DoS, DDoS and DeOS… Oh My!!

In the security industry, we classify our security infrastructure in a variety of ways. One important classification method is called the “CIA Triad,” which refers to three security objectives defined by the Federal Information Security Management Act (FISMA). These three objectives are Confidentiality, Integrity and Availability. The goal of any information security team is to protect these three objectives, and the goal of an attacker is to compromise one or more of them.


CEH v9 Question of the Week: Password Attack Method

Kelly is a network security officer for a large state-run agency in California. Kelly is asked by the IT manager of another state agency to perform a security audit on their network. The audit she is asked to perform is an external audit. The IT manager thought that Kelly would be a great candidate for this task since she does not work for this other agency and is an accomplished IT auditor. The first task she is asked to perform is an attempt to crack user passwords. Since Kelly knows that all state agency passwords must abide by the same password policy, she believes she can finish this particular task quickly. What is the best password attack method for Kelly to use in this situation?


CEH v9 Question of the Week: Social Engineering Attack

Kevin, an IT security consultant, is working on contract for Davidson Avionics to audit the company’s network. He is given permission to perform any necessary tests. Kevin creates a fake company ID badge and uniform and waits by one of the company’s entrance doors. He follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Kevin employed?


CEH v9 Question of the Week: Password Cracking Tool

Johnny is a member of the hacking group Orpheus1. He is currently working on breaking into the Department of Defense’s front-end Exchange Server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of time to crack it. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password. What tool would be best used to accomplish this?
