IT Security Fundamentals
This is a beginner-level course designed to provide you with an introduction to Information technology security concepts. The course will suit anyone interested in understanding the fundamentals of security concepts from a business and technology perspective.
In this course we will provide:
- An introduction to the concept of Information Security
- We will cover the basic concepts that pertain to Information Security
- We then begin to answer the question - what is information security and why do we need it?
- We then explore some of the frameworks, controls and activities we can implement to control information security
This is a beginner level course where having a basic understanding of computing concepts will be useful
Please reach out to us at firstname.lastname@example.org with any questions, comments or feedback.
Hello and welcome back. We're now looking at the area of ethical testing and in this lecture, we’re going to look at Kali Linux.
Kali Linux is a penetration testing operation system run by Offensive Security Ltd.
Offensive Security are actually the owners of the course, you may have heard of it, the OSCP course. It’s created by Kali Linux and definitely worth looking into.
They also run the Exploit Database. And they do a training on Metasploit. Metasploit is a framework used for vulnerabilities. I think about Metasploit like a vulnerability gun, where you load the Metasploit framework, which is just software, with vulnerability bullets, you aim it at the target, and you pull the trigger. Also known as Exploit, or Run. And then you just hack a system essentially.
They also house the Google Hacking Database. And they have the Kali NetHunter which is an Android penetration platform.
The Google Hacking Database is just an index of Google searches used to obtain sensitive data.
Kali Linux is where we find our operating system. You can download it. Here you go. These are the actual ISO images. You can also download virtual images for VMware, VirtualBox, and also Hyper V. And you can run those, and it works quite well. My personal favorite is the VirtualBox version.
So they use those same tools both to be an attacker or to be a defender. Okay, so our attackers, they are known as Red Team. And Blue Team, we can also use it to test our environment, to make sure it's safe.
So that brings us to the world of penetration testing. Penetration testing comes in a couple of different flavors. You’ve got Red Team, external, the kind of people you hire to hack yourself so you can get good feedback as to how good your security posture is.
Blue Team, your internal folk where you kind of do it yourself. You're testing your own environments.
You've got Purple Team, which is a mixture of both, where they come together and try and get a blend of knowledge about your organization, and what's capable.
With Red Team they'll try everything under the sun to get into your organization. Or rather whatever is inside the scope. So as long as it's inside the scope it's fair game. If it's outside the scope it stops being ethical testing.
So, if a company says to a tester, "You can check our server farm." and as they were testing the server farm they found that there was a way to get from the server farm to the company’s actual app and its customer data storage, but the customer data storage wasn't in the scope of the test, but the tester hacked it anyway to show, "Hey look. This is vulnerable as well,” then that's not ethical, in fact, they've actually broken the law, because it's outside the scope of the agreement.
So that's what ethical testing is. It's just testing inside the scope of the agreement that's made between a company and a tester. And that's when you start to fall into the world of gray hats.
A gray hat is a hacker who may not operate to the ethical testing standards we've discussed here, but they don't have malicious intent. So their intentions are still good.
Originating from a systems administration/network architecture career, a solid part of his career building networks for educational institutes. With security being a mainstay his implementation he grew a strong passion for everything cyber orientated especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship. A CCNA Cyber Ops holder and elected for the CCNP Cyber Ops program.