Ethical Hacking Unit-3


ETHICAL HACKING (Professional Elective – II)

UNIT - III

Preparing for a Hack:

Technical Preparation
Managing the Engagement
Reconnaissance:
Social Engineering
Physical Security
Internet Reconnaissance

Preparing for a Hack:

Technical Preparation
Hackers have broken into billions of accounts over the years, so it is not altogether unlikely that you
have been personally affected by one of these attacks.
You don’t have to be a cybersecurity expert to protect yourself from hackers. It’s much easier to protect
your data, your identity, or your company than you may think.
Thankfully, there are a few resources that will help you create strong passwords, find out whether
or not any of your personal accounts have been exposed in a breach, and keep existing software up to
date. Cybersecurity strategies can also help you prepare for hacks and protect yourself.
Here are 6 surefire ways to defend yourself from hacking attacks:

1. Read pressing cybersecurity news


Staying informed about the latest breaches, bugs, and bots will help you defend yourself and even
prevent potential hacking attempts.
Major news outlets with regular updates on cybersecurity issues include:

- TechCrunch
- CNET
- Wired
- Reuters

Most national and international newspapers will also highlight issues in technology and cybersecurity.
Be sure to keep an eye out for these sections in your daily periodical. Simply reading one or two security
stories every few weeks will help keep you in the know.

2. Check if you’ve been compromised

The website HaveIBeenPwned.com lets you enter account information, such as an email
address, and checks it against its database of millions of breached accounts. If your account turns up,
it has been compromised.
If you do have a compromised account, change its password as soon as
possible. In addition, keep a lookout for any suspicious activity on the account for a few months.
3. Create strong, unique passwords
Passwords are the easiest way to defend ourselves from hacking attempts, and a few simple
and effective password strategies can make your accounts very hard to break into.
The most effective passwords are:

- Unique for every account
- At least 8-12 characters long
- A mixture of numbers, letters, and special characters (like ‘!’, ‘@’, and ‘&’)
- A mixture of lowercase and capital letters

One trick for remembering strong passwords is to build the password from a sentence or meaningful
phrase. For example, g00D7Hinkn5! can be remembered by the phrase “good thinking!”
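As an added example (not code from the original notes), the checker below applies the password rules listed above and also shows how the breach check from step 2 can be done without sending the password anywhere: only the first five hex characters of its SHA-1 leave the machine, and the matching suffix is compared locally. The leaked-password table and its counts are constructed so the example runs offline; the prefix/suffix lookup format is an assumption modelled on the HaveIBeenPwned Pwned Passwords range API.

```python
import hashlib
import re

SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")


def password_issues(password, other_passwords=()):
    """Return the rules from the list above that the password fails (empty list = passes).

    other_passwords: passwords already used on the user's other accounts, so that
    reuse across accounts is caught as well.
    """
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        issues.append("no letter")
    if not any(ch in SPECIALS for ch in password):
        issues.append("no special character")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        issues.append("not a mix of lowercase and capital letters")
    if password in other_passwords:
        issues.append("reused on another account")
    return issues


# Constructed leaked-password table: the passwords and counts are made up for
# this example and are not real breach statistics.
LEAKED_SAMPLE = {"password": 1000, "123456": 2000, "qwerty": 300}


def _build_sample_ranges(leaked):
    """Index the sample by the first five hex chars of the SHA-1, as a range service would."""
    ranges = {}
    for pw, count in leaked.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


SAMPLE_RANGES = _build_sample_ranges(LEAKED_SAMPLE)


def sample_fetch(prefix):
    """Stand-in for the network call: returns 'SUFFIX:COUNT' lines for one 5-char prefix."""
    return "\n".join(SAMPLE_RANGES.get(prefix, []))


def breach_count(password, fetch=sample_fetch):
    """How many times the password appears in the (sample) breach data, 0 if never.

    Only the 5-character prefix is sent to the lookup; the full hash is matched here,
    so the lookup service never learns which password was checked.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password, other_passwords=()):
    """Combine both checks into one verdict: (ok, list of reasons)."""
    reasons = password_issues(password, other_passwords)
    hits = breach_count(password)
    if hits:
        reasons.append(f"seen {hits} times in breach data")
    return (not reasons), reasons
```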

4. Use a password manager


Password managers take a good chunk of the work out of protecting yourself from hacking attempts.
Password managers like LastPass take the guesswork and the grunt work out of creating, storing, and
changing your passwords.
With password managers, you can keep all of your passwords in one encrypted location. You’ll never
have to enter in your passwords again (save for the master password you use for the manager). You
can even generate strong passwords and rotate them automatically so you don’t even have to keep
coming up with passwords on your own.

5. Enable two-factor authentication

For important accounts, like your professional or personal email accounts, you can add
two-factor authentication. What does this mean? Two-factor authentication puts two
walls around your account instead of just one.
How does two-factor authentication typically work? After entering your password, your phone
receives a text message (SMS) containing a six-digit code. You are then
prompted to enter the code into your web browser, and only after entering the correct code is access
to your account granted.
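The server side of the flow just described, as an added example (not code from the original notes): after the password check passes, a six-digit code is generated from a cryptographically secure source, delivered through a pluggable send_sms callback, and accepted only once, within a time limit and within a small number of attempts. The five-minute lifetime, the five-attempt limit and the phone numbers are assumptions made for the example; an SMS gateway would replace the callback in a real deployment.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses invalidate the code


class SecondFactor:
    """Issues and verifies the one-time code that follows a successful password check."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, text); a real system hands this to an SMS gateway
        self.now = now             # injectable clock so expiry can be exercised in tests
        self.pending = {}          # username -> [code, expires_at, attempts_left]

    def start(self, username, phone):
        """Call only after the password was accepted. Generates and sends a fresh code."""
        code = f"{secrets.randbelow(10**6):06d}"   # uniform six digits from a CSPRNG, not random.random
        self.pending[username] = [code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(phone, f"Your login code is {code}")
        return True

    def verify(self, username, submitted):
        """Second wall: True only for the right code, within its lifetime, and only once."""
        entry = self.pending.get(username)
        if entry is None:
            return False                          # no login in progress for this user
        code, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            self.pending.pop(username, None)      # stale or exhausted code is discarded
            return False
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            self.pending.pop(username, None)      # a code is single use
            return True
        entry[2] -= 1                             # count the miss against the attempt budget
        return False


def demo():
    """Walk through the flow with an in-memory 'SMS' outbox and a manual clock."""
    outbox = []
    clock = [1000.0]
    sf = SecondFactor(send_sms=lambda phone, text: outbox.append(text), now=lambda: clock[0])

    sf.start("alice", "+15550100")           # placeholder phone number
    code = outbox[-1].split()[-1]
    wrong_guess = sf.verify("alice", "000000" if code != "000000" else "999999")
    right_guess = sf.verify("alice", code)
    replay = sf.verify("alice", code)        # same code presented a second time

    sf.start("alice", "+15550100")
    code = outbox[-1].split()[-1]
    clock[0] += CODE_TTL_SECONDS + 1         # let the new code expire
    expired = sf.verify("alice", code)
    return {"wrong": wrong_guess, "right": right_guess, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())   # {'wrong': False, 'right': True, 'replay': False, 'expired': False}
```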

6. Update software regularly


Software almost always has bugs, holes, or backdoors. No matter how new a software product may be,
there are always exploitable elements. Luckily, software developers are aware of this and have a few
measures to fight against these unexpected errors.
Software updates patch software issues. For this reason, it’s of the utmost importance to consistently
check for updates. The more outdated your software, the more likely it is hackers will exploit it. Update
your software regularly to minimize risk.
Managing the Engagement
Every ethical hacking engagement has rules of engagement, which define how the ethical hack will be
laid out, what methodology will be used, the start and end dates, the milestones, the goals of the
penetration test, the liabilities and responsibilities, and so on. All of these have to be mutually agreed
upon by both the customer and the tester before the ethical hack is started.

The following important requirements are present in almost every set of rules of engagement:

- A proper “permission to hack” agreement and a nondisclosure agreement should be signed by both
parties.
- The scope of the engagement and which parts of the organization must be tested.
- The project duration, including both the start and the end date.
- The methodology to be used for conducting the ethical hack.
- The goals of the ethical hack.
- The allowed and disallowed techniques, including whether denial-of-service testing should be
performed or not.
- The liabilities and responsibilities, which are decided ahead of time. As an ethical hacker you
might break into something that should not be accessible, causing a denial of service; you
might also access sensitive information such as credit card numbers. Therefore, the liabilities should
be defined prior to the engagement.
- Never exceed the limits of your authorization. Every assignment will have rules of
engagement. These include not only what you are authorized to target, but also the extent
to which you are authorized to control such a system. If you are only authorized to obtain a prompt
on the target system, downloading passwords and starting to crack them would
be in excess of what you have been authorized to do.
- The tester should protect himself by agreeing limits on liability for damage in advance.
There has to be an NDA between the client and the tester to protect them both.
- Be ethical. That’s right; the big difference between a hacker and an ethical hacker is the word
ethics. Ethics is a set of moral principles about what is correct or the right thing to do. Ethical
standards are sometimes different from legal standards in that laws define what we must do,
whereas ethics define what we should do.
- Maintain confidentiality. During security evaluations, you will likely be exposed to many types
of confidential information. You have both a legal and a moral obligation to treat this information
with the utmost privacy.
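A small authorization gate that encodes the items above, as an added example (not code from the original notes): before any test action runs, it checks the date window, whether the target address is inside the agreed scope and not on the exclusion list, and whether the technique was agreed, with denial-of-service testing off unless the rules say otherwise. Every value in RULES_OF_ENGAGEMENT is a placeholder for a hypothetical engagement (192.0.2.0/24 and 203.0.113.0/24 are documentation address ranges).

```python
import ipaddress
from datetime import datetime

# Placeholder rules-of-engagement record for a hypothetical engagement; in practice the
# values are copied from the signed document.
RULES_OF_ENGAGEMENT = {
    "start": datetime(2024, 3, 4, 9, 0),
    "end": datetime(2024, 3, 15, 18, 0),
    "in_scope": ["10.10.0.0/16", "192.0.2.0/24"],
    "excluded": ["10.10.5.0/24"],             # e.g. a production segment carved out of scope
    "allowed_techniques": {"port_scan", "vuln_scan", "exploit_to_shell"},
    "denial_of_service": False,               # must be explicitly agreed; off by default
}


def authorized(target_ip, technique, when, roe=RULES_OF_ENGAGEMENT):
    """Return (ok, reason). ok is True only when time, target and technique are all covered.

    `when` may be a datetime or an ISO-8601 string such as "2024-03-06T10:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not roe["start"] <= when <= roe["end"]:
        return False, "outside the agreed start/end dates"

    ip = ipaddress.ip_address(target_ip)
    if any(ip in ipaddress.ip_network(net) for net in roe["excluded"]):
        return False, f"{target_ip} is explicitly excluded from scope"
    if not any(ip in ipaddress.ip_network(net) for net in roe["in_scope"]):
        return False, f"{target_ip} is not in scope"

    allowed = set(roe["allowed_techniques"])
    if roe["denial_of_service"]:
        allowed.add("denial_of_service")      # only agreed DoS testing is ever allowed
    if technique not in allowed:
        return False, f"technique '{technique}' was not agreed; do not exceed authorization"
    return True, "authorized"


def gate(action):
    """Decorator: refuse to run a test action unless authorized() says so, logging the decision."""
    def wrapper(target_ip, technique, when=None, **kwargs):
        when = when or datetime.now()
        ok, reason = authorized(target_ip, technique, when)
        print(f"[{'ALLOW' if ok else 'DENY'}] {technique} {target_ip}: {reason}")
        if not ok:
            return None
        return action(target_ip, technique, when, **kwargs)
    return wrapper


@gate
def run_test(target_ip, technique, when, **kwargs):
    """Placeholder for the real test action; only reachable through the gate."""
    return f"ran {technique} against {target_ip}"
```

Keeping the decision log from gate() alongside the report is what lets a tester show afterwards that every action stayed inside the agreed scope.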

Penetration Testing
Penetration testing is a term now widely used when referring to a security vulnerability assessment and
is primarily focused on penetrating an organisation’s defensive systems. A penetration test can also
be used to find vulnerabilities and weaknesses in a particular product or application before
"sign-off". It will normally last between 2 and 14 days, with a single report at the end, and should
always be considered a point-in-time assessment of security.

Those conducting a penetration test can run tests on both internal and external network
infrastructure and systems, as well as wireless network infrastructure and mobile devices and mobile
applications, in order to:

- Identify potentially exploitable flaws and vulnerabilities
- Identify configuration weaknesses that introduce security risk
- Identify unpatched software
- Validate technical controls and countermeasures

If security flaws are identified, the tester will often provide remediation advice to resolve them or to
implement appropriate controls/processes, so that security systems are effective and comply with a
range of data and privacy regulations, such as the EU GDPR (General Data Protection Regulation), the
DPA (Data Protection Act) 2018, and PCI DSS (Payment Card Industry Data Security Standard).
Red Team Engagement
Unlike a penetration test, a red team engagement is a larger-scale security assessment
across the entire organisation, intended to reduce the risk from cyber threats. Red team engagements
are typically not bound by a traditional or focused scope, meaning that there are no restrictions as to
what can be looked at within the security systems and the business. This can include analysing
systems, applications, software, employee engagement, physical security, and learning how they
interact with each other.

Red team engagements blend the various skills used by attackers to perform a security assessment,
including but not limited to full exploitation, vulnerability chaining and social engineering.

To ensure that the security assessment takes place under realistic conditions, those conducting the
test will act as a cybercriminal would, and people within the organisation will know as little as
possible beforehand, except for those in the organisation who need to approve it.

This is to make sure there is no interference with the security assessment and that the reports are as
accurate as possible.

Depending on the length of the assessment, a detailed report will be provided both regularly
throughout and at the end of the assessment. Below is a handful of topics the report will
cover:

- Types of attacks undertaken and their success: did existing systems and controls detect and
respond to the attacks (e.g. did users report phishing attacks)?
- Details of compromised systems and data. High-Value Targets (HVTs) are often set at the initial
kick-off; if any of these HVTs are compromised, this will be reported.
- Indicators of compromise: red team testing will sometimes uncover previous compromises.

Due to the scope and what is involved in a 'Red Team Engagement' assessment, the process can
typically last several months or longer.

Are Penetration Tests and Red Team Engagement Assessments important?

To round things off, both 'Red Team Engagement' assessments and 'Penetration Testing' are
important when assessing your security set-up; however, they cover different scope levels and run for
different durations.
Remember, you are offering insight into your network and possibly sensitive data; therefore, ensure
your research into the provider is thorough, so that your data is protected and is only used for the
assessment.
Most companies that offer 'Pen Testing' and 'Red Team Engagement' assessments may hold one of
the following qualifications:

- CREST certification
- CREST STAR – 'Simulated Target Attack & Response' (Red Teaming)
- PCI DSS penetration testing – for the Payment Card Industry (PCI)
- Certified Ethical Hacker (CEH) program - provided by the EC-Council (International Council of
E-Commerce Consultants)

While these qualifications are useful when looking for a security assessment provider, they shouldn't
be the deciding factor. A service provider that has the relevant knowledge base and has earned your
trust will be able to deliver the security assessment that’s required.
Reconnaissance:
Reconnaissance is the information-gathering stage of ethical hacking, where you collect data about
the target system. This data can include anything from network infrastructure to employee contact
details. The goal of reconnaissance is to identify as many potential attack vectors as possible.

Social Engineering
Social engineering is a manipulation technique that exploits human error to gain private information,
access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users
into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can
happen online, in-person, and via other interactions.

Scams based on social engineering are built around how people think and act. As such, social
engineering attacks are especially useful for manipulating a user’s behavior. Once an attacker
understands what motivates a user’s actions, they can deceive and manipulate the user effectively.

In addition, hackers try to exploit a user's lack of knowledge. Thanks to the speed of technology,
many consumers and employees aren’t aware of certain threats like drive-by downloads. Users also
may not realize the full value of personal data, like their phone number. As a result, many users are
unsure how to best protect themselves and their information.

Generally, social engineering attackers have one of two goals:

1. Sabotage: Disrupting or corrupting data to cause harm or inconvenience.
2. Theft: Obtaining valuables like information, access, or money.

This social engineering definition can be further expanded by knowing exactly how it works.

How Does Social Engineering Work?


Most social engineering attacks rely on actual communication between attackers and victims. The
attacker tends to motivate the user into compromising themselves, rather than using brute force
methods to breach your data.

The attack cycle gives these criminals a reliable process for deceiving you. Steps for the social
engineering attack cycle are usually as follows:

1. Prepare by gathering background information on you or a larger group you are a part of.
2. Infiltrate by establishing a relationship or initiating an interaction, started by building trust.
3. Exploit the victim once trust and a weakness are established to advance the attack.
4. Disengage once the user has taken the desired action.

This process can take place in a single email or over months in a series of social media chats. It could
even be a face-to-face interaction. But it ultimately concludes with an action you take, like sharing
your information or exposing yourself to malware.

It's important to beware of social engineering as a means of confusion. Many employees and
consumers don't realize that just a few pieces of information can give hackers access to multiple
networks and accounts.

By masquerading as legitimate users to IT support personnel, they grab your private details — like
name, date of birth or address. From there, it's a simple matter to reset passwords and gain almost
unlimited access. They can steal money, disperse social engineering malware, and more.
Traits of Social Engineering Attacks
Social engineering attacks center around the attacker’s use of persuasion and confidence. When
exposed to these tactics, you are more likely to take actions you otherwise wouldn’t.

Among most attacks, you’ll find yourself being misled into the following behaviors:

Heightened emotions:
Emotional manipulation gives attackers the upper hand in any interaction. You are far more likely
to take irrational or risky actions when in a heightened emotional state. The following emotions are all
used in equal measure to convince you:
- Fear
- Excitement
- Curiosity
- Anger
- Guilt
- Sadness

Urgency:
Time-sensitive opportunities or requests are another reliable tool in an attacker’s arsenal. You may be
motivated to compromise yourself under the guise of a serious problem that needs immediate
attention. Alternatively, you may be exposed to a prize or reward that may disappear if you do not act
quickly. Either approach overrides your critical thinking ability.

Trust: Believability is invaluable and essential to a social engineering attack. Since the attacker is
ultimately lying to you, confidence plays an important role here. They’ve done enough research on
you to craft a narrative that’s easy to believe and unlikely to rouse suspicion.

There are some exceptions to these traits. In some cases, attackers use more simplistic methods of
social engineering to gain network or computer access. For example, a hacker might frequent the
public food court of a large office building and "shoulder surf" users working on their tablets or laptops.
Doing so can result in a large number of passwords and usernames, all without sending an email or
writing a line of virus code.

Now that you understand the underlying concept, you’re probably wondering “what is a social
engineering attack and how can I spot it?”

Types of Social Engineering Attacks


Almost every type of cybersecurity attack contains some kind of social engineering. For example, the
classic email and virus scams are laden with social overtones.

Social engineering can impact you digitally through mobile attacks in addition to desktop devices.
However, you can just as easily be faced with a threat in-person. These attacks can overlap and layer
onto each other to create a scam.

Here are some common methods used by social engineering attackers:

Phishing Attacks

Phishing attackers pretend to be a trusted institution or individual in an attempt to persuade you to
expose personal data and other valuables.

Attacks using phishing are targeted in one of two ways:

1. Spam phishing, or mass phishing, is a widespread attack aimed at many users. These attacks are
non-personalized and try to catch any unsuspecting person.
2. Spear phishing and, by extension, whaling use personalized information to target particular users.
Whaling attacks specifically aim at high-value targets like celebrities, upper management, and
high-ranking government officials.

Whether it’s a direct communication or via a fake website form, anything you share goes directly into
a scammer’s pocket. You may even be fooled into a malware download containing the next stage of
the phishing attack. Methods used in phishing each have unique modes of delivery, including but not
limited to:

Voice phishing (vishing) phone calls may be automated message systems recording all your inputs.
Sometimes, a live person might speak with you to increase trust and urgency.

SMS phishing (smishing) texts or mobile app messages might include a web link or a prompt to
follow-up via a fraudulent email or phone number.

Email phishing is the most traditional means of phishing, using an email urging you to reply or follow-
up by other means. Web links, phone numbers, or malware attachments can be used.

Angler phishing takes place on social media, where an attacker imitates a trusted company’s
customer service team. They intercept your communications with a brand to hijack and divert your
conversation into private messages, where they then advance the attack.

Search engine phishing attempts to place links to fake websites at the top of search results. These
may be paid ads or use legitimate optimization methods to manipulate search rankings.

URL phishing links tempt you to travel to phishing websites. These links are commonly delivered in
emails, texts, social media messages, and online ads. Attacks hide links in hyperlinked text or
buttons, using link-shortening tools, or deceptively spelled URLs.

In-session phishing appears as an interruption to your normal web browsing. For example, you may
see fake login pop-ups for pages you’re currently visiting.

Baiting Attacks

Baiting abuses your natural curiosity to coax you into exposing yourself to an attacker. Typically,
potential for something free or exclusive is the manipulation used to exploit you. The attack usually
involves infecting you with malware.
Popular methods of baiting can include:
- USB drives left in public spaces, like libraries and parking lots.
- Email attachments including details on a free offer, or fraudulent free software.

Physical Breach Attacks

Physical breaches involve attackers appearing in-person, posing as someone legitimate to gain
access to otherwise unauthorized areas or information.

Attacks of this nature are most common in enterprise environments, such as governments,
businesses, or other organizations. Attackers may pretend to be a representative of a known, trusted
vendor for the company. Some attackers may even be recently fired employees with a vendetta
against their former employer.

They make their identity obscure but believable enough to avoid questions. This requires a bit of
research on the attacker’s part and involves high-risk. So, if someone is attempting this method,
they’ve identified clear potential for a highly valuable reward if successful.

Pretexting Attacks

Pretexting uses a deceptive identity as the “pretext” for establishing trust, such as directly
impersonating a vendor or a facility employee. This approach requires the attacker to interact with you
more proactively. The exploit follows once they’ve convinced you they are legitimate.

Access Tailgating Attacks

Tailgating, or piggybacking, is the act of trailing an authorized staff member into a restricted-access
area. Attackers may play on social courtesy to get you to hold the door for them or convince you that
they are also authorized to be in the area. Pretexting can play a role here too.

Quid Pro Quo Attacks

Quid pro quo is a term roughly meaning “a favor for a favor,” which in the context of phishing means
an exchange of your personal info for some reward or other compensation. Giveaways or offers to
take part in research studies might expose you to this type of attack.

The exploit comes from getting you excited for something valuable that comes with a low investment
on your end. However, the attacker simply takes your data with no reward for you.
DNS Spoofing and Cache Poisoning Attacks

DNS spoofing manipulates the name resolution your browser and web servers rely on, so that you are
sent to a malicious website when you enter a legitimate URL. Once a system is affected, the redirect
will continue until the inaccurate routing data is cleared from the systems involved.
DNS cache poisoning attacks specifically plant routing instructions on your device that direct the
legitimate URL, or multiple URLs, to fraudulent websites.

Scareware Attacks

Scareware is a form of malware used to frighten you into taking an action. This deceptive malware
uses alarming warnings that report fake malware infections or claim one of your accounts has been
compromised.

As a result, scareware pushes you to buy fraudulent cybersecurity software, or divulge private details
like your account credentials.

Watering Hole Attacks

Watering hole attacks infect popular webpages with malware to impact many users at a time. It
requires careful planning on the attacker’s part to find weaknesses in specific sites. They look for
existing vulnerabilities that are not yet known and patched — such weaknesses are called zero-day
vulnerabilities, and attacks against them zero-day exploits.

Other times, they may find that a site has not updated its infrastructure to patch known issues.
Website owners may choose to delay software updates to keep software versions they know are stable.
They’ll switch once the newer version has a proven track record of stability. Hackers abuse
this behavior to target recently patched vulnerabilities.

Unusual Social Engineering Methods


In some cases, cybercriminals have used complex methods to complete their cyberattacks, including:

- Fax-based phishing: When one bank’s customers received a fake email that claimed to be from the
bank — asking the customer to confirm their access codes – the method of confirmation was not via
the usual email / Internet routes. Instead, the customer was asked to print out the form in the email,
then fill in their details and fax the form to the cybercriminal’s telephone number.
- Traditional mail malware distribution: In Japan, cybercriminals used a home-delivery service to
distribute CDs that were infected with Trojan spyware. The disks were delivered to the clients of a
Japanese bank. The clients’ addresses had previously been stolen from the bank’s database.

Examples of Social Engineering Attacks


Malware attacks deserve a special focus, as they are common and have prolonged effects.
When malware creators use social engineering techniques, they can lure an unwary user into
launching an infected file or opening a link to an infected website. Many email worms and other types
of malware use these methods. Without a comprehensive security software suite for your mobile and
desktop devices, you’re likely exposing yourself to an infection.
Worm Attacks
The cybercriminal will aim to attract the user’s attention to the link or infected file – and then get the
user to click on it.

Examples of this type of attack include:

- The LoveLetter worm that overloaded many companies’ email servers in 2000. Victims received an
email that invited them to open the attached love letter. When they opened the attached file, the worm
copied itself to all of the contacts in the victim’s address book. This worm is still regarded as one of
the most devastating, in terms of the financial damage that it inflicted.
- The Mydoom email worm — which appeared on the Internet in January 2004 — used texts that
imitated technical messages issued by the mail server.
- The Swen worm passed itself off as a message that had been sent from Microsoft. It claimed that the
attachment was a patch that would remove Windows vulnerabilities. It’s hardly surprising that many
people took the claim seriously and tried to install the bogus security patch — even though it was
really a worm.

Malware Link Delivery Channels


Links to infected sites can be sent via email, ICQ and other IM systems — or even via IRC Internet
chat rooms. Mobile viruses are often delivered by SMS message.

Whichever delivery method is used, the message will usually contain eye-catching or intriguing words
that encourage the unsuspecting user to click on the link. This method of penetrating a system can
allow the malware to bypass the mail server’s antivirus filters.

Peer-to-Peer (P2P) Network Attacks


P2P networks are also used to distribute malware. A worm or a Trojan virus will appear on the P2P
network but will be named in a way that’s likely to attract attention and get users to download and
launch the file.

For example:
- AIM & AOL Password Hacker.exe
- Microsoft CD Key Generator.exe
- PornStar3D.exe
- Play Station emulator crack.exe
Shaming Infected Users out of Reporting an Attack

In some cases, the malware creators and distributors take steps that reduce the likelihood of victims
reporting an infection:

Victims may respond to a fake offer of a free utility or a guide that promises illegal benefits like:

- Free Internet or mobile communications access.
- The chance to download a credit card number generator.
- A method to increase the victim’s online account balance.

In these cases, when the download turns out to be a Trojan virus, the victim will be keen to avoid
disclosing their own illegal intentions. Hence, the victim will probably not report the infection to any
law enforcement agencies.

As an example of this technique, a Trojan virus was once sent to email addresses that were taken
from a recruitment website. People that had registered on the site received fake job offers, but the
offers included a Trojan virus. The attack mainly targeted corporate email addresses. The
cybercriminals knew that the staff that received the Trojan would not want to tell their employers that
they had been infected while they were looking for alternative employment.

How to Spot Social Engineering Attacks


Defending against social engineering requires you to practice self-awareness. Always slow down and
think before doing anything or responding.

Attackers expect you to take action before considering the risks, which means you should do the
opposite. To help you, here are some questions to ask yourself if you suspect an attack:

- Are my emotions heightened? When you’re especially curious, fearful, or excited, you’re less likely
to evaluate the consequences of your actions. In fact, you probably will not consider the legitimacy of
the situation presented to you. Consider it a red flag if your emotional state is elevated.
- Did this message come from a legitimate sender? Inspect email addresses and social media
profiles carefully when getting a suspect message. There may be characters that mimic others, such
as “torn@example.com” instead of “tom@example.com.” Fake social media profiles that duplicate
your friend’s picture and other details are also common.
- Did my friend actually send this message to me? It’s always good to ask the sender whether they
were the true sender of the message in question. Whether it was a coworker or another person in your
life, ask them in person or via a phone call if possible. They may have been hacked and not know it, or
someone may be impersonating their accounts.
- Does the website I’m on have odd details? Irregularities in the URL, poor image quality, old or
incorrect company logos, and webpage typos can all be red flags of a fraudulent website. If you enter
a spoofed website, be sure to leave immediately.
- Does this offer sound too good to be true? In the case of giveaways or other targeting methods,
offers are a strong motivation to drive a social engineering attack forward. You should consider why
someone is offering you something of value for little gain on their end. Be wary at all times, because
even basic data like your email address can be harvested and sold to unsavory advertisers.
- Are the attachments or links suspicious? If a link or file name appears vague or odd in a message,
reconsider the authenticity of the whole communication. Also consider whether the message itself was
sent in an odd context or at an odd time, or raises any other red flags.
- Can this person prove their identity? If you cannot get this person to verify their identity with the
organization they claim to be a part of, do not allow them the access they are asking for. This applies
both in person and online, as physical breaches rely on you overlooking the attacker’s identity.
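The lookalike-sender check from the second question above, written as an added example (not code from the original notes): an incoming From: address is compared against an address book, character sequences that are easily confused in print (rn/m, vv/w, 0/o, 1/l) are normalized away, and an address that is one typo away from a known contact in either its local part or its domain is flagged for out-of-band verification. KNOWN_CONTACTS and CONFUSABLES are constructed for the example.

```python
# Constructed address book for the example.
KNOWN_CONTACTS = {"tom@example.com", "alice@example.com", "it-support@example.com"}

# Sequences that render almost identically in common fonts, each mapped to what it imitates.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(text):
    """Lower-case and collapse confusable sequences so 'torn' and 'tom' compare equal."""
    text = text.lower()
    for look, real in CONFUSABLES:
        text = text.replace(look, real)
    return text


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(address, contacts=KNOWN_CONTACTS):
    """Classify a From: address.

    Returns ("known", contact) for an exact match, ("lookalike", contact) when the
    address imitates a contact through confusable characters or a single typo in either
    the local part or the domain, and ("unknown", None) otherwise. A lookalike verdict is a
    prompt to verify by phone or in person, not proof of an attack: a genuine 'tim' next to a
    known 'tom' is flagged too.
    """
    address = address.strip().lower()
    if address in contacts:
        return "known", address
    local, _, domain = address.partition("@")
    for contact in sorted(contacts):
        c_local, _, c_domain = contact.partition("@")
        same_domain = normalize(domain) == normalize(c_domain)
        same_local = normalize(local) == normalize(c_local)
        # confusable swap or one typo in the local part, on a matching domain
        if same_domain and (same_local or edit_distance(local, c_local) <= 1):
            return "lookalike", contact
        # matching local part on a domain that is one typo away (example.co, exarnple.com)
        if same_local and edit_distance(domain, c_domain) <= 1:
            return "lookalike", contact
    return "unknown", None
```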

How to Prevent Social Engineering Attacks


Beyond spotting an attack, you can also be proactive about your privacy and security. Knowing how
to prevent social engineering attacks is incredibly important for all mobile and computer users.

Here are some important ways to protect against all types of cyberattacks:
Safe Communication and Account Management Habits
Online communication is where you’re especially vulnerable. Social media, email, text messages are
common targets, but you’ll also want to account for in-person interactions as well.

Never click on links in any emails or messages. Always manually type a URL into
your address bar, regardless of the sender, and take the extra step of investigating to find the
official version of the URL in question. Never engage with any URL you have not verified as official or
legitimate.

Use multi-factor authentication. Online accounts are much safer when using more than just a
password to protect them. Multi-factor authentication adds extra layers to verify your identity upon
account login. These “factors” can include biometrics like fingerprint or facial recognition, or temporary
passcodes sent via text message.

Use strong passwords (and a password manager). Each of your passwords should be unique and
complex. Aim to use diverse character types, including uppercase, numbers, and symbols. Also, you
will probably want to opt for longer passwords when possible. To help you manage all your custom
passwords, you might want to use a password manager to safely store and remember them.

Avoid sharing names of your schools, pets, place of birth, or other personal details. You could
be unknowingly exposing answers to your security questions or parts of your password. If you set up
your security questions to be memorable but inaccurate, you’ll make it harder for a criminal to crack
your account. If your first car was a “Toyota,” writing a lie like “clown car” instead could completely
throw off any prying hackers.

Be very cautious of building online-only friendships. While the internet can be a great way to
connect with people worldwide, this is a common method for social engineering attacks. Watch for
tells and red flags that indicate manipulation or a clear abuse of trust.

Safe Network Use Habits


Compromised online networks can be another point of vulnerability exploited for background
research. To avoid having your data used against you, take protective measures for any network
you’re connected to.

Never let strangers connect to your primary Wi-Fi network. At home or in the workplace, a guest
Wi-Fi connection should be made available. This allows your main encrypted, password-secured
connection to remain secure and interception-free. Should someone decide to “eavesdrop” for
information, they won’t be able to access the activity you and others would like to keep private.

Use a VPN. In case someone on your main network, wired, wireless, or even cellular, finds a way to
intercept traffic, a virtual private network (VPN) can keep them out. VPNs are services that give you a
private, encrypted “tunnel” on any internet connection you use. Your connection is not only guarded
from unwanted eyes, but your data is anonymized so it cannot be traced back to you via cookies or
other means.

Keep all network-connected devices and services secure. Many people are aware of internet
security practices for mobile and traditional computer devices. However, securing your network itself,
in addition to all your smart devices and cloud services, is just as important. Be sure to protect
commonly overlooked devices like car infotainment systems and home network routers. Data
breaches on these devices could fuel personalization for a social engineering scam.

Safe Device Use Habits

Keeping your devices themselves secure is just as important as all your other digital behaviors.
Protect your mobile phone, tablet, and other computer devices with the tips below:

Use comprehensive internet security software. In the event that social tactics are successful,
malware infections are a common outcome. To combat rootkits, Trojans and other bots, it's critical to
employ a high-quality internet security solution that can both eliminate infections and help track their
source.

Don’t ever leave your devices unsecured in public. Always lock your computer and mobile
devices, especially at work. When using your devices in public spaces like airports and coffee shops,
always keep them in your possession.

Keep all your software updated as soon as available. Immediate updates give your software
essential security fixes. When you skip or delay updates to your operating system or apps, you are
leaving known security holes exposed for hackers to target. Since they know this is a behavior of
many computer and mobile users, you become a prime target for socially engineered malware
attacks.

Check for known data breaches of your online accounts. Services like Kaspersky Security
Cloud actively monitor new and existing data breaches for your email addresses. If your accounts are
included in compromised data, you’ll receive a notification along with advice on how to take action.

Protection against social engineering starts with education. If all users are aware of the threats, our
safety as a collective society will improve. Be sure to increase awareness of these risks by sharing
what you’ve learned with your coworkers, family, and friends.


Physical Security

Physical security can be defined as the protection of information-related assets such as storage
devices, hard drives, computers, the organization's machines, laptops, and servers. The protection
mainly addresses real-world threats and crimes such as unauthorized access, natural disasters like
fire and flood, and human-made disasters like theft. This type of security requires physical controls
such as locks, protective barriers, impenetrable walls and doors, an uninterruptible power supply,
and/or security personnel to protect the private and sensitive data stored in servers.

Information Security vs. Physical Security

The two terms differ conceptually. Information security deals with protecting information from
unauthorized access, disclosure, illegal use, modification, recording, copying, or destruction.
Information security operates in the logical domain, whereas physical security operates in the
physical domain.

Objectives of Physical Security

- Understand the need for physical security.
- Identify threats to information security that are connected to physical security.
- Describe the key physical security considerations for selecting a facility site.
- Identify physical security monitoring components.
- Understand the importance of fire safety programs.
- Describe the components of fire detection and response.

Factors on Which Physical Security Vulnerabilities Depend

Any hack may succeed, despite the security in place, if the attacker gains access to the organization's
building or data center by exploiting a physical security vulnerability. In small companies and
organizations this problem may be smaller, but the other factors on which physical security
vulnerabilities depend are as follows:

1. How many workplaces, buildings, or sites does the organization have?
2. How large is the organization's building?
3. How many employees work in the organization?
4. How many entry and exit points are there in a building?
5. Where are data centers and other confidential information placed?

Attack Points to Compromise Physical Security

Hackers think like real masterminds and look for weaknesses in buildings that allow unauthorized
physical access. From the attacker's point of view, the tactics used to compromise physical security
are:

- Are the doors propped open? If so, that can be an attack vector.
- Check whether the gap at the bottom of critical doors would allow someone to use a device to
trip a sensor inside the security room.
- Check whether it would be easy to open the door by breaking the lock forcefully.
- Are any doors or windows made of glass, especially the doors of the server room or other
confidential areas?
- Are the ceilings above doors made of tiles that can be pushed up?
- Are the power supply and protection equipment faulty?
- Once a hacker obtains network access, they can send malicious emails as a logged-in user.

Layers of Physical Security

Physical security depends on a layered defense model like that of information security. Layers are
implemented starting at the perimeter and moving toward an asset. These layers are:

1. Deterring.
2. Delaying.
3. Detection.
4. Assessment.
5. Response.

Crime Prevention Through Environmental Design (CPTED)

CPTED is a discipline that outlines how the proper design of a physical environment can mitigate
crime and hacking by directly affecting human behavior. The concept was developed in the 1960s
and is still used, mainly to prevent social engineering. It has three main strategies, namely:

1. Natural access control.
2. Natural surveillance.
3. Territorial reinforcement.

Risk Assessment

Both physical intruders and cybercriminals share the same motives, such as money or a social
agenda. Intruders also seek opportunities to exploit by any means. These three terms, motive,
opportunity, and means, are therefore listed together to form a formula whose result is the total
risk, i.e.

Countermeasures and Protection Techniques

A fact of physical security is that its controls are often reactive. Other experts need to be involved
from a security perspective during the design, assessment, and retrofitting stages. Beyond that, the
security measures that must be taken are:

1. Strong doors and locks.
2. Lights and security cameras, especially around entry and exit points.
3. Windowless walls around data centers.
4. Fences (with barbed wire or razor wire).
5. Closed-circuit televisions (CCTVs) or IP-based network cameras must be used and
monitored in real time.
6. An intrusion detection system must be deployed to detect unauthorized entries and to alert a
responsible entity.
7. Know the different types of IDS systems, such as electromechanical and volumetric.
8. Security personnel and guards must be used to protect data against physical theft or damage.
9. The organization should use a simple form of biometric access system (such as facial or
fingerprint scanning access).
10. Tie physical security to information access control, such as ID cards and name badges.
11. Different types of lock systems must be applied, such as manual locks, programmable locks
(controlled by computers), electronic locks, and biometric locks (facial and retina scans).
12. Alarms and alarm systems should be installed in the building infrastructure to give notice when
an event occurs, such as fire detection, intrusion detection, theft, environmental disturbances,
or interruption in services.

Internet Reconnaissance

Reconnaissance is an important first stage in any ethical hacking attempt. Before it’s possible to
exploit a vulnerability in the target system, it’s necessary to find it. By performing reconnaissance on
the target, an ethical hacker can learn about the details of the target network and identify potential
attack vectors.

Reconnaissance efforts can be broken up into two types: passive and active. While both versions can
be effective, passive reconnaissance prioritizes subtlety (ensuring that the hacker is not detected),
while active reconnaissance is used for cases where collecting information is more important than
remaining undetected.

Top passive recon tools

In passive reconnaissance, the hacker never interacts directly with the target’s network. The tools
used for passive reconnaissance take advantage of unintentional data leaks from an organization to
provide the hacker with insight into the internals of the organization’s network.

1. Wireshark

Wireshark is best known as a network traffic analysis tool, but it can also be invaluable for passive
network reconnaissance. If an attacker can gain access to an organization’s Wi-Fi network or
otherwise eavesdrop on the network traffic of an employee (e.g., by eavesdropping on traffic in a
coffee shop), analyzing it in Wireshark can provide a great deal of useful intelligence about the target
network.
By passively eavesdropping on traffic, a hacker may be able to map IP addresses of computers within
the organization’s network and determine their purposes based on the traffic flowing to and from
them. Captured traffic may also include version information of servers, allowing a hacker to identify
potentially vulnerable software that can be exploited.
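The point of the Wireshark paragraph for a network owner is to know what their own traffic gives away before anyone else captures it. The following added example is not from the notes or from the Wireshark project; it runs the same kind of analysis over a handful of constructed packet records (a simplified tuple shape, not Wireshark's export format) and reports the cleartext services and version banners a passive listener would see.

```python
import re
from collections import defaultdict

# Service ports whose traffic is normally cleartext, i.e. readable by anyone
# who can capture it. 443 (TLS) and 22 (SSH) are deliberately absent.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

# Version banners that servers send in the clear even on otherwise protected
# services: an HTTP "Server:" header and the SSH protocol identification line.
BANNER_RE = re.compile(r"^(?:Server: |SSH-[\d.]+-)(.+?)\r?$", re.M)

# Constructed capture records (not real traffic, not Wireshark's format):
# (src, sport, dst, dport, payload_text).
SAMPLE_CAPTURE = [
    ("10.0.0.23", 51234, "10.0.0.5", 80, "GET /intranet/ HTTP/1.1\r\nHost: wiki.internal\r\n\r\n"),
    ("10.0.0.5", 80, "10.0.0.23", 51234, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n\r\n"),
    ("10.0.0.23", 51300, "10.0.0.9", 23, "login: admin\r\n"),
    ("10.0.0.9", 22, "10.0.0.23", 51400, "SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.0.0.23", 51500, "10.0.0.40", 443, "\x16\x03\x01 ... (TLS, opaque to an eavesdropper)"),
    ("10.0.0.50", 52000, "10.0.0.5", 80, "GET /status HTTP/1.1\r\nHost: wiki.internal\r\n\r\n"),
]


def service_port(sport: int, dport: int) -> int:
    """Heuristic: the well-known (lower) port of the two is the service port."""
    return min(sport, dport)


def audit_capture(records) -> dict:
    """Summarise what a passive eavesdropper could learn from the records:
    every host seen, each cleartext service with its packet count, and any
    software version banners, keyed by the server that sent them."""
    hosts = set()
    cleartext = defaultdict(int)
    banners = defaultdict(set)
    for src, sport, dst, dport, payload in records:
        hosts.update((src, dst))
        port = service_port(sport, dport)
        server = src if sport == port else dst  # the side holding the service port
        if port in CLEARTEXT_PORTS:
            cleartext[(server, port, CLEARTEXT_PORTS[port])] += 1
        for m in BANNER_RE.finditer(payload):
            banners[src].add(m.group(1))  # banners are sent by the server
    return {"hosts": hosts, "cleartext": dict(cleartext), "banners": dict(banners)}


def report(records) -> list:
    """Human-readable findings, one per line, for the network owner to act on."""
    summary = audit_capture(records)
    lines = [f"{len(summary['hosts'])} hosts observed"]
    for (server, port, name), count in sorted(summary["cleartext"].items()):
        lines.append(f"cleartext {name} on {server}:{port} ({count} packets): move to an encrypted protocol")
    for server, versions in sorted(summary["banners"].items()):
        lines.append(f"{server} advertises {', '.join(sorted(versions))}: patch or suppress the banner")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Note that the SSH session itself is encrypted, yet its version string is still collected: banners leak on port 22 and 443 too, which is why the audit keys banners separately from cleartext services.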

2. Google

Google can provide a vast amount of information on a variety of different topics. One potential
application of Google is for performing passive reconnaissance about a target.
The information that an organization posts online can provide a massive amount of information about
their network. The organization’s website, especially its career page, can provide details of the types
of systems used in the network. By using specialized Google queries (Google Dorking), it’s also
possible to search for files that were not intentionally exposed to the internet but still publicly available
as well.

3. FindSubDomains.com

FindSubDomains.com is one example of a variety of different websites designed to help identify
websites that belong to an organization. While many of these sites may be deliberately intended for
public consumption and others may be protected by login pages, the possibility exists that some are
unintentionally exposed to the internet. Accessing error pages or unintentionally exposed pages (that
should belong on the company intranet) can provide valuable intelligence about the systems that the
company uses.

4. VirusTotal

VirusTotal is a website designed to help with analysis of potentially malicious files. Anyone with an
account on the service can upload files or URLs for analysis and receive results that describe whether
or not the file or website is likely to be malicious, behavioral analysis and other potential indicators of
compromise.
The problem with VirusTotal is that it, and other similar sites, make the same information available to
any free subscriber (and provide more data to paid users). As attacks become more sophisticated and
targeted, malware or malicious websites targeting an organization may include sensitive internal data.
As a result, terabytes of sensitive data are being uploaded to the service by companies trying to
determine if they are the victim of an attack. A hacker searching through the data provided on
VirusTotal by keywords associated with a company can potentially find a great deal of valuable
intelligence.
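The mitigation for the VirusTotal problem described above is a pre-upload check: look the sample up by hash first (a hash reveals nothing about the contents), and only upload the file itself once it has been confirmed free of internal detail. The example below is added here and is not from the notes or from VirusTotal; the sample text, the internal-domain suffixes and the credential keywords are all constructed assumptions.

```python
import hashlib
import re

# Constructed sample standing in for a suspicious attachment (not a real
# artifact): it carries exactly the kind of internal detail the notes warn about.
SAMPLE = (
    b"Dear HR team,\r\nPlease review the attached invoice.\r\n"
    b"Reply to: finance@example.com\r\n"
    b"If the macro fails, connect to fileshare.internal (10.20.30.40)\r\n"
    b"smb password=Winter2024!\r\n"
)

# Patterns for data an organisation usually does not want in a public sandbox.
# The hostname suffixes and credential keywords are assumptions; extend to taste.
PATTERNS = {
    "internal IPv4": re.compile(
        rb"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
        rb"|\b192\.168\.\d{1,3}\.\d{1,3}\b"
        rb"|\b172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}\b"
    ),
    "email address": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "internal hostname": re.compile(rb"\b[\w-]+\.(?:internal|corp|local|lan)\b"),
    "credential": re.compile(rb"(?i)(?:password|passwd|pwd|api[_-]?key|token)\s*[=:]\s*\S+"),
}


def find_sensitive(data: bytes) -> dict:
    """Return {category: sorted distinct matches} for every category that hit."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = sorted({m.group(0).decode("ascii", "replace") for m in pattern.finditer(data)})
        if found:
            hits[name] = found
    return hits


def sha256_hex(data: bytes) -> str:
    """The value to look up first: a hash discloses nothing about the file."""
    return hashlib.sha256(data).hexdigest()


def sharing_decision(data: bytes) -> dict:
    """Allow a full upload only when no sensitive content was found; otherwise
    the caller should stop at the hash lookup and redact before sharing."""
    hits = find_sensitive(data)
    return {"sha256": sha256_hex(data), "upload_ok": not hits, "findings": hits}


if __name__ == "__main__":
    decision = sharing_decision(SAMPLE)
    print("look up hash:", decision["sha256"])
    print("upload ok:", decision["upload_ok"])
    for category, matches in decision["findings"].items():
        print(f"  {category}: {matches}")
```

Regular expressions will never catch every internal reference, so treat a clean result as "nothing obvious found", not as proof the sample is safe to share.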

5. Shodan

Shodan is a search engine for internet-connected devices. As the Internet of Things grows,
individuals and organizations increasingly are connecting insecure devices to the internet.
Using Shodan, a hacker may be able to find devices within the IP address range belonging to a
company, indicating that they have the device deployed on their network. Since many IoT devices are
vulnerable by default, identifying one or more on the network may give a hacker a good starting point
for a future attack.

Top active recon tools

Tools for active reconnaissance are designed to interact directly with machines on the target network
in order to collect data that may not be available by other means. Active reconnaissance can provide
a hacker with much more detailed information about the target but also runs the risk of detection.

1. Nmap

Nmap is probably the most well-known tool for active network reconnaissance. Nmap is a network
scanner designed to determine details about a system and the programs running on it. This is
accomplished through the use of a suite of different scan types that take advantage of the details of
how a system or service operates. By launching scans against a system or a range of IP addresses
under a target’s control, a hacker can learn a significant amount of information about the target
network.

2. Nessus

Nessus is a commercial vulnerability scanner. Its purpose is to identify vulnerable applications running
on a system, and it provides a variety of details about potentially exploitable vulnerabilities. Nessus is
a paid product, but the comprehensive information that it provides can make it a worthwhile
investment for a hacker.

3. OpenVAS

OpenVAS is a vulnerability scanner that was developed in response to the commercialization of
Nessus. The Nessus vulnerability scanner was previously open-source, and, when it became closed-
source, OpenVAS was created from the last open-source version to continue to provide a free
alternative. As a result, it provides a lot of the same functionality as Nessus but may lack some of the
features developed since Nessus was commercialized.

4. Nikto

Nikto is a web server vulnerability scanner that can be used for reconnaissance in a manner similar to
Nessus and OpenVAS. It can detect a variety of different vulnerabilities but is also not a stealthy
scanner. Scanning with Nikto can be effective but is easily detectable by an intrusion detection or
prevention system (like most active reconnaissance tools).
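Both the Nmap and the Nikto sections say that active reconnaissance "runs the risk of detection"; the added example below shows what that detection looks like on the defender's side. It is not from the notes or from either tool: the firewall and web-server log lines are constructed (the formats and the thresholds are assumptions), and the two detectors flag a source that touches many distinct ports in a short window and a client that announces a scanner User-Agent or piles up 404 responses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (assumed format, not from any real device):
# "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
FW_LOG = [
    f"2024-05-01T10:00:{i:02d} DENY src=203.0.113.7 dst=10.0.0.5 dport={port}"
    for i, port in enumerate(range(20, 35))  # 15 distinct ports in 15 seconds
] + [
    "2024-05-01T10:03:00 DENY src=198.51.100.2 dst=10.0.0.5 dport=445",
    "2024-05-01T10:20:00 DENY src=198.51.100.2 dst=10.0.0.5 dport=3389",
]

# Constructed web access log lines in a simplified combined log format.
WEB_LOG = [
    '203.0.113.7 - - [01/May/2024:10:05:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '203.0.113.7 - - [01/May/2024:10:05:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '198.51.100.9 - - [01/May/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

FW_RE = re.compile(r"^(\S+) \w+ src=(\S+) dst=\S+ dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
SCANNER_UA = re.compile(r"nikto|nmap", re.I)


def detect_port_scans(lines, min_ports=10, window_seconds=60) -> dict:
    """Return {src: distinct_port_count} for sources that touched at least
    min_ports distinct destination ports within any window_seconds span."""
    by_src = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        by_src[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {port for _, port in events[start:end + 1]}
            if len(distinct) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def detect_web_scanners(lines, max_404=5) -> dict:
    """Return {src: sorted reasons}: a known scanner User-Agent and/or an
    excessive number of 404 responses from one client."""
    not_found = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        src, status, ua = m.group(1), m.group(2), m.group(3)
        if SCANNER_UA.search(ua):
            reasons[src].add("scanner user-agent")
        if status == "404":
            not_found[src] += 1
            if not_found[src] >= max_404:
                reasons[src].add("many 404s")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FW_LOG))
    print("web scanners:", detect_web_scanners(WEB_LOG))
```

The User-Agent check is the cheap signal and the first thing a scanner's operator changes, so the 404-rate and port-window rules are the ones worth keeping in a real ruleset; tune the thresholds against a week of your own logs before alerting on them.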

5. Metasploit

Metasploit is primarily designed as an exploitation toolkit. It contains a variety of different modules that
have prepackaged exploits for a number of vulnerabilities. With Metasploit, even a novice hacker has
the potential to break into a wide range of vulnerable machines.
Although it was designed as an exploit toolkit, Metasploit can also be effectively used for
reconnaissance. At the minimum, using the autopwn option on Metasploit allows a hacker to try to
exploit a target using any means necessary. More targeted analysis can allow a hacker to perform
reconnaissance using Metasploit with more subtlety.

Conclusion: Performing network reconnaissance

Network reconnaissance is a crucial part of any hacking operation. Any information that a hacker can
learn about the target environment can help in identification of potential attack vectors and targeting
exploits to potential vulnerabilities. By using a combination of passive and active reconnaissance tools
and techniques, a hacker can maximize the information collected while minimizing their probability of
detection.
