ETHICAL HACKING REVIEWER  Double Blind Testing

o Security personnel have no prior

(MIDTERM TOPICS)
knowledge of the simulated
Purpose, Methods, and Stages of attack.
 Targeted Testing
Penetration Testing
o Both the tester and security
personnel work together and
keep each other appraised of
PENETRATION TESTING their movements.
 A penetration test, also known as a pen PENETRATION TESTING STAGES
test, is a simulated cyber-attack against
your computer system to check for 1. PLANNING AND RECONNAISSANCE
exploitable vulnerabilities.  Defining the scope and goals of a test,
PURPOSE OF PENETRATION TESTING including the systems to be addressed
and the testing methods to be used.
 Understand objectives for conducting a  Gathering intelligence (e.g., network
penetration test. and domain names, mail server) to better
 Gain an overview of the key understand how a target works and its
components of an effective penetration potential vulnerabilities.
testing approach.
2. SCANNING
 Develop an appropriate penetration
testing programmed.  The next step is to understand how the
 Identify what needs to be considered target application will respond to
when planning for and managing various intrusion attempts.
penetration tests.  Static Analysis
 Learn about the penetration testing o Inspecting an application’s code
process – and associated methodologies. to estimate the way it behaves
 Determine criteria upon which to base while running.
selection of appropriate service  Dynamic Analysis
providers. o Inspecting an application’s
PENETRATION TESTING METHODS code in a running state

 External Testing 3. GAINING ACCESS

o External penetration tests target  This stage uses web application attacks,
the assets of a company that are such as cross-site scripting, SQL
visible on the internet. injection and backdoors, to uncover a
 Internal Testing target’s vulnerabilities.
o A tester with access to an
application behind its firewall 4. MAINTANING ACCESS
simulates an attack by a  The goal of this stage is to see if the
malicious insider. vulnerability can be used to achieve a
 Blind Testing persistent presence in the exploited
o A tester is only given the name system— long enough for a bad actor
of the enterprise that’s being to gain in-depth access.
targeted.
 environment before you must pay the
cost of an extremely damaging data
5. ANALYSIS
breach.
 The results of the penetration test are 7 BENEFITS OF PEN TESTS
then compiled into a report detailing:
o Specific vulnerabilities that 1. REVEAL VULNERABILITIES
were exploited
 Penetration testing explores existing
o Sensitive data that was accessed
weaknesses in your system or
o The amount of time the pen
application configurations and network
tester was able to remain in the infrastructure.
system undetected
2. SHOW REAL RISKS
Penetration Testing: Approach;  Penetration testers try to exploit
Methodology, Types of Tests and identified vulnerabilities. That means
Rates you see what an attacker could do in the
‘real world’.
3. TEST YOUR CYBER-DEFENCE
PENETRATION TEST METHODOLOGY CAPABILITY
 RECON  You should be able to detect attacks and
o The recon phase consists of respond adequately and on time.
searching for open-source
information on the target of the 4. ENSURE BUSINESS CONTINUITY
security audit.
 To make sure your business operations
 MAPPING
are up-and-running all the time, you
o The mapping phase allows
need network availability, 24/7
listing all functionalities of the communications and access to
audit target. resources. Each disruption will have a
 DISCOVERY negative impact on your business.
o The discovery phase is an attack
phase: pen testers look for 5. HAVE A THIRD-PARTY EXPERT
vulnerabilities through manual OPINION
searches complemented by
 When an issue is identified by someone
automated tools.
within your organization, your
 EXPLOITATION
management may not be inclined to
o The exploitation phase consists
react or act.
in testing possible exploitations
of the flaws identified in the 6. FOLLOW REGULATIONS AND
previous phase. CERTIFICATIONS

 Your industry and legal compliance

WHY SHOULD I PERFORM A requirements may dictate a certain level
PENETRATION TES? of penetration testing.

