Chapter1GettingStarted_EssentialKnowledge_CEHCertifiedEthicalHackerAll-in-OneExamGuideFourthEdition4thEdition.pdf

CHAPTER 1 Getting Started: Essential Knowledge

In this chapter, you will

•   Identify components of TCP/IP computer networking

•   Understand basic elements of information security

•   Understand incident management steps

•   Identify fundamentals of security policies

•   Identify essential terminology associated with ethical hacking

•   Define ethical hacker and classifications of hackers

•   Describe the five stages of ethical hacking

•   Define the types of system attacks

•   Identify laws, acts, and standards affecting IT security

Last year, my ISP point-of-presence router, comfortably nestled

in the comm-closet-like area I’d lovingly built just for such items

of IT interest, decided it had had enough of serving the humans

and went rogue on me. It was subtle at first—a stream dropped

here, a choppy communication session there—but it quickly be-

came clear Skynet wasn’t going to play nicely, and a scorched-

earth policy wasn’t off the table.

After battling with everything for a while and narrowing

down the culprit, I called the handy help desk line to get a new

router ordered and delivered for me to install myself, or to get a

friendly in-home visit to take the old one and replace it. After an-

swering the phone and taking a couple basic, and perfectly rea-

sonable, pieces of information, the friendly help desk employee

started asking me what I considered to be ridiculous questions:

“Is your power on? Is your computer connected via a cable or

wireless? Is your wireless card activated, because sometimes

those things get turned off in airplane mode?” And so on. I played

along nicely for a little while. I mean, look, I get it: they have to

ask those questions. But after 10 or 15 minutes of dealing with it

I lost patience and just told the guy what was wrong. He paused,

thanked me, and continued reading the scroll of questions no

doubt rolling across his screen from the “Customer Says No

Internet” file.

I survived the gauntlet and finally got a new router ordered,

which was delivered the very next day at 8:30 in the morning.

Everything finally worked out, but the whole experience came to

mind as I sat down to start the latest version of this book. I got to

looking at the previous chapters and thought to myself, “What

were you thinking? Why were you telling them about network-

ing and the OSI model? You’re the help desk guy here.”

Why? Because I have to. I’ve promised to cover everything

here, and although you shouldn’t jump into study material for

the exam without already knowing the basics, we’re all human

and some of us will. But don’t worry, dear reader: this edition

has hopefully cut down some of the basic networking goodies

from past versions. I did have to include a fantastic explanation

of the OSI reference model, what PDUs are at what level, and

why you should care, even though I’m pretty sure you know this

already. I’m going to do my best to keep it better focused for you

and your study. This chapter still includes some inanely boring

and mundane information that is probably as exciting as that

laundry you have piled up waiting to go into the machine, but it

has to be said, and you’re the one to hear it. We’ll cover the

many terms you’ll need to know, including what an ethical

hacker is supposed to be, and maybe even cover a couple things

you don’t know.

Security 101

If you’re going to start a journey toward an ethical hacking certi-

fication, it should follow that the fundamental definitions and

terminology involved with security should be right at the start-

ing line. We’re not going to cover everything involved in IT secu-

rity here—it’s simply too large a topic, we don’t have space, and

you won’t be tested on every element anyway—but there is a

foundation of 101-level knowledge you should have before wad-

ing out of the shallow end. This chapter covers the terms you’ll

need to know to sound intelligent when discussing security mat-

ters with other folks. And, perhaps just as importantly, we’ll

cover some basics of TCP/IP networking because, after all, if you

don’t understand the language, how are you going to work your

way into the conversation?

Essentials

Before we can get into what a hacker is and how you become

one in our romp through the introductory topics here, there are

a couple things I need to get out of the way. First, even though I

covered most of this in that Shakespearean introduction for the

book, I want to talk a little bit about this exam and what you

need to know, and do, to pass it. Why repeat myself? Because af-

ter reading reviews, comments, and e-mails from our first few

outings, it has come to my attention almost none of you actually

read the introduction. I don’t blame you; I skip it too on most

certification study books, just going right for the meat. But

there’s good stuff there you really need to know before reading

further, so I’ll do a quick rundown for you up front.

Second, we need to cover some security and network basics

that will help you on your exam. Some of this section is simply

basic memorization, some of it makes perfect common sense,

and some of it is, or should be, just plain easy. You’re really sup-

posed to know this already, and you’ll see this stuff again and

again throughout this book, but it’s truly bedrock stuff and I

would be remiss if I didn’t at least provide a jumping-off point.

The Exam

Are you sitting down? Is your heart healthy? I don’t want to dis-

tress you with this shocking revelation I’m about to throw out,

so if you need a moment, go pour a bourbon (another refrain

you’ll see referenced throughout this book) and get calm before

you read further. Are you ready? The CEH version 10 exam is

difficult, and despite hours (days, weeks) of study and multiple

study sources, you may still come across a version of the exam

that leaves you feeling like you’ve been hit by a truck.

I know. A guy writing and selling a study book just told you it

won’t be enough. Trust me when I say it, though, I’m not kid-

ding. Of course this will be a good study reference. Of course you

can learn something from it if you really want to. Of course I did

everything I could to make it as up to date and comprehensive

as possible. But if you’re under the insane assumption this is a

magic ticket, that somehow written word from October 2018 is

going to magically hit the word-for-word reference on a specific

test question in whatever timeframe/year you’re reading this, I

sincerely encourage you to find some professional help before

the furniture starts talking to you and the cat starts making

sense. Those of you looking for exact test questions and rote

memorization to pass the exam will not find it in this publica-

tion, nor any other. For the rest of you, those who want a little fo-

cused attention to prepare the right way for the exam and those

looking to learn what it really means to be an ethical hacker,

let’s get going with your test basics.

NOTE    I’ve been asked, a lot, what the difference is between

version 9 and version 10, and the answer is, really, not much. EC-

Council (ECC) added a bunch of stuff they tossed together as

“IoT,” beefed up a little cloud computing, and threw a few new

tools in for consideration. Otherwise, networking is still net-

working, and the same stuff you studied for previous versions

will apply here.

First, if you’ve never taken a certification-level exam, I

wouldn’t recommend this one as your virgin experience. It’s

tough enough without all the distractions and nerves involved in

your first walkthrough. When you do arrive for your exam, you

usually check in with a friendly test proctor or receptionist, sign

a few things, and get funneled off to your testing room. Every

time I’ve gone it has been a smallish office or a closed-in cubicle,

with a single monitor staring at you ominously. You’ll click

START and begin whizzing through questions one by one, click-

ing the circle to select the best answer(s) or clicking and drag-

ging definitions to the correct section. At the end there’s a

SUBMIT button, which you will click and then enter a break in

the time-space continuum—because the next 10 seconds will

seem like the longest of your life. In fact, it’ll seem like an eter-

nity, where things have slowed down so much you can actually

watch the refresh rate on the monitor and notice the cycles of AC

current flowing through the office lamps. When the results page

finally appears, it’s a moment of overwhelming relief or one of

surreal numbness.

If you pass, none of the study material matters and, frankly,

you’ll almost immediately start dumping the stored memory

from your neurons. If you don’t pass, everything matters. You’ll

race to the car and start marking down everything you can re-

member so you can study better next time. You’ll fly to social

media and the Internet to discuss what went wrong and to lam-

bast anything you didn’t find useful in preparation. And you’ll

almost certainly look for something, someone to blame. Trust

me, don’t do this.

Everything you do in preparation for this exam should be

done to make you a better ethical hacker, not to pass a test. If you

prepare as if this is your job, if you take everything you can use

for study material and try to learn instead of memorize, you’ll

be better off, pass or fail. And, consequentially, I guarantee if

you prepare this way your odds of passing any version of the test

that comes out go up astronomically.

The test itself? Well, there are some tips and tricks that can

help. I highly recommend you go back to the introduction and

read the sections “The Examination” and “The Certification.”

They’ll help you. A lot. Here are some other tips that may help:

•   Do not let real life trump EC-Council’s view of it. There will be

several instances somewhere along your study and eventual

exam life where you will say, aloud, “That’s not what happens in

the real world! Anyone claiming that would be stuffed in a

locker and sprayed head to toe with shaving cream!” Trust me

when I say this: real life and a certification exam are not neces-

sarily always directly proportional. On some of these questions,

you’ll need to study and learn what you need for the exam,

knowing full well it’s different in the real world. If you don’t

know what I mean by this, ask someone who has been doing this

for a while if they think social engineering is passive.

•   Go to the bathroom before you enter your test room. Even if you

don’t have to. Because, trust me, you do.

•   Use time to your advantage. The exam now is split into sections,

with a timeframe set up for each one. You can work and review

inside the section all you want, but once you pass through it you

can’t go back. And if you fly through a section, you don’t get

more time on the next one. Take your time and review

appropriately.

•   Make use of the paper and pencil/pen the friendly test proctor

provides you. As soon as you sit down, before you click START on

the ominous test monitor display, start writing down everything

from your head onto the paper provided. I would recommend

reviewing just before you walk into the test center those sections

of information you’re having the most trouble remembering.

When you get to your test room, write them down immediately.

That way, when you’re losing your mind a third of the way

through the exam and start panicking that you can’t remember

what an XMAS scan returns on a closed port, you’ll have a refer-

ence. And trust me, having it there makes it easier for you to re-

call the information, even if you never look at it.

•   Trust your instincts. When you do question review, unless you

absolutely, positively, beyond any shadow of a doubt know you

initially marked the wrong answer, do not change it.

•   Take the questions at face value. I know many people who don’t

do well on exams because they’re trying to figure out what the

test writer meant when putting the question together. Don’t read

into a question; just answer it and move on.

•   Schedule your exam sooner than you think you’ll be ready for it.

I say this because I know people who say, “I’m going to study for

six months and then I’ll be ready to take the exam.” Six months

pass and they’re still sitting there, studying and preparing. If you

do not put it on the calendar to make yourself prepare, you’ll

never take it, because you’ll never be ready.

Again, it’s my intention that everyone reading this book and

using it as a valuable resource in preparation for the exam will

attain the certification, but I can’t guarantee you will. Because,

frankly, I don’t know you. I don’t know your work ethic, your at-

tention to detail, or your ability to effectively calm down to take

a test and discern reality from a certification definition question.

All I can do is provide you with the information, wish you the

best of luck, and turn you loose. Now, on with the show.

The OSI Reference Model

Most of us would rather take a ballpeen hammer to our toenails

than to hear about the OSI reference model again. It’s taught up

front in every networking class we all had to take in college, so

we’ve all heard it a thousand times over. That said, those of us

who have been around for a while and have taken a certification

test or two also understand it usually results in a few easy test

answers—provided you understand what they’re asking for. I’m

not going to bore you with the same stuff you’ve heard or read a

million times before since, as stated earlier, you’re supposed to

know this already. What I am going to do, though, is provide a

quick rundown for you to peruse, should you need to refresh

your memory.

I thought long and hard about the best way to go over this

topic again for our review, and decided I’d ditch the same old

boring method of talking this through. Instead, let’s look at the

10,000-foot overhead view of a communications session between

two computers depicted in the OSI reference model through the

lens of building a network—specifically by trying to figure out

how you would build a network from the ground up. Step in the

Wayback Machine with Sherman, Mr. Peabody, and me, and let’s

go back before networking was invented. How would you do it?

NOTE    Even something as simple as the OSI model can get re-

ally overcomplicated if you read enough into it. For example’s

sake, we’re looking at it in this text as it relates to TCP/IP. While

TCP/IP generally rules the networking world, there are other

protocol stacks that do much the same thing. The OSI model just

helps us to talk about their networked connections.

First, looking at those two computers sitting there wanting to

talk to one another, you might consider the basics of what is

right in front of your eyes: What will you use to connect your

computers together so they can transmit signals? In other words,

what media would you use? There are several options: copper

cabling, glass tubes, even radio waves, among others. And de-

pending on which one of those you pick, you’re going to have to

figure out how to use them to transmit useable information.

How will you get an electrical signal on the wire to mean some-

thing to the computer on the other end? What part of a radio

wave can you use to spell out a word or a color? On top of all

that, you’ll need to figure out connectors, interfaces, and how to

account for interference. And that’s just Layer 1 (the Physical

layer), where everything is simply bits—that is, 1’s and 0’s.

Layer 2 then helps answer the questions involved in growing

your network. In figuring out how you would build this whole

thing, if you decide to allow more than two nodes to join, how do

you handle addressing? With only two systems, it’s no worry—

everything sent is received by the guy on the other end—but if

you add three or more to the mix, you’re going to have to figure

out how to send the message with a unique address. And if your

media is shared, how would you guarantee everyone gets a

chance to talk, and no one’s message jumbles up anyone else’s?

The Data Link layer (Layer 2) handles this using frames, which

encapsulate all the data handed down from the higher layers.

Frames hold addresses that identify a machine inside a particu-

lar network.

And what happens if you want to send a message out of your

network? It’s one thing to set up addressing so that each com-

puter knows where all the other computers in the neighborhood

reside, but sooner or later you’re going to want to send a mes-

sage to another neighborhood—maybe even another city. And

you certainly can’t expect each computer to know the address of

every computer in the whole world. This is where Layer 3 steps

in, with the packet used to hold network addresses and routing

information. It works a lot like ZIP codes on an envelope. While

the street address (the physical address from Layer 2) is used to

define the recipient inside the physical network, the network ad-

dress from Layer 3 tells routers along the way which neighbor-

hood (network) the message is intended for.

Other considerations then come into play, like reliable deliv-

ery and flow control. You certainly wouldn’t want a message just

blasting out without having any idea if it made it to the recipi-

ent; then again, you may want to, depending on what the mes-

sage is about. And you definitely wouldn’t want to overwhelm

the media’s ability to handle the messages you send, so maybe

you might not want to put the giant boulder of the message onto

our media all at once, when chopping it up into smaller, more

manageable pieces makes more sense. The next layer, Transport,

handles this and more for you. In Layer 4, the segment handles

reliable end-to-end delivery of the message, along with error

correction (through retransmission of missing segments) and

flow control.

At this point you’ve set the stage for success. There is media to

carry a signal (and you’ve figured how to encode that signal onto

that media), addressing inside and outside your network is han-

dled, and you’ve taken care of things like flow control and relia-

bility. Now it’s time to look upward toward the machines them-

selves and make sure they know how to do what they need to do.

The next three layers (from the bottom up—Session,

Presentation, and Application) handle the data itself. The Session

layer is more of a theoretical entity, with no real manipulation of

the data itself—its job is to open, maintain, and close a session.

The Presentation layer is designed to put a message into a for-

mat all systems can understand. For example, an e-mail crafted

in Microsoft Outlook may not necessarily be received by a ma-

chine running Outlook, so it must be translated into something

any receiver can comprehend—like pure ASCII code for delivery

across a network. The Application layer holds all the protocols

that allow a user to access information on and across a network.

For example, FTP allows users to transport files across networks,

SMTP provides for e-mail traffic, and HTTP allows you to surf

the Internet at work while you’re supposed to be doing some-

thing else. These three layers make up the “data layers” of the

stack, and they map directly to the Application layer of the

TCP/IP stack. In these three layers, the protocol data unit (PDU) is

referred to as data.

The layers, and examples of the protocols you’d find in them,

are shown in Figure 1-1.

Figure 1-1 OSI reference model

EXAM TIP    Your OSI knowledge on the test won’t be something

as simple as a question of what protocol data unit goes with

which layer. Rather, you’ll be asked questions that knowledge of

the model will help with; knowing what happens at a given layer

will assist you in remembering what tool or protocol the ques-

tion is asking about. Anagrams can help your memory: “All

People Seem To Need Daily Planning” will keep the layers

straight, and “Do Sergeants Pay For Beer” will match up the

PDUs with the layers.

TCP/IP Overview

Keeping in mind you’re supposed to know this already, we’re not

going to spend an inordinate amount of time on this subject.

That said, it’s vitally important to your success that the basics of

TCP/IP networking are as ingrained in your neurons as other im-

portant aspects of your life, like maybe Mom’s birthday, the size

and bag limit on redfish, the proper ratio of bourbon to anything

you mix it with, and the proper way to place toilet paper on the

roller (pull paper down, never up). This will be a quick preview,

and we’ll revisit (and repeat) this in later chapters.

TCP/IP is a set of communications protocols that allows hosts

on a network to talk to one another. This suite of protocols is ar-

ranged in a layered stack, much like the OSI reference model,

with each layer performing a specific task. Figure 1-2 shows the

TCP/IP stack.

Figure 1-2 TCP/IP stack

In keeping with the way this chapter started, let’s avoid a lot

of the same stuff you’ve probably heard a thousand times al-

ready and simply follow a message from one machine to an-

other through a TCP/IP network. This way, I hope to hit all the

basics you need without boring you to tears and causing you to

skip the rest of this chapter altogether. Keep in mind there is a

whole lot of simultaneous goings-on in any session, so I may take

a couple liberties to speed things along.

Suppose, for example, user Joe wants to get ready for the sea-

son opener and decides to do a little online shopping for his fa-

vorite University of Alabama football gear. Joe begins by open-

ing his browser and typing in a request for his favorite website.

His computer now has a data request from the browser that it

looks at and determines cannot be answered internally—that is,

not locally to Joe’s system. Why? Because the browser wants a

page that is not stored locally. So, now searching for a network

entity to answer the request, it chooses the protocol it knows the

answer for this request will come back on (in this case, port 80

for HTTP) and starts putting together what will become a session

—a bunch of segments sent back and forth to accomplish a goal.

Since this is an Ethernet TCP/IP network, Joe’s computer talks

to other systems using a format of bits arranged in specific or-

der. These collections of bits in a specific order are called frames

(Figure 1-3 shows a basic Ethernet frame), are built from the in-

side out, and rely on information handed down from upper lay-

ers. In this example, the Application layer will “hand down” an

HTTP request (data) to the Transport layer. At this layer, Joe’s

computer looks at the HTTP request and (because it knows HTTP

usually works this way) knows this needs to be a connection-ori-

ented session, with stellar reliability to ensure Joe gets every-

thing he asks for without losing anything. It calls on the

Transmission Control Protocol (TCP) for that. TCP will go out in a

series of messages to set up a communications session with the

end station, including a three-step handshake to get things going.

This handshake includes a Synchronize segment (SYN), a

Synchronize Acknowledgment segment (SYN/ACK), and an

Acknowledgment segment (ACK). The first of these—the SYN seg-

ment asking the other computer whether it’s awake and wants

to talk—gets handed down for addressing to the Internet layer.

Figure 1-3 An Ethernet frame

This layer needs to figure out what network the request will

be answered from (after all, there’s no guarantee it’ll be local—it

could be anywhere in the world). It does its job by using another

protocol (DNS) to ask what IP address belongs to the URL Joe

typed. When that answer comes back, it builds a packet for deliv-

ery (which consists of the original data request, the TCP header

[SYN], and the IP packet information affixed just before it) and

“hands down” the packet to the Network Access layer for

delivery.

EXAM TIP    I know it’s not covered right here (we’re going to get

to it later in Chapter 3), but you really need to know subnetting.

You’ll see anywhere from two to five questions per exam on it.

There are dozens and dozens of good resources on the Internet

to help you on this—just search for “learn subnetting” or some-

thing like that and practice.

Here, Joe’s computer needs to find an address on its local sub-

net to deliver the packet to (because every computer is only con-

cerned with, and capable of, sending a message to a machine in-

side its own subnet). It knows its own physical address but has

no idea what physical address belongs to the system that will be

answering. The IP address of this device is known—thanks to

DNS—but the local, physical address is not. To gain that, Joe’s

computer employs yet another protocol, ARP, to figure that out,

and when that answer comes back (in this case, the gateway, or

local router port), the frame can then be built and sent out to the

network (for you network purists out there screaming that ARP

isn’t needed for networks that the host already knows should be

sent to the default gateway, calm down—it’s just an introductory

paragraph). This process of asking for a local address to forward

the frame to is repeated at every link in the network chain: ev-

ery time the frame is received by a router along the way, the

router strips off the frame header and trailer and rebuilds the

frame based on new ARP answers for that network chain.

Finally, when the frame is received by the destination, the server

will keep stripping off and handing up bit, frame, packet, seg-

ment, and data PDUs, which should result—if everything has

worked right—in the return of a SYN/ACK message to get things

going.

NOTE    This introductory section covers only TCP. UDP—the

connectionless, fire-and-forget transport protocol—has its own

segment structure (called a datagram) and purpose. There are

not as many steps with best-effort delivery, but you’ll find UDP

just as important and valuable to your knowledge base as TCP.

To see this in action, take a quick look at the frames at each

link in the chain from Joe’s computer to a server in Figure 1-4.

Note that the frame is ripped off and replaced by a new one to

deliver the message within the new network; the source and

destination MAC addresses will change, but IPs never do.

Figure 1-4 Ethernet frames in transit

EXAM TIP    Learn the three-way handshake, expressed as SYN,

SYN/ACK, ACK. Know it. Live it. Love it. You will get asked about

this, in many ways and formats, several times on your exam.

Although tons and tons of stuff has been left out—such as port

and sequence numbers, which will be of great importance to

you later—this touches on all the basics for TCP/IP networking.

We’ll be covering it over and over again, and in more detail,

throughout this book, so don’t panic if it’s not all registering with

you yet. Patience, Grasshopper—this is just an introduction,

remember?

One final thing I should add here before moving on, however,

is the concept of network security zones. The idea behind this is

that you can divide your networks in such a way that you have

the opportunity to manage systems with specific security actions

to help control inbound and outbound traffic. You’ve probably

heard of these before, but I’d be remiss if I didn’t add them here.

The five zones ECC defines are as follows:

•   Internet Outside the boundary and uncontrolled. You don’t ap-

ply security policies to the Internet. Governments try to all the

time, but your organization can’t.

•   Internet DMZ The acronym DMZ (for Demilitarized Zone) comes

from the military and refers to a section of land between two ad-

versarial parties where there are no weapons or fighting. The

idea is you can see an adversary coming across the DMZ and

have time to work up a defense. In networking, the idea is the

same: it’s a controlled buffer network between you and the un-

controlled chaos of the Internet.

NOTE    DMZs aren’t just between the Internet and a network;

they can be anywhere an organization decides they want or

need a buffer—inside or outside various internets and intranets.

DMZ networks provide great opportunity for good security mea-

sures, but can also sometimes become an Achilles’ heel when too

much trust is put into their creation and maintenance.

•   Production Network Zone A very restricted zone that strictly

controls direct access from uncontrolled zones. The PNZ doesn’t

hold users.

•   Intranet Zone A controlled zone that has little-to-no heavy re-

strictions. This is not to say everything is wide open on the

Intranet Zone, but communication requires fewer strict controls

internally.

•   Management Network Zone Usually an area you’d find rife

with VLANs and maybe controlled via IPSec and such. This is a

highly secured zone with very strict policies.

Vulnerabilities

I struggled with just where, when, and how to add a discussion

on vulnerabilities in this book we’re putting together and finally

landed on here as the best place. Why? Because this is bedrock,

101-type information that many in security just assume you al-

ready know. I know it seems easy enough, and you can find vast

resources out there to help educate yourself quickly, but it seems

to me if nobody actually shows or tells you the hows and whys

on something, how can you be expected to just know it?

In our romp through “things you’re already supposed to

know,” we need to spend a few cursory moments on what, ex-

actly, defines a vulnerability and a few basics on vulnerabilities

in particular. A vulnerability is simply a weakness that can be

exploited by an attacker to perform unauthorized actions within

a computer or network system. Since our job as security profes-

sionals is to keep our systems safe, and your job as a pen tester is

to point out the weaknesses in security design, it follows that we

should all know vulnerability management well and do our best

at keeping vulnerabilities to a minimum.

So how does one know what vulnerabilities are out there and

what dangers they might provide? And is there a ranking system

of sorts to determine which vulnerabilities are more dangerous

than others? Glad you asked. First, if you’re looking for lists of

vulnerabilities and resources on them, try a few of the following

links to get you started (there are plenty others; these are just a

few of the ones available):

•   Microsoft Vulnerability Research (technet.microsoft.com)

•   Security Focus (www.securityfocus.com)

•   Hackerstorm (www.hackerstorm.co.uk)

•   Exploit Database (www.exploit-db.com)

•   Security Magazine (www.securitymagazine.com)

•   Trend Micro (www.trendmicro.com)

•   Dark Reading (www.darkreading.com)

Next, if you’re looking for ways to quantify the danger or risk

particular vulnerabilities have, try the Common Vulnerability

Scoring System (CVSS, https://www.first.org/cvss/), which is “a

published standard used by organizations worldwide” and “pro-

vides a way to capture the principal characteristics of a vulnera-

bility and produce a numerical score reflecting its severity. The

numerical score can then be translated into a qualitative repre-

sentation (such as low, medium, high, and critical) to help orga-

nizations properly assess and prioritize their vulnerability man-

agement processes.” Want more? How about the National

Vulnerability Database (NVD, https://nvd.nist.gov/vuln-

metrics/cvss), the “U.S. government repository of standards

based vulnerability management data represented using the

Security Content Automation Protocol (SCAP). This data enables

automation of vulnerability management, security measure-

ment, and compliance.”

As a pen tester, you need to remain as up to date on active

vulnerabilities as possible (knowledge of new ones pop up all

the time). ECC drops all vulnerabilities into a series of categories,

and they are for the most part self-explanatory:

•   Misconfiguration A misconfiguration of the service or applica-

tion settings.

•   Default Installations Sometimes the installation of an applica-

tion or service using default locations and settings opens a vul-

nerability (sometimes discovered well after the release of the ap-

plication or service).

•   Buffer Overflows Covered later in this book, buffer overflows

are flaws in execution allowing an attacker to take advantage of

bad coding.

•   Missing Patches (Unpatched Servers) Despite patching for a

known security flaw being available, many systems are not

patched for a variety of reasons, leaving them vulnerable to

attack.

•   Design Flaws These are flaws universal to all operating systems

—things like encryption, data validation, logic flaws, and so on.

•   Operating System Flaws These are flaws in a specific OS

(Windows versus Linux, and so on).

•   Application Flaws Flaws inherit to the application coding and

function itself.

•   Open Services Services that are not actively used on the system

but remain open anyway (usually due to negligence or igno-

rance) can be targets.

•   Default Passwords Leaving a default password in place on a

system is asking for trouble.

Lastly, just because a vulnerability exists doesn’t necessarily

mean your system is at huge risk. For example, my computer sit-

ting right here in my home office is vulnerable to bear attack:

there is, literally, no way it could survive a mauling by a grizzly

bear. But what are the odds a bear is gonna come through my

front door and, maybe enraged by the red LED stripes across the

front and back, attack the system? And what are the odds that,

even if the bear came into the house, I wouldn’t blast it with my

357 Magnum sidearm, preventing the attack in the first place?

Sure it’s a ridiculous example, but it proves a point: vulnera-

bilities are always present on your system, and your job as a se-

curity professional is to put as many security controls as realisti-

cally possible in place to prevent their exploitation.

Vulnerability and risk assessments are designed specifically to

look at potential vulnerabilities on your system versus the actual

likelihood of their exploitation. How hard would it be to exploit

the vulnerability? Is it even possible for an attacker given the se-

curity controls put into place? While we’re on that subject, what

are those security controls and how do they work in preventing

access or exploitation? All of these are questions auditors and se-

curity folks deal with on a daily basis. Start with a solid baseline

of your system, a full and complete inventory of what you have

and what those systems are vulnerable to, then plan and act

accordingly.

NOTE    Vulnerability management tools, as listed and defined

by ECC, include but are not limited to Nessus

(www.tenable.com), Qualys (www.qualys.com), GFI Languard

(www.gfi.com), Nikto (https://cirt.net), OpenVAS

(www.openvas.org), and Retina CS (www.beyondtrust.com).

Security Basics

If there were a subtitle to this section, I would have called it

“Ceaseless Definition Terms Necessary for Only a Few Questions

on the Exam.” There are tons of these, and I gave serious

thought to skipping them all and just leaving you to the glossary.

However, because I’m in a good mood and, you know, I

promised my publisher I’d cover everything, I’ll give it a shot

here. And, at least for some of these, I’ll try to do so using contex-

tual clues in a story.

Bob and Joe used to be friends in college, but had a falling out

over doughnuts. Bob insisted Krispy Kreme’s were better, but Joe

was a Dunkin’ fan, and after much yelling and tossing of fried

dough they became mortal enemies. After graduation they went

their separate ways exploring opportunities as they presented

themselves. Eventually Bob became Security Guy Bob, in charge

of security for Orca Pig (OP) Industries, Inc., while Joe made

some bad choices and went on to become Hacker Joe.

After starting, Bob noticed most decisions at OP were made in

favor of usability over functionality and security. He showed a

Security, Functionality, and Usability triangle (see Figure 1-5) to

upper management, visually displaying that moving toward one

of the three lessened the other two, and security was sure to suf-

fer long term. Management noted Bob’s concerns and summarily

dismissed them as irrational, as budgets were tight and business

was good.

Figure 1-5 The Security, Functionality, and Usability triangle

One day a few weeks later, Hacker Joe woke up and decided

he wanted to be naughty. He went out searching for a target of

hack value, so he wouldn’t waste time on something that didn’t

matter. In doing so, he found OP, Inc., and smiled when he saw

Bob’s face on the company directory. He searched and found a

target, researching to see if it had any weaknesses, such as soft-

ware flaws or logic design errors. A particular vulnerability did

show up on the target, so Joe researched attack vectors and dis-

covered—through his super-secret hacking background contacts

—an attack the developer of some software on the target appar-

ently didn’t even know about since they hadn’t released any

kind of security patch or fix to address the problem. This zero-

day attack vector required a specific piece of exploit code he

could inject through a hacking tactic he thought would work.

After obfuscating this payload and embedding it in an attack, he

started.

After pulling off the successful exploit and owning the box, Joe

explored what additional access the machine could grant him.

He discovered other targets and vulnerabilities, and successfully

configured access to all. His daisy-chaining of network access

then gave him options to set up several machines on multiple

networks he could control remotely to execute really whatever

he wanted. These bots could be accessed any time he wanted, so

Joe decided to prep for more carnage. He also searched publicly

available databases and social media for personally identifiable

information (PII) about Bob and then posted his findings. After

this doxing effort, Joe took a nap, dreaming about what embar-

rassment Bob would have rain down on him the next day.

EXAM TIP    Another fantastic bit of terminology from ECC-land

you may see is “threat modeling.” It’s exactly what it sounds like

and consists of five sections: Identify Security Objectives,

Application Overview, Decompose Application, Identify Threats,

and Identify Vulnerabilities.

After discovering PII posts about himself, Bob worries that

something is amiss, and wonders if his old nemesis is back and

on the attack. He does some digging and discovers Joe’s attack

from the previous evening, and immediately engages his inci-

dent response team (IRT) to identify, analyze, prioritize, and re-

solve the incident. The team first reviews detection and quickly

analyzes the exploitation, in order to notify the appropriate

stakeholders. The team then works to contain the exploitation,

eradicate residual back doors and such, and coordinate recovery

for any lost data or services. After following this incident man-

agement process, the team provides post-incident reporting and

lessons learned to management.

NOTE    Here’s a great three-dollar term you might see on the

exam: EISA. Enterprise Information Security Architecture is a

collection of requirements and processes that help determine

how an organization’s information systems are built and how

they work.

Post-incident reporting suggested to leadership they focus

more attention on security, and, in one section of the report in

particular, that they adopt the means to identify what risks are

present and quantify them on a measurement scale. This risk

management approach would allow them to come up with solu-

tions to mitigate, eliminate, or accept the identified risks (see

Figure 1-6 for a sample risk analysis matrix).

Figure 1-6 Risk analysis matrix

EXAM TIP    The risk management phases identified by EC-

Council are Risk Identification, Risk Assessment, Risk Treatment,

Risk Tracking, and Risk Review. Each phase is fairly self-explana-

tory, and you may see mention of them on your exam.

Identifying organizational assets, the threats to those assets,

and their vulnerabilities would allow the company to explore

which countermeasures security personnel could put into place

to minimize risks as much as possible. These security controls

would then greatly increase the security posture of the systems.

NOTE    Security controls can also be categorized as physical,

technical, and administrative. Physical controls include things

such as guards, lights, and cameras. Technical controls include

things such as encryption, smartcards, and access control lists.

Administrative controls include the training, awareness, and

policy efforts that are well intentioned, comprehensive, and well

thought out—and that most employees ignore. Hackers will com-

bat physical and technical controls to get to their end goal, but

they don’t give a rip about your administrative password policy

—unless it’s actually followed.

Some of these controls were to be put into place to prevent er-

rors or incidents from occurring in the first place, some were to

identify an incident had occurred or was in progress, and some

were designed for after the event to limit the extent of damage

and aid swift recovery. These preventative, detective, and correc-

tive controls can work together to reduce Joe’s ability to further

his side of the great Doughnut Fallout.

EXAM TIP    Know preventive, detective, and corrective mea-

sures. Examples of each include authentication (preventative),

alarm bells for unauthorized access to a physical location, alerts

on unauthorized access to resources, audits (detective), and

backups and restore options (corrective). You will definitely be

asked about them, in one way or another.

This effort spurred a greater focus on overall preparation and

security. Bob’s quick action averted what could have been a total

disaster, but everyone involved saw the need for better planning

and preparation. Bob and management kicked off an effort to

identify the systems and processes that were critical for opera-

tions. This business impact analysis (BIA) included measure-

ments of the maximum tolerable downtime (MTD), which pro-

vided a means to prioritize the recovery of assets should the

worst occur. Bob also branched out and created Orca Pig’s first

set of plans and procedures to follow in the event of a failure or

a disaster—security related or not—to get business services back

up and running. His business continuity plan (BCP) included a

disaster recovery plan (DRP), addressing exactly what to do to re-

cover any lost data or services.

Bob also did some research his management should have, and

discovered some additional actions and groovy acronyms they

should know and pay attention to. When putting numbers and

value to his systems and services, the ALE (annualized loss ex-

pectancy) turned out to be the product of the ARO (annual rate of

occurrence) and the SLE (single loss expectancy). For his first ef-

fort, he looked at one system and determined its worth, includ-

ing the cost for return to service and any lost revenue during

downtime, was $120,000. Bob made an educated guess on the

percentage of loss for this asset if a specific threat was actually

realized and determined the exposure factor (EF) turned out to

be 25 percent. He multiplied this by the asset value and came up

with an SLE of $30,000 ($120,000 × 25%). He then figured out

what he felt would be the probability this would occur in any

particular 12-month period. Given statistics he garnered from

similarly protected businesses, he thought it could occur once

every five years, which gave him an ARO of 0.2 (one occurrence /

five years). By multiplying the estimate of a single loss versus

the number of times it was likely to occur in a year, Bob could

generate the ALE for this asset at $6000 ($30,000 × 0.2).

Repeating this across Orca Pig’s assets turned out to provide

valuable information for planning, preparation, and budgeting.

EXAM TIP    ALE = SLE × ARO. Know it. Trust me.

At the end of this effort week, Bob relaxed with a Maker’s

Mark and an Arturo Fuente on his back porch, smiling at all the

good security work he’d done and enjoying the bonus his leader-

ship provided as a reward. Joe stewed in his apartment, angry

that his work would now be exponentially harder. But while Bob

took the evening to rest on his laurels, Joe went back to work,

scratching and digging at OP’s defenses. “One day I’ll find a way

in. Just wait and see. I won’t stop. Ever.”

NOTE    Oftentimes security folks tend to get caught up in the

101-level items and catch words we all know. We make sure we

investigate vulnerabilities, manage risks, and establish policies,

while we sometimes ignore the biggest issue we have right in

front of us—the users. ECC calls this out in User Behavior

Analytics (UBA). UBA is a process of tracking user behaviors

themselves, and extrapolating those behaviors in light of mali-

cious activity, attacks, and frauds. There are behavior-based in-

trusion detection systems (IDSs) out there, but don’t overlook

UBA in your own security efforts.

Now, wasn’t that better than just reading definitions? Sure,

there were a few leaps, and Bob surely wouldn’t be the guy do-

ing ALE measurements, but it was better than trying to explain

all that otherwise. Every italicized word in this section could

possibly show up on your exam, and now you can just remem-

ber this little story and you’ll be ready for almost anything. But

although this was fun, and I did consider continuing the story

throughout the remainder of this book (fiction is so much more

entertaining), some of these topics need a little more than a pass-

ing italics reference, so we’ll break here and go back to more

“expected” writing.

CIA

Another bedrock in any security basics discussion is the holy

trinity of IT security: confidentiality, integrity, and availability

(CIA). Whether you’re an ethical hacker or not, these three items

constitute the hallmarks of security we all strive for. You’ll need

to be familiar with two aspects of each term in order to achieve

success as an ethical hacker as well as on the exam: what the

term itself means and which attacks are most commonly associ-

ated with it.

Confidentiality, addressing the secrecy and privacy of informa-

tion, refers to the measures taken both to prevent disclosure of

information or data to unauthorized individuals or systems and

to ensure the proper disclosure of information to those who are

authorized to receive it. Confidentiality for the individual is a

must, considering its loss could result in identity theft, fraud,

and loss of money. For a business or government agency, it could

be even worse. The use of passwords within some form of au-

thentication is by far the most common measure taken to ensure

confidentiality, and attacks against passwords are, amazingly

enough, the most common confidentiality attacks.

For example, your logon to a network usually consists of a

user ID and a password, which is designed to ensure only you

have access to that particular device or set of network resources.

If another person were to gain your user ID and password, they

would have unauthorized access to resources and could mas-

querade as you throughout their session. Although the user ID

and password combination is by far the most common method

used to enforce confidentiality, numerous other options are

available, including biometrics and smartcards.

EXAM TIP    Be careful with the terms confidentiality and au-

thentication. Sometimes these two are used interchangeably, and

if you’re looking for only one, you may miss the question alto-

gether. For example, a MAC address spoof (using the MAC ad-

dress of another machine) is considered an authentication at-

tack. Authentication is definitely a major portion of the confi-

dentiality segment of IT security.

The Stone Left Unturned

Security professionals deal with, and worry about, risk manage-

ment a lot. We create and maintain security plans, deal with

endless audits, create and monitor ceaseless reporting to govern-

ment, and employ bunches of folks just to maintain “quality” as

it applies to the endless amounts of processes and procedures

we have to document. Yet with all this effort, there always seems

to be something left out—some stone left unturned that a bad

guy takes advantage of.

Don’t take my word for it; just check the news and the statis-

tics. Seemingly every day there is a news story about a major

data breach somewhere. OPM lost millions of PII records to

hackers. eBay had 145 million user accounts compromised.

JPMorgan Chase had over 70 million home and business records

compromised, and the list goes on and on. In 2015, per Breach

Level Index (http://breachlevelindex.com) statistics, over 3 bil-

lion data records—that we know about—were stolen, and the

vast majority were lost to a malicious outsider (not accidental,

state sponsored, or the always-concerning disgruntled employee

malicious insider).

All this leads to a couple questions. First, IT security profes-

sionals must be among the most masochistic people on the

planet. Why volunteer to do a job where you know, somewhere

along the line, you’re more than likely going to fail at it and, at

the very least, be yelled at over it? Second, if there are so many

professionals doing so much work and breaches still happen, is

there something outside their control that leads to these fail-

ures? As it turns out, the answer is “Not always, but oftentimes

YES.”

Sure, there were third-party failures in home-grown web ap-

plications to blame, and of course there were default passwords

left on outside-facing machines. There were also several legiti-

mate attacks that occurred because somebody, somewhere

didn’t take the right security measure to protect data. But, at

least for 2015, phish-ing and social engineering played a large

role in many cases, and zero-day attacks represented a huge seg-

ment of the attack vectors. Can security employees be held ac-

countable for users not paying attention to the endless array of

annual security training shoved down their throats advising

them against clicking on e-mail links? Should your security engi-

neer be called onto the carpet because employees still, still, just

give their passwords to people on the phone or over e-mail

when they’re asked for them? And I’m not even going to touch

zero day—if we could predict stuff like that, we’d all be lottery

winners.

Security folks can, and should, be held to account for ignoring

due diligence in implementing security on their networks. If a

system gets compromised because we were lax in providing

proper monitoring and oversight, and it leads to corporate-wide

issues, we should be called to account. But can we ever uncover

all those stones during our security efforts across an organiza-

tion? Even if some of those stones are based on human nature? I

fear the answer is no. Because some of them won’t budge.

Integrity refers to the methods and actions taken to protect

the information from unauthorized alteration or revision—

whether the data is at rest or in transit. In other words, integrity

measures ensure the data sent from the sender arrives at the re-

cipient with no alteration. For example, imagine a buying agent

sending an e-mail to a customer offering the price of $300. If an

attacker somehow has altered the e-mail and changed the offer-

ing price to $3000, the integrity measures have failed, and the

transaction will not occur as intended, if at all. Oftentimes, at-

tacks on the integrity of information are designed to cause em-

barrassment or legitimate damage to the target.

Integrity in information systems is often ensured through the

use of a hash. A hash function is a one-way mathematical algo-

rithm (such as MD5 and SHA-1) that generates a specific, fixed-

length number (known as a hash value). When a user or system

sends a message, a hash value is also generated to send to the re-

cipient. If even a single bit is changed during the transmission of

the message, instead of showing the same output, the hash func-

tion will calculate and display a greatly different hash value on

the recipient system. Depending on the way the controls within

the system are designed, this would result in either a retransmis-

sion of the message or a complete shutdown of the session.

EXAM TIP    Bit flipping is one form of an integrity attack. In bit

flipping, the attacker isn’t interested in learning the entirety of

the plain-text message. Instead, bits are manipulated in the ci-

pher text itself to generate a predictable outcome in the plain

text once it is decrypted.

Availability is probably the simplest, easiest-to-understand

segment of the security triad, yet it should not be overlooked. It

refers to the communications systems and data being ready for

use when legitimate users need them. Many methods are used

for availability, depending on whether the discussion is about a

system, a network resource, or the data itself, but they all at-

tempt to ensure one thing—when the system or data is needed,

it can be accessed by the appropriate personnel.

Attacks against availability almost always fall into the “denial-

of-service” realm. Denial-of-service (DoS) attacks are designed to

prevent legitimate users from having access to a computer re-

source or service and can take many forms. For example, attack-

ers could attempt to use all available bandwidth to the network

resource, or they may actively attempt to destroy a user’s au-

thentication method. DoS attacks can also be much simpler than

that—unplugging the power cord is the easiest DoS in history!

NOTE    Many in the security field add other terms to the secu-

rity triad. I’ve seen several CEH study guides refer to the term

authenticity as one of the “four elements of security.” It’s not

used much outside the certification realm, however; the term is

most often used to describe something as “genuine.” For exam-

ple, digital signatures can be used to guarantee the authenticity

of the person sending a message. Come test time, this may help.

Access Control Systems

While we’re on the subject of computer security, I think it may

be helpful to step back and look at how we all got here, and take

a brief jog through some of the standards and terms that came

out of all of it. In the early days of computing and networking,

it’s pretty safe to say security wasn’t high on anyone’s to-do list.

As a matter of fact, in most instances security wasn’t even an af-

terthought, and unfortunately it wasn’t until things started get-

ting out of hand that anyone really started putting any effort

into it. The sad truth about a lot of security is that it came out of

a reactionary stance, and very little thought was put into it as a

proactive effort—until relatively recently, anyway.

This is not to say nobody tried at all. As a matter of fact, in

1983 some smart guys at the U.S. Department of Defense saw the

future need for protection of information (government informa-

tion, that is) and worked with the NSA to create the National

Computer Security Center (NCSC). This group got together and

created a variety of security manuals and steps, and published

them in a book series known as the “Rainbow Series.” The cen-

terpiece of this effort came out as the “Orange Book,” which held

something known as the Trusted Computer System Evaluation

Criteria (TCSEC).

TCSEC was a United States government Department of

Defense (DoD) standard, with a goal to set basic requirements

for testing the effectiveness of computer security controls built

into a computer system. The idea was simple: if your computer

system (network) was going to handle classified information, it

needed to comply with basic security settings. TCSEC defined

how to assess whether these controls were in place, and how

well they worked. The settings, evaluations, and notices in the

Orange Book (for their time) were well thought out and proved

their worth in the test of time, surviving all the way up to 2005.

However, as anyone in security can tell you, nothing lasts

forever.

TCSEC eventually gave way to the Common Criteria for

Information Technology Security Evaluation (also known as

Common Criteria, or CC). Common Criteria had actually been

around since 1999, and finally took precedence in 2005. It pro-

vided a way for vendors to make claims about their in-place se-

curity by following a set standard of controls and testing meth-

ods, resulting in something called an Evaluation Assurance Level

(EAL). For example, a vendor might create a tool, application, or

computer system and desire to make a security declaration.

They would then follow the controls and testing procedures to

have their system tested at the EAL (Levels 1–7) they wished to

have. Assuming the test was successful, the vendor could claim

“Successfully tested at EAL-4.”

Common Criteria is, basically, a testing standard designed to

reduce or remove vulnerabilities from a product before it is re-

leased. Besides EAL, three other terms are associated with this

effort you’ll need to remember:

•   Target of evaluation (TOE)   What is being tested

•   Security target (ST)   The documentation describing the TOE

and security requirements

•   Protection profile (PP)   A set of security requirements specifi-

cally for the type of product being tested

While there’s a whole lot more to it, suffice it to say CC was de-

signed to provide an assurance that the system is designed, im-

plemented, and tested according to a specific security level. It’s

used as the basis for government certifications and is usually

tested for U.S. government agencies.

Lastly in our jaunt through terminology and history regarding

security and testing, we have a couple terms to deal with. One of

these is the overall concept of access control itself. Access control

basically means restricting access to a resource in some selective

manner. There are numerous terms you can fling about in dis-

cussing this to make you sound really intelligent (subject, initia-

tor, authorization, and so on), but I’ll leave all that for the glos-

sary. Here, we’ll just talk about a couple of ways of implement-

ing access control: mandatory and discretionary.

Mandatory access control (abbreviated to MAC) is a method of

access control where security policy is controlled by a security

administrator: users can’t set access controls themselves. In

MAC, the operating system restricts the ability of an entity to ac-

cess a resource (or to perform some sort of task within the sys-

tem). For example, an entity (such as a process) might attempt to

access or alter an object (such as files, TCP or UDP ports, and so

on). When this occurs, a set of security attributes (set by the pol-

icy administrator) is examined by an authorization rule. If the

appropriate attributes are in place, the action is allowed.

By contrast, discretionary access control (DAC) puts a lot of

this power in the hands of the users themselves. DAC allows

users to set access controls on the resources they own or control.

Defined by the TCSEC as a means of “restricting access to objects

based on the identity of subjects and/or groups to which they be-

long,” the idea is controls are discretionary in the sense that a

subject with a certain access permission is capable of passing

that permission (perhaps indirectly) on to any other subject (un-

less restrained by mandatory access control). A couple of exam-

ples of DAC include NTFS permissions in Windows machines

and Unix’s use of users, groups, and read-write-execute

permissions.

EXAM TIP    You won’t see many questions concerning Common

Criteria or access control mechanisms on your exam, but I can

guarantee you’ll see at least a couple. Pay attention to the four

parts of Common Criteria (EAL, TOE, ST, and PP) and specific ex-

amples of access control.

Security Policies

When I saw EC-Council dedicating so much real estate in its writ-

ing to security policies, I groaned in agony. Any real practitioner

of security will tell you policy is a great thing, worthy of all the

time, effort, sweat, cursing, and mind-numbing days staring at a

template, if only you could get anyone to pay attention to it.

Security policy (when done correctly) can and should be the

foundation of a good security function within your business.

Unfortunately, it can also turn into a horrendous amount of

memorization and angst for certification test takers because it’s

not always clear.

A security policy can be defined as a document describing the

security controls implemented in a business to accomplish a

goal. Perhaps an even better way of putting it would be to say

the security policy defines exactly what your business believes is

the best way to secure its resources. Different policies address a

variety of issues, such as defining user behavior within and out-

side the system, preventing unauthorized access or manipula-

tion of resources, defining user rights, preventing disclosure of

sensitive information, and addressing legal liability for users

and partners. There are worlds of different security policy types,

with some of the more common ones identified here:

•   Access Control Policy This identifies the resources that need

protection and the rules in place to control access to those

resources.

•   Information Security Policy This identifies to employees what

company systems may be used for, what they cannot be used

for, and what the consequences are for breaking the rules.

Generally employees are required to sign a copy before access-

ing resources. Versions of this policy are also known as an

Acceptable Use Policy.

•   Information Protection Policy This defines information sensi-

tivity levels and who has access to those levels. It also addresses

how data is stored, transmitted, and destroyed.

•   Password Policy This defines everything imaginable about pass-

words within the organization, including length, complexity,

maximum and minimum age, and reuse.

•   E-mail Policy Sometimes also called the E-mail Security Policy,

this addresses the proper use of the company e-mail system.

•   Information Audit Policy This defines the framework for audit-

ing security within the organization. When, where, how, how of-

ten, and sometimes even who conducts information security au-

dits are described here.

There are many other types of security policies, and we could

go on and on, but you get the idea. Most policies are fairly easy

to understand simply based on the name. For example, it

shouldn’t be hard to determine that the Remote Access Policy

identifies who can have remote access to the system and how

they go about getting that access. Other easy-to-recognize poli-

cies include User Account, Firewall Management, Network

Connection, and Special Access.

Lastly, and I wince in including this because I can hear you

guys in the real world grumbling already, but believe it or not,

EC-Council also looks at policy through the prism of how tough it

is on users. A promiscuous policy is basically wide open,

whereas a permissive policy blocks only things that are known to

be dangerous. The next step up is a prudent policy, which pro-

vides maximum security but allows some potentially and known

dangerous services because of business needs. Finally, a para-

noid policy locks everything down, not even allowing the user to

open so much as an Internet browser.

EXAM TIP    In this discussion there are four other terms worth

committing to memory. Standards are mandatory rules used to

achieve consistency. Baselines provide the minimum security

level necessary. Guidelines are flexible, recommended actions

users are to take in the event there is no standard to follow. And,

finally, procedures are detailed step-by-step instructions for ac-

complishing a task or goal.

Introduction to Ethical Hacking

Ask most people to define the term hacker, and they’ll instantly

picture a darkened room, several monitors ablaze with green

text scrolling across the screen, and a shady character in the cor-

ner furiously typing away on a keyboard in an effort to break or

steal something. Unfortunately, a lot of that is true, and a lot of

people worldwide actively participate in these activities for that

very purpose. However, it’s important to realize there are differ-

ences between the good guys and the bad guys in this realm. It’s

the goal of this section to help define the two groups for you, as

well as provide some background on the basics.

Whether for noble or bad purposes, the art of hacking re-

mains the same. Using a specialized set of tools, techniques,

knowledge, and skills to bypass computer security measures al-

lows someone to “hack” into a computer or network. The pur-

pose behind their use of these tools and techniques is really the

only thing in question. Whereas some use these tools and tech-

niques for personal gain or profit, the good guys practice them

in order to better defend their systems and, in the process, pro-

vide insight on how to catch the bad guys.

Hacking Terminology

Like any other career field, hacking (ethical hacking) has its own

lingo and a myriad of terms to know. Hackers themselves, for in-

stance, have various terms and classifications to fall into. For ex-

ample, you may already know that a script kiddie is a person un-

educated in hacking techniques who simply makes use of freely

available (but oftentimes old and outdated) tools and techniques

on the Internet. And you probably already know that a phreaker

is someone who manipulates telecommunications systems in or-

der to make free calls. But there may be a few terms you’re unfa-

miliar with that this section may be able to help with. Maybe you

simply need a reference point for test study, or maybe this is all

new to you; either way, perhaps there will be a nugget or two

here to help on the exam.

In an attempt to avoid a 100-page chapter of endless defini-

tions and to attempt to assist you in maintaining your sanity in

studying for this exam, we’ll stick with the more pertinent infor-

mation you’ll need to remember, and I recommend you peruse

the glossary at the end of this book for more information. You’ll

see these terms used throughout the book anyway, and most of

them are fairly easy to figure out on your own, but don’t dis-

count the definitions you’ll find in the glossary. Besides, I

worked really hard on the glossary—it would be a shame if it

went unnoticed.

EXAM TIP    Definition questions should be no-brainers on the

exam. Learn the hacker types, the stages of a hack, and other

definitions in the chapter—don’t miss the easy ones.

Hacker Classifications: The Hats

You can categorize a hacker in countless ways, but the “hat” sys-

tem seems to have stood the test of time. I don’t know if that’s

because hackers like Western movies or we’re all just fascinated

with cowboy fashion, but it’s definitely something you’ll see over

and over again on your exam. The hacking community in gen-

eral can be categorized into three separate classifications: the

good, the bad, and the undecided. In the world of IT security, this

designation is given as a hat color and should be fairly easy for

you to keep track of.

•   White hats Considered the good guys, these are the ethical hack-

ers, hired by a customer for the specific goal of testing and im-

proving security or for other defensive purposes. White hats are

well respected and don’t use their knowledge and skills without

prior consent. White hats are also known as security analysts.

•   Black hats Considered the bad guys, these are the crackers, ille-

gally using their skills for either personal gain or malicious in-

tent. They seek to steal (copy) or destroy data and to deny access

to resources and systems. Black hats do not ask for permission

or consent.

•   Gray hats The hardest group to categorize, these hackers are

neither good nor bad. Generally speaking, there are two subsets

of gray hats—those who are simply curious about hacking tools

and techniques and those who feel like it’s their duty, with or

without customer permission, to demonstrate security flaws in

systems. In either case, hacking without a customer’s explicit

permission and direction is usually a crime.

NOTE    Lots of well-meaning hacker types have found employ-

ment in the security field by hacking into a system and then in-

forming the victim of the security flaws so that they can be fixed.

However, many more have found their way to prison attempting

the same thing. Regardless of your intentions, do not practice

hacking techniques without approval. You may think your hat is

gray, but I guarantee the victim sees only black.

While we’re on the subject, another subset of this community

uses its skills and talents to put forward a cause or a political

agenda. These people hack servers, deface websites, create

viruses, and generally wreak all sorts of havoc in cyberspace un-

der the assumption that their actions will force some societal

change or shed light on something they feel to be a political in-

justice. It’s not some new anomaly in human nature—people

have been protesting things since the dawn of time—it has just

moved from picket signs and marches to bits and bytes. In gen-

eral, regardless of the intentions, acts of “hacktivism” are usu-

ally illegal in nature.

Another class of hacker borders on the insane. Some hackers

are so driven, so intent on completing their task, they are willing

to risk everything to pull it off. Whereas we, as ethical hackers,

won’t touch anything until we’re given express consent to do so,

these hackers are much like hacktivists and feel that their rea-

son for hacking outweighs any potential punishment. Even will-

ing to risk jail time for their activities, so-called suicide hackers

are the truly scary monsters in the closet. These guys work in a

scorched-earth mentality and do not care about their own safety

or freedom, not to mention anyone else’s.

EXAM TIP    ECC loves adding more definitions to the mix to

confuse the issue. Here are a few other ones to remember: script

kiddie (unskilled, using other’s scripts and tools), cyberterrorist

(motivated by religious or political beliefs to create fear and

large-scale systems disruption), and state-sponsored hacker (em-

ployed by a government).

Attack Types

Another area for memorization in our stroll through this intro-

duction concerns the various types of attacks a hacker could at-

tempt. Most of these are fairly easy to identify and seem, at

times, fairly silly to even categorize. After all, do you care what

the attack type is called if it works for you? For this exam, EC-

Council broadly defines all these attack types in four categories:

•   Operating system (OS) attacks Generally speaking, these at-

tacks target the common mistake many people make when in-

stalling operating systems—accepting and leaving all the de-

faults. Administrator accounts with no passwords, all ports left

open, and guest accounts (the list could go on forever) are exam-

ples of settings the installer may forget about. Additionally, oper-

ating systems are never released fully secure—they can’t be, if

you ever plan on releasing them within a timeframe of actual

use—so the potential for an old vulnerability in newly installed

operating systems is always a plus for the ethical hacker.

•   Application-level attacks These are attacks on the actual pro-

gramming code and software logic of an application. Although

most people are cognizant of securing their OS and network, it’s

amazing how often they discount the applications running on

their OS and network. Many applications on a network aren’t

tested for vulnerabilities as part of their creation and, as such,

have many vulnerabilities built into them. Applications on a net-

work are a gold mine for most hackers.

•   Shrink-wrap code attacks These attacks take advantage of the

built-in code and scripts most off-the-shelf applications come

with. The old refrain “Why reinvent the wheel?” is often used to

describe this attack type. Why spend time writing code to attack

something when you can buy it already “shrink-wrapped”?

These scripts and code pieces are designed to make installation

and administration easier but can lead to vulnerabilities if not

managed appropriately.

•   Misconfiguration attacks These attacks take advantage of sys-

tems that are, on purpose or by accident, not configured appro-

priately for security. Remember the triangle earlier and the

maxim “As security increases, ease of use and functionality de-

crease”? This type of attack takes advantage of the administrator

who simply wants to make things as easy as possible for the

users. Perhaps to do so, the admin will leave security settings at

the lowest possible level, enable every service, and open all fire-

wall ports. It’s easier for the users but creates another gold mine

for the hacker.

EXAM TIP    Infowar (as ECC loves to call it) is the use of offen-

sive and defensive techniques to create advantage over your ad-

versary. Defining which actions are offensive vs. defensive in na-

ture should be self-explanatory, so if you’re asked, use common

sense and reasoning. For example, a banner on your system

warning those attempting access that you’ll prosecute is defen-

sive in nature, acting as a deterrent.

Hacking Phases

Regardless of the intent of the attacker (remember there are

good guys and bad guys), hacking and attacking systems can

sometimes be akin to a pilot and her plane. That’s right, I said

“her.” My daughter is a helicopter pilot for the U.S. Air Force,

and because of this ultra-cool access, I get to talk with pilots

from time to time. I often hear them say, when describing a mis-

sion or event they were on, that they just “felt” the plane or heli-

copter—that they just knew how it was feeling and the best

thing to do to accomplish the goal, sometimes without even

thinking about it.

I was talking to my daughter a while back and asked her

about this human–machine relationship. She paused for a mo-

ment and told me that sure, it exists, and it’s uncanny to think

about why pilot A did action B in a split-second decision.

However, she cautioned, all that mystical stuff can never happen

without all the up-front training, time, and procedures. Because

the pilots followed a procedure and took their time up front, the

decision making and “feel” of the machine gets to come to

fruition.

Hacking phases, as identified by EC-Council, are a great way to

think about an attack structure for you, my hacking pilot

trainee. I’m not saying you shouldn’t take advantage of opportu-

nities when they present themselves just because they’re out of

order (if a machine presents itself willingly and you refuse the

attack, exclaiming, “But I haven’t reconned it yet!” I may have to

slap you myself), but in general following the plan will produce

quality results. Although there are many different terms for

these phases and some of them run concurrently and continu-

ously throughout a test, EC-Council has defined the standard

hack as having five phases, shown in Figure 1-7. Whether the at-

tacker is ethical or malicious, these five phases capture the full

breadth of the attack.

Figure 1-7 Phases of ethical hacking

EXAM TIP    Keep the phases of hacking in mind throughout

your study. You’ll most likely see several questions asking you to

identify not only what occurs in each step but which tools are

used in each one.

Reconnaissance is probably going to be the most difficult

phase to understand for the exam, mainly because many people

confuse some of its steps as being part of the next phase (scan-

ning and enumeration). Reconnaissance is nothing more than

the steps taken to gather evidence and information on the tar-

gets you want to attack. It can be passive in nature or active.

Passive reconnaissance involves gathering information about

your target without their knowledge, whereas active reconnais-

sance uses tools and techniques that may or may not be discov-

ered but put your activities as a hacker at more risk of discovery.

Another way of thinking about it is from a network perspective:

active is that which purposefully puts packets, or specific com-

munications, on a wire to your target, whereas passive does not.

For example, imagine your penetration test, also known as a

pen test, has just started and you know nothing about the com-

pany you are targeting. Passively, you may simply watch the out-

side of the building for a couple of days to learn employee habits

and see what physical security measures are in place. Actively,

you may simply walk up to the entrance or guard shack and try

to open the door (or gate). In either case, you’re learning valu-

able information, but with passive reconnaissance you aren’t

taking any action to signify to others that you’re watching.

Examples of actions that might be taken during this phase are

social engineering, dumpster diving, and network sniffing—all

of which are addressed throughout the remainder of this exam

study guide.

NOTE    Every pen tester on the planet who’s been knee-deep in

a dumpster with a guard’s flashlight in their face knows that

dumpster diving is about as passive an activity as participating

in a marathon. Just keep in mind that sometimes definitions and

reality don’t match up. For your exam, it’s passive. In real life,

it’s a big risk, and you’ll probably get stinky.

In the second phase, scanning and enumeration, security pro-

fessionals take the information they gathered in recon and ac-

tively apply tools and techniques to gather more in-depth infor-

mation on the targets. This can be something as simple as run-

ning a ping sweep or a network mapper to see what systems are

on the network, or as complex as running a vulnerability scan-

ner to determine which ports may be open on a particular sys-

tem. For example, whereas recon may have shown the network

to have 500 or so machines connected to a single subnet inside a

building, scanning and enumeration would tell you which ones

are Windows machines and which ones are running FTP.

The third phase, as they say, is where the magic happens. This

is the phase most people delightedly rub their hands together

over, reveling in the glee they know they will receive from by-

passing a security control. In the gaining access phase, true at-

tacks are leveled against the targets enumerated in the second

phase. These attacks can be as simple as accessing an open and

nonsecured wireless access point and then manipulating it for

whatever purpose, or as complex as writing and delivering a

buffer overflow or SQL injection against a web application. The

attacks and techniques used in the phase will be discussed

throughout the remainder of this study guide.

In the fourth phase, maintaining access, hackers attempt to

ensure they have a way back into the machine or system they’ve

already compromised. Back doors are left open by the attacker

for future use, especially if the system in question has been

turned into a zombie (a machine used to launch further attacks

from) or if the system is used for further information gathering

—for example, a sniffer can be placed on a compromised ma-

chine to watch traffic on a specific subnet. Access can be main-

tained through the use of Trojans, rootkits, or any number of

other methods.

NOTE    There’s an important distinction I’ve mentioned before

and will mention over and over again through this book: ECC

and study materials for the CEH oftentimes have as much to do

with the real world and true hacking as nuclear fusion has to do

with doughnut glaze. For example, in the real world, pen testers

and hackers only carry out scanning and enumeration when the

possibility of gaining useful intelligence is greater than the risk

of detection or reaction by the target. Sure, you need as much in-

formation as you can get up front, but if what you’re doing

winds up drawing unnecessary attention to yourself, the whole

thing is pointless. Same thing goes for privilege escalation: if you

can get done what you want or need to without bothering to es-

calate to root privilege, huzzah!

In the final phase, covering tracks, attackers attempt to con-

ceal their success and avoid detection by security professionals.

Steps taken here consist of removing or altering log files, hiding

files with hidden attributes or directories, and even using tun-

neling protocols to communicate with the system. If auditing is

turned on and monitored, and often it is not, log files are an in-

dicator of attacks on a machine. Clearing the log file completely

is just as big an indicator to the security administrator watching

the machine, so sometimes selective editing is your best bet.

Another great method to use here is simply corrupting the log

file itself—whereas a completely empty log file screams an at-

tack is in progress, files get corrupted all the time, and, chances

are, the administrator won’t bother trying to rebuild the log file.

In either case, be really careful when it comes to corrupting or

deleting logs in the real world. As a pen tester you may be bound

by a “no harm” clause, which will prevent you from altering the

log files at all. Not only would that cause harm to the organiza-

tion but it may also prevent them from discovering real bad guys

who may be attacking during your test. Good pen testers are

truly defined in this phase, and “do no harm” should be in the

forefront of your mind when attempting this.

EXAM TIP    An acronym you should definitely get acquainted

with is SIEM (which stands for security incident and event man-

agement). A SIEM helps to perform functions related to a

Security Operation Center (SOC), such as identifying, monitoring,

recording, auditing, and analyzing security incidents. While the

term can be associated with an overall enterprise effort (made

up of people, applications, processes, and so on), in the real

world oftentimes it is used to refer to a specific application.

Splunk, for example, is often referred to as a SIEM.

A couple of insights can, and should, be gained here. First,

contrary to popular belief, pen testers do not usually just ran-

domly assault things hoping to find some overlooked vulnerabil-

ity to exploit. Instead, they follow a specific, organized method

to thoroughly discover every aspect of the system they’re target-

ing. Good ethical hackers performing pen tests ensure these

steps are very well documented, taking exceptional and detailed

notes and keeping items such as screenshots and log files for in-

clusion in the final report. Mr. Horton, our beloved technical edi-

tor, put it this way: “Pen testers are thorough in their work for

the customer. Hackers just discover what is necessary to accom-

plish their goal.” Second, keep in mind that security profession-

als performing a pen test do not normally repair or patch any se-

curity vulnerabilities they find—it’s simply not their job to do so.

The ethical hacker’s job is to discover security flaws for the cus-

tomer, not to fix them. Knowing how to blow up a bridge doesn’t

make you a civil engineer capable of building one, so while your

friendly neighborhood CEH may be able to find your problems,

it in no way guarantees he or she could engineer a secure

system.

NOTE    A hacker who is after someone in particular may not

bother sticking to a set method in getting to what is wanted.

Hackers in the real world will take advantage of the easiest,

quickest, simplest path to the end goal, and if that means attack-

ing before enumerating, then so be it.

The Ethical Hacker

So, what makes someone an “ethical” hacker? Can such a thing

even exist? Considering the art of hacking computers and sys-

tems is, in and of itself, a covert action, most people might be-

lieve the thought of engaging in a near-illegal activity to be sig-

nificantly unethical. However, the purpose and intention of the

act have to be taken into account.

For comparison’s sake, law enforcement professionals rou-

tinely take part in unethical behaviors and situations in order to

better understand, and to catch, their criminal counterparts.

Police and FBI agents must learn the lingo, actions, and behav-

iors of drug cartels and organized crime in order to infiltrate

and bust the criminals, and doing so sometimes forces them to

engage in criminal acts themselves. Ethical hacking can be

thought of in much the same way. To find and fix the vulnerabil-

ities and security holes in a computer system or network, you

sometimes have to think like a criminal and use the same tactics,

tools, and processes they might employ.

In CEH parlance, and as defined by several other entities,

there is a distinct difference between a hacker and a cracker. An

ethical hacker is someone who employs the same tools and tech-

niques a criminal might use, with the customer’s full support

and approval, to help secure a network or system. A cracker,

also known as a malicious hacker, uses those skills, tools, and

techniques either for personal gain or destructive purposes or,

in purely technical terms, to achieve a goal outside the interest

of the system owner. Ethical hackers are employed by customers

to improve security. Crackers either act on their own or, in some

cases, act as hired agents to destroy or damage government or

corporate reputation.

One all-important specific identifying a hacker as ethical ver-

sus the bad-guy crackers needs to be highlighted and repeated

over and over again. Ethical hackers work within the confines of

an agreement made between themselves and a customer before

any action is taken. This agreement isn’t simply a smile, a con-

versation, and a handshake just before you flip open a laptop

and start hacking away. No, instead it is a carefully laid-out plan,

meticulously arranged and documented to protect both you (the

ethical hacker) and the client.

In general, an ethical hacker will first meet with the client and

sign a contract. The contract defines not only the permission and

authorization given to the security professional (sometimes

called a get-out-of-jail-free card) but also confidentiality and

scope. No client would ever agree to having an ethical hacker at-

tempt to breach security without first ensuring the hacker will

not disclose any information found during the test. Usually, this

concern results in the creation of a nondisclosure agreement

(NDA).

Additionally, clients almost always want the test to proceed to

a certain point in the network structure and no further: “You

can try to get through the firewall, but do not touch the file

servers on the other side…because you may disturb my MP3 col-

lection.” They may also want to restrict what types of attacks you

run. For example, the client may be perfectly okay with you at-

tempting a password hack against their systems but may not

want you to test every DoS attack you know.

Oftentimes, however, even though you’re hired to test their

security and you know what’s really important in security and

hacking circles, the most serious risks to a target are not allowed

to be tested because of the “criticality of the resource.” This, by

the way, is often a function of corporate trust between the pen

tester and the organization and will shift over time; what’s a crit-

ical resource in today’s test will become a focus of scrutiny and

“Let’s see what happens” next year. If the test designed to im-

prove security actually blows up a server, it may not be a win-

ning scenario; however, sometimes the data that is actually at

risk makes it important enough to proceed. This really boils

down to cool and focused minds during the security testing

negotiation.

Another common issue is that what is considered “too secure

to test” actually turns out to be the most vulnerable system. A

pen tester interview with the client might go like this: “What

about that crusty Solaris box that runs all the back-end process-

ing for payroll and hasn’t been updated since 2002?” “Well, it’s

really important and if it breaks, the organization dies. We have

compensating controls for stuff like that.” It’s like a sunshine law

for cyber—no mold grows where the pen test light shines.

NOTE    A common term you’ll see referenced in your CEH study

is tiger team, which is nothing more than a group of people,

gathered together by a business entity, working to address a spe-

cific problem or goal. Ethical hackers are sometimes part of a

tiger team, set up to thoroughly test all facets of a security sys-

tem. Whether you’re hired as part of the team or as an individ-

ual, pay attention to the rules of engagement.

The Pen Test

Companies and government agencies ask for penetration tests

for a variety of reasons. Sometimes rules and regulations force

the issue. For example, many medical facilities need to maintain

compliance with the Health Insurance Portability and

Accountability Act (HIPAA) and will hire ethical hackers to com-

plete their accreditation. Sometimes the organization’s leader-

ship is simply security conscious and wants to know just how

well existing security controls are functioning. And sometimes

it’s simply an effort to rebuild trust and reputation after a secu-

rity breach has already occurred. It’s one thing to tell customers

you’ve fixed the security flaw that allowed the theft of all those

credit cards in the first place. It’s another thing altogether to

show the results of a penetration test against the new controls.

With regard to your exam and to your future as an ethical

hacker, there are two processes you’ll need to know: how to set

up and perform a legal penetration test and how to proceed

through the actual hack. A penetration test is a clearly defined,

full-scale test of the security controls of a system or network in

order to identify security risks and vulnerabilities and has three

major phases. Once the pen test is agreed upon, the ethical

hacker begins the “assault” using a variety of tools, methods, and

techniques, but generally follows the same five stages of a typi-

cal hack to conduct the test. For the CEH exam, you’ll need to be

familiar with the three pen test stages and the five stages of a

typical hack.

A pen test has three main phases—preparation, assessment,

and conclusion—and they are fairly easy to define and under-

stand. The preparation phase defines the time period during

which the actual contract is hammered out. The scope of the test,

the types of attacks allowed, and the individuals assigned to per-

form the activity are all agreed upon in this phase. The assess-

ment phase (sometimes also known as the security evaluation

phase or the conduct phase) is exactly what it sounds like—the

actual assaults on the security controls are conducted during

this time. Lastly, the conclusion (or post-assessment) phase de-

fines the time when final reports are prepared for the customer,

detailing the findings of the tests (including the types of tests

performed) and many times even providing recommendations

to improve security.

In performing a pen test, an ethical hacker must attempt to re-

flect the criminal world as much as possible. In other words, if

the steps taken by the ethical hacker during the pen test don’t

adequately mirror what a “real” hacker would do, then the test

is doomed to failure. For that reason, most pen tests have indi-

viduals acting in various stages of knowledge about the target of

evaluation (TOE). These different types of tests are known by

three names: black box, white box, and gray box.

In black-box testing, the ethical hacker has absolutely no

knowledge of the TOE. The testing is designed to simulate an out-

side, unknown attacker, and it takes the most amount of time to

complete and, usually, is by far the most expensive option. For

the ethical hacker, black-box testing means a thorough romp

through the five stages of an attack and removes any precon-

ceived notions of what to look for. The only true drawback to

this type of test is it focuses solely on the threat outside the orga-

nization and does not take into account any trusted users on the

inside.

NOTE    An important “real world versus definition” distinction

arises here: While the pure definition of the term implies no

knowledge, a black-box test is designed to mirror what an exter-

nal hacker has and knows about before starting an attack. Rest

assured, the bad guys have been researching things for a long

time. They know something or they wouldn’t attack in the first

place. As a pen tester, you’d better be aware of the same things

they are when setting up your test.

White-box testing is the exact opposite of black-box testing. In

this type, pen testers have full knowledge of the network, sys-

tem, and infrastructure they’re targeting. This, quite obviously,

makes the test much quicker, easier, and less expensive, and it is

designed to simulate a knowledgeable internal threat, such as a

disgruntled network admin or other trusted user.

The last type, gray-box testing, is also known as partial knowl-

edge testing. What makes this different from black-box testing is

the assumed level of elevated privileges the tester has. Whereas

black-box testing is generally done from the network adminis-

tration level, gray-box testing assumes only that the attacker is

an insider. Because most attacks do originate from inside a net-

work, this type of testing is valuable and can demonstrate privi-

lege escalation from a trusted employee.

Laws and Standards

Finally, it would be impossible to call yourself an ethical any-

thing if you didn’t understand the guidelines, standards, and

laws that govern your particular area of expertise. In our realm

of IT security (and in ethical hacking), there are tons of laws and

standards you should be familiar with, not only to do a good job,

but to keep you out of trouble—and prison. We were lucky in

previous versions of the exam that these didn’t get hit very of-

ten, but now they’re back—and with a vengeance.

I would love to promise I could provide you a comprehensive

list of every law you’ll need to know for your job, but if I did this

book would be the size of an old encyclopedia and you’d never

buy it. There are tons of laws you need to be aware of for your

job, such as FISMA, Electronics Communications Privacy Act,

PATRIOT Act, Privacy Act of 1974, Cyber Intelligence Sharing and

Protection Act (CISPA), Consumer Data Security and Notification

Act, Computer Security Act of 1987…the list really is almost end-

less. Since this isn’t a book to prepare you for a state bar exam,

I’m not going to get into defining all these. For the sake of study,

and keeping my page count down somewhat, we’ll just discuss a

few you should concentrate on for test purposes—mainly be-

cause they’re the ones ECC seems to be looking at closely this go-

round. When you get out in the real world, you’ll need to learn,

and know, the rest.

Sometimes You Have to Know Everything

A foundational principle in Western law and order is that igno-

rance of the law does not make one free of it. In other words, if

you break a law, you cannot use the excuse that you didn’t know

about the law in question. On its face this could seem somewhat

unfair. I mean, how in the world am I supposed to know EVERY

law in EVERY state and EVERY setting? The flip side of it, and the

reason it’s a foundational principle, is simply if ignorance were a

valid excuse, any time someone was accused of a law they could

simply claim ignorance and be set free.

So how do we, as a civilized society with rule of law at our

core (supposedly) find the happy balance in this? I like the way

USLegal.com puts it: “Ignorance of law means want of knowl-

edge of those laws which a person has a duty to know and which

everyman is presumed to know.” That last bit is the important

part: you, as a citizen, have a duty to know the law of the land as

it relates to you and yours. Digging a little deeper into that

thought, then, ignorance can be either voluntary or involuntary.

Voluntary is pretty simple to define: if you could have reason-

ably acquired knowledge of the law but you claim you do not

know of it, you’re purposeful in your ignorance. Involuntary is

the area in which there’s a little wiggle room.

For example (again from USLegal.com), “...case law has recog-

nized certain exceptions to the doctrine. For example in Cheek v.

United States, 498 U.S. 192, 200-201 (U.S. 1991) the court ob-

served that the proliferation of statutes and regulations has

sometimes made it difficult for the average citizen to know and

comprehend the extent of the duties and obligations imposed by

the tax laws.” In short, Congress stated that the overly complex

tax law was more than the average citizen could be expected to

know and understand and, therefore, ignorance of certain areas

of tax law has had sentencing/conviction largely reduced.

In criminal law, while ignorance may not clear a defendant of

guilt, it can be a consideration in sentencing—and this next part

is very important here, particularly where the law is unclear or

the defendant sought advice from law enforcement or regula-

tory officials who themselves were unaware of the law or ad-

vised against the law as written. The entirety of the doctrine as-

sumes the law in question has been properly promulgated—that

is, published, distributed, and made readily available to the pub-

lic so that “everyman” can be reasonably expected to know it. In

other words, to quote the Decretum Gratiani (google it), “a secret

law is no law at all.”

So why am I talking about principles of law and order in a

book supposedly about ethical hacking? Because, dear reader,

what we’re doing here can easily land you in a world of trouble if

you make yourself willfully ignorant of the laws as they pertain to

networking, data, and hacking. There’s more than ample legal

precedent that any person taking part in activities or employ-

ment outside what could be considered common for an average

citizen must make themselves aware of any and all applicable

laws. For example, a person running the water supply for a city,

or a nuclear plant, or creating and maintaining bridges people

drive over is required to know the laws necessary to engage in

those activities.

You’re an ethical hacker, meaning (among other things) your

intent is to abide by written law (and customer agreements). But

your intent means squat in a court of law. Read up on the laws

mentioned here in this book. Then go search out updates to

them. Then look for others. After all, if you’re working for a com-

pany in Georgia, performing a pen test on a company in

Wyoming with offshore facilities, which law trumps the others

and how are you supposed to know?

While your company should provide some protection for you,

and is obligated to assist you in learning/knowing the laws you’ll

be held to during any given employment exercise, unfortunately

the answer to that question, at least in the eyes of the law, is you

better figure it out yourself.

First up is the Health Insurance Portability and Accountability

Act (HIPAA), developed by the U.S. Department of Health and

Human Services to address privacy standards with regard to

medical information. The law sets privacy standards to protect

patient medical records and health information, which, by de-

sign, are provided and shared to doctors, hospitals, and insur-

ance providers. HIPAA has five subsections that are fairly self-

explanatory (Electronic Transaction and Code Sets, Privacy Rule,

Security Rule, National Identifier Requirements, and

Enforcement) and may show up on your exam.

Another important law for your study is the Sarbanes-Oxley

(SOX) Act. SOX was created to make corporate disclosures more

accurate and reliable in order to protect the public and investors

from shady behavior. There are 11 titles within SOX that handle

everything from what financials should be reported and what

should go in them, to protecting against auditor conflicts of in-

terest and enforcement for accountability.

NOTE    One thing that may help you in setting up better security

is OSSTMM—the Open Source Security Testing Methodology

Manual (if you really want to sound snooty, call it “awstem”). It’s

a peer-reviewed, formalized methodology of security testing and

analysis that can “provide actionable information to measurably

improve your operational security.” It defines three types of

compliance for testing: legislative (government regulations), con-

tractual (industry or group requirements), and standards based

(practices that must be followed in order to remain a member of

a group or organization).

When it comes to standards, again there are tons to know—

maybe not necessarily for your job, but because you’ll see them

on this exam. ECC really wants you to pay attention to PCI-DSS,

COBIT, and ISO/IEC 27001:2013. The Payment Card Industry Data

Security Standard (PCI-DSS) is a security standard for organiza-

tions handling credit cards, ATM cards, and other point-of-sales

cards. The standards apply to all groups and organizations in-

volved in the entirety of the payment process—from card is-

suers, to merchants, to those storing and transmitting card infor-

mation—and consist of 12 requirements:

•   Requirement 1: Install and maintain firewall configuration to

protect data.

•   Requirement 2: Remove vendor-supplied default passwords and

other default security features.

•   Requirement 3: Protect stored data.

•   Requirement 4: Encrypt transmission of cardholder data.

•   Requirement 5: Install, use, and update AV (antivirus).

•   Requirement 6: Develop secure systems and applications.

•   Requirement 7: Use “need to know” as a guideline to restrict ac-

cess to data.

•   Requirement 8: Assign a unique ID to each stakeholder in the

process (with computer access).

•   Requirement 9: Restrict any physical access to the data.

•   Requirement 10: Monitor all access to data and network re-

sources holding, transmitting, or protecting it.

•   Requirement 11: Test security procedures and systems regularly.

•   Requirement 12: Create and maintain an information security

policy.

Control Objects for Information and Related Technology

(COBIT) is another security standard you’ll probably see refer-

enced. Created by the Information Systems Audit and Control

Association (ISACA) and the IT Governance Institute (ITGI),

COBIT is (from ISACA’s own website) “an IT governance frame-

work and supporting toolset that allows managers to bridge the

gap between control requirements, technical issues and business

risks. COBIT enables clear policy development, good practice,

and emphasizes regulatory compliance.” It does so in part by

categorizing control objectives into the following domains:

•   Planning and organization

•   Acquisition and implementation

•   Delivery and support

•   Monitoring and evaluation

Each domain contains specific control objectives. This stan-

dard helps security architects figure out and plan minimum se-

curity requirements for their organizations.

Want more? I don’t either, so I’ll leave you with the last exam-

ple ECC wants you to focus on: the ISO/IEC 27001:2013. It pro-

vides requirements for creating, maintaining, and improving or-

ganizational IS (Information Security) systems. The standard ad-

dresses issues such as ensuring compliance with laws as well as

formulating internal security requirements and objectives.

EXAM TIP    Law is a funny thing, and there are semantic terms

a-plenty regarding it. Be aware of the differences between crimi-

nal law (a body of rules and statutes that defines conduct pro-

hibited by the government because it threatens and harms pub-

lic safety and welfare and that establishes punishment to be im-

posed for the commission of such acts), civil law (a body of rules

that delineates private rights and remedies as well as governs

disputes between individuals in such areas as contracts, prop-

erty, and family law, distinct from criminal law), and so-called

common law (law based on societal customs and recognized and

enforced by the judgments and decrees of the courts). Anything

you see question-wise on it should be easy enough to infer, but

thought you should look into it regardless.

Finally, keep in mind that Information Security laws are

tricky things when it comes to national borders. While it’s easy

to enforce an American rule about planting seeds within the

physical borders of the United States, that law means nothing in

China, Australia, or France. When it comes to information and

the Internet, though, things get trickier. The complexities of laws

in other countries simply cannot be deciphered—in this book or

any other. You will have to spend some time with your employer

and your team to learn what you need before testing anything.

Who’s to Blame?

Oftentimes in crime dramas we don’t get to see the full story.

This is mainly because we’re all focused on the one bad guy—the

one person to blame for it all. But in the digital world, things can

get a little hairy in the blame game. For example, suppose Joe

sends Bob something truly terrible. Maybe they’re dealing in

stolen materials or sending child porn to one another. Obviously

Joe and Bob are at fault and need to face some justice. But what

about their ISPs? What about those entities that make all that il-

legal back and forth even possible in the first place? If Joe sends

Bob child porn over AT&T’s network, for example, why is AT&T

(or the countless other ISPs and/or networks between the two)

not liable for facilitating the transaction? If Sally sends a piece of

malware and takes out Jane’s network, would it have occurred

without countless networks between them? How and why are

they not liable?

In general, and without turning this into a legal paper, the

real answer is we don’t want them to be. And that is a very good

thing. For example, if Joe sends Bob printed photos in a sealed

overnight container, should the FedEx guy driving the truck be

held liable if those photos are illegal in nature? If Sally mails a

bag of drugs to Jane, is the postal worker delivering the package

at fault? Of course not, and barring gross negligence, the same

protections and thought process should apply to networks.

ISPs are basically just dumb pipes we use to blast information

to each other. The faster we blast said information, the happier

we all are. Don’t believe me? Go somewhere streaming gets

overcrowded and listen to how people rant about the latest cat

video lagging on their system. I’m not saying ISP’s can, or do, just

bask in the sun regardless of the traffic they’re carrying: most if

not all take active measures to restrict and reduce illegal activity

on the networks, and they do hold some responsibility insofar as

gross negligence is concerned. But generally speaking, they are

in the business of making sure data moves quickly from point A

to point B. And it’s safer that they stay as such.

In the Summer of 2015, the FCC classified Internet service

providers as common carriers. While heretofore defined as com-

panies that transport goods or people for any person or com-

pany (and bearing responsibility in part for any possible loss of

the goods during transport), the use here was different: ISPs

transport data, not goods or people. In the original sense, com-

mon carriers were responsible for loss or damage except for cer-

tain circumstances—like an Act of God, fault or fraud on the part

of the shipper, or defects in the goods themselves. When it came

to telecommunications, though, those stipulations didn’t apply in

the same way. Therefore, innumerable stipulations and laws es-

tablished some cover for providers: for example, the

Communications Decency Act protected against third-party con-

tent on grounds of libel or slander, and DMCA “safe harbors”

provided more liability protection in regards to copyright in-

fringements. Not to mention all of it continues to tie into net

neutrality and the back and forth we’ve seen on that for the past

decade.

So who should be held liable for malicious or illegal traffic?

Sure a purposeful sender and knowing recipient should be. But

everyone else along the way? Not as clear to see—especially

when the cat video won’t load.

NOTE    Don’t forget one very simple, obvious observation some

people just don’t think about: the Internet is global. The differ-

ence between hacking your target and hacking the government

of China could be a simple as accidentally typing the wrong

number in an IP address. And while most people believe traffic

is malicious only if it targets your system specifically, many may

see it as malicious if it just transits your system.

Chapter Review

Tips that will help on your exam include:

•   Do not let real life trump EC-Council’s view of it. Real life and the

certification exam do not necessarily always directly

correspond.

•   Use time to your advantage. The exam now is split into sections,

with a timeframe set up for each one. You can work and review

inside the section all you want, but once you pass through it, you

can’t go back.

•   Make use of the paper and pencil/pen the friendly test proctor

provides you, and as soon as you sit down, before you click

START, start writing down everything you can remember onto

the paper provided.

•   Trust your instincts. When you do question review, unless you

absolutely, positively, beyond any shadow of a doubt know you

initially marked the wrong answer, do not change it.

•   Take the questions at face value. Don’t read into them; just an-

swer them and move on.

The five zones ECC has defined are Internet (outside the

boundary and uncontrolled), Internet DMZ (a controlled, buffer

network between you and the uncontrolled chaos of the

Internet), Production Network Zone (a very restricted zone that

strictly controls direct access from uncontrolled zones), Intranet

Zone (controlled zone that has little to no heavy restrictions),

and Management Network Zone (highly secured zone with very

strict policies).

To be a successful ethical hacker, you don’t need the knowl-

edge of just tools and techniques but also the background infor-

mation that provides a secure foundation for your career. This

all begins with basic networking knowledge, including the seven

layers of the OSI reference model (Application, Presentation,

Session, Transport, Network, Data Link, and Physical) and the

four layers of the TCP/IP stack (Application, Transport, Internet,

and Network Access). Key points include the protocol data unit

(PDU) at each layer (which includes data, segment, packet,

frame, and bit), the makeup of an Ethernet frame, and the TCP

three-way handshake (SYN, SYN/ACK, ACK).

There are innumerable security concepts and terms essential

to your success on the exam, and they can’t possibly all be listed

here. A few examples include the Security, Functionality, and

Usability triangle, hack value, vulnerability, zero-day attack, pay-

load, exploit, daisy-chaining, bots, doxing, and incident response

team (IRT). Memorization is the only option for these terms.

Risk management includes identifying organizational assets,

threats to those assets, and asset vulnerabilities, allowing the

company to explore which countermeasures security personnel

could put into place to minimize risks as much as possible. These

security controls would then greatly increase the security pos-

ture of the systems. Controls can be preventative, detective, or

corrective. A business impact analysis (BIA) is an effort to iden-

tify the systems and processes that are critical for operations.

This includes measurements of the maximum tolerable down-

time (MTD), which provides a means to prioritize the recovery of

assets should the worst occur. A set of plans and procedures to

follow in the event of a failure or a disaster to get business ser-

vices back up and running is called the business continuity plan

(BCP), which includes a disaster recovery plan (DRP), addressing

exactly what to do to recover any lost data or services.

The ALE (annualized loss expectancy) is the product of the

ARO (annual rate of occurrence) and the SLE (single loss ex-

pectancy). The exposure factor (EF) is used to generate the SLE

(EF × Value of Asset).

Another bedrock of security is the security triad of confiden-

tiality, integrity, and availability. Confidentiality, or addressing

the secrecy and privacy of information, refers to the measures

taken to prevent the disclosure of information or data to unau-

thorized individuals or systems. The use of passwords is by far

the most common logical measure taken to ensure confidential-

ity, and attacks against passwords are the most common confi-

dentiality attacks. Integrity refers to the methods and actions

taken to protect the information from unauthorized alteration

or revision—whether the data is at rest or in transit. Integrity in

information systems is often ensured through the use of a hash

(a one-way mathematical algorithm such as MD5 or SHA-1).

