Hace tiempo hablamos sobre el Plugin Metasploit WMAP , hoy os vamos a hablar del nuevo libro sobre Kali Linux y de su autor.
Rassoul Ghaznavi-zadeh, autor de «kali linux – Hacking tools introduction«, ha sido consultor de seguridad informática desde 1999. Comenzó como ingeniero de redes y seguridad, reuniendo conocimientos sobre negocios empresariales, gobernanza de seguridad y estándares y marcos como ISO , COBIT, HIPPA, SOC y PCI. Con su ayuda, numerosas organizaciones empresariales han llegado a puertos seguros mediante pruebas, auditorías y siguiendo sus recomendaciones de seguridad.Sin duda, una eminencia en hacking.
Hoy os traemos una breve entrevista que le hicieron a este gran experto en ciberseguridad, además del primer capítulo de su libro Kali Linux – Hacking tools introduction.
What made you write this book?
I have been working on Cybersecurity for more than 10 years now. A couple of years ago, I put together all my notes about penetration and ethical hacking and released them as a book. While I didn’t expect it, I received lots of good comments, and sold a lot of copies. This year, I decided to release a similar book with more details and information which can even be used in academic environments.
The first chapter states that the purpose of your book is to encourage and prepare the readers to act and work as ethical hackers. Can you describe your views on what it means to be an ethical hacker?
Ethical hacking is a process of investigating vulnerabilities in an environment, analyzing them and using the information gathered to tighten security to protect that environment.
An Ethical hacker would have extensive knowledge about a range of devices and systems. Ideally you should have multiple years of experience in the IT industry and be familiar with different hardware, software and networking technologies.
As an Ethical hacker you have a clear responsibility about how you use your knowledge and techniques. It is also important to understand the client’s expectations from an ethical hacker, and consider them when assessing the security of a customer’s organization.
Can you give us a quick tip on starting a penetration project as an ethical hacker?
As hackers, breaking the law or getting into trouble can sometimes be difficult to avoid, so it’s important to act legitimately and get your paperwork ready in advance. This includes signed approvals to access the customer’s network and system, signing an NDA, defining clear goals and timelines for you and your team and notifying appropriate parties, such as the sys admin, security department, legal department etc.
What new knowledge did you gain whilst writing your book?
Obviously writing a book is not an easy task, considering this is not my main job. Writing this book was a good opportunity for me not only to learn more about professional writing, but also refreshing my knowledge about the hacking tools and techniques. For every single tool introduction in this book, I have done some manual work by installing and testing the latest version of them on the newest version of Kali operating system.
Where can one acquire your book?
The book is available on most online stores like Amazon, Google, Itunes, Barns and Noble, Kobo, etc. I also have a couple of more books which can be found there including the original version of this book, “Hacking and Securing Web Applications” and “Enterprise Security Architecture”.
Following is the first of three chapters from “Kali Linux- Hacking tools introduction”.
Chapter 1- Ethical Hacking and Steps
By Rassoul Ghaznavi-zadeh
Ethical hacking is a process of investigating vulnerabilities in an environment, analyse them and use the information gathered to protect that environment from those vulnerabilities. Ethical hacking requires a legal and mutual agreement between ethical hacker and the asset and system owners with a defined and agreed scope of work. Any act outside of the agreed scope of work is illegal and not considered as part of ethical hacking.
What is the purpose of this book?
The purpose of this book is to prepare the readers to be able to act and work as an ethical hacker. The techniques on this book must not be used on any production network without having a formal
approval from the ultimate owners of the systems and assets. Using these techniques without having an approval can be illegal and can cause serious damage to others intellectual property and is a crime.
What are the responsibilities of an Ethical Hacker?
As an Ethical hacker you have a clear responsibly about how you use your knowledge and techniques. It is also very important to understand what the expectations from an Ethical hacker are
and what you should consider when assessing the security of a customer’s organization. Below are a couple of important things you must consider as an Ethical hacker:
- Must use your knowledge and tools only for legal purposes
- Only hack to identify security issues with the goal of defence
- Always seek management approval before starting any test
- Create a test plan with the exact parameters and goals of test and get the management approval for that plan
- Don’t forget, your job is to help strengthen network and nothing else!
What are the customer’s expectations?
It is very important to understand the customer’s expectation before starting any work. As the nature of this work (Ethical hacking) is high risk and requires a lot of attentions; if you don’t have a
clear understanding of their requirements and expectations, the end result might not be what they want and your time and effort will be wasted. This could also have some legal implications as well if you don’t follow the rules and address customer’s expectation. Below are some important things you should note:
- You should work with customer to define goals and expectations
- Don’t surprise or embarrass them by the issues that you might find
- Keep the results and information confidential all the time
- Company usually owns the resultant data not you
- Customers expect full disclosure on problems and fixes
What are the required skills of the hacker?
To be an Ethical hacker you should have extensive knowledge about a range of devices and systems. Ideally you should have multiple years of experience in IT industry and be familiar with different hardware, software and networking technologies. Some of the important skills required to be an Ethical hacker are as below:
- Should already be a security expert in other areas (perimeter security, etc.)
- Should already have experience as network or systems administrator
- Experience on wide variety of Operating Systems such as Windows, Linux, UNIX, etc.
- Extensive knowledge of TCP/IP – Ports, Protocols, Layers
- Common knowledge about security and vulnerabilities and how to correct them
- Must be familiar with hacking tools and techniques (We will cover this in this book)
How to get prepared for the Preparation testing
Once you want to start a penetration project, there are number of things that you need to consider. Remember, without following the proper steps, getting approvals and finalizing an agreement with customer; using these techniques is illegal and against the law.
- Important things to consider before you start:
- Get signed approval for all tests from the customer
- You need to sign confidentiality agreement (NDA)
- Get approval of collateral parties (ISPs)
- Put together team and tools and get ready for the tests
- Define goals (DoS, Penetration, etc.)
- Set the ground rules (rules of engagement with the customer and team)
- Set the schedule (non-work hours, weekends?)
- Notify appropriate parties (Sys admin, Security department, Legal department, law enforcement)