 A pen test can measure your system’s 7. MAINTAIN TRUST

strengths and weaknesses in a controlled
  A cyber assault or data breach  Security Measures and Best Practices
negatively affects the confidence and to Implement
loyalty of your customers, suppliers, and  Complementary Analysis
partners.  Frequency of Penetration Testing
COST OF PENETRATION TESTING
TYPES OF TESTS  It cost around 3k€ and 20k€.
 Web Platform SIX MAIN TYPES OF PENETRATION
o Tests conducted on Web TESTING
platforms enable to search for
vulnerabilities related to Web  External Network Penetration Testing
server configuration and to the  Internal Network Penetration Testing
application layer.  Social Engineering Testing
 Mobile Applications  Physical Penetration Testing
o Tests performed on mobile  Wireless Penetration Testing
applications (excluding mobile  Application Penetration Testing
APIs and servers) include static
ADVANTAGES OF PEN TESTING
and dynamic analysis of the
applications.
 Connected Devices – IoT
o Tests on connected devices
search for security flaws in the
object’s entire ecosystem:
hardware, embedded software,
communication protocols,
servers, Web and mobile
applications.
 Infrastructure and Network
o Tests performed on an external
infrastructure consist in DISADVANTAGES OF PEN TESTING
scanning the company’s public
IPs as well as the services
exposed online, to identify flaws
related to service configuration
and operating system
architecture.
 Social Engineering
o Testing the “human factor” of
the company enables us to
assess the reflexes of a
company’s staff when facing
phishing attempts, telephone
attacks and physical intrusion.
WHAT’S THE RESULTS OF A Legal Framework in Relation to
PENETRATION TEST? Ethical Hacking
Legal Framework in Relation to Ethical one of the biggest challenges it faces
Hacking is subjective interpretation.
 Ethical hackers bring value to  The framework should have a
organizations by finding security balance between unfettered powers
loopholes before someone with to both hackers and organizations.
malicious intentions finds them.  Too much power can be disastrous,
 Ethical hackers bring value to as it can either wreak havoc with the
organizations by finding security systems or with the confidence or
loopholes before someone with intentions of the hackers.
malicious intentions finds them. The Cybercrime Prevention Act of 2012
 Laws governing ethical hacking are
currently inadequate and vague. The  Officially recorded as Republic Act
issue of legal protection for ethical No. 10175
hackers needs serious focus. The  A law in the Philippines that was
scope of work and other legal approved on September 12, 2012.
provisions needs to be determined.  To penalize acts like cybersquatting,
cybersex, child pornography, identity
Does Ethical Hacking Need Legal Protection? theft, illegal access to data and libel.
 There is no doubt that ethical  It was signed in into law by
hacking is beneficial for President Benigno Aquino
organizations. Instead of providing CYBERCRIME
legal protection to ethical hackers,
focused laws defining the scope of  The use of a computer as an
work, roles and responsibilities of instrument to further illegal ends
both parties need to be passed. The such as:
laws should address the following o Fraud
issues: o Child Pornography
o Intellectual Property Violate
o Stealing Identities
o Privacy Violation

 Ethical hacking has huge positive

potential, if properly used. Probably
Practical Ethical Hacking Exercises of the private sector in contributing
investments and services in ICT.
OBJECTIVES
Free Resources To Legally Practice Your
Ethical Hacking Skills  This Act aims to facilitate domestic
1. Hack. Me and international dealings,
2. Hack The Box transactions, arrangements,
3. Hack This Site agreements, contracts and exchanges
4. Try2Hack and storage of information through
5. HackThis the utilization of electronic, optical
6. CTF365 and similar medium, mode,
7. OverTheWire instrumentality and technology to
8. Hacking Lab recognize the authenticity and
9. Pwnable.Kr reliability of electronic data
10. SmashTheStack
messages or electronic documents
11. IO
related to such activities and to
12. Microcorruption
13. W3Challs promote the universal use of
14. PWN0 electronic transactions in the
15. Hellbound Hackers government and by the general
16. Damn Vulnerable iOS App (DVIA) public.
17. RootMe
18. CTFtime DEFINITION
19. WebGoat  Electronic commerce (e-commerce)
20. Juice Shop
refers to companies and individuals
21. Hackademic
that buy and sell goods and services
22. Hackxor
23. Bodgelt Store over the internet.
24. EnigmaGroup ADVANTAGES
25. Google Gruyere
 Convenience
o E-commerce can occur 24
E COMMERCE LAW hours a day, seven days a
week.
 Electronic Commerce Act
 Increased Selection
DECLARATION POLICY o Many stores offer a wider
array of products online than
 The State recognizes the vital role of
they carry in their brick-and-
information and communications
mortar counterparts.
technology (ICT) in nation-building;
 Potentially Lower Start-up Cost
the need to create an information-
o E-commerce companies may
friendly environment which supports
require a warehouse or
and ensures the availability, diversity
manufacturing site, but they
and affordability of ICT products and
services; the primary responsibility
 usually don't need a physical amount of traffic, or must be
storefront. temporarily taken down for
 International Sales any reason, your business is
o As long as an e-commerce effectively closed until the e-
store can ship to the commerce storefront is back.
customer, an e-commerce  Higher Competition
company can sell to anyone o Although the low barrier to
in the world and isn't limited entry regarding low cost is an
by physical geography. advantage, this means other
competitors can easily enter
the market.

