The term "white hat" in Internet slang refers to an ethical hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems. Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing. White-hat hackers are also called "sneakers", red teams, or tiger teams.
History
One of the first instances of an ethical hack being used was a
“security evaluation” conducted by the United States Air Force of the
Multics operating systems for "potential use as a two-level (secret/top
secret) system." Their evaluation found that while Multics was
"significantly better than other conventional systems," it also had "...
vulnerabilities in hardware security, software security, and procedural
security" that could be uncovered with "a relatively low level of
effort." The authors performed their tests under a guideline of realism,
so that their results would accurately represent the kinds of access
that an intruder could potentially achieve. They performed tests that
were simple information-gathering exercises, as well as other tests that
were outright attacks upon the system that might damage its integrity.
Clearly, their audience wanted to know both results. There are several
other now unclassified reports that describe ethical hacking activities
within the U.S. military. The idea to bring this tactic of ethical hacking to assess security of systems was formulated by Dan Farmer and Wietse Venema. With the goal of raising the overall level of security on the Internet and intranets,
they proceeded to describe how they were able to gather enough
information about their targets to have been able to compromise security
if they had chosen to do so. They provided several specific examples of
how this information could be gathered and exploited to gain control of
the target, and how such an attack could be prevented. They gathered up
all the tools that they had used during their work, packaged them in a
single, easy-to-use application, and gave it away to anyone who chose to
download it. Their program, called Security Analysis Tool for Auditing
Networks, or SATAN, was met with a great amount of media attention around the world.
Tactics
While penetration testing concentrates on attacking software and
computer systems from the start – scanning ports, examining known
defects and patch installations, for example – ethical hacking, which
will likely include such things, is under no such limitations. A full
blown ethical hack might include emailing staff to ask for password
details, rummaging through executive’s dustbins or even breaking and
entering – all, of course, with the knowledge and consent of the
targets. To try to replicate some of the destructive techniques a real
attack might employ, ethical hackers arrange for cloned test systems, or
organize a hack late at night while systems are less critical.
Some other methods of carrying out these include:
- DoS attacks
- Social engineering tactics
- Security scanners such as:
- W3af
- Nessus
- Frameworks such as:
- Metasploit
No comments:
Post a Comment