There are various techniques that can be used by hackers in order to gain unauthorized
access to a computer system, in order to wreak havoc, steal money or data, or to prevent
the system from operating as it is supposed to. The three main methods that are used in
order to attack a system that is connected to the Internet are: network enumeration,
vulnerability analysis and exploitation.
A network enumerator is a program that is used in order to
discover the usernames and other information from
networked computers. The program discovers any
weaknesses in the computer network’s security and the
findings are reported to a hacker who may then use this
information in order to access the network and cause
damage (either by stealing data or corrupting the network).
On the other hand, ethical hackers can use the same process
simply to discover any weaknesses in their system in order to tighten security. Another
method used is vulnerability analysis, which identifies any points of vulnerability in a
system; this information can then be used to either attack the system, or to remove the
weakness. Vulnerability analysis can then lead to exploitation, where the hacker uses the
vulnerability information in order to breach a computer or system’s security.
There are many specific techniques that can be used, but they all employ the main
concepts and methods described above. The first more specific example of a hacking
technique is a vulnerability scanner, which is a program used to check a network for
susceptibility to attack. A port scanner can also be used, which identifies avenues of
access to a computer and can establish how to circumvent a firewall.
As well as these automated tools, hackers can also find these vulnerabilities themselves,
which can be done by manually searching the code of the computer and then
testing whether they are right. Brute-force attack is another method by which a hacker can
gain unauthorized entry to a computer network, and this involves for example guessing
passwords. Password cracking is another hacking technique that uses passwords, but
rather than guessing the password, the hacker recovers password information that has been
stored in the computer, or transmitted.
A spoofing attack (otherwise known
as phishing) is an enemy program,
system or website that poses as a
trusted one. By falsifying data the
hacker is able to masquerade as a
trusted system and thus fool a
program or user into revealing
confidential information such as
passwords or bank details. Another
hacking technique that is commonly
used is a rootkit, which is a program that manages to take over the control of an operating
system by employing hard-to-detect methods.
A Trojan horse is yet another technique: a program that fools systems and users by
appearing to do one thing while actually doing something else. By
using this method a hacker is able to gain unauthorized access to a system and create an
access point so that they can re-enter via that established route later on. A computer virus
is the most widely recognized form of hacking, as it is the computer threat that most of the
public is aware of.
The virus works by self-replicating and implanting itself into documents and code; while
some computer viruses are malicious, some are merely irritating or harmless. A computer
worm is similar in that it is self-replicating, but it is able to enter a computer program
without a user inadvertently letting it in, and it does not need to insert itself into present
programs.
Finally, a keylogger is a tool that records every keystroke on a given machine, which can
later be accessed and viewed by the hacker. This is usually to enable the hacker to access
confidential information that has been typed by the victim. In fact, there are some
legitimate uses for such a technique, for example some companies use a keylogger in
order to detect any dishonesty or fraud committed by an employee.
A large area of computer hacking involves
the use of social engineering, whereby in
order to circumvent information security a
person is manipulated in order to reveal
confidential information or to grant access
to secure networks. This technique (which
includes phishing) is usually only part of a
complex routine in a wider fraud scheme, but it is also a dangerous step because human
beings are more likely to be won over by a convincing trickster than a machine is.
Social engineering relies on the psychological act of decision-making, and can be thought
of as one of the most significant vulnerabilities in a computer security system. There are
many different ways in which social engineering can be applied in order to gain
unauthorized access to a computer system, and this includes criminals posing as IT
technicians who pretend that they are fixing the company computers whilst in fact stealing
data.
Another example would be a trickster informing a company that the number of the IT
helpdesk has changed, so that when employees phone the number they will willingly
disclose their account details thinking that they are talking to somebody who they can trust
with the information. These sorts of scenarios come under the category of ‘pretexting’
because making up a believable scenario allows the criminal to access the required
information and this leads the victim to disclose the information.
Other professionals that a hacker involved in social
engineering could pose as include the police or bank manager,
because these are individuals who we believe have the right to
be granted any information that they request. Baiting is a
subcategory of social engineering because it relies on human
psychology in order to work. Baiting is where a victim’s
computer security is compromised when an infected disk,
device or USB stick is used.
An example of baiting would be for the criminal to post a
USB stick through somebody’s door with a tempting-sounding label
and simply wait for the curious victim to plug it into their
laptop, at which point malware would automatically install and infect their computer. This
technique makes the most of the human tendency towards curiosity and greed, because if a
label promises erotic images, money or gossip then a victim may find it hard to resist
taking a look.
Kevin Mitnick, a former computer criminal who later became a security consultant, has
pointed out that it is much easier and quicker to trick a person into disclosing confidential
information than it is to crack into the system using luck, brute force or technical
knowledge. Christopher Hadnagy has written a book titled Social Engineering: The Art of
Human Hacking, which emphasizes the way in which humans are the most vulnerable part
of any computer system.