Are Your Students Ready To Play
The (Ethical) Hacking Game?
Welcome!
Presenter: Steven Graham | Senior Director, EC-Council
> About EC-Council
> Global, Member Based Information Security Certification Body
> 320+ partners in over 70 Countries
> 60,000 Trained Professionals over 21,000 Certified
> Primary Certifications:
>
>
>
>
>
Network Security Administrator (E|NSA)
Certified Ethical Hacker (C|EH)
Computer Hacking Forensic Investigator (C|HFI)
Certified Security Analyst/ Licensed Penetration Tester (E|CSA/L|PT)
27 total industry certifications. More info at www.eccouncil.org
Agenda
> Why Information Security is Important
> Oops, I gave my Visa to a Hacker! (Heartland Breach)
> Cyber War on our own soil? Is it Possible? (Bot-Nets)
> Individual Responsibilities tied to National Security and our responsibility
as educators (DOD-National Strategy to Secure Cyberspace)
> Understanding IT Security Roles and Responsibilities, and
educating to them.
> Incorporating Information Security into existing Education
programs with the EC-Council | Press
> The Ethical Hacking Game – and introduction to Ethical
Hacking – overview & Phase 1 - Reconnaissance
> Discussion
Why Information Security is Important
> Oops, I gave my Visa to a Hacker! (the Heartland Breach
Exposed)
> January of 2009 Heartland Payment Systems, responsible for the
processing of 100 Million Credit Card Transactions for 175,000 unique
Merchants every month, announced their compromise.
> Bob Carr, CEO sells 80,000 Shares for 1.4 million right before public
announcement of the breach
> Stock Plummets
Why Information Security is Important
> Oops, I gave my Visa to a Hacker! (the Heartland Breach
Exposed)
1 day marked a
January 6th, 2009
43% Drop in Stock
Price: 18.83
January 21st, 2009
Value with Shares
Volume: 329k
Price: 14.11
Jumping from 839K
Volume: 839k
To over 4 million
January 22nd, 2009
Price: 8.18
Volume: 4 Million
Why Information Security is Important
> Oops, I gave my Visa to a Hacker! (the Heartland Breach
Exposed)
> In a recent USA TODAY interview, Heartland’s President and CFO,
Robert Baldwin Noted, in late 2008, hackers had access for “longer
than weeks”, no specific information was released.
> Visa & MasterCard Notified Heartland of suspicious transactions
stemming from their accounts, then investigators found a “Data-Stealing”
program.
> 3 weeks access, potentially 750 million credit card transactions exposed!
Why Information Security is Important
> Oops, I gave my Visa to a Hacker! (the Heartland Breach
Exposed)
> Lessons Learned
>
>
>
>
End-to-end encryption was not in place
Intrusion Detection, Intrusion Prevention systems were insufficient
Proactive Scanning for anomalies failed or was not present.
Cyber criminals Exploited Vulnerabilities in Heartland Systems compromising
the financial Data of millions of customers.
> Preventative security measures were insufficient despite best efforts and
compliance to standard industry regulations.
Why Information Security is Important
> Cyber War on our own soil? Is it Possible? (Bot-Nets)
> The simple answer, YES AND IT’S HAPPENING NOW!
> 2008 attacks against SecureWorks managed clients originating countries:
>
>
>
>
>
>
>
>
#10 Canada originated 107,483 Attacks
#9 Germany originated 110,493 Attacks
#8 Taiwan originated 124,997 Attacks
#7 Russia originated 130,572 Attacks
#6 Japan originated 142,346 Attacks
#5 Poland originated 153,205 Attacks
#4 South Korea originated 162,289 Attacks
#3 Brazil originated 166,987 Attacks
Why Information Security is Important
> Cyber War on our own soil? Is it Possible? (Bot-Nets)
> The simple answer, YES AND IT’S HAPPENING NOW!
> 2008 attacks against SecureWorks managed clients originating countries:
>#2 China originated 7,700,000 Attacks
>#1 United States of America
originated 20,600,000 Attacks
emanating from Computers inside US
Borders
Why Information Security is Important
> Cyber War on our own soil? Is it Possible? (Bot-Nets)
> What is prompting these attacks?
> “Owned computers” by large become a part of various “BotNets” and
can be remotely controlled.
> Hackers gain access to combined computing resources through
distribution of passive Malware, Virus’, and Trojans.
> Compromised/unprotected Personal Computers, Library Networks,
School Networks, Govt. Networks, and Corporate Networks contribute
to the proliferation of BotNets.
