Apply Your Knowledge
As an ethical hacker, it is important to not only be able to test security systems, but also understand that a good policy structure drives effective security.
Exercises
1.1. Review the SANS Policy Project
While this Chapter discusses policy, laws, and rules of engagement, now is a good time to review the SANS policy page. This information should be useful when helping organizations promote the change to a more secure setting.
Estimated Time: 15 minutes.
- Go to the SANS policy page located at www.sans.org/resources/policies.
- Click on the example policy and templates hyperlink.
- Review the Acquisition Assessment Policy. It defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group.
- Next, review the Risk Assessment Policy. This policy template defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.
- Finally, review the Ethics Policy. This template discusses ethics and defines the means to establish a culture of openness, trust, and integrity in the organization.
Exam Questions
1. |
What is the main federal statute that addresses computer hacking under U.S. Federal Law? |
2. |
Which of the following addresses the secrecy and privacy of information? |
3. |
Hacker attacks, unauthorized access, and viruses and malware can all be described as what? |
4. |
Who are the individuals who perform legal security tests while sometimes performing questionable activities? |
5. |
Which of the following is the most important step for the ethical hacker to perform during the pre-assessment? |
6. |
Which of the following is one primary difference between a malicious hacker and an ethical hacker? |
7. |
This type of security test might seek to target the CEO's laptop or the organization's backup tapes to extract critical information, usernames, and passwords. |
8. |
Which of the following best describes an attack that altered the contents of two critical files? |
9. |
Which individuals believe that hacking and defacing websites can promote social change? |
10. |
In 2000, Mafiaboy launched an attack that knocked out eBay and Yahoo! for several hours. This attack targeted which of the following? |
11. |
This type of security test typically takes on an adversarial role and looks to see what an outsider can access and control. |
12. |
How many components are in a security evaluation? |
Answers to Exam Questions
A1: |
1. B. Section 1029 is one of the main federal statutes that address computer hacking under U.S. federal law. All other answers are incorrect, as Sections 2510 and 2701 are part of the Electronic Communication Privacy Act and address information as storage and information in transit. Section 1028 is incorrect because it deals with fraud and related activity in connection with identification documents. |
A2: |
2. B. Confidentiality addresses the secrecy and privacy of information. Physical examples of confidentiality include locked doors, armed guards, and fences. Logical examples of confidentiality can be seen in passwords, encryption, and firewalls. Answer A is incorrect as integrity deals with the correctness of the information. Answer C is incorrect as availability deals with the issue that services and resources should be available when legitimate users need them. Answer D is incorrect as authentication is the means of proving someone is who he says he is. Authentication is typically verified by password, pins, tokens, or biometrics. |
A3: |
3. B. A threat is any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise an IT asset or data asset. All other answers are incorrect because risk is the probability or likelihood of the occurrence or realization of a threat. A vulnerability is a weakness in the system design, implementation, software, code, or other mechanism. An exploit refers to a piece of software, tool, or technique that takes advantage of a vulnerability, leading to privilege escalation, loss of integrity, or denial of service on a computer system. |
A4: |
4. A. Grayhat hackers are individuals who vacillate between ethical and unethical behavior. Answer B is incorrect, as ethical hackers do not violate ethics or laws. Answer C is incorrect because crackers are criminal hackers, and answer D is incorrect, as whitehat hackers are another term for ethical hackers. |
A5: |
5. B. Obtain written permission to hack. Ethical hackers must always obtain legal, written permission before beginning any security tests. Answers A, C, and D are incorrect because ethical hackers should not hack web servers. They should gather information about the target, but this is not the most important step; obtaining permission is not enough to approve the test and should come in written form. |
A6: |
6. D. Ethical hackers use the same methods but strive to do no harm. Answers A, B, and C are incorrect because malicious hackers might use the same tools and techniques that ethical hackers do. Malicious hackers might be less advanced as even script kiddies can launch attacks; ethical hackers try not to bring down servers, and they do not steal credit card databases. |
A7: |
7. C. A stolen equipment test is performed to determine what type of information might be found. The equipment could be the CEO's laptop or the organization's backup tapes. Answer A is incorrect as insider attacks seek to determine what malicious insiders could accomplish. Answer B is incorrect, as physical entry attacks seek to test the physical controls of an organization such as doors, locks, alarms, and guards. Answer D is incorrect because outsider attacks are focused on what outsiders can access and, given that access, what level of damage or control they can command. |
A8: |
8. A. Integrity provides for the correctness of information. Integrity allows users of information to have confidence in its correctness. Integrity can apply to paper documents as well as electronic ones. Answer B is incorrect, as an attack that exposed sensitive information could be categorized as an attack on confidentiality. Answer C is incorrect because availability deals with the issue that services and resources should be available when legitimate users need them. Answer D is incorrect, as authentication is the means of proving someone is who he says he is. Authentication is typically verified by password, pins, tokens, or biometrics. |
A9: |
9. D. Hactivists seek to promote social change; they believe that defacing websites and hacking servers is acceptable as long as it promotes their goals. Regardless of their motives, hacking remains illegal, and they are subject to the same computer crime laws as any other criminal. Answer A is incorrect, as ethical hackers work within the boundaries of laws and ethics. Answer B is incorrect because grayhat hackers are those individuals who cross the line between legal and questionable behavior. Answer C is incorrect because blackhat hackers are criminal hackers and might be motivated to perform illegal activities for many different reasons. |
A10: |
10. C. The attack was considered DoS, which targets availability. Although it does not provide the attacker access, it does block legitimate users from accessing resources. Answer A is incorrect, as integrity provides for the correctness of information. Answer B is incorrect, as the confidentiality of information and data was not exposed. Answer D is incorrect because authentication is the means to prove a person's identity. Authentication is typically verified by password, pins, tokens, or bio-metrics. |
A11: |
11. A. A penetration test can be described as an assessment in which the security tester takes on an adversarial role and looks to see what an outsider can access and control. Answer B is incorrect because a high level evaluation examines policies and procedures; answer C is incorrect because a network evaluation consists of policy review, some scanning, and execution of vulnerability assessment tools. Answer D is incorrect, as a policy assessment is another name for a high level evaluation. |
A12: |
12. B. There are three components to a security evaluation, which include preparation, conducting the evaluation, and the conclusion. The conclusion is the post assessment period where reports are written and recommendations are made. As the evaluation process is composed of three components, answers A, C, and D are incorrect. |
Suggested Reading and Resources
www.eccouncil.org/CEH.htmCEH certification details
www.usdoj.gov/criminal/cybercrime/usc1029.htmU.S. Department of Justice
http://securityfocus.com/news/7771Adrian Lamo NY Times court case
http://tlc.discovery.com/convergence/hackers/articles/history.htmlA history of hackers and hacking
http://searchnetworking.techtarget.com/general/0,295582,sid7_gci1083724,00.htmlGuide to penetration testing
http://www.networkcomputing.com/1201/1201f1b1.htmlVulnerability assessment methodologies
www.pbs.org/wgbh/pages/frontline/shows/cyberwarPBS Cyberwar special on hackers and red teams
www.sandia.gov/media/NewsRel/NR2000/redteam.htmGovernment red teams
http://www.cert.orgVulnerability and exploit information
www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/srsgch01.mspxRisk management and the role of policies
The Technical Foundations of Hacking
|