Ethical Hacking

William Bailey

Ethical Hacking

MIS 5211.701 ■ Fall 2020 ■ William Bailey

Week 01: Overview

Week 1 Presentation Handout

A Pen Tester’s Nightmare

by Leave a Comment

https://krebsonsecurity.com/2020/01/iowa-prosecutors-drop-charges-against-men-hired-to-test-their-security/

I recall following this story about two Pen tester’s who were arrested during an authorized penetration testing engagement in Dallas County Iowa. The engagement took place at a county courthouse and the scope of the engagement tasked the two pen testers to physically gain access to the courthouses facilities. After tripping an alarm during the assessment the two pen testers found themselves under arrest even after providing proof of contract as well as contact information of individuals who authorized the assessment.

As part of our discussion this week we spoke about what are the attributes of a “good” pen tester. One of those attributes was that a qualified pen tester must be methodical in developing a game plan in order to execute a successful pen test. This is where the breakdown was in my opinion as it turns out that the courthouse was actually owned by Dallas county and not the state of Iowa (who actually requested the assessment). While I think the authorities handling of the situation was a bit extreme, it doesn’t appear that a quality or methodical game plan was deployed during the assessment – hence, the two pen testers found themselves in trouble. What do you think?

Week 1: In the News

by 19 Comments

During the week, research an article that describes a recent breach (hack) of an organization.  Of special interest this week, does the article discuss whether the organization had conducted some sort of vulnerability scans, penetration tests, and/or red or blue team exercises?

When citing the article, include the URL, so that others can read the rest of the article.

Hackers for Hire

by Leave a Comment

In our first lecture, we discussed insider threats and the value of business information and the subsequent damage it causes organizations if stolen. Capitalizing on the market of cyber espionage, a cybercriminal group, known as DeathStalker, is targeting smaller financial organizations. Security researchers report that DeathStalker is “offering hacker-for-hire services,” and are acting as “information brokers” by stealing and selling business secrets. The group attacks victims using phishing emails and a malicious PowerShell executable.

https://www.darkreading.com/attacks-breaches/deathstalker-apt-targets-smbs-with-cyber-espionage-/d/d-id/1338737

Welcome to MIS5211 Fall 2020 – Ethical Hacking

by 7 Comments

Welcome to the online section of MIS5211!  Although this class is online, over the next semester we will be interacting with each other and working on group projects.

As we prepare for the first Webex on Thursday, I’ve set this post for each of us to introduce ourselves:

  1. What is your preferred name?  Are you a Robert that wants to be called Bob, or vice-versa?  Let us know!
  2. Where are you based?  Tell us about your City or Town.
  3. What is your current experience in ethical hacking?
  4. What do you hope to leave this class with?
  5. Are you currently employed in IT or IT Security?  You don’t have to divulge your employer, and may be restricted from telling outsiders, but what industry segment do you work in?
  6. What “fun fact” do people not know about you?

Please join in, and post a reply with a bit about yourself.

Canadian University Scammer

by 6 Comments

Just to kick things off.  Here’s an article describing scammers using phishing techniques netted 11 million Canadian (9 Million US).

https://motherboard.vice.com/en_us/article/yww4xy/a-canadian-university-gave-dollar11-million-to-a-scammer

The article says this is not technically hacking.  I don’t agree, but what do you think?

For those with an audit background, it also points out that anti-fraud controls were either not in place, or not effective.