Ethical hacking

I need to do paraphrasing in these 5 pages and make it 6 pages long with references. Please try to avoid plagiarism and please try to paraphrase as best as you can.


Running head: ETHICAL HACKING RECOMMENDATIONS

Ethical Hacking Recommendations

Student’s Name


Institutional Affiliation

Introduction

Critical security controls are important in all businesses and institutions. The reason is that, with the emergence of technology in the 21st century, every piece of information is electronically prepared, utilized, and stored for retrieval. The modern generation has embraced technology not only in their personal lives but also in their places of business. With the embrace of technology come new types of jobs such as hacking. Hacking is the use of computers and technology to retrieve information about a specific person or institution. In the current world, there are two types of hackers, namely black hats and ethical hackers (Hafele, 2004). Black hats are the hackers who use the internet and deep web to commit criminal offenses with the information obtained on specific individuals and institutions. Ethical hackers, on the other hand, are individuals who use the internet and deep web for good. Ethical hackers are referred to as “Honest Criminals,” as observed by Hafele (2004). Ethical hackers have managed to create a niche for their profession whereby they are in demand by many institutions and organizations for their expertise. This is different from a few decades ago, when organizations were not willing to be associated with hackers. Using ethical hackers for security control, this paper focuses on three recommendations for achieving security within an organization. The recommendations involve the adoption of the Black, White, and Gray box approaches.

Black Box Model

The Black Box approach, as observed by Zak and Park (2001), uses a random approach to attacks. This type of model is effective for organizations with the responsibility of maintaining the secrets of their clientele or of the business altogether. The reason is that the Black Box Model provides very little information to the ethical hackers prior to them carrying out their security testing (Andrew, 2004). The little information is meant to protect the organization and its clientele. The Black Box Model can be effective for organizations such as banks that are responsible for maintaining the account details of their clientele. Thus, when ethical hacking needs to be carried out in a bank, the best approach would be the Black Box approach. During implementation of the model it is essential that technically astute hackers are used (Hafele, 2004). The reason is that technically astute hackers are deemed to be professional hackers and thus will be able to follow the rules and use the little information provided to them for security testing.

The Black Box approach follows five phases in its implementation. The first phase is reconnaissance. This is the stage of gathering information about the organization under investigation using public sources such as the institution’s web page (Gabriele, 2004). The second phase is the determination of service. At this stage the ethical hacker identifies information from the client’s network and is able to identify the type of operating system being utilized. This phase is followed by the enumeration stage (Najmi, 2002). The enumeration phase involves the identification of the network shares, resources, applications, and users. This phase is important since, in the absence of proper security of the network, the hackers are able to access the network freely (Ida Mae, 2000). The fourth stage is the gaining access phase. This is a crucial stage since through gaining access the hackers are able to control a particular network through coding. The success of the infiltration is essential for the next step, which is the escalation of privileges (Hafele, 2004). This final stage involves setting up stronger measures that ensure a particular network is protected from any hackers. The Black Box Model can be effective in ensuring security measures within an institution or organization are met if and when implemented correctly.

White Box Model

Unlike the Black Box approach, the White Box Model follows the principle of providing adequate information to the ethical hackers responsible for carrying out security penetration tests of networks in an organization. The White Box Model follows the same procedures as the Black Box Model. However, the two models differ with respect to the amount of information provided, time allocation, and resources to be utilized (Hafele, 2004). During the implementation of the White Box Model, the ethical hackers are given little time to carry out the penetration tests. The lack of adequate time justifies the need to provide a lot of information on the organization prior to the penetration tests. The resources used in the penetration test increase the longer it takes the ethical hackers to carry it out. This demands a quicker penetration test compared to the Black Box approach. The White Box Model is appropriate for larger organizations that do not store a lot of personal clientele information or business secrets that risk exposure (Marcia, 2003). The larger the organization, the more resources are required to carry out the penetration test; thus, a White Box approach is appropriate to ensure little time is spent as a result of the provided information.

