CYB 4302, Cyber Warfare and Application 1
Course Learning Outcomes for Unit I
Upon completion of this unit, students should be able to:
2. Perform ethical hacking practices.
2.1 Describe hackers and their motivations and responsibilities.
2.2 Discuss what is involved in test plans.
2.3 Discuss ethics and the legality of ethical hacking.
Required Unit Resources
Chapter 1: An Introduction to Ethical Hacking—Read the following sections:
• Foundation Topics
• Security Fundamentals
• Security Testing
• Hacker and Cracker Descriptions
• Ethical Hackers
• Test Plans—Keeping it Legal
• Ethics and Legality
• Summary
Unit Lesson
Ethical Hacking Basics
Our first lesson of the course provides an overview of essential considerations, frameworks, terminology, and
practices required of practitioners working in cybersecurity. Ethical hacking is the collection of best practices
used to identify security vulnerabilities using the same tools and approaches that malicious attackers use
(Synopsys, 2021). Ethical hacking practices extend beyond penetration testing, which is only one activity
intended to improve security using a predictable and repeatable process.
Security Triad – Goals of Security
Ethical hacking fits within an overall enterprise approach to information security. Understanding the goals for
information security provides a perspective on how ethical hacking contributes to achieving them. Information
security goals are expressed as the security triad: confidentiality, integrity, and availability (CIA) (Center for
Internet Security, 2018).
UNIT I STUDY GUIDE
Ethical Hacking Fundamentals
Figure 1 Security Triad
• Confidentiality:
o Addresses how secret the information is
o If someone obtains the information, the confidentiality has been compromised.
o Locked doors, fences, and guards can be used to keep physical structures secure.
o Passwords, encryption, and firewalls can be used to secure computer systems and networks.
• Integrity:
o Addresses the correctness of the data
o Data must be protected both while in storage and in transit.
o If the data is modified while in storage or in transit, the integrity has been compromised.
• Availability:
o Data and applications should be available when the user needs them.
o Employing a backup strategy and disaster recovery plan ensures data is not lost.
Elements of Risk
Risk identification and management is an entire discipline by itself. Ethical hacking focuses on three of the
most common and essential elements of risk management (Watts, 2020). The three elements are assets,
threats, and vulnerabilities.
• Assets
o Any item that could have a value
o Routers, computers, information, trade secrets, and people are some examples of assets.
• Threats
o Any condition that could compromise an asset.
o Natural disasters, hacking attacks, and viruses are some examples of threats.
• Vulnerabilities
o Weakness in the system design, implementation, or code.
o Exploits can be used to take advantage of vulnerabilities.
Every organization has a different tolerance for risk. One of the goals of information security is to minimize
risk to a level acceptable to a specific organization.
Types of Pentesting
Pentesting can take on different forms depending on the assumptions and information provided. Operating
against these assumptions is the primary job of ethical hackers. The knowledge supplied or assumed in
developing security tests depends on which of the three general models is being deployed (Poston, 2021).
• Black box (no-knowledge tests):
o Simulates an outsider attack
o Assumes no prior knowledge of target or network
o Takes more time and is more expensive
• White box (full knowledge tests):
o Full knowledge of network, systems, and infrastructure
o Can spend more time probing vulnerabilities
• Gray box (partial-knowledge tests):
o Partial understanding of the target
o Simulates an insider attack
Figure 2 Pentesting types
Types of Security Tests
Security testing can be broken down into one of three different categories. Each category will differ in scope
and complexity (Cybersecurity Guide, 2021):
• High-level assessments:
o Level I assessment
o Top-down assessment of organizational policies, procedures, and guidelines
o It does not include hands-on testing.
• Network evaluations:
o Level II assessment
o Includes hands-on testing in addition to Level I assessment
• Penetration tests:
o Level III assessment
o Attempts to compromise the network as an attacker would
These are all activities that are focused on reducing organizational risk. In some cases, these are phases
completed in sequence.
