Ethical Hacker
Running Head: 1 THE ETHICAL HACKER 1 THE ETHICAL HACKER 7 Case Study: 1 THE ETHICAL HACKER Hacking Ethically 1 EXPLAIN YOUR METHOD OF ATTACK AND OPERATION WITHIN REASONABLE PARAMETERS OF THE LAW. Hacking is utilized to forego security parameters and controls to gain unauthorized access to a system. I would instigate a keylogging attack where I would present myself to the organization as a customer. I would go into an office or a desk an install a flash drive containing keylogging software to the computer. This would be through the USB port of the system unit or peripheral device such as a keyboard (Wang, 2017). This would happen as the owner of the desk gets me a cup of coffee or when they are looking for something on their desk. Upon entering the system, I would install spyware that would allow me to control or spy on the organization's system remotely. I would then bypass the web proxies and manipulate them in a way that they require disabling the VPN to enter the company's website (Trabelsi, 2016). A technique I would use is SQL injection, where I would exploit vulnerabilities in the database software of the site, access the company's data, and also trick users into submitting login data. Ethical Conduct. I would use the following ethical hacking codes of conduct derivatives. Maintain transparency during and after the hack with the client. This would entail communicating all relevant information gathered while instigating the hack. Transparency allows the client to take necessary actions for network and system security, as well as against the criminal entities. Determine the confidentiality and sensitivity of the information involved. This would ensure that I do not violate regulations, rules, or laws in handling proprietary, financial, and sensitive personal information. Before starting the hack, I would ensure that I understand the characteristics and nature of my target organization, including their network, system, and business (Al-Shiha, 2018). This would act as a guide to handling proprietary, confidential, or sensitive information that I may encounter during the ethical hack. I would also need an understanding of TCP/IP as follows. 2 INTERNET PROTOCOL AND TRANSMISSION CONTROL PROTOCOL ARE DIFFERENTIATED. TCP is broken down into the following layers, with each having its own structure. The application layer that creates standards for applications to use during data exchange. It entails protocols such as file transfer and hypertext transfer protocols. The transport layer facilitates communications between hosts. It is tasked with flow control and multiplexing. The protocols therein include user datagram and transmission control protocols (Smith, 2018). The internet layer that connects independent networks as a way to relay the packets containing the data, across boundary networks (Thomas et al., 2018). The protocols in this layer include internet control message and internet protocols. Lastly, the datalink layer is made up of protocols and methods that allow linkage. This link is the network component that ensures connectivity between hosts and nodes in the network. This layer has address resolution and Ethernet protocols. 2. 1 DISCUSS SPECIFIC MALWARE, SOCIAL ENGINEERING, OR ANY OTHER TYPE OF ATTACK YOU WOULD DEPLOY TO ACHIEVE YOUR DESIRED GOALS. I would take advantage of users’ poor security practices. These would allow me to circumvent any security controls in place. An example is old and unhidden passwords. Most individuals keep the office password logins in a desk or on a sticky at their desk or counter. This would make it very easy to record the password, hack into the organization’s Wi-Fi, and log in remotely. Another instance is the lack of multilevel security, i.e., extra layers of security. If the organization does not have backup security mechanisms such as mobile verification, then it would be easy to provide dubiously acquired login details and to log into the organization’s system (Oriyano, 2016). If there is added security such as security questions, then I would find my way into specific users' social media to try and gather such information. 3 INSTIGATING A DDOS ATTACK. Most organizations’ system are dependent on single servers or on-site servers. This means that these systems can crash when overloaded by service requests. I would instigate DDOS attacks where I would create a duplicate account such as one a legitimate user would have, and program the account to make endless service requests. Many free performance testing tools like Apache Jmeter which is primarily used to conduct performance testing can easily be used to take an Http web service request and ramp it up to send thousands of requests and effectively cause a Denial Of Service(DOS). To ensure success, I would also infiltrate several user accounts, i.e., those that I had key logged, and do the same thing (Nicholson, 2019). The server would inevitably crash, allowing the creation of a duplicate portal that would encourage users to provide their login information. 3. 1 ASSESS THE HURDLES YOU EXPECT AND HOW YOU PLAN TO OVERCOME THEM. The expected hurdles include legal risks such as lawsuits that would be based on intentional or unintentional disclosure of confidential information. Disclosure of this nature can lead to huge legal problems and liabilities if I'm caught. The fact that the client is a government agency may lead to them disowning me and absolving themselves of any involvement. As such, my ethical hacking activities would be translated as unethical or black hat hacking. This could lead to prosecution and possible jail time (Baloch, 2017). Overcoming this hurdle is by not getting caught. Another way is having the government agency sign a deal where they would absolve me of any charges if my hacking activities led to prosecution. Ethics seek to safeguard and protect societies and individuals by utilizing information systems in a responsible manner. Most organizations have definitions of code of conduct or ethical guidelines that all affiliated professionals must adhere to. 4 THE CODE MAKES INDIVIDUALS ACCOUNTABLE AND RESPONSIBLE FOR THEIR FREE WILL ACTIONS. Overcoming this hurdle would entail following an ICT policy. 4 IT IS A SET OF GUIDELINES THAT ENUMERATES HOW AN ORGANIZATION SHOULD UTILIZE INFORMATION RESOURCES RESPONSIBLY. It entails guidelines on the following. Training of all users involved in ICT. Appropriate use of information resources. Rules on how to create or modify login information such as passwords. Utilization of updated software and ensuring that patches are installed consistently. Usage and purchase of hardware equipment and also safe methods to dispose of equipment. 4. 1 DETERMINE HOW YOU WOULD REMAIN ANONYMOUS AND AVOID DETECTION. The best way to do this would be to infiltrate user accounts, and using a VPN, pretend to be an employee. Anonymity would be enhanced by making scheduled logins during company hours in a way that mimics normal and legitimate use. The behavioral component of hacking becomes very important as it allows for the avoidance of detection or flagging of anomalies or abnormal behavior. Another way is using software that would automatically access information in a remote way (Berger, 2016). The software would be hosted on a server rented online and located far way. Avoiding detection can be done by manipulating TCP/IP protocols such as addresses. TCP establishes virtual connections between devices by utilizing reply and request messages, relayed over the internet. A weak link here would enable infiltration. IP deals with the address of each packet, ensuring it reaches the receiver (Rathore, 2016). TCP, on the other hand, breaks down files or messages, transmits over a network, and then reconstitutes on arrival. Protocols are used to relay data across IP networks. References Al-Shiha, R., & Alghowinem, S. (2018, July). 5 SECURITY METRICS FOR ETHICAL HACKING. In Science and Information Conference (pp. 1154-1165). Springer, Cham. 6 RETRIEVED FROM HTTPS://LINK.SPRINGER.COM/CHAPTER/10.1007/978-3-030-01177-2_83 Baloch, R. (2017). 7 ETHICAL HACKING AND PENETRATION TESTING GUIDE. Auerbach Publications. Retrieved from https://tsoungui.fr/ebooks/Ethickal-haking-postexploitation.pdf 5 BERGER, H., & JONES, A. (2016, July). 5 CYBER SECURITY & ETHICAL HACKING FOR SMES. IN PROCEEDINGS OF THE 11TH INTERNATIONAL KNOWLEDGE MANAGEMENT IN ORGANIZATIONS CONFERENCE ON THE CHANGING FACE OF KNOWLEDGE MANAGEMENT IMPACTING SOCIETY (P. 12). ACM. 8 RETRIEVED FROM HTTPS://DL.ACM.ORG/CITATION.CFM?ID=2926016 Nicholson, S. (2019). How ethical hacking can protect organisations from a greater threat. Computer Fraud & Security, 2019(5), 15-19. 9 RETRIEVED FROM HTTPS://WWW.SCIENCEDIRECT.COM/SCIENCE/ARTICLE/PII/S1361372319300545 Oriyano, S. (2016). Ethical Hacking: SQL Injections. Retrieved from https://iln.ieee.org/Public/ContentDetails.aspx?id=18700BD80038409F91C7F128B444CDCD Rathore, N. K. (2016). 5 ETHICAL HACKING & SECURITY AGAINST CYBER CRIME. JOURNAL ON INFORMATION TECHNOLOGY (JIT), 5(1), 7-11. Retrieved from https://www.researchgate.net/profile/N_Rathore/publication/315489178_ETHICAL_HACKING_SECURITY_AGAINST_CYBER_CRIME/links/5bed1594299bf1124fd34759/ETHICAL-HACKING-SECURITY-AGAINST-CYBER-CRIME.pdf 10 SMITH, H., & MORRISON, H. (2018). Ethical Hacking: 10 A COMPREHENSIVE BEGINNERS GUIDE TO LEARN AND MASTER ETHICAL HACKING. 8 RETRIEVED FROM HTTPS://DL.ACM.ORG/CITATION.CFM?ID=3278818 11 TRABELSI, Z., & MCCOEY, M. (2016). 11 ETHICAL HACKING IN INFORMATION SECURITY CURRICULA. 12 INTERNATIONAL JOURNAL OF INFORMATION AND COMMUNICATION TECHNOLOGY EDUCATION (IJICTE), 12(1), 1-10. Retrieved from https://www.igi-global.com/article/ethical-hacking-in-information-security-curricula/143147 Thomas, G., Burmeister, O., & Low, G. (2018). 13 ISSUES OF IMPLIED TRUST IN ETHICAL HACKING. ORBIT JOURNAL, 2(1). RETRIEVED FROM HTTPS://ORBIT-RRI.ORG/OJS/INDEX.PHP/ORBIT/ARTICLE/VIEW/77 14 WANG, Y., & YANG, J. (2017, March). 14 ETHICAL HACKING AND NETWORK DEFENSE: CHOOSE YOUR BEST NETWORK VULNERABILITY SCANNING TOOL. IN 2017 31ST INTERNATIONAL CONFERENCE ON ADVANCED INFORMATION NETWORKING AND APPLICATIONS WORKSHOPS (WAINA) (PP. 110-113). IEEE. 15 RETRIEVED FROM HTTPS://IEEEXPLORE.IEEE.ORG/ABSTRACT/DOCUMENT/7929663/