The success of the White Box Model depends on the involvement of specific staff within the organization under investigation. The upper management has to be involved during the implementation of the White Box approach. The upper management is responsible for setting up organizational policies and objectives and thus must be made aware of the security threats within the organization (Hafele, 2004). The upper management is also responsible for creating the boundaries within which the ethical hackers can operate during the penetration tests. This creates accountability and ensures the hackers only operate on the networks directed by the upper management. The technical staff are important during the White Box Model implementation. The technical staff oversee the work carried out by the ethical hackers and act as insiders by providing relevant information with regard to the organization’s networks (Peter, 2004). The human resource personnel have to be involved in the implementation process of the White Box approach. The human resource personnel have a deeper understanding of all the employees in the organization and hence are in a good position to offer assistance to the ethical hackers in the form of information. Lastly, the organization’s legal team has to be involved prior to the implementation of the White Box Model to ensure the rules are set for both the organization and the ethical hackers. This reduces the risk of a court case since it creates accountability for the parties involved. Notably, the White Box Model can be ineffective in some situations. Because information has already been provided, the hackers can overlook some things and hence become ineffective.

Gray Box Model

The Gray Box Model involves the implementation of both the Black and White Box approaches (Andrew, 2004). The Gray Box Model relies on the ethical hacker as the outsider and an insider from the organization. The possibilities presented by the Gray Box Model are many. For instance, the outsider hacker may implement the Black Box Model while the insider ensures the implementation of the White Box Model. The Gray Box Model is appropriate for organizations that are unsure of their security threats. The reason is that the Gray Box approach is thorough through the incorporation of both the Black and White Box models.

The success of the Gray Box Model depends on good communication. Communication is important in ensuring the proper implementation and effectiveness of the Gray Box Model (Hafele, 2004). The reason is that different approaches and personnel with varying interests are employed in this model. Thus, to protect the interests of all stakeholders involved in the Gray Box Model, proper communication channels have to be designed. The management of the organization has the responsibility of designing the proper communication channels. Notably, like the White Box Model, the Gray Box approach can be ineffective. The ineffectiveness of the model may be a result of overlooking some aspects of a network due to the provision of information prior to security penetration tests. To avoid overlooking particular aspects of the implementation process, a checklist and procedures should be developed and followed by the ethical hacker (Hafele, 2004). In case of the failure of the Gray Box Model, it is recommended that the hacker change to the Black Box Model to carry out the security penetration tests.

Conclusion

Security controls are essential in all organizations. The three recommendations are crucial in ensuring the networks and systems of an organization are secure. Electronic documentation and storage of information have created the need for the expertise of ethical hackers in protecting institutions. The three models discussed above can be implemented in all types of organizations to ensure the security of their electronic information and data. However, as observed, the success of the models depends not only on the ethical hackers but also on the stakeholders of the organizations under investigation. Specifically, the upper management has to be involved in developing good communication channels and boundaries to be followed by the ethical hackers during the implementation of the models.

References

Andrew R. T. (2004). “Validating Your Security Plan Using Penetration Testing: An Executive Summary”. Retrieved from http://www.nmi.net/pages/pentest.html

Gabriel, S. (2004). CISSP, “An Introduction to Ethical Hacking”. Retrieved from http://www.midwesttechjournal.com/modules/.php?name=news&file=article&sid=172

Hafele, D. M. (2004). Three Different Shades of Ethical Hacking: Black, White and Gray. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/hackers/shades-ethical-hacking-black-white-gray-1390

Ida Mae, B. (2000). “The Fundamentals of Computer Hacking”, December. Retrieved from http://www.giac.org/practical/GSEC/Ida_Boyd_GSEC

Marcia J. W. (2003). CISSP, “Demonstrating ROI for Penetration Testing (Part Four)”. Retrieved from http://www.securityfocus.com/infocus/1736

Najmi (2002). “How Hackers/Crackers Break Into Your System?” Retrieved from http://techniwarehouse.com/Articles/2002-05-13.html

Peter, M. (2004). “Penetration Testing”. Retrieved from http://www insight.co.uk/downloads/whitepapers/Penetration%20Testing%20(White%20Paper)

Zak, M. & Park, H. (2001). “The Gray Box Approach to Sensor Data Analysis”. Retrieved from http://tmo.jpl.nasa.gov/tmo/progress_report/42-144/144B
