I will be writing here on this blog about some notes which I had prepared long back while understanding web application security and its methodologies.
What is Ethical Hacking?
Ethical hacking is the art and science of determining vulnerabilities within the existing network architecture. The idea is to put yourself in the shoes of the hacker and access and monitor the flaws in your own network. It is used to find the security flaws in the network before the hacker does, using similar tools and techniques as the hacker. If we go by what history has to tell us, hackers have always been many steps ahead of network security professionals; therefore it definitely makes a lot of sense to be prepared.
Types of Ethical Hacking
White Box: Full knowledge of the system. This means that you have full information about the system, i.e. you know what IP the database server is running on, what version of the operating system is running on that box, etc. This makes it easy for you to learn the various details and then fingerprint that very system.
Black Box: You have NO knowledge of the system infrastructure. As an ethical hacker, this is the one that can help you see things from a hacker’s perspective, as you, like the hacker, don't have any initial knowledge about the system. (Also read: Notes on Web Application testing)
Vulnerability Assessment: Usually done by using an automated script. The only negative is that your testing will be only as good as your tool. The positive is pretty clear: you run an automated script which covers certain things, and you are all set for those covered topics.
Penetration Testing: Comprehensive review of vulnerabilities, how to exploit those vulnerabilities and understanding how networks react to them.
Also, when talking to a lot of students who are new in the arena of web application development, I get a feeling that they want to know a lot about how hackers are able to do all “those things”. For such enthusiasts I would like to share some of the skills of a good hacker.
Skills of the Hacker
1.) Should possess extensive knowledge: This means that you need to know everything about everything. Though it sounds unrealistic, this is true.
2.) Should already be a security expert in other areas (like perimeter security, etc.).
3.) Should have experience as a network or system administrator. The concept is pretty simple: you can’t hack a PBX box if you don’t know how to operate one, and you can’t hack a Linux/Unix box if you don’t know the various Unix commands.
4.) Should have good working knowledge of various OS.
5.) Good understanding of ports, protocols and TCP/IP.
6.) You also need to have a good understanding of common security vulnerabilities and their fixes, like buffer overflows, etc.
7.) Good understanding of the various security tools and techniques.
Hope this post helps in laying a foundation. In the coming posts, I will write more about how ethical hacking can help you know some of the most dreaded flaws that exist in your network. Stay tuned.