Example Workings of a BotNet
•
•
•
•
•
•
•
Stage 1, Stage 2:
The Bot Master sends malicious trojan/botnet client over the Internet and infects a victim
Stage 3:
The bot client connects to the Command Centre( Malicious Server)and informs the status of
being infected
Stage4:
Command Centre informs the Bot Master about the victim
Stage 5:
The attacker sends attack information to the command centre
Stage6,
The command centre triggers the victim with the set of instructions sent by the Bot Master to
search for other victim computers with similar vulnerabilities
Stage 7:
The compromised computer scans the Internet for other similar systems and infects them with
malicious code
Stage 8:
This way the attacker creates a huge network of bots that are ready to act based on the
instructions sent by the attacker.
The network of bots is referred to as botnet
Example Workings of a BotNet
1
Creates a vicious
Trojan/ Bot Client
Victim
8
Bot Master
7
8
5
Victim
INTERNET
2
4
3
Command Centre
6
7
Victim
8
7
7
Victim
8
Victim
EC-Council
Why Information Security is Important
>
How does this apply to me as an educator?
–
According to the DOD’s National Strategy to Secure Cyber Space:
“Each American who depends on cyberspace, the
network of information networks, must secure the
part that they own or for which they are responsible.”
– To further explain, Threats & Vulnerabilities a 5 Level
Problem. Consider where your graduates go.
1.
2.
3.
4.
5.
Home Users/Small Business
Large Enterprises
Critical Sectors/Infrastructures
National Issues
Global
Typical Security Job Roles and
responsibilities
Job Level
Typical Roles
Corresponding EC-Council Certifications & Designations
IT/IS
Executive
Information
Assurance,
Design, and
Compliance
MSS/ECSO (Coming Soon)
IT/IS
Manager
Information
Assurance
oversight and
Personnel
management
IT/IS
Specialist
Specialization
roles including
Pen Testing,
Forensics,
Disaster Recover,
Voice over IP,
Secure
Programming,
etc.
IT/IS Admin
Network
Installation,
Configuration,
maintenance,
Information
Assurance
IT/IS
Technician
Standard Network
installation &
configuration
Information
Worker
Access to
Computing
systems
Penetration
Testing Specialist
Forensics Specialist
Disaster Recovery
Specialist
VOIP Specialist
Secure
Programmer
Why Information Security is Important
>
Information Security Job Roles/Responsibilities.
>
Front Line (Receptionist, secretaries, Information Workers, HR,
Accounting, Non-IT personnel)
>
Responsibilities – Protect Corporate information
>
>
Vulnerable to – Social Engineering attacks leaking sensitive
information, or portions of the “big Picture” allowing attackers to gain
access. Computer Virus/Worms/Trojans, Etc.
1st Level IT, Help Desk, Support Specialists, Network
Administrators.
>
Responsibilities – Adhere to Security/General IT Policy. Standard
Configurations and supporting roles to superiors, internal and
external clients.
>
Vulnerable to – Social Engineering, Mis-configurations, Common
mistakes exposing serious vulnerability
Why Information Security is Important
>
Information Security Job Roles/Responsibilities.
>
2nd Level IT Network Engineers, Managers, Auditors,
Specialists
>
>
>
Responsibility – System Design and maintenance, constant
assessment, Security Patching, Hardware/software break-fix
upgrade. Typically first line contact with outsourced
firms/consultants. E-Discovery/Preservation. DR/BC
Vulnerabilities – Mis-configuration, Policy Gaps, Outsource
mistakes/decisions/assessment. Admin Level Access.
Executives – Director of IT, CIO, CISO, CEO
>
Responsibility – Compliance, Compliance, Compliance
>
Vulnerability - ALL VULNERABILITIES END UP HERE.
Incorporating Information Security Titles in
existing Education Programs.
EC-Council | Press
Security Fundamentals – General Education – entry level Computer Science
Security | 5 Titles
•
Social Site and Online Behavior
•
Cyber Dangers
•
ID Theft
Security Essentials – Entry Level Computer Science
E|NSA Network Defense Titles:
•
Network fundamentals and protocols
•
Network threats and security policy
•
Perimeter defense mechanisms
•
Securing network devices, operating system and troubleshooting
•
Patch Management and Log Analysis
Incorporating Information Security Titles in
existing Education Programs.
EC-Council | Press
Ethical Hacking & Counter Measures – Computer Science/Security – entry level to
advanced Computer Science
C|EH Ethical Hacking Titles
•
•
•
•
The CEH Hacking cycle and Penetration Testing
Threats and defensive mechanisms
Hacking Web applications
Securing Linux and Defense against Buffer Overflows
•
Securing Network Infrastructure
Incorporating Information Security Titles in
existing Education Programs.
