducting penetration tests, an ethical hacker looks to answer the following four basic questions:
- What information/locations/systems can an attacker gain access?
- What can an attacker see on the target?
- What can an attacker do with available information?
- Does anyone at the target system notice the attempts?
An ethical hacker operates with the knowledge and permission of the organization for which they are trying to defend. In some cases, the organization will neglect to inform their information security team of the activities that will be carried out by an ethical hacker in an attempt to test the effectiveness of the information security team. This is referred to as a double-blind environment. In order to operate effectively and legally, an ethical hacker must be informed of the assets that should be protected, potential threat sources, and the extent to which the organization will support an ethical hacker's efforts.
Ethical Hacking History
Since the 1980's, the Internet has vastly grown in popularity and computer security has become a major concern for businesses and governments. Organizations would like to use the Internet to their advantage by utilizing the Internet as a medium for e-commerce, advertising, information distribution and access, as well as other endeavors. However, they remain worried that they may be hacked which could lead to a loss of control of private and personal information regarding the organization, its employees, and its clients.
In a search for ways to reduce the fear and worry of being hacked, organizations have come to the realization that an effective way to evaluate security threats is to have independent security exerts attempt to hack into their computer systems. In the case of computer security, these tiger teams or ethical hackers would use the same tools and techniques as an attacker, but rather than damage the system or steal information, they would evaluate the system security and report the vulnerabilities they found and provide instructions for how to remedy them.
From the early days of computers, ethical hacking has been used as an evaluation of system security. Many early ethical hacks were conducted by the United States Military to cary out security evaluations on their operating systems to determine whether they should employ a two-level (secret/top secret) classification system. However, with the growth of computing and networking in the early 1990's, computer and network vulnerability studies began to appear outside of the military organization. In December of 1993, two computer security researchers, Dan Farmer from Elemental Security and Wietse Venema from IBM, suggested that the techniques used by hackers can be used to asses the security of an information system. They wrote a report that was shared publicly on the Internet which described how they were able to gather enough information to compromise security and they provided several examples of how this information could be gathered and exploited to gain control of a system, and how such an attack could be prevented.
Farmer and Venema realized that the testing that they had performed was complex and time-consuming, so they packaged all of the tools that they had used during their work and developed an easy-to-use application free for download. Their program, called Security Analysis Tool for Auditing Networks, or SATAN, received a great amount of media attention due to its capabilities and implications. The SATAN tool provided auditing capability as well as capabilities to provide advice regarding how the user may be able to correct the problems that were discovered.
