
This chapter is from the book

Understanding Security Terminology

When studying the field of computer security, you must be cognizant of the fact that this discipline is an overlap of security professionals and amateur hackers. As such, the field combines terminology from both domains. This book’s Glossary will be a useful reference tool throughout this course.

Hacking Terminology

Let’s begin by examining hacker terminology. Note that this terminology is not precise, and that many definitions can be debated. No “official” hacker vocabulary exists. The terms evolve through their use by the hacker community. Clearly, beginning this examination by defining hacker, a term used in movies and news broadcasts, would be prudent. Most people use it to describe any person who breaks into a computer system. However, security professionals and hackers themselves use this term differently. In the hacking community a hacker is an expert on a particular system or systems who wants to learn more about the system. Hackers feel that looking at a system’s flaws is the best way to learn about it.

For example, someone well-versed in the Linux operating system who works to understand that system by learning its weaknesses and flaws would be a hacker. However, this does often mean seeing whether a flaw can be exploited to gain access to a system. This “exploiting” part of the process is where hackers differentiate themselves into three groups:

  • White hat hackers, upon finding a vulnerability in a system, will report the vulnerability to the vendor of that system rather than exploit it for gain. For example, if they were to discover some flaw in Red Hat Linux, they would then e-mail Red Hat (sometimes anonymously) and explain what the flaw is and how it can be exploited. Today this practice is usually called coordinated (or responsible) disclosure, and many vendors publish a security contact and a disclosure policy for exactly this purpose.

  • Black hat hackers are the people normally depicted in the media (e.g., movies and news). After they gain access to a system, their goal is to cause some type of harm. They might steal data, erase files, or deface websites. Black hat hackers are sometimes referred to as crackers.

  • Gray hat hackers are typically law-abiding citizens, but in some cases will venture into illegal activities. They might do so for a wide variety of reasons. Commonly, gray hat hackers conduct illegal activities for reasons they feel are ethical, such as hacking into a system belonging to a corporation that the hacker feels is engaged in unethical activities. Note that this term is not found in many textbooks, but is a commonly used term in the hacking community itself.

Regardless of how hackers view themselves, intruding on any system without permission is illegal. This means that, technically speaking, any hacker who accesses a system without authorization, regardless of the color of the metaphorical hat he or she wears, is in violation of the law. However, many people feel that white hat hackers actually perform a service by finding flaws and informing vendors before those flaws are exploited by less ethically inclined individuals.

The various shades of hackers are only the beginning of learning hacker terminology. Recall that a hacker is an expert in a given system. If so, what is the term for someone who calls herself a hacker but lacks expertise? The most common term for an inexperienced hacker is script kiddy. The name derives from the fact that the Internet is full of utilities and scripts that one can download to perform some hacking tasks. Someone who downloads these tools without really understanding the target system would be considered a script kiddy. A significant number of the people who call themselves hackers are, in reality, merely script kiddies.

This discussion brings us to some specific types of hackers. A cracker is someone whose goal is to compromise a system’s security for purposes other than to learn about the system. No difference exists between a black hat hacker and a cracker. Both terms refer to a person who breaks through a system’s security and intrudes on that system without permission from the appropriate parties, with some malicious intent.

When and why would someone give permission to another party to hack/crack a system? The most common reason is to assess the system’s vulnerabilities. This is yet another specialized type of hacker—the ethical hacker or sneaker (an older term, not often used these days), a person who legally hacks/cracks a system in order to assess security deficiencies. In 1992, Robert Redford, Dan Aykroyd, and Sidney Poitier starred in a movie about this very subject, named Sneakers. Consultants exist who perform work of this type, and you can even find firms that specialize in this activity as more and more companies solicit these services to assess their vulnerabilities. Today, these are usually called penetration testers (or simply pen testers), and the profession has matured since the first edition of this book.

A word of caution for readers either considering becoming or hiring a pen tester: Any person hired to assess the vulnerabilities of a system must be both technically proficient and morally sound. This means that a criminal background check should be done before engaging his/her services. You certainly would not hire a convicted burglar as your night watchman. Neither should you consider hiring someone with any criminal background, especially in computer crimes, as a penetration tester/ethical hacker. Some people might argue that a convicted hacker/cracker has the best qualifications to assess your system’s vulnerabilities. This is simply not the case, for several reasons:

  • You can find legitimate security professionals who know and understand hacker skills but have never committed any crime. You can get the skills required to assess your system without using a consultant with a demonstrated lack of integrity.

  • If you take the argument that hiring convicted hackers means hiring talented people to its logical conclusion, you could surmise that the person in question is not as good a hacker as he would like to think, because he was caught.

  • Most importantly, giving a person with a criminal background access to your systems is comparable to hiring a person with multiple DWI convictions as your driver. In both cases you are inviting problems and, perhaps, assuming significant civil and criminal liabilities.

A thorough review of a penetration tester’s qualifications is also recommended. Just as some people falsely claim to be highly skilled hackers, there are those who will falsely claim to be skilled pen testers. An unqualified pen tester might pronounce your system sound when in fact it was a lack of skill that prevented him from successfully breaching your security. Chapter 12 covers the basics of assessing a target system as well as the necessary qualifications of any consultant hired for this purpose.

Another specialized branch of hacking involves breaking into telephone systems. This sub-specialty of hacking is referred to as phreaking. The New Hacker’s Dictionary actually defines phreaking as “The action of using mischievous and mostly illegal ways in order to not pay for some sort of telecommunications bill, order, transfer, or other service” (Raymond, 2003). Phreaking requires a rather significant knowledge of telecommunications, and many phreakers have some professional experience working for a phone company or other telecommunications business. This type of activity often depends on specific equipment built to compromise phone systems more than on simply knowing certain techniques. Phone systems are often dependent on frequencies. (If you have a touchtone phone, you will notice that, as you press the keys, each produces a distinct tone; each key is in fact a pair of frequencies, one from a low group and one from a high group, a scheme called DTMF.) Historically, the network also used in-band tones for its own trunk signaling, so devices that recorded or generated those tones were essential to phone phreaking; the classic example is the “blue box,” which produced the 2600 Hz trunk-control tone. Moving that signaling out of band, where customers cannot inject it, is what largely ended this kind of attack.

Security Terminology

Security professionals have specific terminology as well. Readers with any training or experience in network administration are probably already familiar with most of these terms. Although most hacking terminology describes either the activity or the person performing it (phreaking, sneaker, etc.), much of the security terminology you will learn in this book deals with devices and policies. This is quite logical because hacking is an offensive activity centered on attackers and attack methodologies, and security is a defensive activity concerned with defensive barriers and procedures.

The first and most basic security device is the firewall. A firewall is a barrier between a network and the outside world. Sometimes a firewall is a stand-alone server, sometimes a router, and sometimes software running on a machine. Whatever its physical form, the purpose is the same: to filter traffic entering and exiting a network according to a set of rules, and to apply a default policy (ideally “deny”) to anything the rules do not mention. Firewalls are related to, and often used in conjunction with, a proxy server. A proxy server sits between internal clients and external servers and makes requests on the clients’ behalf, so it presents a single IP address (its own) to the outside world and hides the internal network’s IP addresses. The same address-hiding effect at the packet level is provided by network address translation (NAT), which is usually built into the firewall itself.
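To make the filtering idea concrete, here is a minimal stateless packet filter written as an added example for this chapter; it is not code from the book or from any real firewall product. The ruleset, the internal address range 10.0.0.0/8, and the sample packets are all hypothetical. It shows the two things that matter most in practice: rules are evaluated first-match, and the default policy decides everything the rules forget to mention, which is why the weak default-allow setting lets the Internet-sourced SSH and RDP packets through while default-deny stops them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network; the default matches any source
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule that matches decides the packet's fate.
    If no rule matches, the default policy applies; "deny" is the safe default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"  # hypothetical internal address range

# Hypothetical ruleset for an edge firewall in front of a web server at 10.1.2.3.
RULES = [
    Rule("allow", proto="tcp", dport=443),               # HTTPS from anywhere
    Rule("allow", proto="tcp", dport=80),                # HTTP from anywhere
    Rule("allow", src=INTERNAL, proto="tcp", dport=22),  # SSH only from inside
    Rule("deny", proto="tcp", dport=23),                 # telnet explicitly blocked
]

# Constructed sample traffic: an Internet web client, the same client trying SSH,
# an internal admin host using SSH, an Internet host probing RDP (which no rule
# mentions at all), and an Internet host trying telnet.
SAMPLE = [
    Packet("203.0.113.7", "10.1.2.3", "tcp", 443),
    Packet("203.0.113.7", "10.1.2.3", "tcp", 22),
    Packet("10.5.5.5", "10.1.2.3", "tcp", 22),
    Packet("198.51.100.9", "10.1.2.3", "tcp", 3389),
    Packet("203.0.113.7", "10.1.2.3", "tcp", 23),
]


def decisions(rules: List[Rule], pkts: List[Packet], default: str) -> List[str]:
    """Apply the same ruleset to a batch of packets under a given default policy."""
    return [filter_packet(rules, p, default) for p in pkts]


if __name__ == "__main__":
    # Same rules, two default policies. With default-allow, the SSH attempt from
    # the Internet and the RDP probe both slip through; default-deny stops them.
    for policy in ("allow", "deny"):
        print(f"default={policy}:", decisions(RULES, SAMPLE, policy))
```

Real firewalls add state tracking (so that replies to outbound connections are admitted without a separate inbound rule), logging of denied packets, and separate rule chains per interface and direction, but the evaluation model above is the one you should keep in mind when reading any ruleset.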

Firewalls and proxy servers are added to networks to provide basic perimeter security. They filter incoming and outgoing network traffic but do not affect traffic between hosts inside the network. Sometimes these devices are augmented by an intrusion-detection system (IDS). An IDS monitors traffic looking for suspicious activity that might indicate an attempted intrusion and raises an alert; a variant that sits inline and blocks the suspicious traffic as well is called an intrusion prevention system (IPS).
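The following is an added example, not from the book, of the simplest kind of IDS logic: a detector that reads connection records and flags any source that probes many distinct ports in a short window, the classic signature of a port scan. The log format (“timestamp src -> dst:port flags”), the sample lines, and the threshold and window values are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical log format: "<ISO timestamp> <src> -> <dst>:<dport> <tcp flags>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

# Constructed sample log: 198.51.100.23 sweeps six ports in three seconds,
# 203.0.113.7 is an ordinary web client, 10.0.0.5 touches five ports but
# spread over eight minutes, and one line is malformed.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.23 -> 10.1.2.3:21 SYN
2024-05-01T10:00:00 198.51.100.23 -> 10.1.2.3:22 SYN
2024-05-01T10:00:01 198.51.100.23 -> 10.1.2.3:23 SYN
2024-05-01T10:00:01 198.51.100.23 -> 10.1.2.3:25 SYN
2024-05-01T10:00:02 198.51.100.23 -> 10.1.2.3:80 SYN
2024-05-01T10:00:03 198.51.100.23 -> 10.1.2.3:443 SYN
2024-05-01T10:00:00 203.0.113.7 -> 10.1.2.3:443 SYN
2024-05-01T10:00:05 203.0.113.7 -> 10.1.2.3:443 SYN
2024-05-01T10:00:06 203.0.113.7 -> 10.1.2.3:80 SYN
2024-05-01T10:00:00 10.0.0.5 -> 10.1.2.3:22 SYN
2024-05-01T10:02:00 10.0.0.5 -> 10.1.2.3:80 SYN
2024-05-01T10:04:00 10.0.0.5 -> 10.1.2.3:443 SYN
2024-05-01T10:06:00 10.0.0.5 -> 10.1.2.3:8080 SYN
2024-05-01T10:08:00 10.0.0.5 -> 10.1.2.3:25 SYN
this line is garbage and must be skipped
""".splitlines()


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int, str]]:
    """Parse one record; malformed input is skipped rather than trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, flags = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_port_scans(lines: Iterable[str], threshold: int = 5,
                      window_s: float = 10) -> Dict[str, datetime]:
    """Flag any source that sends SYNs to at least `threshold` distinct destination
    ports within some `window_s`-second window.
    Returns {src: start time of the first offending window}."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev[4] == "SYN":   # only connection attempts count
            ts, src, _, dport, _ = ev
            by_src[src].append((ts, dport))

    alerts: Dict[str, datetime] = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event; stop at the first one that trips.
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= threshold:
                alerts[src] = t0
                break
    return alerts


if __name__ == "__main__":
    for src, when in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALERT port scan from {src} starting {when.isoformat()}")
```

The two tuning knobs are the whole game in detection engineering: a ten-second window catches the fast scanner but misses the patient host that probes one port every two minutes, while widening the window to ten minutes catches that host too at the cost of more false positives (your own vulnerability scanner, for instance). Note also that an IDS only alerts; nothing here blocks the traffic.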

Access control is another important computer security term that will be of particular interest to you in several of the later chapters. Access control is the aggregate of all measures taken to limit access to resources. This includes logon procedures, encryption, and any method that is designed to prevent unauthorized personnel from accessing a resource. Authentication is clearly a subset of access control, perhaps the most basic security activity. Authentication is simply the process of verifying that the credentials presented by a user or another system, such as a username and password, are genuine, that is, that the party is who it claims to be. Deciding whether that authenticated identity is permitted to use the resource in question is a separate step called authorization. When a user logs in with a username and password, the system first attempts to authenticate that username and password. If they are authenticated, the user is granted whatever access he or she has been authorized for, and no more.

Non-repudiation is another term you encounter frequently in computer security. It is any technique that is used to ensure that someone performing an action on a computer cannot falsely deny that they performed that action. Non-repudiation provides reliable records of which user took a particular action at a specific time. In short, it is a set of methods for tracking what actions are taken by which user. Various system logs provide one method for non-repudiation, with an important caveat: a plain log can be edited by whoever controls the system that holds it, so strong non-repudiation relies on records that cannot be altered or forged after the fact, such as tamper-evident logs and digital signatures, where only the holder of a private key could have produced the signature. One of the most important security activities is auditing. Auditing is the process of reviewing logs, records, and procedures to determine whether they meet standards. This activity is discussed throughout this book and is the focus of Chapter 12. Auditing is essential because checking that systems actually have the appropriate security in place is the only way to know that they are secure.
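As an added example (not from the book), here is an audit log in which each record’s SHA-256 hash covers both its own fields and the hash of the record before it, so that editing or deleting an earlier entry breaks every link after it. The events, usernames, and paths are constructed. This demonstrates the tamper-evident half of the story, which is an integrity mechanism; binding each entry to the actor with a digital signature, which is what makes it true non-repudiation, is left out because the standard library has no signature primitive.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # chain anchor used as the "previous hash" of the first record
FIELDS = ("ts", "user", "action", "target")


def _record_hash(prev_hash: str, entry: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so that formatting differences
    # can never change the digest.
    payload = json.dumps({"prev": prev_hash, **entry}, sort_keys=True,
                         separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: List[Dict[str, Any]], ts: str, user: str,
                 action: str, target: str) -> Dict[str, Any]:
    """Append a record whose hash covers its fields plus the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"ts": ts, "user": user, "action": action, "target": target}
    record = {**entry, "prev": prev, "hash": _record_hash(prev, entry)}
    log.append(record)
    return record


def verify_log(log: List[Dict[str, Any]]) -> Optional[int]:
    """Return the index of the first record that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        entry = {k: rec[k] for k in FIELDS}
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, entry):
            return i
        prev = rec["hash"]
    return None


def build_sample_log() -> List[Dict[str, Any]]:
    """Constructed events, not taken from any real system."""
    log: List[Dict[str, Any]] = []
    append_entry(log, "2024-05-01T09:00:00Z", "alice", "login", "vpn")
    append_entry(log, "2024-05-01T09:05:12Z", "alice", "read", "/finance/q1.xlsx")
    append_entry(log, "2024-05-01T09:07:40Z", "bob", "delete", "/finance/q1.xlsx")
    append_entry(log, "2024-05-01T09:08:01Z", "bob", "logout", "vpn")
    return log


def modified_copy(log: List[Dict[str, Any]], index: int,
                  field: str, value: Any) -> List[Dict[str, Any]]:
    """Copy of the log with one field rewritten, as an insider covering tracks would."""
    altered = copy.deepcopy(log)
    altered[index][field] = value
    return altered


def dropped_copy(log: List[Dict[str, Any]], index: int) -> List[Dict[str, Any]]:
    """Copy of the log with one record removed."""
    altered = copy.deepcopy(log)
    del altered[index]
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_log(log))
    print("bob's delete rewritten to alice:", verify_log(modified_copy(log, 2, "user", "alice")))
    print("bob's delete removed:", verify_log(dropped_copy(log, 2)))
    print("last record removed:", verify_log(dropped_copy(log, 3)))
```

Two limits are worth noticing. Removing the final record leaves a perfectly valid shorter chain, and an attacker who controls the whole file can simply recompute every hash; both are defeated only by anchoring the latest hash somewhere the attacker cannot reach (a separate log host, a periodically published digest, or a signature). That is the difference between “the log is consistent” and “this user cannot deny the action.”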

Least privilege is a concept you should keep in mind when assigning privileges to any user, process, or device. The concept is that you assign only the minimum privileges required for that person or component to do its job, no more; a compromised account or program can then do no more damage than its legitimate role allows. Keep this simple but critical concept in mind.
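The following added example (mine, not the book’s) ties together the authentication, authorization, and least-privilege points from the preceding paragraphs: passwords are verified against salted PBKDF2 hashes in constant time, and a separate authorization step checks the authenticated user’s role against a permission set that grants each role only what its job needs. The users, passwords, roles, and permission names are all constructed, and the PBKDF2 iteration count is deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

ITERATIONS = 100_000  # demo value; use a much higher work factor in production
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, object]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


# Permissions per role: each role gets only what its job needs (least privilege).
ROLES: Dict[str, Set[str]] = {
    "reader": {"report:read"},
    "analyst": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}

# Constructed user store; in practice this lives in a database, never in source.
USERS = {
    "alice": {"role": "analyst", "pw": hash_password("correct horse battery staple")},
    "bob": {"role": "reader", "pw": hash_password("bob-pass-2024")},
}

# Used when the username is unknown, so the work done (and hence the response
# time) matches a real lookup; otherwise timing reveals which usernames exist.
_DUMMY = hash_password("dummy", salt=b"\x00" * SALT_LEN)


def authenticate(username: str, password: str) -> bool:
    """Is this party who it claims to be? Checks credentials only; says nothing about permissions."""
    record = USERS.get(username, {"pw": _DUMMY})["pw"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # Constant-time comparison so a partial match does not leak through timing.
    return username in USERS and hmac.compare_digest(candidate, record["digest"])


def authorize(username: str, permission: str) -> bool:
    """May this (already authenticated) identity perform this action?"""
    user = USERS.get(username)
    return user is not None and permission in ROLES.get(user["role"], set())


def access(username: str, password: str, permission: str) -> str:
    """The full access-control decision: authenticate first, then authorize."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("bob", "bob-pass-2024", "report:read"))     # granted
    print(access("bob", "bob-pass-2024", "report:write"))    # denied: not authorized
    print(access("alice", "wrong password", "report:read"))  # denied: authentication failed
```

Bob’s valid password gets him exactly the read permission his role carries and nothing else; that is least privilege enforced at the authorization step, and it is independent of whether his password was correct. Keeping the two checks separate also means a bug in one (say, a role lookup that defaults to admin) is visible in code review rather than hidden inside a single tangled login routine.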

You should also keep in mind the CIA triangle (more commonly called the CIA triad): Confidentiality, Integrity, and Availability. Every security measure should serve one or more of these goals, and it is a useful habit to ask which one a given control protects. For example, hard drive encryption and good passwords help protect confidentiality. Digital signatures and cryptographic hashes help ensure integrity, and a good backup system, or network server redundancy, supports availability.

An entire book could be written on computer security terminology. The few terms introduced here are ubiquitous, and being familiar with them is important. Some of the exercises at the end of this chapter will help you expand your knowledge of computer security terminology. You might also find these links helpful:
