Discover that, whether or not a company is required by law to ensure data protection, ethical hacking is important in an organization. Lisa Bock discusses the current threat landscape, what a data breach is, what constitutes personally identifiable information, and outlines the importance of ethical hacking.
- [Voiceover] Security compliance requires organizations exercise due diligence and due care in providing information security and risk management. Well, what does that mean? Let's boil it down. That means I understand what I need to do and I'm taking steps to do the right thing. Ethical hacking is a structured methodology that is the due care in assessing an infrastructure's security posture. Now, just what is at stake? I'm at this website, the European Union Agency for Network and Information Security.
Now, there is a lot of information on this website, but I was more specifically concerned with the threat landscape. I will go down here to take a look at the Threat Landscape in 2015. There is the document, and we're gonna take a look at the threat landscape, and I've opened it up. Now, I'll go to page three, where if I scroll down, we can see the different types of threats, and you can read about the threats and their implications.
In addition, there is also the Top 15 Cyber Threats of 2015. Now I've opened this document as well and let's take a look. Right there, we can see the number one threat in 2015 was malware. What's the second one? Web-based attacks, and then the third one, web application attacks, and we see a pattern, so this'll help you prioritize the ways that you're trying to reduce the vulnerabilities in your organization by simply being aware of them and what implications they would have for the security of your company.
The truth is no one is truly safe from a data breach, but just what is a breach? A data breach is an incident that compromises some form of data and, in addition, personally identifiable information. When we think about compromising our identity, we're looking at somehow they've captured some form of personally identifiable information. Well, what is that? Well, it's a name and something else.
It's a pair, a name and a social security number, a name and a credit card number, or other name-information pair, including medical information. It has to be a pair, meaning if I were to find a list of credit card numbers, that really isn't personally identifiable information. In fact, here I went on to a site to generate credit card numbers. These are valid in that a Master Card starts with 5-4-4-8. These are valid numbers, but they're meaningless because there's no name associated with this.
In this chart, you can see the data trend: breaches have increased since 2006. They're trending upward, and well, sadly, they're going to continue because the fact is data is being stored more digitally than ever. Because of the way laws are structured, not everyone has to report a breach, so it really may be truly hard to assess how many breaches are occurring every year. Why don't we report a breach? Well, companies do not report a breach for a number of reasons.
One, that they're possibly embarrassed, or worse yet, they don't know that they've experienced a breach. Now, sophisticated cyber attacks use advanced techniques, such as encryption, zero-day vulnerabilities, and backdoors to breach critical systems and evade detection. Well, the primary motive is to gain access. The attack vector may very well be a vulnerability that is left wide open. Due diligence includes an understanding of all available methods to secure the data and also the testing to ensure the methods are effective in today's changing threat landscape.
Due care is taking steps to address the vulnerabilities. Again, meaning I know what needs to be done, and I'm doing it to the best of my ability. An organization has choices when dealing with risk, and those include reducing the risk by enacting security measures. We can transfer the risk, and that's by using insurance. An organization can accept the risk, and the organization will bear the loss, or reject the risk, saying, "It can't possibly happen to us." Many techniques and technologies are available to reduce the risk to an organization and detect intrusions, but are they effective in reducing the risk? This is where ethical hacking, or penetration testing, comes into play.
Ethical hacking challenges a company's data security defenses by structured assessment and testing and should be done in every organization.
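The "pair" rule described in the transcript (a name plus one identifying attribute is personally identifiable information, while a bare list of card numbers is not) can be turned into a simple record classifier. The code below is an added example, not part of the course or its materials. The sample records, names and numbers are constructed; the Luhn check-digit test is an added assumption of what a "valid" card number means, which the transcript does not state; and the SSN format check is a plain regular expression, not a registry lookup.

```python
import re

# Constructed sample records (not from the course). A record counts as PII
# only when a name is paired with an identifying attribute.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789"},             # name + SSN: PII
    {"name": "B. Example", "card": "5448 1234 5678 9014"},    # name + card: PII
    {"card": "5448123456789014"},                             # card with no name: not PII
    {"name": "C. Example"},                                   # name alone: not PII
    {"name": "D. Example", "card": "5448123456789015"},       # fails Luhn: not a card number
]

# Constructed SSN shape: three digits, two digits, four digits (format only).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test (assumed definition of a 'valid' card number)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: dict) -> list:
    """Return the identifier types that are paired with a name in this record.

    An empty list means the record is not PII under the pair rule, either
    because there is no name or because nothing identifying accompanies it.
    """
    if not record.get("name"):
        return []
    found = []
    if SSN_RE.match(record.get("ssn", "")):
        found.append("ssn")
    if luhn_valid(record.get("card", "")):
        found.append("card")
    return found


def contains_pii(record: dict) -> bool:
    return bool(classify(record))


def pii_records(records: list) -> list:
    """Filter a dataset down to the records that a breach would expose as PII."""
    return [r for r in records if contains_pii(r)]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(classify(r) or "not PII", r)
    print(len(pii_records(SAMPLE_RECORDS)), "of", len(SAMPLE_RECORDS), "records are PII")
```

Running it flags only the first two records: the bare card number and the lone name are not PII on their own, and the record whose number fails the check-digit test is treated as a name with no usable identifier attached. In a real inventory the identifier checks would be broader (medical record numbers, account numbers), but the pairing logic stays the same.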
Security expert Lisa Bock starts with an overview of ethical hacking and the role of the ethical hacker. She reviews the kinds of threats networks face, and introduces the five phases of ethical hacking, from reconnaissance to covering your tracks. She also covers penetration-testing techniques and tools. The materials map directly to the "Introduction to Ethical Hacking" competency from the CEH Body of Knowledge, and provide an excellent jumping-off point for the next courses in this series.
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. Find more courses in the series on Lisa's author page.
- Ethical hacking principles
- Managing incidents
- Creating security policies
- Protecting data
- Conducting penetration testing
- Hacking in phases