Categories of Hackers
In the world of cybersecurity, hackers are categorized as belonging to one of three categories: white hat,
black hat, or gray hat.
Figure 3 Types of hackers
Types of Hackers
Hackers using the same tools and methodologies can be described differently depending on their motivations
(Jelen, 2021). Two common variations are hackers versus crackers, which are generally defined as:
• Hackers:
o Originally: computer enthusiasts
o Now: individuals who break into computer systems with malicious intent
• Crackers:
o Criminal hackers
o Illegally hack into the computer system without permission
As of this writing, Cisco Talos Intelligence has identified a new type of hacker, labeled privateers
(Mercer, 2021). Described primarily as ransomware groups operating out of North Korea, Russia, and other
countries, these groups, though not officially sanctioned by their governments, operate without the worry of
prosecution from outside law enforcement agencies.
Privateers
• have some level of unofficial state-sponsored protection,
• are financially motivated, and
• operate independently.
Using the correct terminology assists in communication and avoids confusion.
Ethical Hackers
Aside from not having any malicious intent, ethical hackers provide a beneficial service. An ethical hacker is
an individual hired by an organization to perform security tests and vulnerability assessments of its systems to
proactively identify security issues and help secure the organization’s systems and infrastructure
(Techopedia, 2012). An ethical hacker will use the same tools and expertise that a malicious cracker might
use in the search to identify vulnerabilities so they can be mitigated. Ethical hackers have skills and
knowledge that cover:
• routers,
• operating systems,
• firewalls and IDS systems,
• mainframes,
• network protocols, and
• project management.
Many other specialized skills are developed during training and in practice (Tyagi, 2021).
Modes of Ethical Hacking
Ethical hackers perform different activities that will use the same techniques and methodology a malicious
hacker might use. Some of the modes are:
• information gathering,
• internal penetration testing,
• external penetration testing,
• network gear testing,
• denial-of-service testing,
• wireless network testing,
• application testing,
• social engineering testing,
• physical security testing,
• authentication systems testing,
• database testing,
• communication systems testing, and
• stolen equipment attack.
The modes that will be employed are part of defining the rules of engagement that will guide the selection of
tools and types of targets. Ethical hackers need to be proficient in the many areas of risk management that
might be encountered.
Rules of Engagement
A crucial aspect of ethical hacking is ensuring there are clear and agreed rules of engagement (ROE) with the
client. The goals and the approved techniques need to be outlined in the ROE (Henson, 2019).
Ethical hackers should adhere to the following set of best practices when performing any pentest:
• Always obtain written permission before starting any tests.
• Never exceed the limits of the authorization.
• Have a signed non-disclosure agreement (NDA) between the client and the ethical hacker.
• Always be ethical.
• Keep findings confidential.
• Do no harm.
These fundamental elements are what separate an ethical hacker from other types of hackers.
Ethical Hacking Test Planning and Phases
Ethical hacking activities are sequenced and managed like a project. Before the engagement, the project’s
scope must be identified to ensure the proper outcomes are met. Based on the scope, the assessment is then
undertaken. The last phase is documenting and reporting any findings. A methodology and repeatable
process should be followed, regardless of whether each engagement’s goals and specific requirements differ.
The execution of an ethical hacking engagement consists of three distinct phases:
• Scope of the project:
o Define the scope and objectives of the assessment.
o Get written approval.
o Identify compliance and legal issues.
• Perform the assessment:
o Based on the scope and goals of the assessment, the ethical hacker performs the actual security
tests.
• Post-assessment activities:
o Report the results of the testing, any relevant findings, and recommendations.
There is a lot of focus on the technical assessment activities, but improved outcomes will occur if the planning
and phasing are managed with a project-like structure.
Findings and Recommendations
In many cases, the report of findings is accompanied by a presentation that provides an overview of the
engagement, highlighting the significant findings and recommendations. The report preparation should reflect the intent of
providing information that can improve the organization’s security posture.
