Tuesday 29 June 2021

Ethical Hacking - Pen Testing


Penetration Testing is a method that many companies follow in order to minimize their security breaches. This is a controlled way of hiring a professional who will try to hack your system and show you the loopholes that you should fix.


Before doing a penetration test, it is mandatory to have an agreement that will explicitly mention the following parameters −

◉ when the penetration test will take place,

◉ which source IP addresses the attack will come from, and

◉ which parts of the system (the penetration fields) will be tested.
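Once these three parameters are written down, the defending team can use them to separate agreed test traffic from everything else. The following is an added example, not part of the original tutorial: it encodes a constructed agreement and checks constructed log events against it. The time window, the addresses (documentation ranges) and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed agreement (illustrative values, not taken from the page).
AGREEMENT = {
    "window": (datetime(2021, 7, 1, 22, 0, tzinfo=timezone.utc),
               datetime(2021, 7, 2, 4, 0, tzinfo=timezone.utc)),
    "tester_sources": [ip_network("198.51.100.16/28")],   # where the test comes from
    "targets_in_scope": [ip_network("203.0.113.0/25")],   # what may be tested
}

def violations(event, agreement=AGREEMENT):
    """Return the reasons an event falls outside the agreement (empty list = covered)."""
    ts = datetime.fromisoformat(event["time"])
    src, dst = ip_address(event["src"]), ip_address(event["dst"])
    reasons = []
    start, end = agreement["window"]
    if not start <= ts <= end:
        reasons.append("outside agreed time window")
    if not any(src in net for net in agreement["tester_sources"]):
        reasons.append("source IP not in agreement")
    if not any(dst in net for net in agreement["targets_in_scope"]):
        reasons.append("target not in agreed scope")
    return reasons

def to_escalate(events, agreement=AGREEMENT):
    """Events that look like attack traffic but are NOT covered by the agreement."""
    return [(e, r) for e in events if (r := violations(e, agreement))]

# Constructed log events.
EVENTS = [
    {"time": "2021-07-01T23:15:00+00:00", "src": "198.51.100.20", "dst": "203.0.113.10"},
    {"time": "2021-07-02T09:00:00+00:00", "src": "198.51.100.20", "dst": "203.0.113.10"},
    {"time": "2021-07-01T23:30:00+00:00", "src": "192.0.2.77", "dst": "203.0.113.10"},
    {"time": "2021-07-01T23:40:00+00:00", "src": "198.51.100.20", "dst": "203.0.113.200"},
]

if __name__ == "__main__":
    for event, reasons in to_escalate(EVENTS):
        print(event["time"], event["src"], "->", event["dst"], ":", ", ".join(reasons))
```

Anything returned by `to_escalate` is treated as a real incident, or as a tester working outside the agreement, rather than as expected test noise.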

Penetration testing is conducted by professional ethical hackers who mainly use commercial and open-source tools, automated tools, and manual checks. There are no restrictions; the most important objective here is to uncover as many security flaws as possible.

Types of Penetration Testing

We have five types of penetration testing −

◉ Black Box − Here, the ethical hacker doesn’t have any information regarding the infrastructure or the network of the organization that he is trying to penetrate. In black-box penetration testing, the hacker tries to find the information by his own means.

◉ Grey Box − It is a type of penetration testing where the ethical hacker has a partial knowledge of the infrastructure, like its domain name server.

◉ White Box − In white-box penetration testing, the ethical hacker is provided with all the necessary information about the infrastructure and the network of the organization that he needs to penetrate.

◉ External Penetration Testing − This type of penetration testing mainly focuses on network infrastructure or servers and their software operating under the infrastructure. In this case, the ethical hacker tries the attack using public networks through the Internet. The hacker attempts to hack the company infrastructure by attacking their webpages, webservers, public DNS servers, etc.

◉ Internal Penetration Testing − In this type of penetration testing, the ethical hacker is inside the network of the company and conducts his tests from there.

Penetration testing can also cause problems such as system malfunctioning, system crashing, or data loss. Therefore, a company should take calculated risks before going ahead with penetration testing. The risk is calculated as follows and it is a management risk.

RISK = Threat × Vulnerability

Example

You have an online e-commerce website that is in production. You want to do a penetration test before making it live. Here, you have to weigh the pros and cons first. If you go ahead with penetration testing, it might cause an interruption of service. On the other hand, if you do not perform a penetration test, you run the risk of having an unpatched vulnerability that will remain a threat all the time.

Before doing a penetration test, it is recommended that you put down the scope of the project in writing. You should be clear about what is going to be tested. For example −

◉ Your company has a VPN or another remote access technique and you want to test that particular point.

◉ Your application has webservers with databases, so you might want to get it tested for SQL injection attacks, which is one of the most crucial tests on a webserver. In addition, you can check whether your webserver is immune to DoS attacks.

Quick Tips

Before going ahead with a penetration test, you should keep the following points in mind −

◉ First understand your requirements and evaluate all the risks.

◉ Hire a certified person to conduct the penetration test, because they are trained to apply all the possible methods and techniques to uncover possible loopholes in a network or web application.

◉ Always sign an agreement before doing a penetration test.

Source: tutorialspoint.com

Saturday 26 June 2021

Ethical Hacking - DDOS Attacks


A Distributed Denial of Service (DDoS) attack is an attempt to make an online service or a website unavailable by overloading it with huge floods of traffic generated from multiple sources.

Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood a targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.


A large-scale volumetric DDoS attack can generate traffic measured in tens of gigabits (and even hundreds of gigabits) per second. We are sure your normal network will not be able to handle such traffic.

What are Botnets?

Attackers build networks of hacked machines, known as botnets, by spreading malicious code through emails, websites, and social media. Once these computers are infected, they can be controlled remotely, without their owners' knowledge, and used like an army to launch an attack against any target.


A DDoS flood can be generated in multiple ways. For example −

◉ Botnets can be used to send more connection requests than a server can handle at a time.

◉ Attackers can have computers send a victim resource huge amounts of random data to use up the target's bandwidth.

Due to the distributed nature of these machines, they can be used to generate distributed high traffic which may be difficult to handle. It finally results in a complete blockage of a service.

Types of DDoS Attacks


DDoS attacks can be broadly categorized into three categories −

◉ Volume-based Attacks
◉ Protocol Attacks
◉ Application Layer Attacks

Volume-Based Attacks

Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other spoofed-packet floods. These are also called Layer 3 & 4 Attacks. Here, an attacker tries to saturate the bandwidth of the target site. The attack magnitude is measured in Bits per Second (bps).

◉ UDP Flood − A UDP flood is used to flood random ports on a remote host with numerous UDP packets, more specifically port number 53. Specialized firewalls can be used to filter out or block malicious UDP packets.

◉ ICMP Flood − This is similar to a UDP flood and is used to flood a remote host with numerous ICMP Echo Requests. This type of attack can consume both outgoing and incoming bandwidth, and a high volume of ping requests will result in overall system slowdown.

◉ HTTP Flood − The attacker sends HTTP GET and POST requests to a targeted web server in a large volume which cannot be handled by the server and leads to denial of additional connections from legitimate clients.

◉ Amplification Attack − The attacker makes a request that generates a large response. Examples include DNS requests for large TXT records and HTTP GET requests for large files like images, PDFs, or any other data files.

Protocol Attacks

Protocol attacks include SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS, etc. This type of attack consumes actual server resources and other resources like firewalls and load balancers. The attack magnitude is measured in Packets per Second.

◉ DNS Flood − DNS floods are used for attacking both the infrastructure and a DNS application to overwhelm a target system and consume all its available network bandwidth.

◉ SYN Flood − The attacker sends TCP connection requests faster than the targeted machine can process them, causing network saturation. Administrators can tweak TCP stacks to mitigate the effect of SYN floods. To reduce the effect of SYN floods, you can reduce the timeout until a stack frees memory allocated to a connection, or selectively drop incoming connections using a firewall or iptables.

◉ Ping of Death − The attacker sends malformed or oversized packets using a simple ping command. IP allows sending 65,535-byte packets, but sending a ping packet larger than 65,535 bytes violates the Internet Protocol and could cause memory overflow on the target system and finally crash the system. To avoid Ping of Death attacks and their variants, many sites block ICMP ping messages altogether at their firewalls.
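Before tuning the stack against a SYN flood, an administrator first needs to see the half-open connections piling up. The following is an added example, not part of the original tutorial: it counts connections in the SYN_RECV state per listening address from text in the Linux `/proc/net/tcp` layout. The sample table is constructed, and the function names and threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import IPv4Address

SYN_RECV = "03"  # kernel state code for a half-open (SYN received) connection

def decode_endpoint(field):
    """Decode 'HEXIP:HEXPORT' as printed in /proc/net/tcp (IPv4, little-endian address)."""
    hex_ip, hex_port = field.split(":")
    return IPv4Address(bytes.fromhex(hex_ip)[::-1]), int(hex_port, 16)

def half_open_by_listener(table_text):
    """Map each local (ip, port) to the remote IPs that have a SYN_RECV entry on it."""
    remotes = defaultdict(list)
    for line in table_text.splitlines():
        fields = line.split()
        # The header line and sockets in other states are skipped by the state check.
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        local = decode_endpoint(fields[1])
        remote_ip, _ = decode_endpoint(fields[2])
        remotes[local].append(remote_ip)
    return remotes

def flag_syn_backlog(table_text, threshold):
    """Return (local_ip, port, half_open_count, distinct_sources) at or above threshold."""
    flagged = []
    for (ip, port), sources in half_open_by_listener(table_text).items():
        if len(sources) >= threshold:
            flagged.append((str(ip), port, len(sources), len(set(sources))))
    return sorted(flagged)

# Constructed sample in /proc/net/tcp layout: listener 203.0.113.10:80 with four
# half-open entries from four sources, one established session, and one half-open on :22.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A7100CB:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A7100CB:0050 016433C6:C350 03 00000000:00000000 01:00000064 00000001     0        0 0
   2: 0A7100CB:0050 026433C6:C351 03 00000000:00000000 01:00000064 00000001     0        0 0
   3: 0A7100CB:0050 036433C6:C352 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0A7100CB:0050 046433C6:C353 03 00000000:00000000 01:00000064 00000001     0        0 0
   5: 0A7100CB:0050 056433C6:C354 01 00000000:00000000 00:00000000 00000000    33        0 1002
   6: 0A7100CB:0016 066433C6:C355 03 00000000:00000000 01:00000064 00000001     0        0 0
"""

if __name__ == "__main__":
    for ip, port, count, distinct in flag_syn_backlog(SAMPLE, threshold=3):
        print(f"{ip}:{port} has {count} half-open connections from {distinct} sources")
```

Many half-open entries from many distinct sources on one listener is the pattern to watch for. On Linux, the stack tweaks the item above mentions correspond to settings such as `net.ipv4.tcp_syncookies`, `net.ipv4.tcp_synack_retries` and `net.ipv4.tcp_max_syn_backlog`.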

Application Layer Attacks

Application Layer Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Here the goal is to crash the web server. The attack magnitude is measured in Requests per Second.

◉ Application Attack − This is also called Layer 7 Attack, where the attacker makes excessive log-in, database-lookup, or search requests to overload the application. It is really difficult to detect Layer 7 attacks because they resemble legitimate website traffic.

◉ Slowloris − The attacker sends a huge number of HTTP headers to a targeted web server, but never completes a request. The targeted server keeps each of these false connections open, which eventually overflows the maximum concurrent connection pool and leads to denial of additional connections from legitimate clients.

◉ NTP Amplification − The attacker exploits publicly accessible Network Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic.

◉ Zero-day DDoS Attacks − A zero-day vulnerability is a system or application flaw previously unknown to the vendor that has not been fixed or patched. These are new types of attacks coming into existence day by day, for example, exploiting vulnerabilities for which no patch has yet been released.

How to Fix a DDoS Attack


There are quite a few DDoS protection options which you can apply depending on the type of DDoS attack.

Your DDoS protection starts with identifying and closing all the possible OS and application-level vulnerabilities in your system, closing all the possible ports, removing unnecessary access from the system, and hiding your server behind a proxy or CDN system.

If the DDoS attack is of low magnitude, you can find many firewall-based solutions that can help you filter out DDoS traffic. But if you face a high-volume DDoS attack, in the gigabits or even more, then you should take the help of a DDoS protection service provider that offers a more holistic, proactive and genuine approach.

You must be careful while approaching and selecting a DDoS protection service provider. There are a number of service providers who want to take advantage of your situation. If you inform them that you are under DDoS attack, then they will start offering you a variety of services at unreasonably high costs.

We can suggest a simple and working solution, which starts with a search for a good DNS solution provider who is flexible enough to configure A and CNAME records for your website. Second, you will need a good CDN provider that can handle big DDoS traffic and provide you with a DDoS protection service as a part of their CDN package.

Assume your server IP address is AAA.BBB.CCC.DDD. Then you should do the following DNS configuration −

◉ Create an A record in the DNS zone file as shown below with a DNS identifier, for example, ARECORDID, and keep it secret from the outside world.

◉ Now ask your CDN provider to link the created DNS identifier with a URL, something like cdn.someotherid.domain.com.

◉ You will use the CDN URL cdn.someotherid.domain.com to create two CNAME records, the first one to point to www and the second record to point to @ as shown below.

You can ask your system administrator for help to understand these points and configure your DNS and CDN appropriately. Finally, you will have the following configuration at your DNS.

[Figure: the resulting DNS configuration]

Now, let the CDN provider handle all types of DDoS attacks and your system will remain safe. But the condition here is that you should not disclose your system's IP address or A record identifier to anyone; otherwise direct attacks will start again.
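The setup only works while nothing else in the zone gives away the server's address. The following is an added example, not part of the original tutorial: it audits zone-file text for the configuration described above and for records that expose the origin IP, going slightly beyond the text by also checking unrelated records such as a mail host or an SPF entry. `ARECORDID` and `cdn.someotherid.domain.com` come from the text; the address 203.0.113.10 stands in for AAA.BBB.CCC.DDD, and both zones and the function names are constructed.

```python
import re

def parse_zone(text):
    """Parse 'name [IN] TYPE value' lines. Enough for this audit, not a full zone parser."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop zone-file comments
        tokens = line.split()
        if len(tokens) >= 2 and tokens[1].upper() == "IN":
            del tokens[1]                          # the class field is optional
        if len(tokens) < 3:
            continue
        records.append((tokens[0], tokens[1].upper(), " ".join(tokens[2:])))
    return records

def audit_zone(text, origin_ip, cdn_host, secret_label, public_names=("www", "@")):
    """Return findings: origin IP exposed outside the secret record, or public names
    that do not point at the CDN."""
    records = parse_zone(text)
    ip_pattern = re.compile(r"(?<![\d.])" + re.escape(origin_ip) + r"(?!\d)")
    findings = []
    for name, rtype, value in records:
        if name != secret_label and ip_pattern.search(value):
            findings.append(f"{name} {rtype} exposes origin IP")
    for pub in public_names:
        targets = [v.rstrip(".").lower() for n, t, v in records
                   if n == pub and t == "CNAME"]
        if cdn_host.lower() not in targets:
            findings.append(f"{pub} is not a CNAME to {cdn_host}")
    return findings

ORIGIN = "203.0.113.10"                 # constructed stand-in for AAA.BBB.CCC.DDD
CDN = "cdn.someotherid.domain.com"

# Constructed zone that leaks the origin in three places.
WEAK_ZONE = """
ARECORDID  IN A      203.0.113.10
www        IN CNAME  cdn.someotherid.domain.com.
@          IN A      203.0.113.10
mail       IN A      203.0.113.10
@          IN TXT    "v=spf1 ip4:203.0.113.10 -all"
"""

# Constructed zone matching the configuration described in the text.
# Note: standard DNS does not allow a CNAME at the zone apex (@); providers that
# accept one implement it with an ALIAS or CNAME-flattening feature.
HARDENED_ZONE = """
ARECORDID  IN A      203.0.113.10
www        IN CNAME  cdn.someotherid.domain.com.
@          IN CNAME  cdn.someotherid.domain.com.
"""

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, audit_zone(zone, ORIGIN, CDN, "ARECORDID"))
```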

Quick Fix

DDoS attacks have become more common than ever before, and unfortunately, there is no quick fix for this problem. However, if your system is under a DDoS attack, then don’t panic and start looking into the matter step by step.

Source: tutorialspoint.com

Thursday 24 June 2021

Ethical Hacking - Overview


Hacking has been a part of computing for almost five decades and it is a very broad discipline, which covers a wide range of topics. The first known event of hacking took place in 1960 at MIT, and at the same time the term "Hacker" originated.


Hacking is the act of finding the possible entry points that exist in a computer system or a computer network and finally entering into them. Hacking is usually done to gain unauthorized access to a computer system or a computer network, either to harm the systems or to steal sensitive information available on the computer.

Hacking is usually legal as long as it is being done to find weaknesses in a computer or network system for testing purposes. This sort of hacking is what we call Ethical Hacking.

A computer expert who does the act of hacking is called a "Hacker". Hackers are those who seek knowledge, to understand how systems operate, how they are designed, and then attempt to play with these systems.

Types of Hacking

We can segregate hacking into different categories, based on what is being hacked. Here is a set of examples −

◉ Website Hacking − Hacking a website means taking unauthorized control over a web server and its associated software such as databases and other interfaces.

◉ Network Hacking − Hacking a network means gathering information about a network by using tools like Telnet, NS lookup, Ping, Tracert, Netstat, etc. with the intent to harm the network system and hamper its operation.

◉ Email Hacking − It includes getting unauthorized access to an email account and using it without the consent of its owner.

◉ Ethical Hacking − Ethical hacking involves finding weaknesses in a computer or network system for testing purposes and finally getting them fixed.

◉ Password Hacking − This is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system.

◉ Computer Hacking − This is the process of stealing computer ID and password by applying hacking methods and getting unauthorized access to a computer system.

Advantages of Hacking

Hacking is quite useful in the following scenarios −

◉ To recover lost information, especially in case you lost your password.

◉ To perform penetration testing to strengthen computer and network security.

◉ To put adequate preventative measures in place to prevent security breaches.

◉ To have a computer system that prevents malicious hackers from gaining access.

Disadvantages of Hacking

Hacking is quite dangerous if it is done with harmful intent. It can cause −

◉ Massive security breach.

◉ Unauthorized system access to private information.

◉ Privacy violation.

◉ Hampering system operation.

◉ Denial of service attacks.

◉ Malicious attack on the system.

Purpose of Hacking

There could be various positive and negative intentions behind performing hacking activities. Here is a list of some probable reasons why people indulge in hacking activities −


◉ Just for fun

◉ Show-off

◉ Steal important information

◉ Damaging the system

◉ Hampering privacy

◉ Money extortion

◉ System security testing

◉ To break policy compliance

Wednesday 23 June 2021

EC-Council ECES Certification to Gain a Competitive Edge

The EC-Council Certified Encryption Specialist (ECES) certification introduces professionals and applicants to the field of cryptography. The applicants will learn the basics of modern symmetric and key cryptography, including the details of algorithms such as Feistel Networks, DES, and AES.

Many penetration testing professionals normally don't attempt to breach cryptography. A basic understanding of cryptanalysis is very helpful to any penetration test.

Target Audience

Anyone engaged in the selection and implementation of VPNs or digital certificates should earn this certification. Without understanding cryptography in some depth, people are limited to following marketing hype. Understanding the actual cryptography allows you to know which one to select. A person completing this course will choose the encryption standard that is most beneficial to their organization and understand how to deploy that technology effectively.

EC-Council ECES certification is best for ethical hackers and penetration testing professionals, as most penetration testing certifications ignore cryptanalysis altogether. Many penetration testing professionals usually don't attempt to breach cryptography. Fundamental knowledge of cryptanalysis is very crucial to any penetration test.

About The ECES Exam

What is an Encryption Specialist?

An encryption specialist defends the IT systems and information distributed over any network with cryptography. Cryptography is a technique in which data is encrypted through algorithms before its transmission. Only the receiving party can decode the data and read it.

Encryption analysts also carry out cryptanalysis: they decipher encrypted data. The analyzed information is used to develop software and other plans necessary for information security. Private organizations and government companies engage encryption experts to secure their valuable data from unauthorized access.

Skills Needed to Become an Encryption Specialist

Becoming a skilled encryption specialist requires a profound knowledge of networking, computer programming, and database architecture. High-level mathematics and a knowledge of data structures are an advantage.

A professional must also have excellent analytical and productive thinking skills to develop new ciphers and algorithms to safeguard information.

Benefits of EC-Council ECES Certification

There has been a lot of discussion about the benefits of EC-Council ECES certification. Today, however, a huge number of organizations require applicants to have ECES certification to carry out their tasks efficiently. Listed below are some of the benefits of having this certification.

1. EC-Council ECES Certification Helps You Stand Out

Having an ECES certification can be the core distinguisher between you and another applicant applying for the same job profile. There are several examples of professionals with similar knowledge and experience beating others just based on their certification.

2. Show A Level Of Accomplishment And Perseverance

No doubt achieving a certification demands hard work and determination, as it is a tough exam. Therefore, earning a certification confirms that you're dedicated to your career and are intent on going above and beyond to deliver your best. This is especially helpful if you're new to the field: it will give you some credibility and encourage potential employers to hire you. In a nutshell, having an ECES certification confirms that you're serious about the field and want to develop a long and remunerative career.

3. Hiring Managers Place High-Value On EC-Council Certification

It's a known fact that not every hiring manager relies on certifications, but there is still a considerable number of employers who are impressed by them. Even the army has made it compulsory for some of their employees to earn certification based on their experience and position. This is mainly because having a college degree is common and widespread. In contrast, by passing an EC-Council Certified Encryption Specialist exam, you show that you have current knowledge of the concepts and methods needed to carry out the given tasks successfully.

4. Get Noticed for a Promotion At Work

Have you ever sensed that you're at a dead end? Have you seen your co-workers get promotions over you while you're stuck in the same position? If that's the situation, you should think of earning an EC-Council ECES certification. By doing this, you will acquire extra knowledge and skills that are sure to impress your management. This will result in you getting other brilliant opportunities to demonstrate your determination and take on more responsibilities.

All in all, you will be an esteemed resource and will play an important role in identifying any weakness in existing cryptography systems and implementing more secure, strongly encrypted solutions for your organization.

5. Brilliant Career Prospects

An EC-Council Certified Encryption Specialist can work in national and international organizations such as the National Security Agency or any other agency or organization that requires the secure transmission of secret information.

Conclusion

This article describes the importance of earning EC-Council ECES certification for those looking to efficiently promote their career through certification.

Such a career move not only requires money but also support from the organization you are presently working for. Schedule a meeting with your manager to know early on the kind of support they can provide. And start preparing to pass this certification exam.

Tuesday 22 June 2021

3 Reasons Why Financial Institutions Need Penetration Testing


Banking and financial institutions have been under attack from various and considerable cyber-threats. Every year, this sector loses a massive chunk of its funds to criminal activities like phishing, ransomware, malware, etc. Due to this, cybersecurity has become a primary concern in this sector. The scale of attacks and damages has opened new vacancies in different departments of cybersecurity, and Penetration Testing is one of them. With effective Penetration Tests, banks, investment firms, real estate companies, etc., can effectively reduce the cost of cyberattacks and save their funds as well as their market reputation.


According to CNN, hackers are regularly attacking banks and stock exchanges. There are blind spots in the critical supply chain, which make them a target for cybercriminals. Even small financial units are not safe, as attackers use them to gain access to a bigger firm. In such situations, regular Penetration Tests become extremely important.

This article examines why financial institutions need Penetration Testing.

Penetration Testing for Financial Institutions: Advantages

A survey estimates that the coronavirus has accelerated digital transformation by 5.3 years. However, when things accelerate at this speed, vulnerabilities and unprepared security tactics become the order of the day.

When an industry proliferates, it is vital to ensure that the system around it also develops at a similar pace. Cybersecurity is a top concern for financial institutions because they must ensure that their growth doesn't cost them more than they have gained. Here are a few reasons why financial institutions need penetration testing.

Meet Regulatory Standards

Financial sectors are mandated to comply with specific regulatory standards, which is most often the motivation for hiring penetration testers. Several regulatory bodies demand penetration testing. The financial regulatory documents that incorporate a recommendation for penetration testing solutions are:

◉ PCI DSS Security Scanning Procedures, v1.1

◉ FFIEC IT Examination Handbook

Likewise, specific industry guidance, particularly for the Payment Card Industry Data Security Standard, includes a recommendation for penetration testing for financial institutions. The regulatory requirements demand that, once vulnerabilities and threats are assessed, testing be designed to mitigate the risks detected across the environment. This is where a penetration tester comes into play. Failure to comply with these standards can lead to fines, reputational damage, and other severe consequences.

Discover And Mitigate New Vulnerabilities

Financial units face threats through new applications. Platform marketing also increases the threat of cyberattacks. New developments in the market and industrial sectors create openings for malicious cyber attackers. Banks and financial institutions have created abundant high-value targets for hackers through their migration to digital transactions and eCommerce platforms. Add the remote work culture and the disruptions caused by the COVID-19 pandemic, and malicious hackers have a honeypot.

Given the series of transformative modifications to their infrastructures, it is more and more crucial that financial institutions use third-party penetration testing to uncover newly formed vulnerabilities. A professional penetration tester will help in thwarting an attack. Expert penetration testers will also discover vulnerabilities, regardless of the scope of financial services. Their role will save you from financial loss and regulatory consequences.

Prevent Island Hopping


Financial institutions depend on third-party vendors for many tasks. Third-party processes open many gaps that cybercriminals can take advantage of. One of these issues is known as island hopping. It refers to using connected third parties to intrude into a system or organization through the back door. These connected third parties can include contractors, remote employees, business partners, suppliers, and even customers.

While this concept is nothing new, it has become the basic tactic for attacks. Even organizations that utilize proven security tactics can be compromised through island hopping. Therefore, you need penetration testing framework methodology and training to prevent hackers from gaining access to your critical assets.

Financial institutions are just one of the few market sectors where openings for penetration testers along with different cybersecurity experts have increased in the last few years. For Enterprise leaders looking to upskill or retrain their Cybersecurity teams, no training comes even remotely close to EC-Council’s CPENT.

Create Battle-Ready Teams with CPENT

Certified Penetration Testing Professional or CPENT by EC-Council teaches your employees to perform an effective penetration test in an enterprise network environment. The modules in this certification program are designed to help financial institutions find effective offence against cybercriminals. Teams with CPENT are equipped to plug the most vulnerable security gaps due to which banks, stock markets and real estate companies suffer from cyberattacks. CPENT is one of the few courses that blends manual and automated penetration testing approaches, covering advanced penetration testing tools, techniques, and methodologies required by industries in 2021.

Source: eccouncil.org

Sunday 20 June 2021

What Qualifications Do You Need to Be a Penetration Tester?


The definition of penetration testing varies among experts. But most professionals agree that pen testing is a process of testing vulnerabilities in IT infrastructure by conducting a lawful cyberattack. The times when companies only called an ethical hacker to find a solution after the attack are long gone. Everyone wants to keep an eye on possible breaches and vulnerable spots in their IT infrastructure, and that is where a penetration tester proves to be helpful.


In the last few years, vacancies for penetration testers have increased. The U.S. Bureau of Labor Statistics projects a 32% increase in demand for information security analysts between 2018 and 2028. Due to this, more and more cybersecurity professionals are opting for a penetration testing course training. Businesses that handle high volumes of personal, sensitive, proprietary, and classified information consider hiring penetration testers.

Cyberattacks happen every day, due to which businesses lose the privacy, data, funds, and trust of their customers. Since 2020, these threats have increased because people are working and studying from home. On January 5, 2021, the FBI warned that cybercriminals are looking for ways to exploit online classrooms. In 2020, more than $1 trillion was lost to cybercrime.

The demand for penetration testers is set to increase because of such impending threats. Penetration testing was one of the top 5 job profiles in cybersecurity. If you find cracking codes and solving puzzles interesting, then this job just might be the perfect fit for you.

What Is Penetration Testing?

Penetration testing, otherwise called pen test or pen testing, is a simulated cyberattack against a system to inspect exploitable weaknesses. It is a process that helps an organization to determine if its systems are susceptible to attacks and ways to prevent them.

The pen tester attempts to breach application systems like frontend/backend servers or application protocol interfaces (APIs) to discover exploitable weaknesses. The results from the penetration tests can then be applied to fix and patch identified vulnerabilities.


Penetration testing certification is recommended for network administrators, engineers, system or software developers, self-taught hackers, and students. Students who have prior understanding of tools and techniques related to ethical hacking, understanding of Linux, Linux Server Administration and Identity, and access management can also start their career path to become a certified penetration tester. Elaborate and well-thought-out certification programs equip you with the right mix of formal knowledge and hands-on, practical experience. These skills add more credibility to your knowledge, capturing the focus of employers during the hiring process.

Major sectors that hire penetration testing professionals include healthcare, financial services, technology companies, and government. Top technology enterprises hire internal penetration testers as a part of their quality assurance commitments. Big enterprises like Amazon, Paylocity, and IBM hire penetration testers on a regular basis. IBM is also one of the top-paying employers of pen testers.

Skills Required to Be a Penetration Tester


There’s a clear shortage of skilled penetration testers, because of which implementing and sustaining a penetration testing program becomes more challenging. Research suggests that the cybersecurity workforce needs to increase by 145% to bridge this obvious skills gap.

Someone who knows the basics of ethical hacking will grow further in their career with penetration testing certification. Some of the required skills to make it big as a pen tester are:

◉ Programming skills such as Python, Bash, Ruby, Perl, and PHP. Other languages common in web development can also prove useful such as CSS, HTML, SQL, ASP.NET, and JavaScript.

◉ Knowledge of vulnerabilities and exploits beyond tool suites.

◉ Strong knowledge of computer networks.

◉ Ability to script or write code.

◉ Securing web communication by generating secure domain certificates.

◉ Understanding of *nix systems.

◉ Willingness to constantly learn.

◉ System administration skills.

◉ Soft skills such as public speaking, teamwork, effective communication and interpersonal skills, and report writing.

Please note that technical skills aren’t the only indicators of success for a penetration testing exercise. The most important thing is to be determined and willing to keep going even in the face of difficulty. The ability to keep on learning and ask for help when necessary is also quite important.

How Can You Learn Penetration Testing?


The importance of penetration testers is only going to rise in the coming future. Everything is dependent on the internet and cybercriminals are finding new ways to breach vulnerable points. With the most relevant skills, you can learn penetration testing like a true professional. While selecting an institute to pursue a penetration testing course, make sure that their program uses relevant case studies and real-world examples. Professionals who have knowledge of the latest tools and techniques will be able to impress employers and progress further with ease.

Certified Penetration Tester (CPENT) from EC-Council is a widely recognized certification program that covers every aspect of performing a successful penetration test. Since its inception, CPENT has been able to create new standards of penetration testing skill development. If you’ve only been operating in flat networks, CPENT’s live practice range will help you elevate your skills by teaching you how to pen test OT systems, IoT systems, how to build your own tools, how to write your own exploits, double pivot to access hidden networks, conduct advanced binaries exploration, and customize scripts to penetrate the innermost segments of the network.

Why Should Professionals Pursue CPENT?


Many individuals who complete their CPENT certification course are working professionals. A number of companies also encourage their IT department employees to opt for this course. CPENT is one of the few programs that allows you to choose how to get certified! You can choose the CPENT training course to go beyond the concepts you’ve learned in CEH and learn proven methodologies used by experts. You can opt for the CPENT Challenge Edition if you’re already working as a penetration tester and feel you’re ready to take on the CPENT range and earn your certification without attending the penetration testing course training.

EC-Council has different training options from which you can choose the most convenient option for you. This includes:

◉ iLearn (self-study)
◉ iWeek (live online)
◉ MasterClass
◉ Training Partner (in-person)
◉ Education Partner (in-person or online)

Source: eccouncil.org

Saturday 19 June 2021

What Is Facial Scanning? What Are the Threats Involved in It?


Facial scanning seemed like a fantasy a few years ago, but today we can open our mobile phones by scanning our faces. Millions of people worldwide are happy to access their smartphones with facial scanning. The use of facial scanning technology has increased rapidly in corporate organizations, airports, mobile phones, and shopping malls. Although facial recognition has advantages for companies, biometric technology also poses threats that have concerned both companies and users in recent years. Even so, many automobile companies are still introducing facial scanning technology.

More Info: 312-50: Certified Ethical Hacker (CEH)

Technological developments continue to open new ways in which organizations can use face template data to improve their efficiency and reliability. Today it is common to unlock a smartphone with facial scanning or to check in at the airport with your face. Although the technology for facial scanning has brought countless advantages, its use also carries substantial privacy risks. This article talks about facial scanning technology, the threats involved in it, and how to mitigate them.

What Is Facial Scanning Technology?

Facial scanning is a computerized technology that matches a human face against a huge record of images or videos of faces in a database, called a facial recognition database. The primary purpose of facial scanning is to verify users for identity verification services by mapping out the features of a facial structure and distinctive details, such as the distance between the eyes and the shape of the nose, from an array of provided images or videos.

The technology of facial scanning attracts a lot of attention. Many companies and organizations use online recognition and verification to achieve their desired objectives, whether for fun, security, or user experience. Facial scanning is a biometric check that can identify or verify an individual by comparing and analyzing patterns based on the person’s facial contours.

Facial recognition uses deep learning algorithms to reduce errors. Deep learning is a form of machine learning in which artificial neural networks, algorithms inspired by the human brain, learn from data. A deep learning algorithm repeats a task, modifying it each time to improve the outcome. It identifies and captures the human face, which then becomes an object of verification based on the essential characteristics of the face. These characteristics are generally the position of the eyes, the nose, and the corners of the mouth.

◉ For instance, facial scanning first scans the distance between your eyes, nose, and mouth, the shape of your nose and mouth, and a variety of other minor details on the face.

◉ Once all features on your face are identified, a face signature is created. Finally, once the face is scanned, it is compared against a database of known faces for a match.

How Does Facial Scanning Technology Work?

Humans can identify faces quickly. You can readily recognize the face of a family member, a friend, or an acquaintance. Your facial features, such as the distance between the arch of your eyebrows and your eyes, the tilt of your lips, and the position of your nose, make up your unique facial structure. Facial recognition works the same way, but on a large, algorithmic scale. Recognition technology sees data where you see a face. This information can be saved and accessed.

· Face detection

First, facial scanning begins with a face and identifies the relevant facial characteristics of the person. We think of the human face as a basic set of eyes, nose, and mouth. Facial scanning technology recognizes the face in a similar way; this is done through an extensive database of images of human faces seen from different points of view, using deep neural networks and machine learning algorithms.

It starts with the eyes, then the eyebrows, followed by the nose and mouth, and then calculates the nose width, the distance from forehead to mouth, and sizes. To detect faces and identify all these features in the face region, the algorithm is trained extensively on databases.

· Face recognition

After the face is identified, a program detects the facial landmarks with an image processing algorithm. These landmarks are referred to as nodal points, and there are about 80 on every human face. They are crucial in identifying the face in the database. The face registered in the database is then repositioned and appropriately scaled to match the original face, which helps recognition when facial expressions change.

· Face representation

After the face is registered, the face’s nodal points, position, and sizes are sent to the software. The software then assigns every individual face a new face vector, a numerical code called a faceprint. Each faceprint distinguishes one person from another in the database.

· Face matching

Lastly, after the face is recognized with the new vector code, it is compared to the faces available in the database, which consists of all registered faces. If the software detects the exact match in the database, it will give the person’s information, or else the interface classifier returns the vector code to the database.
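The matching step described above, as an added example that is not part of the original article. The faceprints are constructed toy vectors, and the Euclidean distance, the threshold of 0.1 and the ambiguity margin are assumptions chosen for illustration; in practice a probe is compared by distance against a threshold rather than for exact equality, which is where identification errors come from.

```python
import math

# Constructed enrollment database: identity -> faceprint (toy 4-value vectors;
# real faceprints are much longer and come from a trained neural network).
ENROLLED = {
    "alice": [0.10, 0.80, 0.30, 0.55],
    "bob":   [0.70, 0.20, 0.60, 0.15],
    "carol": [0.15, 0.75, 0.40, 0.50],   # deliberately close to alice
}

# Constructed probes: a clean capture of alice, a degraded capture of alice
# (e.g. poor illumination), and a person who is not enrolled at all.
CLEAN_PROBE = [0.11, 0.79, 0.31, 0.54]
DEGRADED_PROBE = [0.14, 0.76, 0.37, 0.51]
STRANGER_PROBE = [0.90, 0.90, 0.90, 0.90]

TRIALS = [("alice", CLEAN_PROBE), ("alice", DEGRADED_PROBE), (None, STRANGER_PROBE)]


def distance(a, b):
    """Euclidean distance between two faceprints of equal length."""
    if len(a) != len(b):
        raise ValueError("faceprints must have the same length")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match(probe, enrolled, threshold, margin=0.0):
    """1:N match of a probe against the enrollment database.

    Returns (identity, distance) for an accepted match, or (None, distance)
    when the closest faceprint is farther than `threshold`, or when the
    runner-up is within `margin` of the best candidate (ambiguous result).
    """
    ranked = sorted((distance(probe, vec), name) for name, vec in enrolled.items())
    best_d, best_name = ranked[0]
    if best_d > threshold:
        return None, best_d
    if len(ranked) > 1 and ranked[1][0] - best_d < margin:
        return None, best_d
    return best_name, best_d


def evaluate(trials, enrolled, threshold, margin=0.0):
    """Count outcomes for (true_identity_or_None, probe) pairs."""
    counts = {"correct": 0, "false_match": 0, "false_non_match": 0}
    for truth, probe in trials:
        name, _ = match(probe, enrolled, threshold, margin)
        if name == truth:
            counts["correct"] += 1
        elif name is None:
            counts["false_non_match"] += 1   # enrolled person rejected
        else:
            counts["false_match"] += 1       # wrong identity returned
    return counts


if __name__ == "__main__":
    for label, probe in [("clean", CLEAN_PROBE), ("degraded", DEGRADED_PROBE),
                         ("stranger", STRANGER_PROBE)]:
        print(label, match(probe, ENROLLED, threshold=0.1),
              match(probe, ENROLLED, threshold=0.1, margin=0.08))
    print("threshold only:  ", evaluate(TRIALS, ENROLLED, 0.1))
    print("threshold+margin:", evaluate(TRIALS, ENROLLED, 0.1, margin=0.08))
```

With the threshold alone, the degraded capture of alice is returned as carol; adding the margin turns that false match into a rejection, which is the safer failure for an access-control decision.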

Applications of Facial Scanning Technology

· Attendance in school

Most schools have begun to implement facial scanning technology to automate students’ attendance; this helps teachers spend less time taking attendance for large classes and focus more on teaching. The advantage of an automated facial scanning attendance system is that proxy attendance is not possible. It is also useful for keeping track of the whole campus to avoid threats.

· At airports

Airports must have facial scanning to track the passengers or people entering and leaving the airport. The security department uses this technology to identify criminals, terrorists, and people who have exceeded their visas by comparing their photos against an existing database of such people.

· Organizations’ access control

Facial scanning technology is now used in many corporate companies and government offices for fast and effective access. It helps track everyone’s activities in the organization and identify visitors. It also enhances security by immediately reporting any potential violations.

· Mobile apps

Many mobile apps, including Facebook and Snapchat, also use facial scanning features. For instance, a user can take a selfie and see how they would look younger, older, as the opposite gender, or as a comic character, just for entertainment. Luxand is also a popular app specially designed for security purposes, as it can identify faces in real time.

· Banking

The banking sector uses facial scanning technology to make transactions more secure. Some businesses have even started using pay-by-face counters as a safe and fast payment method, unlike credit card payments and other forms, as it’s difficult to spoof the face.

Security Threats and Privacy Risks of Face Recognition

Like all other technologies, facial scanning also has significant downsides, such as cost, privacy threats, data hacking, and other crimes. There is also the risk of errors due to technological flaws.

· High costs required

Facial scanning requires high-quality, and therefore costly, cameras and advanced software. It is expected that technological advancements will lower the cost of facial recognition systems in the future.

With poor camera quality, facial scanning has trouble identifying people with darker skin tones and is significantly less accurate for them, so it is challenging to determine the actual person. This can be a severe problem in law enforcement, where misidentification can lead to the arrest of an innocent person instead of a criminal.

· Data storage and theft


Facial scanning generally requires video and high-quality images, which need a significant amount of storage, and this is an important issue. A few companies and law enforcement departments store their face recognition data on local servers, which leads to data breaches. If data from facial recognition technologies is stored in the cloud, the data is most secure. The storage requirement forces businesses to process everything on several machines at the same time, which is inconvenient.

· Loss of individual privacy

Individual privacy is adversely affected by facial scanning technology. None of us likes to have our face stored in an unknown database. Confidentiality is a significant problem for everyone, especially in California, which has prohibited facial scanning in real time. In that case, police can use video recordings from privately owned video security devices but cannot use software for live facial scanning.

· Identification errors

Facial scanning may not always be completely accurate when matching faceprints against the database. Errors usually happen because the images are insufficient or the database lacks information. Poor illumination or image quality can make it challenging to analyze the nodal points properly. When the face angles are blurred, the data is affected, causing errors in the faceprint and incorrect matches in the database.

· Provide fraud opportunities

Cybercriminals also use facial scanning technology for criminal activities. They gather the personal data, images, and videos of an unknown person that were collected from facial scans and stored in databases. A hacker uses this information to obtain the victim’s credit card and debit card credentials.

How to Mitigate Facial Scanning Threats

Facial scanning technology has a wide range of applications in every industry, making facial recognition databases an easy target for cybercriminals to exploit and steal data from. It is crucial to take the necessary precautions and mitigate the cyber threats caused by facial scanning technology.

◉ For excellent and proper data storage, the organization’s IT security team should maintain network security 24/7.

◉ Cybersecurity should be part of the organization’s security plan to ensure proper data storage when managing facial scanning technology.

◉ Examine the company’s privacy and data security practices to learn who it shares data with.

◉ The organization must implement external audits for security measures and protocols, such as SOC 2 certifications.

◉ The organization should have external white hat security testing, such as penetration testing, performed.

◉ An ethical hacker would help in securing the system from violations and vulnerabilities that attackers exploit. By using ethical hacking tools, the hacker would protect and prevent the attacks from occurring.

Facial scanning technology is effective but should be used effectively. It is advantageous for government offices, law enforcement, organizations, and end-users to increase their safety and track crimes. However, facial scanning may also be exploited for the personal benefit of hackers, with severe consequences. With a few safety measures, we can use it for intelligent work. It is estimated that the interaction between facial scanning and human rights and personal privacy will take at least 3-4 years. We can then wait and expect huge industries to make it more user-friendly, transparent, and secure to enable everybody to benefit.

Source: eccouncil.org

Thursday 17 June 2021

What’s the Difference Between Penetration Testing and Vulnerability Assessment?


Vulnerability Assessment (or scanning) and Penetration Testing are often believed to be similar procedures. But there are some key differences between the two, and they largely depend on how you test your systems to detect vulnerabilities.

Read More: 312-76: EC-Council Disaster Recovery Professional (EDRP v3)

In simple terms, a Vulnerability Assessment is an automated, high-level test that is used to search for potential vulnerabilities. A Penetration Test is a simulated, manual cyber-attack against your computer system to check for exploitable vulnerabilities. Both are important in their own ways, but as a business owner or a senior management member in your company, you should know how they differ and what their importance is.

In this article we will analyze these key differences.

What is Penetration Testing?

Penetration testing is an in-depth, hands-on examination of existing systemic weaknesses and flaws. A quality penetration test, or pentest, assesses a target to identify weaknesses or security flaws that a threat actor can exploit. These exploitable weaknesses include unpatched software, poor vulnerability management procedures, security gaps, ineffectual security settings on systems, etc.

Penetration Tests are extremely thorough and provide a detailed approach for dealing with a specific issue. Through this test, you can easily find and remediate vulnerabilities in software applications and networks.

What is a Vulnerability Assessment?

A vulnerability assessment, or vulnerability scanning, is an automated process for detecting, measuring, and prioritizing the vulnerabilities in each system and the entire environment. Vulnerability scans are conducted using automated scanners such as those manufactured by Rapid7, Nessus, Qualys, Retina, and GFI LANGuard.

You are subject to the PCI DSS (Payment Card Industry Data Security Standard) if your company handles cardholder data. This means that you are expected to perform vulnerability scans every quarter and after any significant modifications to the network. Likewise, quarterly external scans differ from quarterly internal scans.

Their objectives are different

The execution of a penetration test depends on several situations, like compliance regulations, application launches, protection from a breach or leak, and/or any significant updates to a network or application. Similarly, based on the different reasons for performing a pentest, its objectives can also differ significantly. Pentest reports are thorough and allow senior management members (or anyone in a similar role) to prioritize the risks on the basis of budget or threat level.

The objectives of a vulnerability assessment vary slightly from those of a penetration test. Vulnerability scans are cyclical in nature. Scans are performed when new vulnerabilities are released, when networks or applications change, after a breach or leak, or as part of a continuous process within a good vulnerability management program. Vulnerability scans are affordable, but they produce more false positives because the process repeatedly identifies threats that are not real.


Penetration Testing and Vulnerability Assessment are important tools against cybercriminals. The reports will help you determine controls that are best suited for the business and department. But apart from these tools, you should also make sure that your employees go through regular training sessions. Penetration testing training on these topics will keep your security team as well as other departments aware about best practices, trends and new threats. And nothing comes close to EC-Council’s CPENT Program.

CPENT: The Only Certification Your Employees Will Ever Need

EC-Council’s Certified Penetration Tester (CPENT) program is a fully online, remotely proctored practical exam that challenges you through a grueling 24-hour performance-based, hands-on exam. If your Cybersecurity Teams have only been working in flat networks, CPENT’s live practice range will take their skills to the next level.

The heart of the CPENT program is all about helping your employees master their Penetration Testing skills by putting them to use on EC-Council’s live cyber ranges. The CPENT ranges were designed to be dynamic in order to give your employees a real-world training program, so just as targets and technology continue to change in live networks, both the CPENT practice and exam ranges will mimic this reality as our team of engineers continue to add targets and defenses throughout the CPENT course’s lifetime.

Source: eccouncil.org

Wednesday 16 June 2021

What is Identity and Access Management (IAM) Governance and its Functions?


Data incidents continue to plague companies, and industry standards organizations are increasing their compliance requirements to ensure data privacy and security. Maintaining Identity and Access Management (IAM) compliance includes Governance software that helps the organization protect data privacy while managing an increasingly complex digital and cloud-based IT infrastructure.

More Info: EC-Council Certified Chief Information Security Officer (CCISO)

Governance frameworks are needed to fulfill IAM’s commitment to consistently support business users’ access needs without affecting security or leading to a breach. Governance helps organizations solve this problem by enabling communication and by promoting a genuine understanding of the needs and the technology offered among all key stakeholders.

What Is Identity and Access Management?

Identity and access management (IAM) determines who a user is and what they are permitted to do. IAM limits the access to and handling of sensitive information to individual users in the organization. If there is no IAM, anybody can access sensitive business files, leading to a potential data violation. In this regard, IAM helps businesses comply with rigorous and complex data management regulations. IAM is also referred to as identity management (IDM). It is a branch of IT that examines the identity of users and controls their access to digital resources. IAM is a collective term covering the products, processes, and policies used to manage and maintain the organization’s user identities and regulate user access within the organization.

The central role of identities in an organization is one of the reasons IAM is gaining traction. An identity allows users to do their job by providing them with access to Wi-Fi, networks, file servers, applications, and other digital assets. IAM extends to identifying, authenticating, and authorizing people to use IT resources and access hardware and applications.

What Is IAM Governance?

Any identity and access management (IAM) program must include Governance. An IAM governing body establishes and oversees all essential IAM functions, policies, procedures, and standards. The guiding principles that decide who has access to what information in an organization are known as access governance. With the ever-changing IT environment involving various distributed technologies, establishing IAM governance entails forming a committee of people with the authority to prioritize, create, enforce, and track IAM-related tasks and objectives, who meet regularly and make decisions.

Besides the guidelines, access management also requires the monitoring mechanisms necessary to assess each user’s access and use rights continually and detect defects.

Importance of IAM Governance

Due to the pandemic, employees are working remotely, and cyber criminals could attack increasingly vulnerable business systems. Organizations whose identity and access management systems are poorly designed or poorly regulated have become a common target for cyber attackers.

◉ Identity governance is crucial for reducing identity-related vulnerability and creating policies to manage access compliance in such a long-lasting situation. We need these two things now more than ever to meet the challenges of business safety post-COVID-19.

◉ Without proper Governance, organizations are at risk. Identity and Access Management Governance helps organizations track and monitor the lifecycle of their employees.

◉ Access requests will comply with the policies and regulations of the companies. An automated process can improve efficiency, productivity, and safety.

Functions of IAM Governance

As organizations adopt Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) to simplify operations and increase customer interaction, they face a range of new problems relating to identity and access governance:

1. Governance committee

The formation of an IAM governance council, primarily composed of stakeholders responsible for developing IAM policies for the organization, is the first step in establishing an IAM program. This council must be authorized to implement risk-mitigation policies that are widely visible throughout the organization.

2. Role-based access

Governance implies that an organization is aware of who has access and why, and who is responsible for adding and deleting an entry. Role management includes periodically reviewing roles, ensuring that entitlements are correct, updating roles according to policy changes, and removing roles if necessary. Several companies still depend on role-based access controls that lack context. Industry and regulatory enforcement requirements increasingly include attribute-based access controls, which take other attributes into account, such as location and resource.

3. Visibility is essential

The more cloud services your company integrates into the infrastructure, the less control you have over who has access to what resources, how they use them, and why they need them.

4. Authority

Assigning decision-making to those with governing authority supports organizations in promoting and enforcing more accountability in IAM policies and procedures. The Chief Information Security Officer (CISO) has to make decisions with operational and risk considerations.

Benefits of IAM Governance

1. Providing access to the organization in an effective manner

Identity access governance gives your users quick and effective access to the resources they need to operate. This is made possible by using tools. It enables them to be productive whether or not their responsibilities change.

2. Changes in business

Organizations are continually growing and changing. Identity access governance will improve efficiency and make these changes less risky, since it can grant access based on roles and not on individual accounts. By automating and simplifying provisioning and approvals, identity access management can significantly reduce the time frames for carrying out user account transitions. It is important to develop roles accurately and intuitively.

3. Risk management

Identity Access Governance adopts a proactive approach to reducing sensitive data exposure by strictly restricting and protecting access and reducing environmental risks. It enables a robust approach to managing and regulating access and follows the concept of least privilege, removing unnecessary rights and only giving access to those who require it to do their work.
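The periodic role review from the "Role-based access" function and the least-privilege cleanup described here, as an added example that is not part of the original article. The role catalogue, accounts, entitlement names and the location rule are all constructed for illustration; the decision function honors only what a role justifies and then applies an attribute (location) check on top.

```python
from dataclasses import dataclass

# Constructed role catalogue: role -> entitlements that role justifies.
ROLES = {
    "payroll-clerk": {"hr-db:read", "payroll:run"},
    "developer": {"repo:write", "ci:run"},
    "auditor": {"hr-db:read", "logs:read"},
}

# Constructed attribute rule layered on top of roles (attribute-based control):
# entitlement -> locations from which it may be exercised.
LOCATION_RULES = {"payroll:run": {"office"}}


@dataclass
class Account:
    user: str
    active: bool
    roles: set      # roles assigned to the user
    granted: set    # entitlements actually provisioned on systems


# Constructed account inventory, as an access review would pull from systems.
ACCOUNTS = [
    Account("dana", True, {"payroll-clerk"}, {"hr-db:read", "payroll:run"}),
    # eli moved teams; one entitlement from the old job was never removed.
    Account("eli", True, {"developer"}, {"repo:write", "ci:run", "hr-db:read"}),
    # fay left the organization but was never deprovisioned.
    Account("fay", False, {"developer"}, {"repo:write"}),
]


def allowed_by_roles(account, roles=ROLES):
    """Union of entitlements justified by the account's assigned roles."""
    allowed = set()
    for role in account.roles:
        allowed |= roles.get(role, set())
    return allowed


def review(accounts, roles=ROLES):
    """Access review: list (subject, finding, details) tuples.

    Findings: access held by inactive users, entitlements no role justifies,
    and roles that no active user holds (candidates for removal).
    """
    findings = []
    used_roles = set()
    for acct in accounts:
        if not acct.active:
            if acct.granted:
                findings.append((acct.user, "inactive-with-access", sorted(acct.granted)))
            continue
        used_roles |= acct.roles
        excess = acct.granted - allowed_by_roles(acct, roles)
        if excess:
            findings.append((acct.user, "excess-entitlement", sorted(excess)))
    for role in sorted(set(roles) - used_roles):
        findings.append((role, "unused-role", []))
    return findings


def is_permitted(account, entitlement, location, roles=ROLES, rules=LOCATION_RULES):
    """Least-privilege decision: role must justify it, then attributes must allow it."""
    if not account.active:
        return False
    if entitlement not in allowed_by_roles(account, roles):
        return False  # a leftover direct grant is not honored
    allowed_locations = rules.get(entitlement)
    return allowed_locations is None or location in allowed_locations


if __name__ == "__main__":
    for finding in review(ACCOUNTS):
        print(finding)
    dana = ACCOUNTS[0]
    print("dana payroll:run office ->", is_permitted(dana, "payroll:run", "office"))
    print("dana payroll:run remote ->", is_permitted(dana, "payroll:run", "remote"))
```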

Best Practices to Set Up a Governance Committee

When establishing an IAM governance committee, the following are the best practices:


◉ Agree on key goals and priorities available.

◉ Include important owners and managers, including HR, Legal, Privacy.

◉ Identify measurement metrics for defined objectives.

◉ Get Executive Support from key management, such as CRO, CISO, CIO, CEO.

◉ Make sure that the purposes of the Committee are associated with organizational priorities, including digital transformation.

Governance aims to create a structure that includes structured principles and best practices and a multidisciplinary framework that considers its diverse nature. An effective IAM system relies on an ongoing commitment to administrative, technical, and security privacy controls.  The challenge is to provide access to the ID & Access Management Governance safely.

Source: eccouncil.org

Tuesday 15 June 2021

What is Penetration Testing, Strategic Approaches and Its Types?


In the wake of the global pandemic, organizations were required to secure their security infrastructure and establish endpoint security, as most of their workforce is working remotely. The shift to remote work saw data exchanged over cloud services and employees using their own devices connected to their home Wi-Fi, which can pose a huge threat to the organization’s safety and leave it prone to cyberattacks and data breaches. Therefore, organizations are looking for cybersecurity professionals who can test and audit their systems, network, and the entire infrastructure to pinpoint vulnerabilities and loopholes that can potentially lead to cyberattacks.

More Info: EC-Council Certifications

This testing is carried out by penetration testers who monitor and audit the security parameters by conducting various tests using automated tools and more. The blog talks in detail about penetration testing, strategic approaches taken by pentesters to conduct a pentest, and the different types of penetration testing.

What Is a Penetration Test?

Penetration testing is a technique used in cybersecurity to test for vulnerabilities and threats in an application or network. Here, the penetration testing professionals think from the attacker’s point of view and evaluate the effectiveness of security measures. If a flaw is found, they fix it before a hacker attacks, which safeguards the security controls. Most ethical hackers perform penetration tests to check for exploitable vulnerabilities. Many organizations also use pen testing to test a product before its release.

What Is the Primary Purpose of Penetration Testing?

The purpose of penetration testing is to detect security weaknesses and issues. This testing can also be used to test an organization’s security policy, its adherence to compliance requirements, its employees’ security awareness, and the company’s capability to detect and react to security incidents. The final goal is to detect security problems and vulnerabilities. In addition, pen testing activities can serve several side goals:

◉ Test the compliance of security policies.

◉ Verify the awareness of the staff in terms of security.

◉ Check if and how an organization can face a security breach.

Penetration Testing Strategic Approaches

There are a few approaches that cybersecurity experts can take when executing a penetration test. The key difference is how much knowledge the theoretical attacker is assumed to have.

1. Gray Box Penetration Test

In this type of penetration testing, the tester possesses some basic knowledge about the system. It could be initial credentials, a network infrastructure map, or application logic flow charts. The test gives a very realistic outcome because many cyber attackers will not even attempt an attack without a small amount of information about the target. This approach essentially skips over the “reconnaissance” step and gets straight to the actual pen test. It can be done more quickly and can focus exactly on systems that are already known to be risky.

2. Black Box Penetration Test

This type of test is performed without any knowledge of the target network or the systems running on it. The tester does not have any idea about the internal code or software and has no access to any credentials or sensitive data. This form of testing is realistic because it enables the tester to think like a potential hacker when searching for vulnerabilities. While it may seem like the most accurate form of testing, black box tests are restricted by time limits. The tester usually has a fixed amount of time to examine the system and try to gain access, while a hacker does not have similar restrictions and could detect weaknesses that are not obvious.

3. White Box Penetration Test

The last penetration testing approach is less a simulated cyberattack than a complete scan of a system at the source code level. Testers are given the highest access privilege level, allowing them to go through the system completely for logic vulnerabilities, misconfigurations, poorly written code, and deficient security measures. While very comprehensive, it may not identify the gaps that an attacker would exploit from the outside using unconventional procedures. For this reason, it is often helpful to do a white box test in conjunction with black or gray box testing.

Types of Penetration Testing

To begin with, there are five types of penetration testing, each addressing different types of security problems. For a company to perform a pen test on its systems, it is necessary to understand the differences in order to know which type of test will meet the need.

1. Network Penetration Test

In a network penetration test, you test a network environment for potential security vulnerabilities and threats. This test is divided into two categories: external and internal penetration tests. An external penetration test involves testing the public IP addresses, whereas in an internal test you become part of an internal network and test that network.

Network penetration tests generally target the following areas.

◉ Firewall configuration

◉ Firewall bypass testing

◉ Stateful analysis testing

◉ IPS deception

◉ DNS level attacks

2. Web application penetration test

A web application penetration test examines potential security problems that arise from insecure design, development, or coding. This test detects potential vulnerabilities in websites and web applications with CRN and externally or internally developed programs, which could lead to exposing or leaking important data and personal confidential data. This test is designed to focus mainly on browsers, websites and web applications, and other components like plug-ins, procedures, applets, etc.

3. Client-side test

The client-side test can also be called an internal test, run to identify potential security threats that could emerge from within the organization. It could be a weakness in software applications running in the user’s workplace that a hacker can easily exploit. The exploitation can target vulnerabilities in client-side applications such as email clients, web browsers, Macromedia Flash, Adobe Acrobat, and others. A hacker can exploit a vulnerable application through a smartly crafted email, by luring the employee into visiting a malicious web page, or by malware loaded on USB sticks that is automatically executed once placed in the user’s workplace. Running the client-side test can identify these weaknesses and reduce data breaches and system vulnerability.

4. Wireless network test

A wireless network test deals with wireless devices like tablets, laptops, notebooks, iPods drives, smartphones, etc. As the name suggests, the test examines all the wireless devices to detect any security loopholes and identify the devices that are deemed to be weak or rogue. Besides the gadgets, the penetration test considers testing administration credentials to determine crossing access rights.

5. Social engineering pen test

Social engineering plays a crucial role in penetration testing. It is a test of the human network of an organization. This test helps secure against a potential attack from within the organization by an employee looking to start a breach or an employee being tricked into sharing data. This kind of test includes both remote and physical penetration tests, which target the most common social engineering tactics used by ethical hackers, like phishing attacks, imposters, tailgating, pre-texting, gifts, dumpster diving, and eavesdropping, to name a few.

Organizations need penetration testing professionals, and need at least minimum knowledge about penetration testing, to secure themselves from cyberattacks. They use different approaches to find attacks and defend against them. There are five types of penetration testing: network, web application, client-side, wireless network, and social engineering penetration tests. One of the best courses to learn penetration testing is the EC-Council Certified Penetration Testing Professional, or CPENT. Beyond working in flat networks, this course boosts your understanding by teaching how to pen test OT and IoT systems, write and build your own exploits and tools, conduct advanced binary exploitation, access hidden networks, and customize exploits to get into the innermost segments of the network. There are two ways to get certified, and you can choose either. The first is by joining the CPENT Training Course, where learners get full knowledge of pen testing methodology. The other is the CPENT Challenge Edition, where the learner has to tackle the pen testing challenges to earn the certification.

Source: eccouncil.org

Sunday 13 June 2021

Programmable Money: Opportunities & Benefits of Digital Currency

Programmable money technology is regarded by many as the most valuable sector of the cryptocurrency market. Furthermore, programmable money gives banks, currencies, and financial instruments new utility, and its potential value is in the trillions of dollars. Although many people are interested in programmable money, fewer people know what it means.

More Info: EC-Council Certified Security Analyst (ECSA v10)

This post will explore the concept of programmable money by explaining whether it is possible using smart contracts on blockchains.

Is Programmable Money Automated Payments?

You may be wondering whether it counts as programmable money when you click “make a payment” on your bank’s online banking website and the bank’s computers help move the money. Contrary to popular belief, it is not programmable money because you instruct your bank to make a payment.

Programmable money technology is not only about the ability to write arbitrary code for moving money. Furthermore, it is not programmable money even if it includes complex business logic and external data in the decision-making process. Nowadays, many businesses send payment instructions to banks using computer programs running on corporate servers.

You may be wondering if programmable money then has to do with automation of payments at the bank’s side instead of the customer’s side. Most banks are already performing client-instructed automated tasks with rudimentary. Banks can even allow you to upload code, run the code, and then use the code result as a payment instruction from you. However, this can create liability for the banks when the code goes wrong.

If Programmable Money Is Not Automated Payments, Then What?

In the above scenarios, a bank can hold back a payment even after receiving a payment instruction. Regulators also require banks not to tell customers why they withheld the payment. In such cases, you are not assured that the payment is going to work in the end.

In contrast to traditional payment methods, programmable money means that no intermediary or bank can stop the code’s instructions, which will be carried out once executed. As a customer, you’ll find the freedom to hold and control money outside the banking system.

A transaction like this can then be achieved using stablecoins on a public or permissioned ledger. This way, you can upload programs known as smart contracts that will indeed run. However, these smart contracts end up creating instructions to the smart contract that defines the money. The smart contract that defines the money may also decide not to make a payment, for instance, when the payment instruction is made to a blacklisted account.

Programmable Money Is Designer Money

The best way to describe programmable money is that it is designer money. It is money created by someone (an issuer) that will work in a certain way and has specific constraints no matter who owns the funds at any point in time.

Banks cannot do this because money in banks is usually different. For instance, money kept in JP Morgan is quite different from that at Citibank. In JP Morgan’s case, there is a legal agreement that JP Morgan owes you money, while in Citibank’s case, Citibank owes you some dollars.

Before the money in each bank can behave a certain way, both banks will need to use the same logic and constraints. This task is costly and complex because there is no ledger to reference when transactions are made.

Problems Faced By Banks

◉ Loans can be used for items other than what the borrower told the lender they would use the money for.

◉ The funds meant for a specific purpose end up somewhere else.

◉ Grants are used to pay for things they were not intended for.

Benefits Of Designer Money

Designer money is money that has control logic built into it. Designer money can be created at the smart contract level. The smart contract helps to define:

◉ The characteristics of the money like how many units there are, etc.

◉ How the users can interact with the capital, such as making a payment, asking for balance, etc.

The designer can then code the constraints in the second part of the smart contract. This way, all the payment requests come with conditions no matter who is controlling the money. The benefit is that the money only goes to the intended destinations.

After the special-purpose money has reached its destination, it can then be redeemed for general-purpose cash when needed. Developers can also create certain types of money that you can only send with additional data, for instance, proof that the payment supports an import or export. You can also put a constraint on the money flows or wallet balances.
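The two-part smart contract described above (characteristics and interactions, plus the designer's constraints) can be modelled in a few lines of Python. This is an added illustration, not code from the original article or from any real token contract; the class, method and account names are hypothetical, and a real deployment would run on a ledger rather than in one process.

```python
from dataclasses import dataclass, field
from typing import Optional

class PaymentRejected(Exception):
    """A payment request broke a rule built into the money."""

@dataclass
class DesignerMoney:
    issuer: str
    total_units: int                    # characteristic: how many units exist
    allowed_payees: frozenset           # constraint: intended destinations only
    blacklist: frozenset = frozenset()  # constraint: accounts that are never paid
    max_wallet: Optional[int] = None    # constraint: cap on a wallet balance
    balances: dict = field(default_factory=dict)

    def __post_init__(self):
        self.balances[self.issuer] = self.total_units

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def _move(self, sender, payee, units):
        if units <= 0 or units > self.balance_of(sender):
            raise PaymentRejected("invalid amount or insufficient funds")
        if payee in self.blacklist:
            raise PaymentRejected("payee is blacklisted")
        cap = self.max_wallet  # the issuer's own wallet is exempt from the cap
        if cap is not None and payee != self.issuer \
                and self.balance_of(payee) + units > cap:
            raise PaymentRejected("payee wallet limit exceeded")
        self.balances[sender] -= units
        self.balances[payee] = self.balance_of(payee) + units

    def issue(self, holder, units):
        """Issuer hands special-purpose units to a holder (e.g. a borrower)."""
        self._move(self.issuer, holder, units)

    def pay(self, sender, payee, units, proof=None):
        """Holder payment: same checks regardless of who controls the units."""
        if payee not in self.allowed_payees:
            raise PaymentRejected("payee is not an intended destination")
        if not proof:
            raise PaymentRejected("supporting data missing")
        self._move(sender, payee, units)

    def redeem(self, account, units):
        """An intended destination swaps units back for general-purpose cash."""
        if account not in self.allowed_payees:
            raise PaymentRejected("only intended destinations can redeem")
        self._move(account, self.issuer, units)
        return units  # amount of general-purpose cash owed to the account
```

Every rejected request leaves the balances untouched, so the total number of units never changes and a loan issued this way can only end up with an intended destination or back with the issuer.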

Furthermore, designer money offers endless possibilities. The whole point of special-purpose funds is to reduce fungibility.

Source: eccouncil.org