EC-Council | Press
Computer Forensics – Computer Science/Security – entry level to advanced Computer
Science
C|HFI Computer Forensics Titles:
•
•
•
•
•
•
Investigating procedures and role of an expert witness
Computer Forensic Lab Requirements Ethical Hacking: Hacking Web
applications
Investigating file systems, hard disks and operating systems for evidence
Investigating data and image files for evidence
Investigating network intrusions and cyber attacks
Investigating attacks on wireless network and devices
Incorporating Information Security Titles in
existing Education Programs.
EC-Council | Press
Penetration Testing – Computer Science/Security – Advanced Computer Science
E|CSA Computer Security Analyst/ Advanced Penetration Testing Titles:
•
•
•
•
•
Security analysis and advanced tools
Customer agreements and reporting procedures Penetration Testing
Methodologies
Network Perimeter Testing Procedures
Communication Media Testing Procedures
Network Threat Testing Procedures
Now, It’s time to play!
EC-Council
Slides extracted from EC-Council’s Intro to Ethical Hacking
Here comes the part you all came for 
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
ECC Fulfills the Need
• Ethical Hacking and Countermeasures
(C|EH)
– CEH understand tools and techniques
used
• Attack tools – by those outside the network
• Compromise tools – by those inside the
network
– “Thinking like a hacker”
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Problem Definition –
Why Security?
Direct impact of security breach on
corporate asset base and goodwill
Increasing complexity of computer infrastructure administration and
management
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
What Does a Malicious Hacker
Do?
Reconnaissance
• Active/passive
Reconnaissance
Scanning
Clearing
Tracks
Gaining access
• Operating system level/application level
• Network level
• Denial of service
Maintaining
Access
Scanning
Maintaining access
• Uploading/altering/ downloading
programs or data
Clearing tracks
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Gaining
Access
Phase 1 - Reconnaissance
Reconnaissance refers to the preparatory phase where an attacker seeks to
gather as much information as possible about a target of evaluation prior to
launching an attack
Generally noted as "rattling the door knobs" to see if someone is watching and
responding
Discovered information “filed” for future use when more is known about the
target as a whole
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Reconnaissance Types
Passive reconnaissance involves acquiring
information without directly interacting with
the target
• For example, searching public records or news
releases
Active reconnaissance involves
interacting with the target directly by
any means
• For example, telephone calls to the help
desk or technical department
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Step 1:
Reconnaissance
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Part 1: Footprinting
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Revisiting Reconnaissance
1
Reconnaissance refers to the preparatory
phase where an attacker seeks to gather as
much information as possible about a target
of evaluation prior to launching an attack
Reconnaissanc
e
5
2
Clearing Tracks
Scanning
4
Maintaining
Access
3
Gaining Access
It involves three phases: footprinting,
scanning and enumeration of the network
Footprinting is conducted externally, while
scanning and network enumeration take
place both externally AND internally
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Defining Footprinting
Footprinting is the blueprint of the security
profile of an organization, undertaken in a
methodological manner
Footprinting is one of the three pre-attack
phases
An attacker spends 90% of the time in
profiling an organization and another 10%
in the attack
Footprinting results in a unique
organization profile with respect to
networks
(Internet/intranet/extranet/wireless) and
systems involved
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Why is Footprinting
Necessary
Footprinting is necessary to systematically and methodically
ensure that all possible pieces of information related to the
technologies in use are identified
Footprinting is often the most difficult task conducted o
determine the security posture of an entity
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Unearthing Initial Information
Hacking tool
Sam Spade
Commonly includes:
• Domain name lookup
• Locations
• Contacts (telephone / mail)
Information Sources:
• Open source
• Whois
• Nslookup
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Finding a Company’s
URL
Search for a company’s URL using a search engine such as Google
Type the company’s name in the search engine to get the company’s
URL
Google provides rich information to perform passive reconnaissance
Check newsgroups, forums, and blogs for sensitive information
regarding the network, the organization, and its employees
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Tool: WebFerret
WebFerret searches the web quickly and thoroughly by instantly submitting the search query to
multiple search engines
All of the results are displayed in a single concise window
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Extracting Archive 0f a
Website
You can get information on a company
website since its launch at
www.archive.org
• For example: www.eccouncil.org
You can see updates made to the
website
You can look for an employee database,
past products, press releases, contact
information, and more
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
www.archive.org
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
www.archive.org (cont’d)
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Anonymity with Caches
Hackers may get a copy of sensitive data even if the admin pulls the plug on that pesky
Web server They can crawl the entire website without even sending a single packet to the
original server
If the web server does not get so much as a packet, it can not write any thing to log files
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Yahoo People Search
