StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Ethical Hacking - Assignment Example

Cite this document
Summary
This assignment "Ethical Hacking" focuses on Legal Issues in the existing system of processing and storing information, additional considerations with respect to centralization and how the vulnerability profile for the organization might change under the centralization. …
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER93.7% of users find it useful
Ethical Hacking
Read Text Preview

Extract of sample "Ethical Hacking"

Ethical Hacking Answer a. Legal Issues in the existing system of processing and storing information There are certain legalissues that arise with the existing system of processing and storing information at Clangers Holdings LLC such as security concerns. There are legal considerations that restrain a tester such as being limited by the scope to test only some systems within the organisation (CPNI 2006, p. 3). A malicious attacker may also launch an attack on customers, business partners, or service providers. Legal issues arise because the penetration tester’s focus is similar to that of a hacker. However, his motivation is to improve network security of an organisation. Several professional and certification bodies require penetration testers to take informed decisions, which are driven by the nature of the situation. The UK government has established a body called CHECK that assists organisations in selecting providers (CPNI 2006, p. 21). Clangers Holdings has been found to possess out-of-date software on their computers. This software is prone to security risks owing to the fact that support of this software ceased since April 8, 2014 (Stamper 2014, p.2). Windows XP and Windows 8 have become soft targets because they do not enjoy security patches from Microsoft. These pose a serious threat to the Company’s information. Additional considerations in respect to centralisation Although centralising of operations offers great benefits such as safe and effective sharing of resources, it brings numerous security threats to the organisation’s data and information. Most of the Company’s information will require a certain level of user authentication; therefore, the Company should determine the most appropriate level of authentication and encryption. b. How the vulnerability profile for the organisation might change under the centralisation The vulnerability of the information increases with centralisation of Company’s operations. There are additional legal and technical issues that will arise in centralisation such as trademark infringement, increase in security concerns, and sharing of propriety data resources. Though centralisation will offer many technical benefits, it makes the company’s information vulnerable to threats because the system will be hosted in a web. It has been observed that there are some serious consequences that can be suffered by the network on which the penetration test is being run if its vulnerability is high. CPNI (2006, p. 18) suggests that proper back up should be done prior to testing. The vulnerability in Clangers’ network is high and penetration testing can cause damages, which include congestion and system crashing. It can result in intrusion by unauthorised intruders. Answer 2 a. Consistent Investigation The test methods should be as realistic as possible. A penetration test will be appropriate and will involve penetrating Clangers Holdings PLC’s computer system from ‘outside’ in order to detect vulnerabilities. According to poor performance especially in France, there is a possibility of vulnerabilities being exploited by unauthorised third parties. Penetration testing will reveal the level of threat to the security of Company’s IT systems, and also establish whether the security measures in place can be able to ensure IT security. There are a number of freeware and vulnerability scanners, which offer a convenient way of identifying susceptibility in the system to establish the risks involved. The main aim in penetration testing is not to access the company’s data but to check whether such data could be accessed. In order to achieve results in penetration testing and ensure that the client’s expectations have been met, it is essential to have clearly defined goals. Client goals that can be attained by penetration testing include improving security of technical systems, improving security of personnel and organisational infrastructure, and identification of vulnerabilities. Penetration test Criterion: 1. Information base Black-box White-box 2. Aggressiveness Passive/scanning Cautious Calculated Aggressive 3.Scope Full Limited Focused 4.Approach Covert/ Overt/noisy Stealthy 5.Technique Network- Other Physical Social based communication access engineering 6. Starting point Outside Inside Figure 1. Classification of penetration tests The above penetration test has been developed and it proves ideal in directing a test that will meet the client’s goals. This test will employ black-box-testing because it offers a wide information base to the tester without any insider knowledge. b. Legal implications after obtaining access to the private information There is no law requiring a company to commission security testing of its system. However, there are binding legal provisions in relation to treatment of personal and organisation data, the organisation of an internal control system, and security handling of data relevant to tax and commercial law. Organisations are required to understand that penetration testing in most cases entails breaking the law. However, the tester is bound to maintain and treat the data or information obtained as confidential. The tester has the obligation of protecting his client’s secrets. The tester should not disclose highly sensitive information on vulnerabilities in the client’s network to third parties (CPNI 2006, p. 18). The tester is bound to observe secrecy in respect to information obtained from the client. Secondly, the tester should document all the testing procedures and results in the contract. c. Strategies would you suggest to Mrs. Soup-Dragon to reduce the possibility of access to private data Securing and operating organisation’s systems is becoming a challenging and demanding task. The aim of ‘crackers’, who in this case are assumed to be the former employees is to gain access to data in private networks or maliciously disrupt data processing. The processing, which will be carried out through SQL-web, based services and authentication should come in as the first step towards data protection from unauthorised users. The second strategy is to test the most important parts of the system first. These will include routers, web servers, email servers, and firewalls. Thirdly, security testing should be integrated into the risk management process because testing can uncover hidden misconfigurations and other vulnerabilities. There are several methods that a tester can employ to gather information. One of the most ideal methods is to conduct a network survey. SANS (2002, p. 4) suggest Nmap to be an ideal tool for network testing. Nmap runs on Linux. After conducting a network survey, the tester should conduct port scanning on the systems and network. A suggestion to Mrs Soup-Dragon in order to ensure that the tester does not gain access to private data is to have IP addresses on the areas with private information and data. Answer 3 a. Cause of performance problems The cause of negative performance issues might be the trademark infringement due to migration of staff to the competitor Company, Chicken SARL. Some confidential business information may have been leaked by the migrating staff and it may have been used by the competitor to capture some of the customers from Clangers Holdings PLC. The performance of the competitor company can be linked to the