Which tools are allowed (DDOS? Social Engineering? Physical access?)
Do you have cooperation from IT?
How is the data gathered handled? Who can see it? How are you covering tracks? NDA?
What is being tested?
IP address ranges allowed? (What about things like external websites if they subcontract out?)
Physical Locations, some? All? None?
Cloud?
Suggested Activities and Discussion Topics:
As you go about your pen test of a company, you notice a massive breach affecting both customers and employees. You find significant data is out on Pastebin, including SS# for a couple of employees. Do you stop the pen test to inform the company? Or keep going because you know you'll find more and the good of the many outweighs the few?
Should there be different rules for pen testing different areas? For example, should infrastructure like power grids and water treatment systems have specialized rules for who can perform the test and how pen testing works? What about health systems and wearables? For example, what about smart devices that measure heart rate? Or sugar levels? Or period trackers?
Automated vulnerability testing: should researchers be allowed to do automated vulnerability testing? Does it make a difference if it's more or less invasive? What about when the system isn't reasonably secured (small business, hospital, education, etc.)? What precautions should be taken to make this better?
CISO and personal risk: should CISOs (Chief Information Security Officers) take personal responsibility for companies that are breached or hacked? As in, should a CISO go to jail for security negligence? Should they be fired if a breach/hack happens? How do corporate organizational deficiencies (not following the outlined procedures, not documenting, not following best practices, etc.) affect this?