Kevin Beaver - Hacking For Dummies


Learn to think like a hacker to secure your own systems and data


Anticipating all the possible vulnerabilities you’ll have in your systems and business processes is impossible. You certainly can’t plan for all types of attacks — especially the unknown ones. But the more combinations you try and the more often you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.

Don’t take your security testing too far, though; hardening your systems from unlikely (or even less likely) attacks makes little sense and will probably get in the way of doing business.

Your overall goals for security testing are to

Prioritize your systems so that you can focus your efforts on what matters.

Test your systems in a nondestructive fashion.

Enumerate vulnerabilities and, if necessary, prove to management that business risks exist.

Apply results to address the vulnerabilities and better secure your systems.

Understanding the Dangers Your Systems Face

It’s one thing to know generally that your systems are under fire from hackers around the world and malicious users around the office; it’s another to understand specific potential attacks against your systems. This section discusses some well-known attacks but is by no means a comprehensive listing.

Many security vulnerabilities aren’t critical by themselves, but exploiting several vulnerabilities at the same time can take its toll on a system or network environment. A default Windows operating system (OS) configuration, a weak SQL Server administrator password, or a mission-critical workstation running on a wireless network may not be a major security concern by itself. But someone who exploits all three of these vulnerabilities simultaneously could enable unauthorized remote access and disclose sensitive information (among other things).

Complexity is the enemy of security.

Vulnerabilities and attacks have grown enormously in recent years because of virtualization, cloud computing, and even social media. These three things alone add immeasurable complexity to your environment. On top of that, with the new ways of the world and so many people working from home, the complexities have grown exponentially.

Nontechnical attacks

Exploits that involve manipulating people — your users and even you — are often the greatest vulnerability. Humans are trusting by nature, which can lead to social engineering exploits. Social engineering is exploiting the trusting nature of human beings to gain information — often via email phishing — for malicious purposes. With dramatic increases in the size of the remote workforce, social engineering has become an even greater threat, especially with more personal devices being used that are likely much less secure. Check out Chapter 6 for more information about social engineering and how to guard your systems and users against it.

Other common, effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas that contain critical information or property to steal computers, servers, and other valuable equipment. Physical attacks can also include dumpster diving — rummaging through trash cans and bins for intellectual property, passwords, network diagrams, and other information.

Network infrastructure attacks

Attacks on network infrastructures can be easy to accomplish because many networks can be reached from anywhere in the world via the Internet. Examples of network infrastructure attacks include the following:

Connecting to a network through an unsecured wireless access point attached behind a firewall

Exploiting weaknesses in network protocols, such as File Transfer Protocol (FTP) and Secure Sockets Layer (SSL)

Flooding a network with too many requests, creating denial of service (DoS) for legitimate requests

Installing a network analyzer on a network segment and capturing packets that travel across it, revealing confidential information in cleartext

Operating system attacks

Hacking an OS is a preferred method of the bad guys. OS attacks make up a large portion of attacks simply because every computer has an operating system. They are susceptible to many well-known exploits, including vulnerabilities that remain unpatched years later.

Occasionally, some OSes that tend to be more secure out of the box — such as the old-but-still-out-there Novell NetWare, OpenBSD, and IBM Series i — are attacked, and vulnerabilities turn up. But hackers tend to prefer attacking Windows, Linux, and macOS because they’re more widely used.

Here are some examples of attacks on operating systems:

Exploiting missing patches

Attacking built-in authentication systems

Breaking file system security

Installing ransomware to lock down the system to extort money or other assets

Cracking passwords and weak encryption implementations

Application and other specialized attacks

Applications take a lot of hits by hackers. Web applications and mobile apps, which are probably the most popular means of attack, are often beaten down. The following are examples of application attacks and related exploits that are often present on business networks:

Websites and applications are everywhere. Thanks to what’s called shadow IT, in which people in various areas of the business run and manage their own technology, website applications are in every corner of the internal network and out in the cloud. Unfortunately, many IT and security professionals are unaware of the presence of shadow IT and the risks it creates.

Mobile apps face increasing attacks, given their popularity in business settings. There are also rogue apps discovered on the app stores that can create challenges in your environment.

Unsecured files containing sensitive information are scattered across workstation and server shares as well as out into the cloud in places like Microsoft OneDrive and Google Drive. Database systems also contain numerous vulnerabilities that malicious users can exploit.

Following the Security Assessment Principles

Security professionals must carry out the same attacks against computer systems, physical controls, and people that malicious hackers do. (I introduce those attacks in the preceding section.) A security professional’s intent, however, is to highlight any associated weaknesses. Parts 2 through 5 of this book cover how you might proceed with these attacks in detail, along with specific countermeasures you can implement against attacks on your business.

To ensure that security testing is performed adequately and professionally, every security professional needs to follow a few basic tenets. The following sections introduce the important principles.

If you don’t heed these principles, bad things could happen. I’ve seen them ignored or forgotten by IT departments while planning and executing security tests. The results weren’t positive; trust me.

Working ethically

The word ethical in this context means working with high professional morals and values. Whether you’re performing security tests against your own systems or for someone who has hired you, everything you do must be aboveboard in support of the company’s goals, with no hidden agenda — just professionalism. Being ethical also means reporting all your findings, whether or not they may create political backlash. Don’t laugh; on numerous occasions, I’ve witnessed people brushing off security vulnerability findings because they didn’t want to rock the boat or to deal with difficult executives or vendors.
