Part I: Building the Foundation for Ethical Hacking
Anticipating all the possible vulnerabilities you’ll have in your systems and business processes is impossible. You certainly can’t plan for all possible attacks — especially the unknown ones. However, the more combinations you try and the more you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.
Don’t take ethical hacking too far, though; hardening your systems from unlikely attacks makes little sense. For instance, if you don’t have a lot of foot traffic in your office and no internal Web server running, you might not have as much to worry about as an Internet hosting provider might have. Your overall goals as an ethical hacker are

- Prioritize your systems so you can focus your efforts on what matters.
- Hack your systems in a nondestructive fashion.
- Enumerate vulnerabilities and, if necessary, prove to management that vulnerabilities exist and can be exploited.
- Apply results to remove the vulnerabilities and better secure your systems.
Understanding the Dangers Your Systems Face
It’s one thing to know generally that your systems are under fire from hackers around the world and malicious users around the office; it’s another to understand the specific attacks against your systems that are possible. This section offers some well-known attacks but is by no means a comprehensive listing.
Many information security vulnerabilities aren’t critical by themselves. However, exploiting several vulnerabilities at the same time can take its toll on a system. For example, a default Windows OS configuration, a weak SQL Server administrator password, or a server hosted on a wireless network might not be major security concerns separately — but a hacker exploiting all three of these vulnerabilities at the same time could lead to sensitive information disclosure and more.
Nontechnical attacks
Exploits that involve manipulating people — end users and even yourself — are the greatest vulnerability within any computer or network infrastructure. Humans are trusting by nature, which can lead to social engineering exploits.