The report should review the engagement from the original statement of work and rules of engagement
through the assessment activities and findings. The provided report could contain sensitive information and
should be marked confidential and encrypted to prevent unintended disclosure.
The final report typically includes the following sections:
• Introduction
• Statement of work performed
• Results and conclusions
• Recommendation
Ethics and Legality
Ethical hackers need to be acutely aware of the laws and regulations pertaining to their activities (Global
Legal Group, 2021). The organization securing the services of an ethical hacker may not be fully aware of the
legal obligations and requirements and will rely on the ethical hacker to advise them.
The regulations and requirements are dependent on the jurisdictions that are involved and include federal and
state requirements. The ethical hacker needs to be familiar with these regulations, including:
• In the United States, hacking is covered under Sections 1029 and 1030 of Chapter 47, Part 1 of Title
18: Crimes and Criminal Procedure
• Other federal laws addressing hacking in the United States:
o Electronic Communications Privacy Act of 1986
o Computer Fraud and Abuse Act (CFAA) of 1984
o Cyber Security Enhancement Act of 2002
o USA PATRIOT Act of 2001
o Federal Information Security Management Act (FISMA) of 2002
o Federal Sentencing Guidelines of 1991
o Economic Espionage Act of 1996
o Child Pornography Prevention Act of 1996
o Health Insurance Portability and Accountability Act (HIPAA)
Summary
This lesson introduced you to the basics of ethical hacking. It has provided an overview of several areas that
will be covered in more depth in subsequent lessons. From this lesson, you should have learned the elements
of the security triad and have developed a basic understanding of the elements of risk. You should be able to
describe the types of security tests and the modes that can be employed. This lesson defined what
differentiates a hacker from an ethical hacker. You have learned that ethical hacking uses a methodology-like
process outlined in the rules of engagement that define the boundaries and expectations. Finally, this lesson
has identified that ethical hackers need to be aware of and familiar with the legislation and regulations that will
apply to them when undertaking these assignments.
Ethical hacking has become a role required by many organizations, governments, and agencies who view it
as an essential business risk management function.
References
Center for Internet Security. (2018, December 13). Election security spotlight – CIA triad.
https://www.cisecurity.org/spotlight/ei-isac-cybersecurity-spotlight-cia-triad/
Cybersecurity Guide. (2021, June 30). A complete guide to becoming an ethical hacker.
https://cybersecurityguide.org/resources/ethical-hacker/
Global Legal Group. (2020, February 11). USA: Cybersecurity laws and regulations. International
Comparative Legal Guides International Business Reports.
https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa
Hensonsecuritytools. (2019, September 13). The importance of scope and rules of engagement in a
penetration test. Henson Security Tools.
https://hensonsecuritytools.wordpress.com/2019/09/13/the-importance-of-scope-and-rules-of-engagement-in-a-penetration-test/
Jelen, S. (2019, July 11). Hacker vs. cracker: Main differences explained. Security Trails.
https://securitytrails.com/blog/hacker-vs-cracker
Poston, H. (2020, August 11). What are black box, grey box, and white box penetration testing? [Updated
2020]. Infosec.
https://resources.infosecinstitute.com/topic/what-are-black-box-grey-box-and-white-box-penetration-testing/
Mercer, W., & Ventura, V. (2021, May 26). Elizabethan England has nothing on modern-day Russia. Talos.
https://blog.talosintelligence.com/2021/05/privateer-groups.html
Synopsys. (2021). Ethical Hacking? https://www.synopsys.com/glossary/what-is-ethical-hacking.html
Techopedia. (2012, May 21). Ethical Hacker. https://www.techopedia.com/definition/16089/ethical-hacker
Tyagi, A. (2021, March 16). Skills required to become an ethical hacker.
https://www.infosectrain.com/blog/skills-required-to-become-an-ethical-hacker/
Watts, S. (2020, May 13). IT security vulnerability vs. threat vs. risk: What are the differences? BMC Blogs.
https://www.bmc.com/blogs/security-vulnerability-vs-threat-vs-risk-whats-difference/