Securing Exploits and Vulnerabilities: Ethical Hacking - Essay Example

Summary

This essay investigates security testing software that, if adopted, will benefit the organization's corporate information systems. The subject of the analysis is the Metasploit security tool's penetration testing capabilities, which include password attacks, authentication bypass and operating system security testing, among others.

Ethical Hacking: Executive Proposal

Overview

Advanced Research recognizes the significance of testing its security architecture for exploits and vulnerabilities before attackers take advantage of them and cause serious losses. Acting on my mandate as the IT manager responsible for physical and operational security, I present security testing software that, if adopted, will benefit the organization's corporate information systems. The software proposed here is developed by Rapid7, a security management company whose product line includes Nexpose, Metasploit, Mobilisafe, ControlsInsight and UserInsight. The subject of this proposal is the Metasploit penetration testing tool, whose capabilities include password attacks, authentication bypass and operating system security testing, among others.

Description of the software and benefits

Recognizing that organizations need to test their defenses more accurately, Rapid7 developed a suite of testing tools for every environment. Metasploit is presented as an attacker's playbook backed by hundreds of thousands of users and contributors. It is penetration testing software that gives an organization insight into its security posture, including weak points and vulnerabilities, before a malicious attacker finds them. Skilled penetration testers able to simulate attacks on the network and unearth security issues are hard to come by in an organization, and the few IT professionals and security experts available spend much of their time on repetitive tasks and script customization, leaving little time for the core problem of identifying security issues and advising accordingly (Maynor, 2008). Metasploit Pro is an advanced penetration testing product that aids testers in conducting security assessments by leveraging discovery, exploitation, brute-forcing and reporting tools. The result is advanced evasion and post-exploitation techniques as well as better management of the large amounts of data an assessment produces. The software is easy to use even for security professionals new to penetration testing procedures, and testing with it is not only efficient but fast; the vendor's figure is a 45% increase in productivity.

Second, the tool is used to validate vulnerabilities and exploits in order to define an effective remediation strategy. Most vulnerability scanners can determine installed applications and their vulnerabilities but lack the intelligence to determine the exact risk to the organization's network (Takanen et al., 2008). This is challenging because security staff cannot tell which vulnerability to remedy first. Metasploit Pro closes this gap by presenting the risk objectively: a vulnerability that has actually been exploited during the assessment outranks one that is merely reported by a scanner. Through integration with Nexpose, a vulnerability management solution that can tell the "who, what and where" of a risk, remediation programs can be prioritized (Rapid7, 2014).

Third, Metasploit is used to manage phishing exposure and protect employee credentials. Phishing is recognized as the third most popular attack vector against companies. There is always a grey area when it comes to measuring and managing an organization's phishing exposure and gauging the effectiveness of the applicable training and technical controls. Metasploit gauges the effectiveness of a security awareness program by conducting simulated phishing campaigns, so that exposure to phishing attacks can be measured and reduced.

Product reviews, case studies and customer recommendations

Metasploit has been tested in a variety of fields and found to be effective. Jim O'Gorman, President of Offensive Security, attributed its use to time savings and fewer interruptions of organizational activities: "Time savings is our prime motivation for using Metasploit Pro" (Rapid7, 2014). Ben Holder, a security consultant at Lumenate, termed Metasploit useful software for delivering closed-loop vulnerability reports that facilitate the development of remediation activities; according to Holder, vulnerability discovery is simplified by 70-80% with Rapid7 products. With respect to phishing capabilities, Metasploit is a strong business driver. Tim Pospisil, IT Security Supervisor at Nebraska Public Power District, commented in an interview: "What really facilitated our move to the top were the phishing provisions of Metasploit ... To me, that was a critical business driver" (Rapid7, 2014).

Personal experiences with Metasploit

Having installed the free 14-day trial edition of Metasploit Pro, I realized that the software is far more beneficial than I had thought. The first feature that was beneficial in my case is the ability to test the network for weak and reused passwords across multiple accounts. This feature is important because security professionals can detect the common sources of password compromise found in many organizations. In addition to cracking operating system accounts, Metasploit Pro can initiate brute-force attacks against multiple account types such as databases, web servers, email accounts and remote administration accounts. The software is advanced in evading detection by common anti-malware solutions; this is one of the features that will eliminate the false positives produced by many software packages. With dynamic payloads, it can evade anti-malware solutions 90% of the time. The ability to get past firewalls and IPS using traffic-level evasion procedures imitates the actions of dedicated attackers and helps an organization develop an advanced security boundary. With all the capabilities mentioned, the best experience was reporting.
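The weak and reused password sweep described above, as an added example that is not part of the essay or of Rapid7's own material: a msfconsole resource script for the free Framework edition (Pro wraps the same login scanner modules in its web interface). It scans the services into the database, runs one short wordlist against SSH, SMB, MySQL and PostgreSQL logins, then replays every credential pair that succeeded against the other services so that a password reused across accounts shows up in the credential store. The lab range, the wordlist paths and the workspace name are assumptions for illustration; the module and option names are Metasploit's own.

```msfconsole
# Added example (not from the essay or Rapid7): msfconsole resource script.
# Run with:  msfconsole -q -r weak-creds.rc   (database must be initialised, e.g. msfdb init)
# Assumptions: lab range 10.0.0.0/24, wordlists under /opt/lists, and written
# authorisation for every host in that range.
workspace -a advanced-research-lab   # assumed workspace name; keeps this run's data separate

# Global options picked up by every login scanner below
setg THREADS 8
setg STOP_ON_SUCCESS false   # keep going after the first hit: we want every
                             # account that falls, so reuse becomes visible
setg BRUTEFORCE_SPEED 3      # 0-5; throttled so domain lockout thresholds are not tripped
setg USER_AS_PASS true       # also try username as the password
setg BLANK_PASSWORDS true    # and an empty password
setg DB_ALL_CREDS true       # replay every user/pass pair already stored in the db;
                             # this is what surfaces a password reused across services
setg USER_FILE /opt/lists/users.txt           # assumed path
setg PASS_FILE /opt/lists/weak-passwords.txt  # assumed path: short, realistic list

# 1. Discovery: scan into the database so each scanner can pick its own targets
db_nmap -sS -p 22,445,3306,5432 --open 10.0.0.0/24

# 2. The same list against each service type. "services -p N -R" sets RHOSTS
#    to the hosts that have that port open according to the database.
use auxiliary/scanner/ssh/ssh_login
services -p 22 -R
run

use auxiliary/scanner/smb/smb_login
services -p 445 -R
run

use auxiliary/scanner/mysql/mysql_login
services -p 3306 -R
run

use auxiliary/scanner/postgres/postgres_login
services -p 5432 -R
run

# 3. Second pass over SSH using only the credentials the later scanners found,
#    so a database password that is also someone's shell password is caught too.
unsetg USER_FILE
unsetg PASS_FILE
use auxiliary/scanner/ssh/ssh_login
services -p 22 -R
run

# 4. Review: every successful login is a credential row; the same password
#    appearing on several hosts or services is the reuse the essay describes.
creds
creds -o /tmp/advanced-research-creds.csv   # export for the assessment report
```

Two practical points. STOP_ON_SUCCESS is left false deliberately: the point of the exercise is the full set of accounts that fall, not the first one. And a sweep like this against domain accounts will lock them out if the password list is longer than the lockout threshold, which is why the list is kept short and BRUTEFORCE_SPEED is throttled; agree the list and the timing with the system owners before running it against production.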
After penetrating the network undetected, Metasploit can effectively report on the findings from the network and application-layer perspective. I managed to generate reports of network bypass in a few steps rather than the tedious process of copying and pasting results at every stage. Report writing is the most frustrating part of any security analysis, in addition to the time taken to compile all the particulars. The automated reports save up to a third of the assessment time, which is valuable for any manager or security professional.

Cost considerations

Metasploit is available in four editions: the Pro edition for advanced penetration tests and enterprise security programs, the Express edition for baseline penetration tests, the Community edition, available free of charge for entry-level use, and the Framework edition, a free open-source development platform. The Pro edition is offered on a 14-day trial, after which the user obtains a full license. Pro is the top-tier edition, with advanced capabilities including dynamic payloads that circumvent leading antivirus packages, full access to internal networks through a compromised machine via VPN pivoting, closed-loop vulnerability validation and remediation prioritization, and phishing awareness management, among others. The Express edition has fewer capabilities than Pro; it includes smart exploitation, automated credential brute-forcing and baseline penetration testing reports. The full-featured Pro edition costs $15,000 per user per year; the Express edition is much cheaper at $3,000 per user per year (Kennedy et al., 2011). Additional costs include training on software deployment, administration and operational expertise. Training is intended for different types of security personnel, such as certified administrators and specialists, and costs a flat rate of $2,000; webinars are offered regularly and free of charge. Training takes place every month at different locations in the Americas, EMEA and APAC, and all information is available on the company's website at http://www.rapid7.com/services/training-certification/product-training.jsp.

System requirements

Metasploit's system requirements are modest: the application can run on a system with a 2 GHz+ processor, 2 GB of RAM and 1 GB of disk, although 50 GB of disk is recommended. The web interface requires Mozilla Firefox 18.0+, Microsoft Internet Explorer 9+, Google Chrome 10+ or Iceweasel 18+ (Kennedy et al., 2011). The software runs on a variety of operating systems including Windows Vista, 7 and 8, Windows Server 2003 and above, Red Hat Enterprise Linux 5, Ubuntu Linux 10 and Kali Linux 1.0 (Kennedy et al., 2011).

Effects of the software on the production environment

Rapid7 has always-available customer support offering product auto-updates, testing guarantees and a round-the-clock vulnerability SLA (Rapid7, 2014). All these services improve an organization's operational environment by ensuring that production is not impacted in a major way. Exploit modules and brute-force attacks can still crash a fragile service or lock out accounts, so assessments of production systems should be scoped and scheduled with the system owners. Rapid7 maintains a comprehensive database of vulnerabilities, numbering in the hundreds of thousands, which all users can use as a benchmark in establishing their own. License holders receive due attention in solving any problem that comes up in the course of deployment, configuration and use. Thus, other than normal installation interruptions, the software has no reported difficulties in the course of its use.

Conclusion

I propose Metasploit as the organization's information systems security testing tool. This software solution provides advanced capabilities that will unearth security issues and vulnerabilities little known within Advanced Research. Given the current security standing and the strategic position the company occupies in medical research and development, nothing should be left to chance, and the way to achieve this is by adopting Metasploit.

References

Kennedy, D., O'Gorman, J., Kearns, D., & Aharoni, M. (2011). Metasploit: The Penetration Tester's Guide. No Starch Press.

Maynor, D. (2008). Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Syngress/Elsevier.

Rapid7. (2014, September 24). Metasploit: Penetration Testing Software. Retrieved from http://www.rapid7.com/products/metasploit/capabilities.jsp

Takanen, A., DeMott, J., & Miller, C. (2008). Fuzzing for Software Security Testing and Quality Assurance. Artech House.
Source: Securing Exploits and Vulnerabilities: Ethical Hacking (CMIT 321 executive proposal, 1250 words, n.d.), https://studentshare.org/information-technology/1839907-cmit-321-ethical-hacking-executive-proposal