Ethical Hacking - Assignment Example

Summary
This assignment "Ethical Hacking" focuses on Legal Issues in the existing system of processing and storing information, additional considerations with respect to centralization and how the vulnerability profile for the organization might change under the centralization. …

Extract of sample "Ethical Hacking"

Answer 1

a. Legal issues in the existing system of processing and storing information

There are certain legal issues that arise with the existing system of processing and storing information at Clangers Holdings LLC, such as security concerns. There are legal considerations that restrain a tester, such as being limited by the scope to test only some systems within the organisation (CPNI 2006, p. 3). A malicious attacker may also launch an attack on customers, business partners, or service providers. Legal issues arise because the penetration tester's focus is similar to that of a hacker; however, his motivation is to improve the network security of an organisation. Several professional and certification bodies require penetration testers to take informed decisions driven by the nature of the situation. The UK government has established a body called CHECK that assists organisations in selecting providers (CPNI 2006, p. 21). Clangers Holdings has been found to possess out-of-date software on its computers. This software is prone to security risks because support for it ceased on April 8, 2014 (Stamper 2014, p. 2). Windows XP and Windows 8 have become soft targets because they do not receive security patches from Microsoft. These pose a serious threat to the Company's information.

Additional considerations in respect of centralisation

Although centralising operations offers great benefits, such as safe and effective sharing of resources, it brings numerous security threats to the organisation's data and information. Most of the Company's information will require a certain level of user authentication; therefore, the Company should determine the most appropriate level of authentication and encryption.

b. How the vulnerability profile for the organisation might change under centralisation

The vulnerability of the information increases with centralisation of the Company's operations. There are additional legal and technical issues that will arise with centralisation, such as trademark infringement, increased security concerns, and sharing of proprietary data resources. Though centralisation will offer many technical benefits, it makes the company's information vulnerable to threats because the system will be hosted on the web. It has been observed that the network on which a penetration test is being run can suffer serious consequences if its vulnerability is high. CPNI (2006, p. 18) suggests that a proper backup should be taken prior to testing. The vulnerability in Clangers' network is high, and penetration testing can cause damage, including congestion and system crashes. It can also open the way to unauthorised intrusion.

Answer 2

a. Consistent investigation

The test methods should be as realistic as possible. A penetration test will be appropriate and will involve penetrating Clangers Holdings PLC's computer system from 'outside' in order to detect vulnerabilities. Given the poor performance, especially in France, there is a possibility of vulnerabilities being exploited by unauthorised third parties. Penetration testing will reveal the level of threat to the security of the Company's IT systems, and also establish whether the security measures in place are able to ensure IT security. There are a number of freeware tools and vulnerability scanners which offer a convenient way of identifying susceptibilities in the system and establishing the risks involved. The main aim in penetration testing is not to access the company's data but to check whether such data could be accessed. In order to achieve results in penetration testing and ensure that the client's expectations have been met, it is essential to have clearly defined goals. Client goals that can be attained by penetration testing include improving the security of technical systems, improving the security of personnel and organisational infrastructure, and identification of vulnerabilities.

Penetration test criteria:
  1. Information base: black-box; white-box
  2. Aggressiveness: passive/scanning; cautious; calculated; aggressive
  3. Scope: full; limited; focused
  4. Approach: covert/stealthy; overt/noisy
  5. Technique: network-based; other communication; physical access; social engineering
  6. Starting point: outside; inside
Figure 1. Classification of penetration tests

The above penetration test classification has been developed and proves ideal in directing a test that will meet the client's goals. This test will employ black-box testing because it offers a wide information base to the tester without any insider knowledge.

b. Legal implications after obtaining access to private information

There is no law requiring a company to commission security testing of its system. However, there are binding legal provisions relating to the treatment of personal and organisational data, the organisation of an internal control system, and the secure handling of data relevant to tax and commercial law. Organisations are required to understand that penetration testing in most cases entails breaking the law. However, the tester is bound to maintain and treat the data or information obtained as confidential. The tester has the obligation of protecting his client's secrets and should not disclose highly sensitive information on vulnerabilities in the client's network to third parties (CPNI 2006, p. 18). The tester is bound to observe secrecy in respect of information obtained from the client. Secondly, the tester should document all the testing procedures and results in the contract.

c. Strategies to suggest to Mrs Soup-Dragon to reduce the possibility of access to private data

Securing and operating an organisation's systems is becoming a challenging and demanding task. The aim of 'crackers', who in this case are assumed to be the former employees, is to gain access to data in private networks or maliciously disrupt data processing. The processing, which will be carried out through SQL web-based services, and authentication should come in as the first step towards protecting data from unauthorised users. The second strategy is to test the most important parts of the system first: routers, web servers, email servers, and firewalls. Thirdly, security testing should be integrated into the risk management process, because testing can uncover hidden misconfigurations and other vulnerabilities. There are several methods that a tester can employ to gather information. One of the most suitable is to conduct a network survey. SANS (2002, p. 4) suggests Nmap as an ideal tool for network testing; Nmap runs on Linux. After conducting a network survey, the tester should conduct port scanning on the systems and network. A suggestion to Mrs Soup-Dragon, in order to ensure that the tester does not gain access to private data, is to identify the IP addresses of the areas holding private information and data.

Answer 3

a. Cause of performance problems

The cause of the negative performance issues might be trademark infringement due to the migration of staff to the competitor company, Chicken SARL. Some confidential business information may have been leaked by the migrating staff and used by the competitor to capture some of the customers of Clangers Holdings PLC. The performance of the competitor company can be linked to the staff it has taken from Clangers Holdings PLC. Crackers (former employees) possessing privileged information about the company may be using their knowledge of the internal affairs of their former company to benefit their current employer. They pose this danger because they are familiar with the organisational and technical infrastructure of the company. They may also have exposed Clangers Holdings PLC's existing vulnerabilities to the competitor, especially concerning old and out-of-date computers.

b. Mitigation of the problem

Data security comprises three properties, namely integrity, availability, and confidentiality. It appears that there is a lack of confidentiality in Clangers Holdings, arising from the Company's data being leaked to competitors by former employees. Lack of confidentiality may be the main cause of the loss of employees and customers. Former employees may be stealing information from the company, among other issues such as lack of privacy and copyright infringement. A high level of defence needs to be put in place. The first level of defence that the Company needs to consider is the use of passwords, encryption, and firewall technology. The proposed encryption of data is ideal for Clangers Holdings because it will render data unreadable by the former employees who may have been accessing the Company's information. There are certain vulnerabilities that may be present in Clangers' system. At this point, the tester can use the tools available to automate vulnerability detection, such as Nessus (SANS 2002, p. 6). This tool produces a list of the vulnerabilities that exist in a given network as well as the mitigation steps. The tester can also employ social engineering; however, he has to establish whether the organisation approves of such a method. Social engineering helps the tester to get past the company's physical security.

c. Making use of these problems as part of investigations

The tester can establish in various ways whether some of the Company's information has been leaked to competitor companies. The tester can base his investigations on the problems being witnessed in France, and can make it a key requirement to test the system infrastructure in order to establish whether these 'out-of-date' systems are the cause of the problems being reported. One of the critical aspects of security testing relies on probing security risk. Using these problems as part of the investigation may involve two distinct approaches: testing security mechanisms and whether they are implemented properly, and performing risk-based security testing based on the attacker's approach.

Answer 4

a. Security issues arising from the use of old computers

Windows XP has no support from its developer, while Windows 8 is considered to be slow. In 2013, Microsoft released Windows 8.1; seven months later, the company almost completely stopped its support for Windows XP, the most popular operating system since 2001. This poses a danger to Clangers Holdings PLC from two perspectives: the operating system it is using is no longer supported by its developer, and the vulnerability of its network system. This leaves the Clangers Holdings PLC system open to a myriad of vulnerabilities. Windows XP is outdated and is being pushed out of the market by more up-to-date systems. Windows XP will pose several risks of attack to Clangers Holdings PLC; these risks involve exploits and the infection of computers with dangerous malware. Kaspersky Lab (2014) has established the vulnerability of Windows and other Microsoft products to attacks. The Company should consider migrating to Windows 7, which is considered to be the most effective version.

b. Actions to combat these security issues

The introduction of centralisation of operations will require the Company to acquire new, fast and reliable computers, as well as to establish an appropriate IT governance model that will ensure a secure environment complying with all relevant organisational IT policies. This will require the Company to have a set of capabilities such as data security management. Software should be updated regularly. Software vendors such as Microsoft update their software regularly, either over the internet or through their web pages.
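The check that Answer 4 keeps returning to, whether a host still runs vendor-supported software and is being patched, is the kind of item a vulnerability-scanning stage reports alongside a mitigation step. The following is an added example written for this page, not code from the original assignment: it audits a constructed asset inventory against a constructed policy and produces findings with mitigations, grouped by site. Host names, the policy, the audit date and all dates other than the Windows XP end-of-support date cited in the text are assumptions for the example.

```python
"""Inventory audit reporting unsupported or unpatched hosts with a mitigation
step for each finding.  Added example for this page; the inventory, policy
and audit date below are constructed, not real Clangers data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    site: str
    os: str
    last_patched: date


@dataclass(frozen=True)
class Finding:
    host: str
    site: str
    kind: str        # unsupported_os | unknown_os | policy_deviation | stale_patching
    severity: str    # high | medium
    detail: str
    mitigation: str


# Vendor end-of-support dates.  Windows XP's is the date the essay cites
# (8 April 2014); the others are Microsoft's published lifecycle dates and
# should be re-checked against the vendor's lifecycle page before use.
SUPPORT_END = {
    "Windows XP": date(2014, 4, 8),
    "Windows 8": date(2016, 1, 12),
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
}


@dataclass(frozen=True)
class Policy:
    approved_os: frozenset      # versions the security policy permits
    max_patch_age_days: int     # how long a host may go without updates


def audit_host(host: Host, policy: Policy, as_of: date) -> list:
    """Return the findings for one host as of the audit date."""
    findings = []
    end = SUPPORT_END.get(host.os)
    if end is None:
        findings.append(Finding(host.name, host.site, "unknown_os", "medium",
                                f"{host.os} is not in the support table",
                                "Record the vendor's support status and add the platform to the policy"))
    elif end < as_of:
        findings.append(Finding(host.name, host.site, "unsupported_os", "high",
                                f"{host.os} support ended {end.isoformat()}",
                                "Migrate to a vendor-supported version and isolate the host until then"))
    elif host.os not in policy.approved_os:
        findings.append(Finding(host.name, host.site, "policy_deviation", "medium",
                                f"{host.os} is supported but not on the approved list",
                                "Upgrade to an approved version or document an approved exception"))
    age_days = (as_of - host.last_patched).days
    if age_days > policy.max_patch_age_days:
        findings.append(Finding(host.name, host.site, "stale_patching", "medium",
                                f"last patched {age_days} days ago (limit {policy.max_patch_age_days})",
                                "Apply pending vendor updates and enrol the host in scheduled patching"))
    return findings


def audit(inventory, policy: Policy, as_of: date) -> list:
    """Audit every host in the inventory and flatten the findings."""
    return [f for h in inventory for f in audit_host(h, policy, as_of)]


def summarise(findings) -> dict:
    """Count findings per site and severity, e.g. {'France': {'high': 1, 'medium': 3}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f.site][f.severity] += 1
    return {site: dict(sev) for site, sev in counts.items()}


# Constructed inventory and policy for the worked example.
INVENTORY = [
    Host("uk-fs01", "UK", "Windows 7", date(2015, 1, 20)),
    Host("uk-ws07", "UK", "Windows XP", date(2014, 4, 1)),
    Host("fr-ws02", "France", "Windows XP", date(2014, 3, 15)),
    Host("fr-ws03", "France", "Windows 8", date(2015, 2, 1)),
    Host("fr-srv01", "France", "Debian 7", date(2015, 2, 10)),
]
POLICY = Policy(approved_os=frozenset({"Windows 7", "Windows 8.1"}), max_patch_age_days=30)
AS_OF = date(2015, 2, 12)   # audit date assumed for the example

if __name__ == "__main__":
    results = audit(INVENTORY, POLICY, AS_OF)
    for f in results:
        print(f"[{f.severity:<6}] {f.site:<7} {f.host:<9} {f.kind:<17} {f.detail}")
        print(f"         mitigation: {f.mitigation}")
    print(summarise(results))
```

The site roll-up is what lets the essay's observation about France be checked against evidence rather than assumed: with the constructed data, both XP hosts and the two policy deviations show up in the per-site counts, while the fully patched Windows 7 host produces no finding at all.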
The Company should consider updating all its software to Windows 7. The Company should also address web vulnerabilities, since it is centralising its operations. According to IXIA (2011, p. 7), among the total number of reported security issues, web vulnerabilities comprise 49 percent, representing over 20,000 cases. The predominant vulnerabilities include SQL injection, cross-site scripting, and file includes, whose vulnerability is similar to SQL injection. The company should consider addressing these vulnerabilities in its endeavour to centralise its operations. The company should also seek improvement of virtual machine support and legal support.

c. Making use of security issues as part of the investigation into the security of the organisation's private networks

These security issues can be used as part of the investigation in a testing phase dubbed 'vulnerability scanning'. A vulnerability scanner resembles a port scanner; however, it takes the concept to the next level. In vulnerability scanning, information on the associated vulnerabilities will be provided. These scanners will also provide information on how the discovered vulnerabilities can be mitigated. The tester can make the client grasp the importance of vulnerability scanning in establishing and mitigating most security issues. Other important vulnerabilities that can be identified through this procedure are out-dated software versions and system upgrades that deviate from the Company's security policy. A clear understanding between the tester and the organisation concerning the use of this procedure can raise the client's confidence in the tester. Since penetration testing will be involved, vulnerability scanning has been known to establish a firm foundation for penetration testing (NIST, 2003, p. 26).

References

CPNI 2006. Commercially Available Penetration Testing: Best Practice Guide. Center for the Protection of National Infrastructure.
Available from: http://www.cpni.gov.uk/Documents/Publications/2006/2006030-GPG_Penetration_testing.pdf

IXIA 2011. Network Security Testing. White Paper.

Kaspersky Lab 2014. Kaspersky Security Network Report: Windows Usage & Vulnerabilities. Available [12 February 2015] from http://www.kaspersky_lab_KSN_report_windows_usage_eng-new.pdf

NIST 2008. Technical Guide to Information Security Testing and Assessment. Special Publication. National Institute of Standards and Technology.

SANS 2002. Conducting a Penetration Test on an Organisation. SANS Institute.

Stamper, J. 2014. Windows XP and Desktop Migration: Why There's No Time Like The Present. Lombard. Available from: www.lombard.co.uk/pdf/brochures/total-cost-of-ownership.pdf
Ethical Hacking Assignment Example | Topics and Well Written Essays - 2000 words. https://studentshare.org/information-technology/1859434-ethical-hacking-bsc-undergraduate