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Footprinting Through Job
Sites
You can gather a company’s infrastructure details from job postings
Look for the company’s infrastructure postings such as “looking for
system administrator to manage Solaris 10 network”
This means that the company uses Solaris in their network
• E.g., www.jobsdb.com
Job requirements
Employee profile
Hardware
information
Software
information
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Footprinting Through Industry
Sites
• Industry trade associations may provide
information about the target network as
well
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Passive Information
Gathering
Passive information gathering is done by finding out the
freely available information over the Internet and by
various other techniques without coming in contact with the
organization’s servers
Organizational websites are an exception as the
information gathering activities carried out by an attacker
do not raise suspicion
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Competitive Intelligence
Gathering
“Business moves fast. Product cycles are measured in months, not
years. Partners become rivals quicker than you can say ‘breach of
contract.’ So how can you possibly hope to keep up with your
competitors if you can't keep an eye on them?” –FastCompany.com
Competitive intelligence gathering is the process
of gathering information about your competitors
from resources such as the Internet
Non-interfering and subtle in nature
Both a product and a process
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Tool: HTTrack Web Site Copier
This tool mirrors an entire
website to the desktop
You can footprint the
contents of an entire
website locally rather than
visiting the individual pages
Valuable footprinting tool
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Tool: SpiderFoot
SpiderFoot is a free, open-source, domain footprinting tool which
will scrape the websites on that domain, as well as search
Google, Netcraft, Whois, and DNS to build up information like:
Subdomains
Affiliates
Web server versions
Users
Similar domains
Email addresses
Netblocks
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Tool: Expired Domains
Expired Domains enable searching for expiring domain names
by keyword, domain, character length, and other criteria
The program can download an updated list of domain names
with the click of a button
Multiple filter rules can be created to find domain names that
are of interest
A list of “interesting” domain names can be printed or exported
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Tool: Maltego
Maltego can be used for the information gathering phase of penetration
testing making it possible for less experienced testers to work faster and
more accurately
Maltego provides you with a graphical interface that makes seeing
information relationships instant and accurate - making it possible to see
hidden connections
Maltego has applications in:
•
•
•
•
•
Forensic investigations
Law enforcement
Intelligence operations
Identity fraud investigation
Identity verification processes
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
E-Mail Spiders
Have you ever wondered how Spammers generate a huge mailing database?
They pick up tons of e-mail addresses by searching in the Internet
All they need is a web spidering tool picking up e-mail addresses and storing
them to a database
If these tools run the entire night, they can capture hundreds of thousands of
e-mail addresses
Tools:
• Web data Extractor
• 1st E-mail Address Spider
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Part 2: Google
Hacking
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
What is Google Hacking
Google hacking is a term that refers to the art of creating
complex search engine queries in order to filter through large
amounts of search results for information related to computer
security
In its malicious format, it can be used to detect websites that
are vulnerable to numerous exploits and vulnerabilities as
well as locate private, sensitive information about others,
such as credit card numbers, social security numbers, and
passwords
Google Hacking involves using Google operators to locate
specific strings of text within search results
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
What a Hacker Can Find With
Google Hacking
Information that the Google Hacking Database identifies:
Advisories and server vulnerabilities
Error messages that contain too much information
Files containing passwords
Sensitive directories
Pages containing logon portals
Pages containing network or vulnerability data such as firewall
logs
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
SiteDigger Tool
SiteDigger searches Google’s cache to look for vulnerabilities, errors,
configuration issues, proprietary information, and interesting security nuggets
on websites
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
C|EH Cont.
Source Decks continue on with complete presentations of:
•Scanning
•Gaining Access
•Maintaining Access
•Covering Your Tracks
Over 3500 Tools, virus;, malware, robo-demo videos recorded in our advanced
hacking lab, and examples included in curriculum.
Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited.
Conclusion
Thank you for your Time. Discussion is now open.
Contact:
Cengage:
EC-Council:
Steven Graham
Senior Director | US
steve.graham@eccouncil.org
3819 Osuna NE,
Albuquerque, NM 87109
Web: http://iclass.eccouncil.org/
US Office: 505.341.3228 x102
Elizabeth Sugg
Senior Curriculum Services Manager, Digital Solutions Group
Cengage Learning
PO Box 563, Nyack, New York 10960
c 845-337-0253
(o) 845-358-4836| (e) elizabeth.sugg@cengage.com | www.cengage.com
Presentation Sources:
EC-Council
www.eccouncil.org
iclass.eccouncil.org
USA Today:
http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
Heartland Processing Systems
www.2008breach.com
Secure Works
http://www.secureworks.com/media/press_releases/20080922-attacks/
EC-Council
Certified Ethical Hacker Curriculum Version 6.0 – Botnets
Department of Defense (US)
http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf