Top 7 Certified Ethical Hacker Certification Books for IT Professionals

The following list of the top best Certified Ethical Hacker certification books will prove to become valuable resources in helping you pursue the most recognized and respected hacking certification on the globe. It also helps ensure that all you IT professionals out there will be able to apply your newfound knowledge through these books in security principles in the context of your daily job scope.

Top 7 Certified Ethical Hacker Certification Books for IT Professionals

1. CEH Certified Ethical Hacker All-in-One Exam Guide by Matt Walker

The content included in this certified ethical hacking certification book is well-written and easy to understand. The authors manage to present usually boring content in such a way that it doesn’t lull you to sleep. This book offers an amazing framework you  may use to design a great study plan! Everything is covered very well, including all angles of this great career. You will love its simplicity and clear context.

2. Official Certified Ethical Hacker Review Guide

For Version 7.1 (with Premium Website Printed Access Card and CertBlaster Test Prep Software Printed … (EC-Council Certified Ethical Hacker (Ceh)) by Steven DeFino, Larry Greenblatt

This book has chapters that are well written and organized. It focuses on the major concepts, as well as a wide range of useful learning tools, including step-by-step tutorials, chapter objectives, “Try it Out” challenges and exercises, group discussion topics, short lab examples, and practice exam questions and answers with its corresponding explanations.

3. CEH Certified Ethical Hacker Study Guide by Kimberly Graves

This Certified Ethical Hacking certification book provides ethical hacking knowledge in a specific order that performs well in the real world. This book is fair and excellent book due to its concise, straight and well-done technical references. All information included is useful for the CEH exam. This Certified Ethical Hacker Study Guide handles all exam objectives for CEHv6, including real-world scenarios and exercises, paired with exam prep software featuring the complete book in pdf and electronic flashcards too.

4. Certified Ethical Hacker Exam Prep by Michael Gregg

You can’t find a better condensed Certified Ethical Hacker certification book for security information. It lays a great foundation, with tons of relevant and strong new-age information on todays software and systems. The writing style makes it an easy read, and  you will appreciate the few jokes inserted here and there. The book also handles most of the topics included in the exam.

5. CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 by Kimberly Graves

This book offers an excellent overview of the objectives of the CEH. It gets you used to the terminology and includes many tools for hacking across the board. This book is definitely worth owning especially if you have completed your homework with more in-depth studying. This book is also a great tool to finding out exactly what you need to know if you are planning on getting started on the White Hat track.

6. Official Certified Ethical Hacker Review Guide by Steven DeFino

You will find this Certified Ethical Hacker certification book to be a real gem. The author Steven DeFino really know his internet security stuff. It answers so many of the questions you have been asking and wondering about for so long, in an efficient and simple manner. This is an excellent source of study material to brush up on and ensure that you are on track for what is needed in taking the CEH exam.

7. The CEH Prep Guide

The Comprehensive Guide to Certified Ethical Hacking by Ronald L. Krutz and Russell Dean Vines

This Certified Ethical Hacker certification book definitely gives you an overview of the computer security environment. It covers everything very well, and it is timely. It handles the tools much better than classroom material and in a lot less time. It also offers a good glimpse at things from both sides and goes through concepts fairly well. The material in this book is well-written, as well as easy to follow and comprehend.

These CEH books contain realistic sample questions and exercises too to strengthen your understanding. It will also help prepare you for success on that Certified Ethical Hacker exam, on your first try maybe even! Let me know what you think by leaving a comment below.

Continue reading

7 Ethical Hacking Certifications for Your IT Career

With the rapid development of IT technologies, hackers have become an integral part of this process. We keep hearing about computer security destroyers and the problems they cause from time to time. And these hackers cause much destructive problems making it difficult for other users to use the Internet safely. But have you ever heard of ethical hackers?

Who is an ethical hacker? What is his main difference from a computer hacker?

Well, they are hackers…but much more of the “good guys” than the usual destructive hackers. The ethical hackers are individuals who hack into computer network in order to asses or evaluate its security rather than with an intention for maliciousness or for a criminal act. They are also known as white hat hackers who use hacking techniques in a legitimate and lawful manner. While regular hackers also termed as ‘black hat hackers’ use the process of hacking for a destructive purpose such as for phishing purposes. This is the major difference between an ethical hacker and a computer hacker.

What does an ethical hacker do?

◈ An ethical hacker mainly does scanning ports by looking for vulnerabilities.

◈ Another main job of ethical hackers is to check patch settings and ensure that these installations cannot be misused. The hackers can participate in social engineering concepts like diving-diving or scavenging in bins for charts or passwords that can be used to engender an attack.

◈ Ethical hackers avoid Intrusion Detection and Prevention systems.

◈ Additionally, an ethical hacker bypasses and hacks wireless encryption as well as hijacks web applications and web servers.

◈ Ethical hackers handle problems associated with the theft of laptops and fraud with employees.

Who can be an ethical hacker?

A person with good and enough knowledge in programming and networking may go a long way in the field of white hat hackers. This is best for individuals who work as forensic or intrusion analysts, security professionals, or individuals aiming to take these job roles.

What is Ethical Hacking certification?

This is a qualification obtained by evaluating the security of computer systems, using penetration testing methods. This certification qualifies an individual as a certified ethical hacker. It helps you think like a hacker. There are multiple benefits of holding an ethical hacking certification:

◈ It helps understand risks and vulnerabilities affecting the organizations on a daily basis.

◈ It shows the tools of trade. Your misconceptions about hacking will definitely be solved. That is, after this certification, you will get a general idea about how and what a white hacker’s job role will be.

◈ Also, you’ll understand that the concept of hacking is much more than just merely hacking into another individual’s Facebook or email accounts.

◈ Through this certification, you will learn various types of foot-printing, countermeasures and foot-printing tools. You can also discover what packet sniffing methods are and how to shield against sniffing.

◈ This cert will teach you the network scanning and enumeration techniques as well as network scanning and enumeration countermeasures. As an ethical hacker certification holder, you can also develop your skill in Trojans, Trojan countermeasures and Trojan analysis.

◈ You will develop your knowledge in the field of system hacking and hijacking methods, steganography, steganalysis, covering tracks, virus analysis, the working of viruses, malware analysis procedure, computer worms and countermeasures.

◈ And finally, you’ll learn how the exploits evolve.

Top 7 Ethical Hacking Certifications

1. Certified Ethical Hacking Certification

CEH is one among the oldest, most popular and superlative certification programs that can be provided for ethical hackers. A person who has acquired a certification in this course would be a skilled professional who can understand on how to look at vulnerabilities and weaknesses in target systems and uses the identical knowledge and tools as a malicious hacker but in a more legit and lawful manner so as to evaluate the security posture of a target system.

The CEH qualification confirms that individuals as certified in the specific network security discipline of Ethical Hacking from a vendor-neutral standpoint. The CEH informs the public that the certified individual meets minimum criteria. It also helps reinforce ethical hacking as an exclusive and self-regulating profession. This course will help you to think into the mindset of a hacker. After all, if you need to be a hacker, you need to think like one! This will enable you to defend against future attacks. This course will put you in a control with hands-on environment with a systematic process. You will definitely be exposed to a totally different way of attaining optimum information security posture in their organization. That is by hacking it. You will be taught the phases of hacking as mentioned earlier. And the objective of this course is to assist you to grasp the ethical hacking methods that can be used in a penetration testing or ethical hacking situation. Earning this internationally recognized cert means obtaining ethical hacking knowledge and skills that are in high demand now.

2. GIAC Penetration Tester

SANS GPEN is another type of certification provided under ethical hacking. SysAdmin, Networking, and Security (SANS) is an institute which offers multiple course and certifications with GIAC Penetration Tester (GPEN) being the most popular one. It mainly covers in-depth technique approaches to verifying the entire way up through reporting and scoping. The main objectives to learn under GPEN are attacking password hashes, advanced password attacks, initial target scanning, exploitation fundamentals, pen-testing foundations, vulnerability scanning, moving files with exploits, penetration testing using the Windows command line and power shell, reconnaissance, and web application attacks.

3. Offensive Security Certified Professional

OSCP has been only about 10 years, but it has already gained good reputation for durability and toughness. It contains practical training and exam. The Offensive security certified professional course teaches how to attain, alter and apply public exploit code. This course also offers advanced pen testing exams and courses such as wireless, web, advanced Windows exploitation. The OSCP is designed to show the students’ practical, accurate, precise and clear understanding of the penetration testing process and life-cycle through a strenuous twenty-four (24) hour certification exam. So, to conclude, this certification proves that its holder is able to recognize vulnerabilities, generate and alter exploit code, exploit hosts, and successfully accomplish tasks on the compromised systems over several operating systems.

4. CREST

CREST information certification body’s pen test exams and courses are widely accepted across many countries. These countries include the UK, Europe, Asia and Australia. This test helps to certify as well as educate quality pen testers. This is a not-for-profit organization that aids the requirements of a technical information security marketplace that entails the service of a regulated and structured services industry. CREST helps to build high quality capability, capacity and consistency within the worldwide technical cyber security segment. In order to counter the risk of cyber-attack it is also vital that the industry works in a collective manner and shares top practice and knowledge. It is also important to have in place progressive activities that support professionals employed in the industry to obtain and maintain the knowledge that need to work in this rapid shifting environment. CREST acts as a focus for the progress of best practice and professional progress activities through its collective research deeds.

5. Foundstone Ultimate Hacking

Foundstone Ultimate Hacking is the next best certification. This is the practical penetration course available. Additionally, Foundstone proposes a various training options further than just writing testing inclusive of forensic and incident responses, and also provides learning of how to hack Internet of Things also known as IoT, firmware, RFID and Bluetooth. Under this course you’ll discover how hackers and evil-minded malefactors analyse and develop target vectors directed at your critical assets, cultivate the policy underlying the search for flaws before they become a security threat, and help to expand the mind-set of a malevolent attacker and recognize the actual risk posing to your organization. You will also learn how to apply the tools and methodologies using by hackers in a controlled and secure environment as well as how to promote your own security toolkit from previously tested tools.

6. Certified Penetration Testing Consultant

CPTC: If you are looking to be professional who is supposed to be responsible for securing computers, then CPTC is the certification for you. This certification teaches you advanced expertise with in-depth penetration testing and auditing security controls including physical and user security. This certification teaches you the business of penetration testing.

7. Certified Penetration Testing Engineer

CPTE is a certification which qualifies you to have expertise and knowledge of five key information security components: penetration testing, data collection, scanning, enumeration, exploitation and reporting. Also, CPTE trains you on how to hack and also teaches you on how to become an ethical hacker. This is an internationally accepted cyber security certification and is held to be one of five core cyber security credentials.

Some facts about ethical hacking

Ethical hackers are hired by companies to hack into their systems and to report back with the weaknesses. This helps the company to learn which precaution to take. There are 5 phases to ethical hacking namely,

a) Reconnaissance

b) Scanning

c) Gaining access

d) Maintaining access and

e) Covering tracks

The salary income of an individual who has gotten into the field of hacking is as follows depicted in the pie chart:

A security analyst would get paid $36,817 while a CEH would get paid $74,457. An information security analyst – $30,429, an ethical hacker and a security consultant would get paid $10,80,000 and $77,869, respectively.

Continue reading

The Basics of Cyber Insurance

I talk a lot about cyber insurance policies on this blog. While many readers will be familiar with those policies, some may not be. While most of you know that cyber policies cover data breaches, you may find yourself wishing you had a deeper understanding of the coverage and how the policies work.  To help with that I’m starting a series of periodic posts that will explore the essentials of cyber coverage.

Let me start by saying that cyber policies are weird.  They aren’t like general and professional liability policies that provide liability coverage, nor are they like property and crime policies that provide first party coverage.  Cyber policies are all over the map.  They cover unusual types of losses too.  All of that can make them hard to understand.

A Very Short History of Cyber Insurance

When trying to understand cyber insurance it is useful to look at its roots.

Cyber insurance developed in the 1990s in conjunction with the rise of “dot.com” businesses. The policies covered lawsuits arising from breaches of the insured’s computer system security. Early policies sometimes also covered business interruption loss resulting from a compromise of computer system security.

Ironically, few companies in the US today would point to those coverages as the reasons they buy cyber insurance. Most US buyers are focused on data privacy risk.

The focus on data privacy risk can be traced to California’s enactment in 2003 of the first law requiring companies to notify affected individuals when their private information has been breached. Many states subsequently followed California’s lead, and today 47 US states, and in some cases the federal government, require individuals to be notified. The costs inherent in providing notice drove insurers to offer privacy liability and breach response coverage. That led to increased interest in cyber insurance.

There are very few mandatory notification laws outside the US. Interest in cyber insurance nevertheless has grown globally. This is being driven by concerns about cyber attacks and increasingly by regulatory regimes that encourage voluntary notification of individuals affected by a data breach.

Cyber threats have continued to multiply and become more serious. Cyber policies have evolved to cover those threats. While cyber policies are very far from being standardized, there are coverages that appear in the vast majority of policy forms.

What Does A Cyber Policy Cover?

A basic “plain vanilla” cyber policy today will cover claims resulting from data privacy and data security risks. Those aren’t the same thing.

Data privacy claims concern the improper disclosure or exposure of private information.  This includes personal information, credit card information, health information, and confidential business information.  Those claims are generally brought by individuals and companies whose information has been compromised, by regulators, and sometimes by law enforcement entities.

Data security claims involve loss arising from a compromise of the insured’s computer systems. This most often is the result of things like hacking into the insured’s systems, introduction of malware (programs designed to obtain unauthorized access to data or to damage data or computer systems), and denial of service attacks.

Typical Insuring Agreements

Although cyber policies can have a dozen or more different insuring agreements, as the graphic below illustrates, there are four that appear in most basic policy forms.

There are three liability coverages: (1) liability to third parties for privacy breaches, (2) liability to regulators for privacy breaches, and (3) liability to third parties for computer system security breaches.

The fourth coverage is a first party coverage that covers the insured’s costs to investigate and respond to a breach event. These include things like forensic investigation costs, costs to notify affected individuals, and costs to provide credit monitoring

These coverages typically are provided in separate insuring agreements that may each provide a different amount of insurance. For example, a policy that provides $10 million of coverage for privacy liability claims may have a much smaller amount available, known as a sublimit, for privacy regulatory claims.

“A sublimit is not necessarily a good reflection of the amount of coverage a company needs.”

Sublimits under cyber policies need to be very carefully considered. Insurers include sublimits to help them manage their overall exposure and to attractively price policies. A sublimit is not necessarily a good reflection of the amount of coverage a company needs. While lower limits for some coverages might make sense for some companies, I’ve seen a number of claims over the years where companies ended up wishing their sublimits were higher.

I’ll talk about each of these coverages in more detail in later posts in this series.

Coverage Trigger

Like D&O and other professional liability policies, cyber policies are written on a claims made and reported basis. The events that trigger coverage must take place and be reported to the cyber insurer during the same one year period that the policy is in effect. That requires a company to thoroughly understand what events the policy requires to be reported. Companies also must be extremely vigilant and diligent about reporting those events.

Compliance with a policy’s reporting requirements is extremely important to cyber insurers because of the speed at which cyber events can move, and the potential for impactful decisions to be made early in the company’s response to an event. Insurers want to be, and often have the right to be, involved at the earliest possible moment.

Claim Control

Cyber policies differ on the extent to which the insurer will control the response to a breach event or the defense of covered lawsuits. Some policies give the insurer the absolute right to control every aspect of the company’s response to a cyber event. The insurer will retain all necessary vendors, and will appoint defense counsel in the event lawsuits materialize. This is a feature appreciated by many companies that are unfamiliar with cyber event response. Other policies provide much more latitude for companies to select vendors and counsel they are comfortable with and to exercise greater control over the response to the cyber event. These policies appeal to companies that have spent time preparing for a cyber event and that have developed relationships with law firms and vendors that they prefer to use.

Like professional liability policies, defense costs paid under cyber policies reduce the available policy limit and sublimit. There is some divergence in insurers’ approaches to payment of first party breach response costs though. While the majority of policies treat them like defense costs that are paid from the policy limit, some insurers will pay breach response costs outside the policy limit, generally for a specified number of affected individuals.

Continue reading

Cyber Insurance Basics: System Security Liability Coverage

It’s time for another post in my series about the basics of cyber policies. This time I’m going to look at system security liability coverage.

As the graphic below illustrates, security liability coverage is one of the four basic coverages available in typical cyber policies.

System security liability coverage exists to respond to the insured’s liability to third parties resulting from cyber attacks on the insured’s computer system or the computer system of a third party operated on behalf of the insured.

So what kind of cyber attacks are covered? Generally speaking, good policies cover loss resulting from:

◈ A third party’s unauthorized access or use of the computer system;
◈ Malware, spyware, viruses, etc. in the computer system (e.g. the NotPetya attack);
◈ A denial of service attack;
◈ The computer system being used to attack computer systems of oth◈ers.

Cyber attacks such as these can give rise to a variety of claims. A few examples:

◈ A company that hosts e-commerce web sites suffers a denial of service attack. Its customers’ web sites become inaccessible and the customers lose money and sue the insured.

◈ On online gaming service is attacked and taken down. Subscribers bring a class action because the system is inaccessible.

◈ A franchisor provides IT infrastructure for its franchisees. A cyber attack impacts the franchisees and causes them to lose business. The franchisees sue.

◈ Malware causes destruction of customer data. Customers sue.

◈ An insured’s computer system is hacked and used to infect a third party’s system with malware. The third party brings suit.

A cyber attack may result in a breach of private data, but such a breach is not necessary to trigger system security liability coverage.

It is important to understand what system security liability coverage won’t do.

System security liability coverage won’t cover the insured for its own losses. If an attack results in a theft of money or other property from the insured the coverage will not respond. Companies typically need to look to their crime policies to cover that loss.

System security liability coverage won’t cover the insured’s cost to recreate lost or corrupted data. While the coverage will respond to losses sustained by a third party if data is lost, it will not cover the insured for amounts spent to recover data. That loss can be covered under another type of cyber coverage that I’ll talk about in a later post.

Finally, system security liability coverage will not cover the insured’s cost to investigate and remediate the cyber attack. A good cyber policy should cover that loss under a breach event cost insuring clause if purchased.

Continue reading

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking is designed as a logical progression point for those who have completed SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. Students with the prerequisite knowledge to take this course will walk through dozens of real-world attacks used by the most seasoned penetration testers. The methodology of a given attack is discussed, followed by exercises in a hands-on lab to consolidate advanced concepts and facilitate the immediate application of techniques in the workplace. Each day of the course includes a two-hour evening boot camp to drive home additional mastery of the techniques discussed. A sample of topics covered includes weaponizing Python for penetration testers, attacks against network access control (NAC) and virtual local area network (VLAN) manipulation, network device exploitation, breaking out of Linux and Windows restricted environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic implementations, fuzzing, defeating modern OS controls such as address space layout randomization (ASLR) and data execution prevention (DEP), return-oriented programming (ROP), Windows exploit-writing, and much more!

Attackers are becoming more clever and their attacks more complex. To keep up with the latest attack methods, you need a strong desire to learn, the support of others, and the opportunity to practice and build experience. This course provides attendees with in-depth knowledge of the most prominent and powerful attack vectors and furnishes an environment to perform these attacks in numerous hands-on scenarios. The course goes far beyond simple scanning for low-hanging fruit and shows penetration testers how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.

SEC660 starts off by introducing advanced penetration concepts and providing an overview to prepare students for what lies ahead. The focus of day one is on network attacks, an area often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VOIP, SSL, ARP, SNMP, and others. Day two starts with a technical module on performing penetration testing against various cryptographic implementations, then turns to PowerShell and post exploitation, escaping Linux restricted environments and Windows restricted desktop environments. Day three jumps into an introduction of Python for penetration testing, Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Days four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and remote exploits as well as client-side exploitation techniques are covered. The final course day is devoted to numerous penetration testing challenges that require students to solve complex problems and capture flags.

Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided through the labs and the additional time allotted each evening to reinforce daytime material and master the exercises.

SEC660.1: Network Attacks for Penetration Testers

Overview

Day one serves as an advanced network attack module, building on knowledge gained from SEC560: Network Penetration Testing and Ethical Hacking. The focus will be on obtaining access to the network; manipulating the network to gain an attack position for eavesdropping and attacks, and for exploiting network devices; leveraging weaknesses in network infrastructure; and taking advantage of client frailty.

CPE/CMU Credits: 8

Topics

◈ Bypassing network access/admission control (NAC)
◈ Impersonating devices with admission control policy exceptions
◈ Exploiting EAP-MD5 authentication
◈ Custom network protocol manipulation with Ettercap and custom filters
◈ Multiple techniques for gaining man-in-the-middle network access
◈ IPv6 for penetration testers
◈ Exploiting OSPF authentication to inject malicious routing updates
◈ Using Evilgrade to attack software updates
◈ Overcoming SSL transport encryption security with Sslstrip
◈ Remote Cisco router configuration file retrieval

SEC660.2: Crypto and Post Exploitation

Overview

Day two starts by taking a tactical look at techniques that penetration testers can use to investigate and exploit common cryptography mistakes. We begin by building some fundamental knowledge on how ciphers operate, without getting bogged down in complex mathematics. Then we move on to techniques for identifying, assessing, and attacking real-world crypto implementations. We finish the module with lab exercises that allow students to practice their newfound crypto attack skill set against reproduced real-world application vulnerabilities.

The day continues with advanced techniques but focuses more on post exploitation tasks. We leverage an initial foothold to further exploit the rest of the network. We abuse allowed features to escape restricted environments. First we will build up knowledge of local restrictions on hosts. Once we establish a set of possible restrictions, we leverage that knowledge to circumvent them. We will cover the core components that restrict the desktop and a variety of escape possibilities. The Windows escape exercise is a perfect, real-world demonstration of the risks of relying on obfuscation and blacklisting to thwart attacks.

As a major factor in post exploitation, we cover both exploiting administrators use of PowerShell and PowerShell attack tools. We'll use Metasploit alternatives like PowerShell Empire to escalate privileges, pivot, and deliver additional payloads. The day ends with a challenging boot camp exercise against a full network environment comprised of a variety of modern, representative, and fully patched systems with no obvious remote vulnerabilities.

CPE/CMU Credits: 8

Topics

◈ Pen testing cryptographic implementations
◈ Exploiting CBC bit flipping vulnerabilities
◈ Exploiting hash length extension vulnerabilities
◈ PowerShell Essentials
◈ Enterprise PowerShell
◈ Post Exploitation with PowerShell and Metasploit
◈ Escaping Software Restrictions
◈ Two-hour evening Capture the Flag exercise against a modern network with hardened servers, desktops, and vApp targets

SEC660.3: Python, Scapy, and Fuzzing

Overview

Day three brings together the multiple skill sets needed for creative analysis in penetration testing. We start by discussing product security testing. The day continues with a focus on how to leverage Python as a penetration tester - the aim is to help students unfamiliar with Python start modifying scripts to add their own functionality, while also helping seasoned Python scripters improve their skills. Once we leverage the Python skills in creative lab exercises, we move on to leveraging Scapy for custom network targeting and protocol manipulation. Using Scapy, we examine techniques for transmitting and receiving network traffic beyond what canned tools can accomplish, including IPv6. Next, we take a look at network protocol and file format fuzzing. We leverage fuzzing to target both common network protocols and popular file formats for bug discovery. We use hands-on exercises to develop custom protocol fuzzing grammars to discover bugs in popular software. Finally, we carefully discuss the concept of code coverage and how it goes hand-in-hand with fuzzing. We will conduct a lab using the Paimei Reverse Engineering Framework and IDA Pro to demonstrate the techniques discussed.

CPE/CMU Credits: 8

Topics

◈ Becoming familiar with Python types
◈ Leveraging Python modules for real-world pen tester tasks
◈ Manipulating stateful protocols with Scapy
◈ Using Scapy to create a custom wireless data leakage tool
◈ Product security testing
◈ Using Taof for quick protocol mutation fuzzing
◈ Optimizing your fuzzing time with smart target selection
◈ Automating target monitoring while fuzzing with Sulley
◈ Leveraging Microsoft Word macros for fuzzing .docx files
◈ Block-based code coverage techniques using Paimei

SEC660.4: Exploiting Linux for Penetration Testers

Overview

Day four begins by walking through memory from an exploitation perspective as well as introducing x86 assembler and linking and loading. These topics are important for anyone performing penetration testing at an advanced level. Processor registers are directly manipulated by testers and must be intimately understood. Disassembly is a critical piece of testing and will be used throughout the remainder of the course. We will take a look at the Linux OS from an exploitation perspective and discuss privilege escalation. We continue by describing how to look for SUID programs and other likely points of vulnerabilities and misconfigurations. The material will focus on techniques that are critical to performing penetration testing on Linux applications.

We then go heavily into stack overflows on Linux to gain privilege escalation and code execution. We will first cover using a debugger to expose weak passwords. Then we will go over redirection of program execution and, finally, code execution. Techniques such as return to buffer and return to C library (ret2libc) will be covered, as well as an introduction to return-oriented programming. The remainder of the day takes students through techniques used to defeat or bypass OS protections such as stack canaries and address space layout randomization (ASLR). The goal of this section is to expose students to common obstacles on modern Linux-based systems.

CPE/CMU Credits: 8

Topics

◈ Stack and dynamic memory management and allocation on the Linux OS
◈ Disassembling a binary and analyzing x86 assembly code
◈ Performing symbol resolution on the Linux OS
◈ Identifying vulnerable programs
◈ Code execution redirection and memory leaks
◈ Identifying and analyzing stack-based overflows on the Linux OS
◈ Performing return-to-libc (ret2libc) attacks on the stack
◈ Return-oriented programming
◈ Defeating stack protection on the Linux OS
◈ Defeating ASLR on the Linux OS

SEC660.5: Exploiting Windows for Penetration Testers

Overview

Day five starts off covering the OS security features (ASLR, DEP, etc.) added to the Windows OS over the years as well as Windows-specific constructs, such as the process environment block (PEB), structured exception handling (SEH), thread information block (TIB), and the Windows application programming interfaces (API). Differences between Linux and Windows will be covered. These topics are critical in assessing Windows-based applications. We then focus on stack-based attacks against programs running on the Windows OS. After finding a vulnerability in an application, the student will work with Immunity Debugger to turn the bug into an opportunity for code execution and privilege escalation. Advanced stack-based techniques such as disabling data execution prevention (DEP) are covered. Client-side exploitation will be introduced, as it is a highly common area of attack. We continue with the topic of return-oriented programming (ROP), demonstrating the technique against a vulnerable application, while looking at defeating hardware DEP and address space layout randomization (ASLR) on Windows 7, Windows 8, and Windows 10. We then have a module on porting over an exploit into the Metasploit Framework and on how to quickly identify bad characters in your shellcode and as input into a program. Finally, we will take a quick look at shellcode and the differences between shellcode on Linux and Windows, followed by a ROP challenge.

CPE/CMU Credits: 8

Topics

◈ The state of Windows OS protections on Windows 7, 8, 10, Server 2008 and 2012
◈ Understanding common Windows constructs
◈ Stack exploitation on Windows
◈ Defeating OS protections added to Windows
◈ Creating a Metasploit module
◈ Advanced stack-smashing on Windows
◈ Using ROP
◈ Building ROP chains to defeat DEP and bypass ASLR
◈ Windows 7 and Windows 8 exploitation
◈ Porting Metasploit modules
◈ Client-side exploitation
◈ Windows Shellcode

SEC660.6: Capture the Flag Challenge

Overview

This day will serve as a real-world challenge for students by requiring them to utilize skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture the Flag engine will be provided to score students as they capture flags. More difficult challenges will be worth more points. In this offensive exercise, challenges range from local privilege escalation to remote exploitation on both Linux and Windows systems, as well as networking attacks and other challenges related to the course material.

CPE/CMU Credits: 6

Continue reading

Cyber risk: Why cyber security is important

Cyber risk is now firmly at the top of the international agenda as high-profile breaches raise fears that hack attacks and other security failures could endanger the global economy.

The Global Risks 2015 report, published in January by the World Economic Forum (WEF), included this rather stark warning: "90 percent of companies worldwide recognize they are insufficiently prepared to protect themselves against [cyber attacks]."

Cyber crime costs the global economy over US$400 billion per year, according to estimates by the Center for Strategic and International Studies. In 2013, some 3,000 companies in the United States had their systems compromised by criminals, the Center reports.

High-profile US retailers Target and Home Depot were among many organizations that lost customer data and credit card information. In other companies, cyber criminals stole money from accounts, carried out industrial espionage and in some cases even took over company systems and demanded ransom money to unlock them.

It's not surprising that governments and businesses around the world are searching for better cyber defense strategies. The European Network and Information Security Agency held a cyber security exercise in October 2014, involving 29 countries and more than 200 organizations, including government bodies, telecoms companies, energy suppliers, financial institutions and Internet service providers.

The tests included simulating more than 2,000 separate incidents: denial of service attacks, website defacements, access to sensitive information and attacks on critical infrastructure. Software and hardware failures were judged the biggest security threats.

In February, President Barack Obama addressed the Summit on Cybersecurity and Consumer Protection at Stanford University. It was attended by senior US political leaders, CEOs and representatives from computer security companies, major retailers, law enforcement and technical experts, to "collaborate and explore partnerships that will help develop the best ways to bolster our cyber security."

There is clearly still much work to be done, and the people behind the attacks have a significant head start. For those playing catch-up, cyber security has become a matter of urgency.

The consequences of cyber crime

Cyber attacks fall into two broad categories: breaches in data security and sabotage. Personal data, intellectual property, trade secrets and information relating to bids, mergers and prices are tempting targets for a data security breach. Sabotage can take the form of denial of service attacks, which flood web services with bogus messages, as well as more conventional efforts to disable systems and infrastructure.

In addition to commercial losses and public relations problems, disruption of operations and the possibility of extortion, cyber attacks may also expose an organization to regulatory action, negligence claims, the inability to meet contractual obligations and a damaging loss of trust among customers and suppliers.

Most cyber crime incidents go unreported, and few companies come forward with information on their losses. That is not surprising given the risk to an organization's reputation and the prospect of legal action against those that own up to cyber crime. Few of the biggest cyber criminals have been caught—many have yet to be identified.

A significant proportion of cyber crime also goes undetected, particularly industrial espionage where access to confidential documents and data is difficult to spot. There is a danger that a business might trade at a disadvantage for months or even years as a result of a continuing, but undetected, security breach.

"Criminals operate across borders, so must companies and the experts that assist them, including their lawyers,". "Responding to cyber attacks requires both a global vision and a fine knowledge of local regulations and law enforcement agencies."

Vulnerability is on the rise

Cyber crime is only likely to increase, despite the best efforts of government agencies and cyber security experts. Its growth is being driven by the expanding number of services available online and the increasing sophistication of cyber criminals who are engaged in a cat-and-mouse game with security experts.

Technical innovation throws up new online dangers. For example, the migration of data to third-party cloud providers has created a centralization of data and therefore more opportunities for criminals to misappropriate critical information from a single target attack. Similarly, the emphasis on mobile services has opened up corporate systems to more users—multiplying the opportunities to penetrate security measures.

Applications that involve the collection and analysis of data in large quantities—so-called Big Data—put additional pressure on security managers. Mountains of sensitive data about buyer decisions, their habits and other personal information must be kept safe, but until recently security was not a top priority in systems handling Big Data.

The development of an Internet of Things, which enables communication between machines, raises the possibility of appliances being manipulated by hackers. The widespread use of machine-to-machine (M2M) communication is only likely to boost the possibility of information misuse.

Much of the world's critical infrastructure, controlling services such as power generation, transport and utilities, already depends on M2M. Protecting the networks that carry the communications that control these services is vital, especially since decision making is often done without human involvement.

Countering cyber risk

"Cyber security is regarded as a board-level responsibility,". "Similar to other compliance areas, board directors can be held liable for not discharging their duty to prevent harm to the corporation. In performing their oversight role, directors should stay informed about the corporation's cyber security defenses. They must ask what the risks are and determine what needs to be done to mitigate them. In today's connected world, it is unfortunately becoming a question of ‘when' rather than ‘if' some sort of data breach will occur."

Furthermore, under guidance from the US Securities and Exchange Commission, public companies are required to disclose the material risks they face from cyber attacks and include specific detail to enable an investor to assess the magnitude of those risks.

US companies are also required to consider disclosure about the potential costs associated with preventing cyber attacks and any contingent liabilities or asserted claims related to prior breaches. In sum, a failure to make adequate disclosures can lead to additional liability in the event of a cyber attack.

There is no shortage of advice available to organizations to help them assess risks and develop suitable plans to counter them. Governments around the world are developing cyber security guidelines.

Last year, at the behest of President Obama, the National Institute of Standards and Technology (NIST) in the United States issued a Framework for Improving Critical Infrastructure Security. Critical infrastructure not only includes energy supply networks and telecommunications, but financial services and retail facilities as well.

The Framework is a set of standards and best practices drawn up with the input of thousands of security experts and designed to help organizations manage the risks of a cyber security breach. With the aid of the Framework, they chart their current security profile, work out what profile they should be aiming for and create a plan for reaching it.

"Similar to financial and reputational risk, cyber security risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers," warns NIST.

The UK intelligence agency, Government Communications Headquarters (GCHQ), which provides advice and services to protect national voice and data networks, estimates 81 percent of UK businesses have experienced some kind of security breach. To help stem the tide, the organization has published detailed guidance for businesses, "10 Steps to Cyber Security."

The critical first step is to establish an information risk management regime that identifies the security risks it faces and the policy for dealing with them. Businesses should protect their information and communications technology by adopting standard security measures and managing how the systems are configured and used. They should also disable unnecessary functions and keep security patches up to date.

Malware protection is an important security consideration. Businesses should not only have policies that cover email, web browsing and the use of personal devices, but also install antivirus software and regularly scan for malware.

Networks are often a weak point in cyber defenses, so it's crucial for businesses to follow recognized network design principles and ensure all devices are configured to the security standards they have adopted.

Removable media policies that control the use of media for the import and export of information are vital. Not only should removable media be scanned for malware, but the type of media and the sort of information that can be transferred should be limited.

Users should only be given the privileges they need to do their job. Accounts used by system or database administrators should not be used for high-risk user activities. User activity should be monitored; particularly those involving access to sensitive information and account actions such as changing passwords and deleting accounts.

The same can be said for vendors, who are often not perceived as a threat or lacking in security measures of their own—many breaches in recent years were via vendors.

"The point is you can't just draft all these fantastic policies and apply them internally, but then not be strict with all vendors,". "You need to ensure that these cyber policies are also imposed on vendors by way of a contract."

Equally, security policies should be part of employment terms and conditions. All users should receive regular training on the cyber risks they face.

