
Ethical Hacking

A high-level information security study on
protecting a company’s information system
infrastructure in the 21st century

Aaron Varrone
December
2011
Quinnipiac University- MS IT
CIS 652- Advanced Topics in Information Security- Independent Study
Contents
ABSTRACT..................................................................................................................2
INTRODUCTION TO ETHICAL HACKING....................................................................3
What do Hackers do?.............................................................................................4
FOOTPRINTING AND RECONNAISSANCE.................................................................5
SYSTEM HACKING.....................................................................................................6
Types of Attacks.....................................................................................................6
Why Cover Tracks?.................................................................................................8
PENETRATION TESTING............................................................................................8
Why Penetration Testing?.....................................................................................8
COUNTERMEASURES................................................................................................9
How to defend against Footprinting? .................................................................10
How to defend against Password Cracking? .......................................................10
How to defend against Privilege Escalation? ......................................................10
How to defend against Malware? .......................................................................11
How to defend against Steganography? .............................................................11
REAL-WORLD EXAMPLES .......................................................................................12
Hacker Boot Camp Helps Good Guys Outsmart Intruders .................................12
Government Agencies Seeking Code Breakers ...................................................12
Ethical Hacking Proves to be an Excellent Test for Companies ..........................13
Ethical Hacking Demand Helping Firm Achieve Record Profits ..........................13
College Universities Teaching Students How to Hack ........................................13
CONCLUSION ..........................................................................................................14
REFERENCES ...........................................................................................................16

Varrone 1 | P a g e
Ethical Hacking- A high-level information security study on protecting a company’s
information system infrastructure in the 21st century
ABSTRACT

As organizations in recent years continue to increase their investment in technology to boost productivity and efficiency, more and more companies are realizing that protecting that technology (Information Security) is just as significant, if not more important, in order to protect their reputation and integrity as a company.

This paper provides a comprehensive high-level view of ethical hacking: what it is, what it entails, and why companies hack into their own technology. Additionally, countermeasures, penetration testing, and real-world examples will be examined to give the reader a better understanding of ethical hacking and why it is such an essential element of Information Security in the Information Systems/Technology field.

INTRODUCTION TO ETHICAL HACKING

In simple terms, Ethical Hacking can be described as a process in which working professionals in the technology field are hired by an organization to perform a variety of attacks against its own network, systems, and technology. The goal is simple: to ‘break into’, or ‘hack’, the organization’s information system so that vulnerabilities are discovered and eventually ‘patched’, and a real attack would then have no harmful consequences for the company, such as data leakage, compromised systems, or stolen proprietary information. This is where the word ‘ethical’ comes into play, as these hackers are hired solely for this purpose. Professionals in this field include outside security consultants hired by the company, or even staff in a direct role within the company, who possess expert computer skills across a wide variety of areas and systems (networks, operating systems, application programming). Ethical hackers try to answer three basic questions: what can the intruder see on the target system, what can an intruder do with the information compromised, and will anyone notice that the attack occurred?

Before proceeding further, a basic understanding of the umbrella field, Information Security, must be conveyed. There are three elements of Information Security: Confidentiality, the assurance that information is accessible only to those authorized to have access; Integrity, the reliability of data or resources in terms of preventing improper and unauthorized changes; and Availability, the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by an authorized user. (EC-Council, 2011)

With this said, all three elements have a direct impact on the way network and system security is approached, which leads us to our discussion of Ethical Hacking. If all three elements are properly addressed and implemented when the interaction between an organization’s systems is architected, then the organization would not have to be so concerned about its technology and the securing of that technology. As companies continue to grow and expand their need for information systems, increasing their investment on a year-to-year basis, so does the need to protect and defend their infrastructure against malicious activities, attacks, and destructive encounters.

The risk of not protecting one’s information system is too great, as the effects of a successful hacking attempt include damage to and theft of proprietary information, client/customer data, and personal information, and the impeding of business operations and activities, all of which can lead to a company’s downfall. As great as the technology is that many of these companies have adopted to create an efficient operation, their lack of focus on security can contradict that goal and instead create an inefficient and ineffective use of the technology.

Who is a Hacker?

A hacker can be defined as an individual with superb computer skills who has the ability to create and to explore other systems, whether software programs or hardware-based devices. One motive behind a hacker’s mindset is to gain knowledge; another is to poke around in order to carry out illegal and disruptive activities that could result in monetary benefits. For some, it is a hobby to see how many systems and networks they can control. There are four distinct hacker classes:

Black Hats- individuals who resort to malicious or destructive activity with malicious intent.

White Hats- individuals who use their hacking skills for defensive purposes, also known as security analysts.

Suicide Hackers- individuals who aim to bring down critical infrastructure for a “cause” and would rather be known for the destruction they commit. These individuals are not worried about facing any type of severe penalty, whether fines or jail sentences.

Gray Hats- individuals who work both offensively and defensively at various times and whose intent is mostly benign, however this is not always the case.
(EC-Council, 2011)

What do Hackers do?

A hacker’s mindset moves through five phases:

Phase 1 Reconnaissance- refers to the preparatory phase in which an attacker looks to gather as much information about a target as possible prior to launching an attack. Examples include employees’ names, phone numbers, and email addresses, system names, and the software installed on those systems. There are two types of reconnaissance: Passive, which involves acquiring information without directly interacting with the target or anyone affiliated with the target, such as searching press releases or public records; and Active, which involves interacting with the target directly by any means, for instance phoning the help desk or technical support center while pretending to be an employee of the company.
Phase 2 Scanning- refers to the “pre-attack phase” in which an attacker scans the network for specific information on the basis of what was gathered during reconnaissance. Examples include port scanners, vulnerability scanners, and dialers.

Phase 3 Gaining Access- once access is achieved to the desired operating system, application, or network, the attacker can escalate privileges to obtain complete control of the system. Examples include password cracking, buffer overflows, denial of service, and session hijacking.

Phase 4 Maintaining Access- after access has been attained, most hackers look for ways to retain their ownership of the system, application, or device. Attackers may prevent the system from being owned by other hackers by securing their access exclusively with backdoors, trojans, or rootkits. Attackers then use the compromised system to launch further attacks, which allows them to upload, download, or manipulate data, configuration, and applications at any time.

Phase 5 Covering Tracks- after a hacker’s activities have been carried out, smarter attackers usually look for ways to hide their malicious acts by covering their tracks and hiding their identity. This can be achieved by overwriting system, application, audit, and event logs or deleting any evidence that may lead to prosecution.
(EC-Council, 2011)

FOOTPRINTING AND RECONNAISSANCE

Footprinting and reconnaissance are hacking methodologies used to uncover and collect as much information as possible about an organization’s information system. These two methods are carefully planned well ahead of the time an attack is carried out. Basic information such as a company’s DNS records, IP addresses, system and network architectures, platforms, and the applications in use is all information that can be gathered and collected by a hacker to help carry out the attack. While this information is collected, the hacker cautiously examines and identifies vulnerabilities that can be exploited. An ethical hacker looks to examine what information is publicly available by collecting information from the internet or internally, and then documents the effects this may have on the organization, such as privacy loss, corporate espionage, competitive intelligence, and information leakage.

There are four types of Footprinting:

Anonymous Footprinting- Gathering information from sources where the author of the information cannot be traced or identified.

Internet Footprinting- Collecting information about a target from the Internet.

Organizational/Private Footprinting- Collecting information internally within the organization.

Pseudonymous Footprinting- Collecting information that may be published under a different name in an attempt to preserve privacy and confidentiality.
(EC-Council, 2011)

SYSTEM HACKING

There are several ways an attacker can gain access to a particular system; however, each requires the attacker to exploit a weakness, a vulnerability, or even human error.

Types of Attacks

Operating System Attacks- Attackers search for platform (operating system) vulnerabilities and then exploit them. Examples include buffer overflows, bugs and glitches, and unpatched operating systems.

Application-Level/Shrink Wrap Code Attacks- Programming is complex, and there are times when insecure code is reused over and over again to reduce this complexity, such as by utilizing existing code libraries. If it’s there, why reinvent the wheel? This leads to poor or nonexistent error checking in these applications, which can open the door to buffer overflow attacks, cross-site scripting, denial of service, SQL injection attacks, session hijacking, man-in-the-middle attacks, and so on.

Misconfiguration Attacks- Misconfigured systems arise when a change is made to a file’s permissions. If that is the case, the file or application can no longer be considered secure. Administrators are expected to change the configuration and limit the authority of devices before they are deployed to the network. Failure to do this allows the default settings to be used to attack the system.

Password Cracking- Various techniques and tools are used to recover passwords from computer systems. Hackers can use these tools to gain unauthorized access to a vulnerable system. Most of these techniques succeed because of weak or easily guessable passwords, such as dictionary words or default passwords. Password cracking techniques include dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, and rule-based attacks. Surprisingly, an increasing number of non-technical password stealing techniques have been reported in recent years, such as shoulder surfing, social engineering, and dumpster diving.

Spyware/Keyloggers- Refers to a program or device (software or hardware) specifically hidden to record the user’s interaction with the system without the user’s knowledge. The various types of spyware include: screen capturing spyware, USB spyware, child monitoring spyware, video spyware (secretly monitors and records webcams and video IM conversations, which the attacker can then view remotely via the web or a mobile phone), audio/cellphone spyware, GPS spyware (uses the global positioning system to determine the location of a vehicle, person, or asset to which it is attached or installed), and even print spyware.

Viruses/Trojans/Worms- Are all examples of malware: unsolicited code or software on a system that in most cases enables data breaches, provides backdoor access for a hacker, or executes damage that can harm the system. This type of malware is commonly created with malicious code or with tools and utilities that have the ability to attack vulnerable systems (as long as the hacker knows where the vulnerability exists).

Rootkits- Refers to code hidden within the kernel of the operating system that has the ability to hide itself and cover up traces of the malicious intent. More specifically, it replaces certain operating system calls and utilities with its own modified versions. From there, the attacker acquires root access (a level above administrator) to the system by installing a virus, trojan, worm, or other malware in order to exploit it. This allows the attacker to maintain undetected access to the system. Types of rootkits include: hypervisor level, kernel level, application level, hardware/firmware, and boot loader.

Steganography- Is a technique consisting of hiding a secret message within an ordinary message or file and extracting it at the destination so that its presence remains hidden. The most popular use of this technique is when hackers take a graphic image and embed code within that image file to perform a malicious activity. This conceals the data within the file. Techniques include: substitution, transform domain, cover generation, distortion, statistical, and spread spectrum. The various forms of steganography besides images include document, video, and audio steganography.
(EC-Council, 2011)

Why Cover Tracks?

Most hackers, with the exception of suicide hackers, will cover their traces to avoid detection and a possible jail sentence. However, this is not the only reason. Covering their tracks allows the attacker to install backdoors to gain access in the future. When this is executed, a clever hacker will usually escalate the compromised account’s privileges without the system change being documented. As previously mentioned, they can do this by manipulating the log files of an operating system or altering the event logs. Once intruders have successfully gained administrator-type access on a system, they will attempt to cover their tracks in every possible way they can, including deleting recently modified files and disabling audit logs. Disabling these logs is usually performed immediately after obtaining administrator privileges.

PENETRATION TESTING

Penetration testing is a method of actively evaluating the security of an information system or network by simulating an attack from a malicious source. Various security measures are analyzed for weaknesses in design, technical flaws, and vulnerabilities that can be exploited. There are two types of testing that are performed: black box testing, which simulates an attack from someone who is unfamiliar with the system; and white box testing, which simulates an attacker who has knowledge of the system, such as an employee. The results are recorded and delivered to senior-level management and technical audiences.

Why Penetration Testing?

Penetration testing allows the company to identify threats to its information system or network that are discovered during the testing stage. Companies that hire such testers have found that overall IT security costs are reduced and that the return on security investment (ROSI) improves, because vulnerabilities, weaknesses, and possible exploits are identified and resolved before they can be taken advantage of in the absence of proper security measures. Additionally, companies are also seeing what type of IT security investments they really need to focus on, as opposed to investing in a large enterprise-wide security solution that covers everything, which may not always be necessary for every organization.

Additionally, these professionals provide an organization with assurance of a thorough and comprehensive assessment of its security policies, procedures, and controls, and of how they may be implemented. Many industry-wide regulations may apply, such as HIPAA (Health Insurance Portability and Accountability Act), FDA (Food Drug Administration), and PCI (Personal Confidential Information), requiring specific certification and best-practice security standards in order to continue doing business. For instance, PCI regulation requires all hard drives within the organization to be encrypted.

A Penetration Tester’s Best Friend

Vulnerability libraries are a penetration tester’s best friend, as they document all of the discovered vulnerabilities that have been reported by testers, users, ethical hackers, and even the programmers themselves. The majority of these vulnerabilities are design flaws that leave an operating system and its applications susceptible to attack. These vulnerabilities are classified by severity level (low, medium, or high) and exploit range (remote or local). Such professionals need access to this research in order to identify and correct exposures within their respective function. Many of these vulnerabilities are documented on websites and in databases available to the public, where even some of the more ‘proficient’ hackers seek to take those vulnerabilities further.

Vulnerability research websites include:

• The United States Computer Emergency Readiness Team (US-CERT) Vulnerability Database (kb.cert.org)
• National Vulnerability Database, sponsored by the DHS National Cyber Security Division (National Institute of Standards and Technology) (nvd.nist.gov)
• Secunia (secunia.com)
• SecuriTeam (securiteam.com)
• SecurityTracker (securitytracker.com)

COUNTERMEASURES

In conjunction with penetration testing, countermeasures are examined closely, documented, and then reviewed by the ethical hacker to improve the security posture of the company. Several countermeasures are scrutinized more closely than others, including but not limited to: defending against footprinting, defending against password cracking, defending against privilege escalation, defending against malware (including session hijacking, network sniffing, man-in-the-middle, and denial of service), and defending against steganography attacks.

How to defend against Footprinting?

Defending against footprinting includes: configuring routers and access control lists (ACLs) to restrict responses to footprinting requests, implementing and configuring an IDS (Intrusion Detection System) to refuse suspicious traffic detected in patterns, locking down ports with a suitable firewall configuration, configuring web servers to avoid information leakage, and lastly disabling unwanted protocols. Ethical hackers will additionally document and evaluate the content of publicly available information and work to remove any sensitive information discovered, such as network architecture, applications, employees, and/or email addresses.
(EC-Council, 2011)

How to defend against Password Cracking?

By incorporating strict password guidelines within an organization’s security policy, hackers will have a much more difficult time successfully cracking a password. These guidelines should require users to use a combination of uppercase and lowercase letters, numbers, and symbols. Additionally, requiring users to change their password on a more frequent basis, such as every 30 days, will help prevent hackers from returning to an account or system that was compromised at one point in time. There should also be additional effort and resources available for monitoring system logs and alerting on events that indicate possible attacks.
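The guideline above, as an added example that is not part of the paper: a small policy checker that enforces the character-class mix, rejects default passwords and dictionary-based ones (including the word-plus-digits form that hybrid attacks enumerate), and flags passwords older than the 30-day rotation period. The wordlists and the 12-character minimum are constructed assumptions, since the paper names neither.

```python
import re
from datetime import date, timedelta

# Constructed sample lists for the demo; a real deployment loads a full
# wordlist plus the vendor default passwords for the devices actually in use.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}
DEFAULT_PASSWORDS = {"admin", "changeme", "password", "123456", "default"}

MIN_LENGTH = 12      # assumption: the paper sets no length; 12 is used here as a floor
MAX_AGE_DAYS = 30    # rotation period suggested in the paper

# One regular expression per character class the policy asks for.
CHARACTER_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def _core_word(candidate: str) -> str:
    """Strip leading/trailing digits and symbols and lowercase the rest, so that
    'Summer2011!' reduces to 'summer'. This is the word-plus-suffix pattern a
    hybrid attack tries first, so it must fail the dictionary check too."""
    core = re.sub(r"^[^A-Za-z]+", "", candidate)
    core = re.sub(r"[^A-Za-z]+$", "", core)
    return core.lower()


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(candidate):
            violations.append(f"missing {name}")
    if candidate.lower() in DEFAULT_PASSWORDS:
        violations.append("matches a known default password")
    if _core_word(candidate) in DICTIONARY_WORDS:
        violations.append("based on a dictionary word")
    return violations


def is_expired(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when a password set on last_changed (ISO date) is older than the
    rotation period on the given day; such accounts should be forced to rotate."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    for sample in ("Summer2011!", "admin", "Tr0ub4dor&3xplorer"):
        print(sample, "->", check_password(sample) or "ok")
    print("expired:", is_expired("2011-11-01", "2011-12-15"))
```

The dictionary check is only as good as the wordlist behind it; the point of stripping the suffix is that appending a year or a symbol to a common word does not turn it into an acceptable password.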

How to defend against Privilege Escalation?

As described above, once hackers obtain access to a system or account, they will seek ways to escalate their privileges to a level similar to an administrator’s. Therefore, countermeasures against their ability to escalate privileges are examined:

• Use encryption as much as possible and wherever it can be done. Not all systems, applications, and devices have the ability to encrypt their data, but even one level of encryption (for instance, on users’ workstations) will make it that much more difficult for an intruder to gain access.

• Systems should be patched on a continuing basis, as patching cycles never end and there will always be vulnerabilities, bugs, and other fixes to apply to an application or operating system.

• Run services within a system’s environment as an “unprivileged” account; this way, if the account does become compromised, the intruder can’t do much since access is restricted.

• Restrict interactive logon privileges and run users and applications with the least privilege possible.

• Implement multi-factor authentication and authorization, such as biometrics and token keys. If an intruder has compromised only one authentication factor in a multi-factor environment, the hacker is left with the same result as when they started, and that is clearly no system access.

(EC-Council, 2011)

How to defend against Malware?

Malware and other unsolicited software can be tricky to deal with when the malicious files are not detected by an anti-virus product, which in that case would be known as a zero-day threat. In any circumstance, to help alleviate the issue and reduce risk: install, maintain, administer, and update the anti-virus product within the environment. This includes updates to signature files, scan engine versions, program versions, patches, and hot fix releases. Additionally, installing and administering personal and enterprise firewalls with application and device control policies, and restricting and limiting web access, can all diminish the company’s risk of exposure.

How to defend against Steganography?

Steganography is one of the more difficult types of attack to defend against, as the code is hidden and embedded within an existing application or file. Since these types of attacks are performed in the background, an ordinary user or even a computer expert may have trouble ‘noticing’ that anything has been altered compared with the file or application before it was changed. The best way to defend against these types of attacks is to use steganography detection tools that specifically look for these changes from file to file and application to application. These tools are also known as file integrity verification checks. One of the more common steganography detection tools is a product called Stego Watch.
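The file integrity verification idea above, as an added example that is neither the paper’s code nor Stego Watch: a baseline of SHA-256 hashes is taken while the files are known-good and compared later to report altered, added, and removed files. The directory layout, file names, and the appended bytes that stand in for an embedded payload are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256 hash."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Classify paths as modified, added, or missing relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then change the tree the way a
    tampered file set would look (extra bytes hidden inside an image, a new
    file dropped in, an original removed) and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        (root / "readme.txt").write_text("constructed sample file\n")
        (root / "app.cfg").write_text("debug=false\n")
        baseline = snapshot(tmp)

        # Same visible file name and header, but extra bytes appended at the end.
        with (root / "img" / "logo.png").open("ab") as fh:
            fh.write(b"constructed placeholder for hidden data")
        (root / "img" / "extra.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (root / "app.cfg").unlink()

        return compare_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A hash baseline only tells you that a file is no longer the one you approved, not what was hidden in it; it must be stored somewhere the monitored host cannot rewrite, or an intruder covering tracks simply refreshes it.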

REAL-WORLD EXAMPLES

The number of information security professionals in the workforce continues to rise, as companies have realized that as their usage of technology grows, so does the risk associated with using it. Technology is becoming much more complex with each advancement, which further complicates how attacks are performed and ultimately carried out by an intruder.

With this said, below are some real-life examples of how organizations (including government agencies and not-for-profits such as universities) have used ethical hacking tactics to protect their technology from being hacked into, breached, and ultimately compromised.

Hacker Boot Camp Helps Good Guys Outsmart Intruders

Rudy Chavez, a former Unix system administrator employed by the IT services firm Booz Allen Hamilton, became a certified ethical hacker one month later. The company he worked for decided it would benefit from having a ‘hacker of their own’ to help outsmart cybercriminals at their own game, and sent Chavez off to an ethical hacking boot camp. During the boot camp, which consisted of a combination of classroom instruction and computer-lab time, Chavez learned how legitimate tools, technologies, and techniques are being used for illegal activities and hostile purposes. Chavez claims that the sophistication and pervasiveness of the tools out there allows for great havoc and that, although the IT security field generally takes a defensive approach, the training has led him to take an offensive posture and helped him understand how these attacks happen.
(Information Week, 2005)
Government Agencies Seeking Code Breakers

Even government agencies are searching for hacking talent. The Toronto Star, a widely recognized newspaper in Canada, reports that a British spy agency is using an anonymous code-breaking web page to recruit self-taught hackers that it might not have found otherwise. The page was launched in November of 2011. A spokesman for the U.K.’s Government Communications Headquarters even admitted that recruiting Oxford and Cambridge graduates is not always in the best interest of the agency. They also claim that most cyber-specialists enter the organization as graduates; however, with the quickly evolving world of cybercrime, they feel it is essential to look for candidates who may be self-taught but have a keen interest in code-breaking and ethical hacking.
(Taylor, 2011)

Ethical Hacking Proves to be an Excellent Test for Companies

As extortion attempts by hackers against firms continue to rise at an alarming rate, Mark Hanvey, Chief Security Officer of Cable & Wireless, the U.K.’s second largest fixed-line telecommunications operator, states that he is encouraged to see companies investing in ethical hacking to protect their commercial assets. He states that ethical hacking is an excellent test for systems and is helping companies; however, he stresses that risk can never be eliminated, only minimized, which is done by putting effective monitoring and countermeasure tactics in place, such as around-the-clock monitoring. As long as companies continue to invest in effective information security systems, and this starts with hacking your own, organizations can avoid being in the news the next day about a possible data breach.
(Hanvey, 2005)

Ethical Hacking Demand Helping Firm Achieve Record Profits

NCC, a computer services company hired by large corporations for its expertise in security consulting, has achieved record profits thanks to the increased demand for its ethical hacking services. These companies hire the firm to hack into their own systems so that vulnerabilities can be found. Rob Cotton, chief executive of the firm, has stated that because of the nature of the economy, many companies are seeing an alarming increase in threats. The Financial Times reports that revenue has risen to 31 percent because of this service, which very few companies offer.
(Stafford, 2006)

College Universities Teaching Students How to Hack

A study conducted in 2007 revealed that the average computer is attacked by hackers more than 2,200 times a day, which comes out to about once every 40 seconds, and that hackers stole an estimated $49 billion in the United States alone in 2006. Geoffrey Lund, leader of the software-applications program at the University of Abertay Dundee in Scotland, has stated that he helped design a new course to teach students how to hack and defend network systems. Although classes that teach hacking techniques are rare and controversial, and administrators at the school were nervous about teaching such potentially destructive techniques, he says that ethics are also covered in the classroom and that background checks on students are conducted beforehand as a prerequisite. Lund states that the course prepares students for a rapidly growing job market by teaching that the best defense is a good offense. The class is set up with a network of approximately 20 computers isolated from the rest of the university system, where the students then practice hacking into or even bringing down the network. By hacking into these systems and this network, students are able to learn about the weaknesses of an institution’s systems. Alexander Graham, an experienced information technology professional who enrolled in the course, stated that he was shocked by how much damage a malicious hacker can do. He says the course is extremely helpful and believes in the philosophy of “Know thy enemy, then you can defeat them” at their own game.
(Vance, 2007)

CONCLUSION

Ethical hacking is a growing trend that appears to be on the radar of all types of organizations. As this study shows, organizations are investing large sums of money to ensure that they are protected against the risks associated with hacking attacks. The alarming and increasing number of attacks against these organizations is well known, and the losses can be easily quantified.

Because hacking involves creative thinking, vulnerability testing and security audits cannot guarantee that an information system is secure. To address this, organizations must supplement a defense-in-depth strategy by penetrating their own systems and networks. Ethical hacking becomes necessary because it allows an organization to anticipate the methods malicious attackers use to break into a system and to counter them. An ethical hacker can only help the organization better understand its systems from a security perspective; it is still up to the organization to put the right safeguards around the technology.

Securing these information systems comes with its own challenges. For instance, government laws and regulations must be complied with, and that compliance must be maintained. Companies (depending on the industry) must be willing to spend vast amounts of money on education, training, and awareness in order to stay in compliance. Some industries, for example, have strict laws that prevent data from being sent outside the country (or, if it is outsourced, require that it be encrypted), as is the case for sensitive personal information. Other industries may require certain security measures to be in place in order to continue business operations. These regulations add another challenge to security: ensuring that the proper measures are actually being enforced. Additionally, it is difficult to centralize security in a distributed computing environment; as technology evolves, so does the complexity of administering, managing, and monitoring against sophisticated and complex attacks. As we move everything we do into the palm of our hands, mobile security, adaptive authentication, and social media strategies, from both an offensive and a defensive perspective, are only the stepping stones to what comes next in the digital age we live in today.

“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”
–Stephen Hawking, Theoretical Physicist and Cosmologist

REFERENCES
EC-Council. (2011). Ethical Hacking and Countermeasures v7.1 Course.

Hanvey, M. (2005, June 22). Ethical Hacking An Excellent Test of Mettle for
Security Systems. The Financial Times, p. 16.

Information Week. (2005, June 23). Hacker Boot Camp Helps Good Guys Outsmart
Internet Troublemakers; The number of IT security professionals is
expected to grow to nearly 800,000 by 2008, and more of them need to
think like hackers to be effective. Information Week.

Stafford, P. (2006, July 19). NCC Ethically Hacks its Way to Record. The Financial
Times, p. 24.

Taylor, L. C. (2011, December 2). British spies recruit 'ethical hackers'. Toronto Star.

Vance, E. (2007, April 13). Students at the University of Abertay Dundee Learn
Computer Hacking to Defend Networks. The Chronicle of Higher Education.
