Assignment on the security and security evaluation of information systems



Information systems security


The security of an information system is described by three basic properties:

- Integrity: information and processing are not altered in an unauthorised way.
- Confidentiality: information is disclosed only to those authorised to receive it.
- Availability: the system and its information are usable whenever they are required.

Related properties are authenticity, validity, uniqueness and non-repudiation.


A vulnerability is a weakness of the system that can be exploited. Where the system processes personal data, the Greek data protection law [2472/97] is also relevant.

The threats considered include:

- Tapping: interception of data on a communication link.
- Traffic analysis: inferring information from the pattern of communication rather than from its content.
- Hardware failure.
- Spoofing: impersonating another host or address.
- Password stealing: by sniffing or by a brute force attack.
- Trapdoor exploiting: abuse of hidden entry points left in software.
- Port scanning.
- Unauthorised modification of data.
- Denial of Service.
- Distributed Denial of Service: launched from many compromised hosts (agents).
- Misuse of resources.
- Repudiation of action.
- Internal threats: from users inside the organisation.
- Masquerade.
- Viral software: including malicious scripts.
- Spamming.
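The "password stealing" entry above names brute force as one method. The Python below is an added illustration, not part of the original assignment: it runs a dictionary attack and an exhaustive brute-force attack against a captured salted PBKDF2 hash, and computes the keyspace the attacker has to cover. The credential record, the wordlist, the alphabet and the low work factor are all constructed for the example.

```python
import hashlib
import hmac
import itertools

# Work factor for the example only; a real deployment uses hundreds of thousands of iterations.
ITERATIONS = 200

def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the kind of salted, iterated hash a password file stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

# Constructed "captured" credential record (salt + digest). The password is weak on purpose.
CAPTURED_SALT = b"constructed-salt"
CAPTURED_DIGEST = derive("c1b", CAPTURED_SALT)

def dictionary_attack(digest: bytes, salt: bytes, wordlist, iterations: int = ITERATIONS):
    """Try each candidate from a wordlist; return the password on a match, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(derive(candidate, salt, iterations), digest):
            return candidate
    return None

def brute_force(digest: bytes, salt: bytes, alphabet: str, max_len: int,
                iterations: int = ITERATIONS):
    """Exhaustive search over every string of length 1..max_len drawn from alphabet.
    Returns (password, candidates_tried); password is None if the space is exhausted."""
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if hmac.compare_digest(derive(candidate, salt, iterations), digest):
                return candidate, tried
    return None, tried

def keyspace(alphabet_size: int, max_len: int) -> int:
    """Worst-case number of candidates: the attacker's cost grows with alphabet and length."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

if __name__ == "__main__":
    print(dictionary_attack(CAPTURED_DIGEST, CAPTURED_SALT, ["password", "letmein", "123456"]))
    print(brute_force(CAPTURED_DIGEST, CAPTURED_SALT, "abc123", 3), keyspace(6, 3))
```

The salt defeats precomputed tables (RainbowCrack-style attacks), and the iteration count multiplies the cost of every candidate; neither helps a password short enough for the whole keyspace to be enumerated.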

What is penetration testing?

Penetration testing (Penetration Testing) is presented here alongside vulnerability analysis (Vulnerability Analysis).


Figures attributed to the Computer Emergency Response Team (CERT) give a total of $141,496,560 for 2004. Factors cited for the growth of attacks are:

- the spread of LANs
- hacking marketing
- hacktivism


Professional certifications in this area include CCIE Security, CEH, CISSP, CCSP, GIAC, OPSTA and Security+.

The CSI/FBI 2002 survey found that 90% of respondents had detected computer security breaches, while only 34% reported them to law enforcement.

The Organisation for Economic Co-operation and Development (OECD) issued guidelines for the security of information systems in 1992 and revised them in 2002; a further OECD text from 1995 is also cited.

The term hacking originated at MIT in the 1960s with the Tech Model Railroad Club (TMRC). Hacking is distinguished from cracking: an ethical hacker (white-hat hacker) tests systems with the owner's permission, a black-hat hacker attacks them for his own ends, and grey-hat hackers fall between the two. In security evaluation the ethical hacker is also called a penetration tester, and a group of them a tiger team. The treatment of denial of service (DoS) attacks is agreed in advance.

Penetration tests are classified by how much the tester is told about the target:

- black-box: the tester knows only what an outside hacker would, for example an IP address;
- white-box: the tester is given full information about the target;
- gray-box: the tester has partial knowledge.

Before the test begins, the client and the tester agree on its scope. Questions to settle include:

- whether Trojan software may be used;
- which type of test is wanted (black-box, white-box, gray-box);
- whether the IT staff will be informed;
- what the target of evaluation (target-of-evaluation, TOE) is;
- whether social engineering is permitted.

A threat (Threat) is a potential cause of harm to the system; a vulnerability (Vulnerability) is a weakness that a threat can exploit. Web portals such as Joomla, Vbulletin and Drupal are given as examples (SQL injection vulnerabilities). An exploit takes advantage of a vulnerability, and a DoS is one possible outcome. Exploits for vulnerabilities that are not yet publicly known are zero-day exploits, against which no patch exists.

The tester follows the same steps as an attacker (hacker):

1. Reconnaissance (Performing Reconnaissance): gathering information about the target. Passive reconnaissance includes social engineering; active reconnaissance probes the target directly.
2. Scanning and enumeration (Scanning & enumeration): finding live hosts, open ports and the services behind them.
3. Gaining access (Gaining access): exploiting a weakness found in the previous step.
4. Maintaining access (Maintaining access): keeping a foothold, for example with a rootkit or by planting sniffers.
5. Covering tracks (Covering tracks): clearing log files and hiding tools and data, for example in NTFS Alternate Data Streams (Alternate Data Streams, ADS).
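The following Python, added here as an illustration and not part of the original assignment, carries out step 2 (scanning and enumeration) against a throw-away service started on 127.0.0.1 so that it runs offline: a TCP connect() scan classifies ports as open, closed or filtered, and a banner grab reads the first bytes the service sends. The local service and its banner string are constructed for the example.

```python
import socket
import threading

def start_fake_service(banner: bytes):
    """Throw-away TCP service on 127.0.0.1 that greets every client with a banner.
    It stands in for the real target so the scan can run offline.
    Returns (port, server_socket); close the socket to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed: end the thread
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # client hung up first (a bare connect() scan does this)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv

def free_closed_port() -> int:
    """A loopback port that nothing listens on, so the scan can observe a 'closed' result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect() scan. A port is 'open' when the three-way handshake completes,
    'closed' when the host answers with RST (ConnectionRefusedError) and
    'filtered' when nothing comes back before the timeout."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # includes socket.timeout
            results[port] = "filtered"
        finally:
            s.close()
    return results

def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Enumeration: read whatever the service sends first; version strings leak here."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", errors="replace").strip()
        except OSError:  # the service said nothing before the timeout
            return ""

def scan_and_enumerate(host: str, ports) -> dict:
    """Combine both steps: {port: (state, banner)}; banners are grabbed only from open ports."""
    report = {}
    for port, state in connect_scan(host, ports).items():
        report[port] = (state, grab_banner(host, port) if state == "open" else "")
    return report

if __name__ == "__main__":
    port, server = start_fake_service(b"SSH-2.0-ConstructedServer_1.0\r\n")  # constructed banner
    for p, (state, banner) in scan_and_enumerate("127.0.0.1", [port, free_closed_port()]).items():
        print(f"{p}/tcp {state} {banner}")
    server.close()
```

A full connect() scan completes the handshake on every open port and therefore appears in the target's connection logs; tools such as Nmap or hping2 use half-open (SYN) scans and rate limiting to stay quieter, which is part of what step 5 later has to clean up.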

Tools used in the phases above (a fuller, maintained list is at http://sectools.org/; most of them run on Linux and Unix):

- Footprinting tools: Nslookup, Whois, ARIN, Neo Trace, VisualRoute Trace, SmartWhois, eMailTrackerPro, Website watcher, Google, Google Earth, GEO Spider, HTTrack Web, Googlag, MyIP Suite, BiLe Suite, Alchemy Network Tool, Wikt, Lan Whois, Country Whois, WhereIsIP, Ip2country, CallerIP, Samspade, SpiderFoot, Web The Ripper, Necrosoft Advanced DIG, DomainKing, Domain Name Analyzer, MSR Strider URL Tracer, Mozzle Domain Name Pro, Path Analyzer Pro, Maltego, Read Notify, Netcraft Toolbar.
- Password crackers: Cain and Abel, John the Ripper, THC Hydra, Aircrack, Airsnort, SolarWinds, Pwdump, RainbowCrack, Brutus.
- Packet sniffers: Wireshark, Kismet, Tcpdump, Dsniff, Ettercap, NetStumbler, Ntop, KisMAC.
- Vulnerability scanners: Sara, QualysGuard, SAINT, MBSA, Nessus, GFI LANguard, Retina, Core Impact, ISS Internet Scanner, X-scan.
- Web vulnerability scanners: Nikto, Paros proxy, WebScarab, WebInspect, Burpsuite, Wikto, Acunetix WVS, Watchfire AppScan, N-Stealth.
- Wireless tools: Kismet, NetStumbler, Aircrack, Airsnort, KisMAC.
- Vulnerability exploitation tools: Metasploit Framework, Core Impact, Canvas.
- Packet crafting tools: Hping2, Scapy, Nemesis, Yersinia.

A Public Key Infrastructure (Public Key Infrastructure, PKI) rests on trusted third parties (Trusted Third Parties, TTP), so the trustworthiness of those parties is itself something the evaluation has to establish.

Security evaluation is a form of quality assurance (quality assurance). A distinction is drawn between "secure" and "trusted": a secure system is one that is known (known) to meet its security requirements, whereas a trusted system is one that is believed (believed) to. Evaluation criteria such as TCSEC (Orange Book) express the requirements as a functional profile (functional profile) that the system's security functions are checked against.

Two degrees of trust in a TTP are distinguished:

- a functionally trusted TTP (functionally TTP) is relied on to carry out its function honestly and correctly, but is not given the users' secrets;
- an unconditionally trusted TTP (unconditionally TTP) is relied on absolutely and holds the users' secret keys, so its compromise compromises every user.

Key recovery (key recovery) and key escrow (key escrow) allow an encryption key to be reconstructed when its holder is unavailable or when a lawful authority requires it. The key, or the information needed to rebuild it, is deposited with one or more escrow agents (escrow agents), who are themselves trusted third parties in the sense above.
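One way to deposit a key with several escrow agents without trusting any one of them unconditionally is threshold secret sharing. The Python below is an added example, not from the original assignment: it implements Shamir's scheme, issuing one share per agent so that any `threshold` agents can reconstruct the key while fewer learn nothing. The choice of the 521-bit Mersenne prime as field and the limit of 64-byte keys are assumptions of this example.

```python
import secrets

# Field for the arithmetic: 2**521 - 1 is a Mersenne prime, so any key of up to 64 bytes
# fits as a field element. (Assumption of this example, not of the original text.)
P = 2**521 - 1

def _eval_poly(coeffs, x: int) -> int:
    """Evaluate the polynomial with the given coefficients (coeffs[0] = secret) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_key(key: bytes, threshold: int, agents: int):
    """Issue one share (x, y) per escrow agent. Any `threshold` shares rebuild the key;
    fewer give no information, because the other coefficients are uniformly random."""
    secret = int.from_bytes(key, "big")
    if not 1 < threshold <= agents or secret >= P:
        raise ValueError("need 1 < threshold <= agents and a key shorter than the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, agents + 1)]

def recover_key(shares, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over the shares the agents handed in.
    With too few (or tampered) shares the result is a random field element, which
    almost never fits in key_len bytes; that case is reported instead of returned."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    if secret >= 256 ** key_len:
        raise ValueError("shares do not reconstruct a key of that length (too few or tampered)")
    return secret.to_bytes(key_len, "big")

if __name__ == "__main__":
    key = secrets.token_bytes(32)                    # e.g. an AES-256 key
    shares = split_key(key, threshold=3, agents=5)   # 3 of 5 escrow agents must cooperate
    print(recover_key([shares[0], shares[2], shares[4]], 32) == key)  # True
```

A 3-of-5 split means no single agent, and no pair of colluding agents, can recover the key, while the loss of up to two agents does not lose it; which shares are used does not matter, since any three points determine the degree-2 polynomial.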


Online sources:
- www.insecure.org
- www.wikipedia.org
- www.thc.org
- www.securiteam.com
- http://sectools.org/