Businesses are also urged to scan inbound and outbound traffic continuously to detect suspicious activity. They should also monitor all ICT systems using specialized intrusion detection and prevention systems.

Legal aspects of cyber risk

Governments are tightening laws to ensure organizations take greater responsibility for cyber security and report cyber breaches. The reporting of breaches is important in that it enables government agencies to take action to strengthen security, allows individuals to mitigate harm and encourages organizations to adopt effective security measures.

In the United States, 47 states have enacted laws that require security breaches involving personal data to be reported. The US Congress is also considering various proposals, including one from the Obama Administration, concerning a national breach notification law. The Data Security and Breach Notification Act of 2015 is a companion to the Consumer Privacy Bill of Rights Act of 2015 unveiled by President Obama in February, governing the collection and dissemination of consumer data. According to a White House spokesperson, these will "provide customers with more control over their data, companies with clearer ways to signal their responsible stewardship over data, and everyone with the flexibility to continue innovating in the digital age."

While such legislative moves are welcome, they have their critics: fines are not particularly prohibitive and it's not clear how they would be enforced, and businesses would be allowed to draft their own codes of conduct, leaving room for loopholes.

The European Union and several of its member states have introduced similar regulations, some of which are specific to particular industries, with the result that organizations operating across different legal jurisdictions have the added burden of making sure they comply with the different laws.

Meanwhile, the EU is developing a proposal for a General Data Protection Regulation to replace and harmonize current data protection legislation. The new regime would require organizations to report data breaches promptly to both the competent authorities and the affected individuals. If it were up to the European Parliament, as one of the legislative bodies deciding on the proposal, failure to comply with this requirement could lead to penalties equivalent to 5 percent of an offender's global turnover.

Preparing for a breach in security, therefore, is particularly important when incidents can result in fines, legal action or measures by government agencies. An effective plan reduces the risks of financial losses and damage to an organization's reputation while ensuring compliance with the relevant legal requirements.

"Looking proactively, you should get input from IT professionals, lawyers, technologists and privacy experts. And it only makes sense that the same team that builds the plan should help prepare for a problem," says Orzechowski.

In the event of an incident, Orzechowski recommends that a lawyer be included on the team in charge of any fact-finding mission so that the company can claim attorney-client privilege and work-product protection. These protections, at least under US law, might prevent the disclosure of information that could be detrimental to their client if future litigation arises following an incident.

Continue reading

10 Cyber Security Tips for Small Business

Broadband and information technology are powerful factors in small businesses reaching new markets and increasing productivity and efficiency. However, businesses need a cybersecurity strategy to protect their own business, their customers, and their data from growing cybersecurity threats.

1. Train employees in security principles

Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers, and networks from cyber attacks

Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.

3. Provide firewall security for your Internet connection

A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.

4. Create a mobile device action plan

Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information

Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud.

6. Control physical access to your computers and create user accounts for each employee

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

7. Secure your Wi-Fi networks

If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router, so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.

8. Employ best practices on payment cards

Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, limit authority to install software

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication

Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.

Continue reading

Ethical Hacking - Hacker Types

Hackers can be classified into different categories such as white hat, black hat, and grey hat, based on their intent of hacking a system. These different terms come from old Spaghetti Westerns, where the bad guy wears a black cowboy hat and the good guy wears a white hat.

White Hat Hackers

White Hat hackers are also known as Ethical Hackers. They never intent to harm a system, rather they try to find out weaknesses in a computer or a network system as a part of penetration testing and vulnerability assessments.

Ethical hacking is not illegal and it is one of the demanding jobs available in the IT industry. There are numerous companies that hire ethical hackers for penetration testing and vulnerability assessments.

Black Hat Hackers

Black Hat hackers, also known as crackers, are those who hack in order to gain unauthorized access to a system and harm its operations or steal sensitive information.

Black Hat hacking is always illegal because of its bad intent which includes stealing corporate data, violating privacy, damaging the system, blocking network communication, etc.

Grey Hat Hackers

Grey hat hackers are a blend of both black hat and white hat hackers. They act without malicious intent but for their fun, they exploit a security weakness in a computer system or network without the owner’s permission or knowledge.

Their intent is to bring the weakness to the attention of the owners and getting appreciation or a little bounty from the owners.

Miscellaneous Hackers

Apart from the above well-known classes of hackers, we have the following categories of hackers based on what they hack and how they do it −

Red Hat Hackers

Red hat hackers are again a blend of both black hat and white hat hackers. They are usually on the level of hacking government agencies, top-secret information hubs, and generally anything that falls under the category of sensitive information.

Blue Hat Hackers

A blue hat hacker is someone outside computer security consulting firms who is used to bug-test a system prior to its launch. They look for loopholes that can be exploited and try to close these gaps. Microsoft also uses the term BlueHat to represent a series of security briefing events.

Elite Hackers

This is a social status among hackers, which is used to describe the most skilled. Newly discovered exploits will circulate among these hackers.

Script Kiddie

A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept, hence the term Kiddie.

Neophyte

A neophyte, "n00b", or "newbie" or "Green Hat Hacker" is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking.

Hacktivist

A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denialof-service attacks.

Continue reading