staff it has taken from Clangers Holdings PLC. Crackers (former employees) possessing privileged information about the company may be using their knowledge of internal affairs of their former company to benefit their current competitor company. They may be posing this danger because they are familiar with the organisational and technical infrastructure of the company. They may also have exposed Clangers Holdings PLC existing vulnerabilities to the competitor company especially concerning old and up-to-date computer. b. Mitigation of the problem Data security comprises three properties namely integrity, availability, and confidentiality. It appears that there is lack of confidentiality in Clangers Holdings arising from Company’s data being leaked to the competitors by the former employees. Lack of confidentiality may be the main cause of loss of employees and customers. Former employees may be stealing information from the company among other issues such as lack of privacy, and copyrights infringement. A high level of defence needs to be put in place. The first level of defence that the Company needs to consider is the use of passwords, encryption, and firewall technology. The proposed encryption of data is ideal for Clangers Holdings because it will lender data unreadable by the former employees who may have been accessing the Company’s information. There are certain vulnerabilities that may be present in Clangers’ system. At this point, the tester can use the tools available to automate vulnerability detection such as Nessus (SANS 2002, p.6). This tool produces a list of vulnerabilities that exist in a certain network as well as the mitigation steps. The tester can also employ social engineering; however, he has to establish whether the organisation approves such a method. Social engineering helps the tester to get past the company’s physical security. c. Making use of these problems as part of investigations The tester can establish whether some Company’s information has been leaked to the competitor companies through various ways. The tester can base his investigations on the problems being witnessed in France. The tester can make it a key requirement to test the system infrastructure in order to establish whether these ‘out-of-date’ systems are the cause of problems being reported. One of the critical aspects of security testing relies on probing security risk. Using these problems as a part of the investigation may involve two diverse approaches. These approaches are; testing security mechanisms and whether they are implemented in a proper manner, and performing risk-based security testing basing it on the attacker’s approach. Answer 4 a. Security issues arising from the use of old computers Windows XP has no support from its developers while Windows 8 is considered to be slow. In 2013, Microsoft released Windows 8.1; seven months later, the company almost completely stopped its support for Windows XP, the most popular operating system since 2001. This poses danger to Clangers Holdings PLC, and this danger comes in two perspectives; the operating system it is using is no longer supported by its developer, and the vulnerability of its network system. This makes Clangers Holdings PLC system to be open to a milliard of vulnerabilities. Windows XP is outdated and it is being pushed out of market by more up-to-date systems. Windows XP will pose several risks of attacks to Clangers Holdings PLC. These risks involve exploits, and infection of computers with dangerous malware. Kaspersky Lab (2014) has established the vulnerability of Windows and other Microsoft products to attacks. The Company should consider migrating to Windows 7 which is considered to be the most effective version. b. Actions to combat these security issues The introduction of centralisation of operations will require the Company to acquire new and fast reliable computers as well as establish an appropriate IT governance model that will ensure a secured environment that complies with all relevant organisational IT policies. This will require the Company to have a set of capabilities such as data security management. Software should be updated regularly. Software vendors such as Microsoft update their software regularly either over the internet, or using the Web Pages. The Company should consider updating all their software to Windows 7. The Company should also address Web Vulnerabilities since it is centralising its operations. According to IXIA (2011, p.7), among the total number of reported security issues, Web vulnerabilities comprise 49 percent representing over 20,000 cases. The vulnerabilities that are predominant include SQL injection, cross-site scripting, and file includes whose vulnerability is similar to SQL injection. The company should consider addressing these vulnerabilities in its endeavour to centralise its operations. The company should also seek improvement of virtual machine support and legal support. c. Making use of security issues as part of investigation into the security of the organisation’s private networks These security issues can be used as part of investigation in a testing part dubbed ‘vulnerability scanning.’ Vulnerability scanner resembles a port scanner. However, it takes the concept of vulnerability scanning into the next level. In vulnerability, scanning information on the associated vulnerabilities will be provided. These scanners will also provide information on how the discovered vulnerabilities can be mitigated. The tester can make the client to grasp the importance of vulnerability scanning to establish and mitigate most security issues. Other important vulnerabilities that can be identified through this procedure are out-dated software versions and system upgrades that deviate from the Company’s security policy. A clear understanding between the tester and the organisation concerning employing this system procedure can raise the client’s confidence in the tester. Since penetration testing will be involved, vulnerability scanning has been known to establish a firm foundation for penetration testing (NIST, 2003, p.26). References CPNI 2006. Commercially Available Penetration Testing: Best Practice Guide. Center for the Protection of National Infrastructure. Available from: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDMQFjAB&url=http%3A%2F%2Fwww.cpni.gov.uk%2FDocuments%2FPublications%2F2006%2F2006030-GPG_Penetration_testing.pdf&ei=Cg_iVMD7BIqw7Abls4DACg&usg=AFQjCNGQUOf7iQ0OSO6hCtNKXg5cVXakVg&bvm=bv.85970519,d.ZGU IXIA. 2011. Network Security Testing. White Paper. Kaspersky Lab. 2014. Kaspersky Security Network Report: Windows Usage & Vulnerabilities. Available [12 February 2015] from http://www.kaspersky_lab_KSN_report_windows_usage_eng-new .pdf NIST. 2008. Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology. Special Publication. SANS 2002. Conducting a Penetration Test on an Organisation. SANS Institute. Stamper, J. 2014. Windows XP and Desktop Migration: Why There’s No Time Like The Present. Lombard. Available from: www.lombard.co.uk/pdf/brochures/total-cost-of-ownership.pdf Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(Ethical Hacking Assignment Example | Topics and Well Written Essays - 2000 words, n.d.)
Ethical Hacking Assignment Example | Topics and Well Written Essays - 2000 words. https://studentshare.org/information-technology/1859434-ethical-hacking-bsc-undergraduate
(Ethical Hacking Assignment Example | Topics and Well Written Essays - 2000 Words)
Ethical Hacking Assignment Example | Topics and Well Written Essays - 2000 Words. https://studentshare.org/information-technology/1859434-ethical-hacking-bsc-undergraduate.
“Ethical Hacking Assignment Example | Topics and Well Written Essays - 2000 Words”. https://studentshare.org/information-technology/1859434-ethical-hacking-bsc-undergraduate.
  • Cited: 0 times

CHECK THESE SAMPLES OF Ethical Hacking

Intrusion Prevention

When the term hacker came into existence and the way media portrayed a hacker's image, many individuals who thought that the media's definition of hacking is cool and trendy, started using their abilities in illegal ways.... Later on when companies and individual started facing issues caused due to the hackers who were a part of the dark side of hacking, many individuals who were previously involved in illegal and unethical hacking started providing services as ethical hackers....
3 Pages (750 words) Essay

Can Gray Hacking Be Justified

This paper has also articulated Ethical Hacking from numerous perspectives, emphasizing that Ethical Hacking is not a solution for all network security problems.... This essay deals with the issue of a criminal activity, namely, hacking or cracking.... The interconnectedness of the term ethical with hacking is known as being oxymoron, parallel to calling someone a frank offender.... … The author focuses on the ethical Hackers which have a made a niche for themselves in the Defense in Depth continuum....
4 Pages (1000 words) Research Paper

Upholding Ethics at Siggy Clear Energy

Studies have shown that training classes that are aimed at all of the employees in a company are the best teachers with regard to ethical behavior.... nforcing the new ethics programsSeeing the changes that need to be made in order to improve the company, the Learning Team suggests the following in order to address the needed changes in the Ethics program within the company: gaining proper feedbacks from company employees and ethical training for employees....
2 Pages (500 words) Essay

Ethical Steps in Decision Making

Nurses are able to handle any problems that come their way by utilizing the ethical decision making process-which is a method that enables a nurse to make a decision using a specified… The goal of the ethical decision making process is to enable the nurse make a choice between various options and ensure that they uphold ethical standards where there are no clearly set guidelines on how to act, with regards to the situation confronting the nurse at the given Task ethical Steps in Decision Making In a psychiatric nursing career, one never knows when a predicament will come their way....
2 Pages (500 words) Essay

Law vs. Ethics ( In Training) Business Law Assignments

Laws and ethics regardless of their mode of the institution or enforcement, their core purpose, is to ensure people's welfare and harmony in the… This is because in some instances, what people perceive to be legal is also ethical whereas in other occasions, they do not overlap because what is illegal may be ethical and vice versa.... This is because in some instances, what people perceive to be legal is also ethical whereas in other occasions, they do not overlap because what is illegal may be ethical and vice versa....
2 Pages (500 words) Essay

Goals of auditing and Risk Management

Likewise, inherent risks are also present apart from the unknown and known risks to these assets.... However, risks can be mitigated… Security consultants conduct testing reviews and code audits for exploiting vulnerabilities and current and potential threats for an application.... One of the known practices for this activity is known as The people involved in this process are certified practitioners, as they dig down the application connected to a networked environment for known and unknown threats....
3 Pages (750 words) Research Paper

Unauthorized Access to a Computer System and Defensible Networks

Ethical Hacking is a good practice as it helps companies to enhance security of their computer system.... However, this opened up the field of hacking and has led to cyber thieves… The objective of this paper therefore is to describe ethical issues regarding hacking and related certifications, and also defensible networks. According to Bejtlich (2003) sometimes there are ethical reasons for unauthorized access to a computer Ethical reason for un ized access to a computer system and defensible networks Ethical reason for unauthorized access to a computer system and defensible networks In human history it has been said that the discovery of computers was the best thing that ever happened to man....
1 Pages (250 words) Assignment
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us