Ethical Hacking - Research Paper Example

Ethical Hacking 1. Threats There have been many cyber attacks in the past that have weighed heavily on the shoulders of the victims. Three of the many examples are described here. Black Hat Crackers worked to take advantage of computer systems, and Jonathan James has been a big name among black hat crackers. He was sentenced at the age of sixteen and told the press that all he did was for fun. One instance of his great hacking is installing a backdoor into a Defense Threat Reduction Agency server and hacking sensitive information and employees’ data. In June 2005, the computer specialist, Michael Haephrati and his wife Ruth, who belonged to London, were caught sending Trojan horse softwares to criminal parties. Due to this, the US Computer Emergency Readiness Team announced that criminals were sending email attachments with Trojan horses to anonymous people to get access to their computer systems. According to PR Log (2009), a Press Release, twenty fake identity factories had been sealed which were being operated by criminals who produced cloned driving licenses and utility bills. The Metropolitan Police was able to track down these factories in an Operation, arrested the criminals and closed the factories. If such criminals keep on getting caught, then this would be a good lesson for those who think of crossing the ethical boundaries in interacting with social media and in carrying out e-marketing. 2. Tools Black hat crackers gain access to a computer system with malicious attacks. They destroy files or steal the sensitive information and disclose it to other hackers or to the public without the victim ever knowing it. Dumpster Diving is a tool used by black hat hackers/crackers in which they gain access to the trash and recycle bins to get files that the users have deleted from their system. Then they use these files to gain access to their network. “Dumpster diving is looking for treasure in someone else's trash” (SearchSecurity.com, 2002). The main targets are the usernames and passwords. Large corporations throw away in real dumpsters as well as computers’ recycle bins sticky notes with invoices, emails, phone numbers, passwords and other sensitive information, and no one expects anyone to peep into this trash. Dumpster divers consider this trash as their real treasure. Dumpster diving has been in use since the advent of computers and works on all sophisticated operating systems. The key is never to throw in trash important information like social security numbers into trash bins. Emptying recycle bins regularly is also very necessary. 3. Networks Network security threats include malware, anti-DNS pinning, banner grabbing, backjacking, hacking, land attack, blue boxing, domain hijacking, identity theft, fraud, backdoor, DoS (Denial of Service) attacks, data flood, malicious code, document grinding, and enumeration. Anderson (2008), who works with NTI (New Technologies, Inc.) writes about an identity theft case: NTI was involved in a case where an individual assumed the identity of a past employee that had been discharged by a business. That identity was used, over the Internet, to terrorize a female Human Resources Manager who had fired the individual. After several weeks of investigation we discovered that the communications were fabricated by a peer worker within the corporation. In a network, those computers must be physically secured that hold sensitive information and network passwords on them. These may be kept in a separate room that is physically secured away from public. All sensitive servers and networks should be secured from the enemy by means of firewalls, code encryption and decryption (cryptography) and intrusion detection system because if the server has been physically accessed, then it is very easy to reboot it and gain access to its hard drives. Without an access control system, the information will be totally naked to everybody. Access control ranges from locking the door to locking the whole network from unauthorized or unauthenticated access. Firewalls should be configured to prevent links between public servers and the database components that store the cardholder’s information. The system must be secured through strong passwords that are not vendor-supplied. 4. SQL or Web An SQL injection is an attack that occurs when the hackers take advantage of such user input that is not validated by the system and which is vulnerable enough to pass malicious SQL commands through Web which causes a corrupt execution of the backend database. PC World Magazines report that many IP addresses from China have been attacking Microsoft websites through SQL injections and SQL server (Burleson, 2008). The attack used malware that corrupted users’ browsers whenever they visited Microsoft websites. Such SQL injections can be prevented by telling the developers to stop creating dynamic databases to prevent such user inputs or malicious SQL queries that hinder with the logic of the query in execution. SQL injection prevention can be made very simple if parameterized queries and stored procedures are used and user supplied input is escaped. 5. Wireless Wireless networking has gained immediate popularity in the last few years. To maintain security of wireless networks, such as smart phones and iPADs, is a bit difficult as compared to wired networks. The reason for this is that it is easier to interrupt the radio waves used by wireless networks to propagate information or signals than those pulses that are being propagated through cables and wires. However, WEP (wireless equivalent privacy) is a privacy protocol or a security system based on IEEE 802.11 which provides protection against intrusion to the WLANs. Still, WEP has been found to have discrepancies, such as, the size of WEP’s initialization vector (IV) is said to be very small along with non-specified key management. These weaknesses make many big businesses stuck to the good old wired networks until the security is made guaranteed. 6. Physical Security Physical security is generally defined as the measures taken to ensure the security of workforce, system devices and equipment, resources, documents and sensitive information stored on physical media (like hardware programs and networks) from damaging proceedings like unauthorized access, fire, espionage, burglary, theft, vandalism, accidental loss or intentional crime that could cause severe harm to an activity, organization or establishment. In addition to this, physical security also provides assistance on scheming of such structures which help in deterring hostile operations. In terms of computers and internet, physical security is defined as a blockade placed about a computing system using secured operating systems and other protective measures to prevent unauthorized access to the information stored on it. The first and foremost thing is that the system which contains sensitive and crucial information should be kept away from public place. Use the ‘lock everything’ approach. Physical security may start from as little a thing as locking the doors and windows and using security systems like burglar alarms and security cameras with automatic log footage, and end at as complex a method as securing the whole network. One must look for devices that lock the computer cases to desks and lock the disk drives and the CPU as well. There are alarms and case locks that prevent a foreign keyboard, mouse or any other electronic component to get attached to the system. Furthermore, the system must be password protected. If there is an external device attached to the system like a webcam, a microphone, a card reader, or a Bluetooth device, then it would be wise to remove them from the system during off-hours. It is important to ensure that the room or building where the network is being secured has properly locked door, windows, ceilings and gates with guards properly manned reception desks. Many organizations use card key system or human security to eliminate the risk of unauthorized access. With the help of this card key system, each employee accessing the network can be recognized separately. References Anderson, M.R. (2008). Identity theft in financial crime cases. Identity Theft: Computer Forensics to the Rescue. Retrieved September 22, 2010, from http://www.forensics-intl.com/art18.html Burleson, D. (2008). Massive SQL Injection Attacks hit Thousands. Retrieved September 22, 2011, from http://www.dba-oracle.com/oracle_news/news_sql_server_injection_attacks.htm PR Log. (2009, October 15). Fake ID Factories Raided, [Press release]. Bedfordshire: PRLog.Org. SearchSecurity.com. (2002). Dumpster Diving. Retrieved September 22, 2011, from http://searchsecurity.techtarget.com/definition/dumpster-diving Read More