How Malicious Attackers Beget Ethical Hackers?

How Malicious Attackers
Beget Ethical Hackers
You need protection from hacker shenanigans; you need (or need to become)
an ethical hacker. An ethical hacker possesses the skills, mindset, and tools of a
hacker but is also trustworthy. Ethical hackers perform the hacks as security
tests for their systems based on how a hacker or rogue insider would work.
Ethical hacking — which encompasses formal and methodical penetration
testing, white-hat hacking, and vulnerability testing — involves the same
tools, tricks, and techniques that hackers use, but with one major difference:
Ethical hacking is legal because it’s performed with the target’s permission.
Chapter 1: Introduction to Ethical Hacking 11
The intent of ethical hacking is to discover vulnerabilities from a malicious
attacker’s viewpoint so systems can be better secured. It’s part of an overall
information risk management program that allows for ongoing security
improvements. Ethical hacking can also ensure that vendors’ claims about
the security of their products are legitimate.
If you perform ethical hacking tests for clients or simply want to add another
certification to your credentials, you may want to consider becoming a
Certified Ethical Hacker, a certification program sponsored by EC-Council.
See www.eccouncil.org/CEH.htm for more information.
Understanding the Need to
Hack Your Own Systems
To catch a thief, you must think like a thief. That’s the basis for ethical hacking.
It’s absolutely critical to know your enemy. See Chapter 2 for details
about how malicious attackers work.
The law of averages works against security. With the increased number
and expanding knowledge of hackers, combined with the growing number of
system vulnerabilities and other unknowns, the time will come when all computer
systems are hacked or compromised in some way. Protecting your
systems from the bad guys — and not just the generic vulnerabilities that
everyone knows about — is absolutely critical. When you know hacker tricks,
you can find out how vulnerable your systems really are.
Hacking preys on weak security practices and undisclosed vulnerabilities.
Firewalls, encryption, and virtual private networks (VPNs) can create a false
feeling of safety. These security systems often focus on high-level vulnerabilities,
such as viruses and traffic through a firewall, without affecting how
hackers work. Attacking your own systems to discover vulnerabilities is a
big step toward making them more secure. This is the only proven method of
greatly hardening your systems from attack. If you don’t identify weaknesses,
it’s a matter of time before the vulnerabilities are exploited.
As hackers expand their knowledge, so should you. You must think like them
and work like them in order to protect your systems from them. You, as the
ethical hacker, must know the activities that hackers carry out and how to
stop their efforts. You should know what to look for and how to use that
information to thwart hackers’ efforts.
12 Part I: Building the Foundation for Ethical Hacking
You don’t have to protect your systems from everything. You can’t. The only
protection against everything is to unplug your computer systems and lock
them away so no one can touch them — not even you. That’s not the best
approach to information security and is certainly not good for business.
What’s important is to protect your systems from known vulnerabilities and
common attacks.
It’s impossible to anticipate all the possible vulnerabilities you’ll have in
your systems and business processes. You certainly can’t plan for all possible
attacks — especially the ones that are currently unknown. However, the
more combinations you try — the more you test whole systems instead of
individual units — the better your chances of discovering vulnerabilities that
affect your information systems in their entirety.
Don’t take ethical hacking too far, though. It makes little sense to harden your
systems from unlikely attacks. For instance, if you don’t have a lot of foot traffic
in your office and no internal Web server running, you may not have as
much to worry about as an Internet hosting provider would have. Your overall
goals as an ethical hacker should be as follows:
 Hack your systems in a nondestructive fashion.
 Enumerate vulnerabilities and, if necessary, prove to management that
vulnerabilities exist and can be exploited.
 Apply results to remove the vulnerabilities and better secure your
systems.