Availability refers to the communications systems and data be-

ing ready for use when legitimate users need it. Denial-of-ser-

vice (DoS) attacks are designed to prevent legitimate users from

having access to a computer resource or service and can take

many forms.

Security policies represent the administrative function of se-

curity and attempt to describe the security controls imple-

mented in a business to accomplish a goal (defining exactly what

your business believes is the best way to secure its resources).

There are many types of security policies addressing a variety of

specific issues within the organization. Some examples are

Information Security Policy, Password Policy, Information

Protection Policy, Remote Access Policy, and Firewall

Management Policy.

Defining an ethical hacker, as opposed to a cracker (or mali-

cious hacker), basically comes down to the guidelines one works

under—an ethical hacker works only with explicit consent and

approval from a customer. Ethical hackers are employed by cus-

tomers to improve security. Crackers either act on their own or,

in some cases, are employed by malicious entities to destroy or

damage government or corporate reputation. In addition, some

hackers who use their knowledge to promote a political cause

are referred to as hacktivists.

Hackers are generally classified into three separate groups.

White hats are the ethical hackers hired by a customer for the

specific goal of testing and improving security or for other de-

fensive purposes. Black hats are the crackers illegally using their

skills either for personal gain or for malicious intent, and they

do not ask for permission or consent. Gray hats are neither good

nor bad; they are simply curious about hacking tools and tech-

niques or feel like it’s their duty, with or without customer per-

mission, to demonstrate security flaws in systems. In any case,

hacking without a customer’s explicit permission and direction

is a crime. Other terms include suicide and state-sponsored

hackers, cyberterrorists, and script kiddies.

A penetration test, also known as a pen test, is a clearly de-

fined, full-scale test of the security controls of a system or net-

work in order to identify security risks and vulnerabilities. The

three main phases in a pen test are preparation, assessment, and

conclusion. The preparation phase defines the time period when

the actual contract is hammered out. The scope of the test, the

types of attacks allowed, and the individuals assigned to per-

form the activity are all agreed upon in this phase. The assess-

ment phase (sometimes also known as the security evaluation

phase or the conduct phase) is when the actual assaults on the

security controls are conducted. The conclusion (or post-assess-

ment) phase defines the time when final reports are prepared

for the customer, detailing the findings of the test (including the

types of tests performed) and many times even providing recom-

mendations to improve security.

The act of hacking consists of five main phases.

Reconnaissance involves the steps taken to gather evidence and

information on the targets you want to attack. It can be passive

in nature or active. The scanning and enumeration phase takes

the information gathered in recon and actively applies tools and

techniques to gather more in-depth information on the targets.

In the gaining access phase, true attacks are leveled against the

targets enumerated in the second phase. In the fourth phase,

maintaining access, hackers attempt to ensure they have a way

back into the machine or system they’ve already compromised.

Finally, in the final phase, covering tracks, attackers attempt to

conceal their success and avoid detection by security

professionals.

Three types of tests are performed by ethical hackers. In

black-box testing, the ethical hacker has absolutely no knowl-

edge of the target of evaluation (TOE). It’s designed to simulate

an outside, unknown attacker. In white-box testing, pen testers

have full knowledge of the network, system, and infrastructure

they are testing, and it is designed to simulate a knowledgeable

internal threat, such as a disgruntled network admin or other

trusted user. In gray-box testing, the attacker has limited knowl-

edge about the TOE. It is designed to simulate privilege escala-

tion from a trusted employee.

The guidelines, standards, and laws that govern ethical hack-

ing are important. These include FISMA, Electronics

Communications Privacy Act, PATRIOT Act, Privacy Act of 1974,

Cyber Intelligence Sharing and Protection Act (CISPA), Consumer

Data Security and Notification Act, and Computer Security Act of

1987.

The Health Insurance Portability and Accountability Act

(HIPAA) was developed by the U.S. Department of Health and

Human Services to address privacy standards with regard to

medical information. The law sets privacy standards to protect

patient medical records and health information, which, by de-

sign, are provided and shared to doctors, hospitals, and insur-

ance providers. HIPAA has five subsections that are fairly self-

explanatory (Electronic Transaction and Code Sets, Privacy Rule,

Security Rule, National Identifier Requirements, and

Enforcement) and may show up on your exam.

The Sarbanes-Oxley (SOX) Act was created to make corporate

disclosures more accurate and reliable in order to protect the

public and investors from shady behavior. There are 11 titles

within SOX that handle everything from what financials should

be reported and what should go in them, to protecting against

auditor conflicts of interest and enforcement for accountability.

The Payment Card Industry Data Security Standard (PCI-DSS)

is a security standard for organizations handling credit cards,

ATM cards, and other point-of-sales cards. The standards apply

to all groups and organizations involved in the entirety of the

payment process—from card issuers, to merchants, to those stor-

ing and transmitting card information—and consist of 12

requirements:

•   Requirement 1: Install and maintain firewall configuration to

protect data.

•   Requirement 2: Remove vendor-supplied default passwords and

other default security features.

•   Requirement 3: Protect stored data.

•   Requirement 4: Encrypt transmission of cardholder data.

•   Requirement 5: Install, use, and update AV (antivirus).

•   Requirement 6: Develop secure systems and applications.

•   Requirement 7: Use “need to know” as a guideline to restrict ac-

cess to data.

•   Requirement 8: Assign a unique ID to each stakeholder in the

process (with computer access).

•   Requirement 9: Restrict any physical access to the data.

•   Requirement 10: Monitor all access to data and network re-

sources holding, transmitting, or protecting it.

•   Requirement 11: Test security procedures and systems regularly.

•   Requirement 12: Create and maintain an information security

policy.

Control Objects for Information and Related Technology

(COBIT) was created by the Information Systems Audit and

Control Association (ISACA) and the IT Governance Institute

(ITGI). It categorizes control objectives into the following

domains:

•   Planning and organization

•   Acquisition and implementation

•   Delivery and support

•   Monitoring and evaluation

Each domain contains specific control objectives. This stan-

dard helps security architects figure out and plan minimum se-

curity requirements for their organizations.

Lastly, ISO/IEC 27001:2013 provides requirements for creating,

maintaining, and improving organizational IS (Information

Security) systems. The standard addresses issues such as ensur-

ing compliance with laws as well as formulating internal secu-

rity requirements and objectives.

Questions

1.   Which of the following would be the best example of a deterrent

control?

A.   A log aggregation system

B.   Hidden cameras onsite

C.   A guard posted outside the door

D.   Backup recovery systems

2.   Enacted in 2002, this U.S. law requires every federal agency to

implement information security programs, including significant

reporting on compliance and accreditation. Which of the follow-

ing is the best choice for this definition?

A.   FISMA

B.   HIPAA

C.   NIST 800-53

D.   OSSTMM

3.   Brad has done some research and determined a certain set of

systems on his network fail once every ten years. The purchase

price for each of these systems is $1200. Additionally, Brad dis-

covers the administrators on staff, who earn $50 an hour, esti-

mate five hours to replace a machine. Five employees, earning

$25 an hour, depend on each system and will be completely un-

productive while it is down. If you were to ask Brad for an ALE

on these devices, what should he answer with?

A.   $2075

B.   $207.50

C.   $120

D.   $1200

4.   An ethical hacker is hired to test the security of a business net-

work. The CEH is given no prior knowledge of the network and

has a specific framework in which to work, defining boundaries,

nondisclosure agreements, and the completion date. Which of

the following is a true statement?

A.   A white hat is attempting a black-box test.

B.   A white hat is attempting a white-box test.

C.   A black hat is attempting a black-box test.

D.   A black hat is attempting a gray-box test.

5.   When an attack by a hacker is politically motivated, the hacker

is said to be participating in which of the following?

A.   Black-hat hacking

B.   Gray-box attacks

C.   Gray-hat attacks

D.   Hacktivism

6.   Two hackers attempt to crack a company’s network resource se-

curity. One is considered an ethical hacker, whereas the other is

not. What distinguishes the ethical hacker from the “cracker”?

A.   The cracker always attempts white-box testing.

B.   The ethical hacker always attempts black-box testing.

C.   The cracker posts results to the Internet.

D.   The ethical hacker always obtains written permission before

testing.

7.   In which stage of an ethical hack would the attacker actively ap-

ply tools and techniques to gather more in-depth information on

the targets?

A.   Active reconnaissance

B.   Scanning and enumeration

C.   Gaining access

D.   Passive reconnaissance

8.   Which type of attack is generally conducted as an inside at-

tacker with elevated privileges on the resources?

A.   Gray box

B.   White box

C.   Black box

D.   Active reconnaissance

9.   Which of the following Common Criteria processes refers to the

system or product being tested?

A.   ST

B.   PP

C.   EAL

D.   TOE

10.   Your company has a document that spells out exactly what em-

ployees are allowed to do on their computer systems. It also de-

fines what is prohibited and what consequences await those

who break the rules. A copy of this document is signed by all em-

ployees prior to their network access. Which of the following

best describes this policy?

A.   Information Security Policy

B.   Special Access Policy

C.   Information Audit Policy

D.   Network Connection Policy

11.   Sally is a member of a pen test team newly hired to test a bank’s

security. She begins searching for IP addresses the bank may

own by searching public records on the Internet. She also looks

up news articles and job postings to discover information that

may be valuable. In what phase of the pen test is Sally working?

A.   Preparation

B.   Assessment

C.   Conclusion

D.   Reconnaissance

12.   Joe is a security engineer for a firm. His company downsizes,

and Joe discovers he will be laid off within a short amount of

time. Joe plants viruses and sets about destroying data and set-

tings throughout the network, with no regard to being caught.

Which type of hacker is Joe considered to be?

A.   Hacktivist

B.   Suicide hacker

C.   Black hat

D.   Script kiddie

13.   Elements of security include confidentiality, integrity, and avail-

ability. Which technique provides for integrity?

A.   Encryption

B.   UPS

C.   Hashing

D.   Passwords

14.   Which of the following best describes an effort to identify sys-

tems that are critical for continuation of operation for the

organization?

A.   BCP

B.   BIA

C.   MTD

D.   DRP

Answers

1.   C. If you’re doing something as a deterrent, you’re trying to pre-

vent an attack in the first place. In this physical security deter-

rent control, a guard visible outside the door could help prevent

physical attacks.

2.   A. FISMA has been around since 2002 and was updated in 2014.

It gave certain information security responsibilities to NIST,

OMB, and other government agencies, and declared the

Department of Homeland Security (DHS) as the operational lead

for budgets and guidelines on security matters.

3.   B. ALE = ARO × SLE. To determine ARO, divide the number of oc-

currences by the number of years (1 occurrence / 10 years = 0.1).

To determine SLE, add the purchase cost (1200) plus the amount

of time to replace (5 × 50 = 250) plus the amount of lost work (5

hours × 5 employees × 25 = 625). In this case, it all adds up to

$2075. ALE = 0.1 × 2075, or $207.50.

4.   A. In this example, an ethical hacker was hired under a specific

agreement, making him a white hat. The test he was hired to

perform is a no-knowledge attack, making it a black-box test.

5.   D. Hackers who use their skills and talents to forward a cause or

a political agenda are practicing hacktivism.

6.   D. The ethical hacker always obtains written permission before

testing and never performs a test without it!

7.   B. The second of the five phases of an ethical hack attempt, scan-

ning and enumeration, is the step where ethical hackers take the

information they gathered in recon and actively apply tools and

techniques to gather more in-depth information on the targets.

8.   B. A white-box attack is intended to simulate an internal at-

tacker with elevated privileges, such as a network administrator.

9.   D. The target of evaluation (TOE) is the system or product being

tested.

10.   A. The Information Security Policy defines what is allowed and

not allowed, and what the consequences are for misbehavior in

regard to resources on the corporate network. Generally this is

signed by employees prior to their account creation.

11.   B. The assessment phase, which EC-Council also likes to inter-

changeably denote as the “conduct” phase sometimes, is where

all the activity takes place—including the passive information

gathering performed by Sally in this example.

12.   B. A suicide hacker doesn’t care about being caught. Jail time

and punishment mean nothing to these guys. While sometimes

they are tied to a political or religious group or function, some-

times they’re just angry folks looking to make an entity pay for

some perceived wrongdoing.

13.   C. A hash is a unique numerical string, created by a hashing al-

gorithm on a given piece of data, used to verify data integrity.

Generally, hashes are used to verify the integrity of files after

download (comparison to the hash value on the site before

download) and/or to store password values. Hashes are created

by a one-way algorithm.

14.   B. The business impact analysis best matches this description.

Although maximum tolerable downtime is part of the process,

and a continuity plan certainly addresses it, a BIA is the actual

process to identify those critical systems.

Support Sign Out

©2022 O'REILLY MEDIA, INC.  TERMS OF SERVICE PRIVACY POLICY