 Easier to Retarget Customers

o As customers browse a
digital storefront, it is easier DATA PRIVACY ACT LAW
to entice their attention
 Data Privacy Act of 2012
towards placed
advertisements, directed DECLARATION POLICY
marketing campaigns, or pop-
ups specifically aimed at a  It is the policy of the State to protect
purpose. the fundamental human right of
privacy, of communication while
ensuring free flow of information to
DISADVANTAGES promote innovation and growth. The
State recognizes the vital role of
 Lack of Instant Gratification
information and communications
o When you buy an item
technology in nation-building and its
online, you must wait for it to inherent obligation to ensure that
be shipped to your home or personal information in information
office. and communications systems in the
 Limited Customer Service government and in the private sector
o If you shop online for a are secured and protected.
computer, you cannot simply
ask an employee to DEFINITION
demonstrate a particular  Data privacy generally means the
model's features in person. ability of a person to determine for
 Inability to Touch Products themselves when, how, and to what
o Online images do not extent personal information about
necessarily convey the whole them is shared with or
story about an item, communicated to others.
 Reliance on Technology
o If your website crashes, CYBERCRIME LAWS
garners an overwhelming
  Cybercrime Prevention Act of These laws prohibit various forms of
2012 fraudulent activities conducted online, such
as phishing, online scams, credit card fraud,
DECLARATION POLICY and electronic funds transfer fraud.
 The State recognizes the vital role of Child Exploitation:
information and communications
industries such as content Legislation aims to combat the
production, telecommunications, online sexual exploitation of children,
broadcasting electronic commerce, including child pornography, online
and data processing, in the nation’s grooming, and the dissemination of harmful
overall social and economic material to minors.
development.
Cyberstalking and Harassment:
DEFINITION
Laws address harassment,
 Cybercrime laws are legislation and cyberbullying, and stalking conducted
regulations that govern offenses through electronic means, including social
committed using computers, media platforms, emails, or instant
networks, and the internet. These messaging.
laws are designed to address various
forms of criminal activities, such as
hacking, identity theft, online fraud, Intellectual Property Infringement:
distribution of malware,
Legislation covers copyright
cyberstalking, and online
violations, piracy, trademark infringement,
harassment.
and the unauthorized distribution or
reproduction of copyrighted material.
COMMON TYPE OF CYBERCRIMES

Denial-of-Service Attacks:
Unauthorized Access and Hacking:
Laws criminalize the intentional
Laws criminalize unauthorized disruption or impairment of computer
access to computer systems, networks, or systems or networks through denial-of-
data. Hacking, cracking, and the use of service (DoS) attacks or distributed denial-
malware fall under this category. of-service (DDoS) attacks.

Data Breach and Identity Theft:

Laws address the theft, unauthorized Cyberterrorism:
acquisition, or misuse of personal or
These laws focus on acts of terrorism
sensitive data, including financial
committed through cyberspace, such as
information, social security numbers, and
hacking into critical infrastructure,
passwords.
disrupting government services, or
Online Fraud:
launching cyberattacks against a nation or
organization.

Online Privacy and Data Protection:

Laws safeguard individuals' privacy
and govern the collection, use, and storage
of personal information by organizations
and service providers.