
Hi, I'm Ben, your computing teacher for this lesson.

Now this is Key Stage 4 security, and we're up to lesson six already.

Now this lesson is called Where is the Danger.

And what we're going to do is explore how actually getting someone to deliberately attack our systems and penetrate our network might actually be the best form of defence.

So all you'll need for this lesson is a computer and a web browser.

And as always, if you can clear away any distractions that you might have, that'd be absolutely great.

So once you're ready, let's begin.

So in this lesson, you will describe different methods of identifying cybersecurity vulnerabilities, such as penetration testing, network forensics, commercial analysis tools, and we're going to have a review of network and user policies.

Okay.

So let's get started now.

I've got an activity for you to do straight away.

Now this activity is called meet a real world hacker.

So I'd like you to go to activity one in your worksheets, and there's a video for you to watch where a young person has a conversation with a real world hacker, okay? So you've got to watch that video, see how it goes.

And there are some nice questions for you to answer based on the video.

Okay.

So you can pause the video, watch the video on your worksheets, answer the questions, and once you've done that, you can un-pause and we'll continue.

Okay, so let's move on to something called ethical hacking.

Now, hopefully in that video, you saw an explanation of a hacker, but he was an ethical hacker.

He wasn't a hacker who was deliberately trying to do bad things, as maybe we might associate the word hacking with, okay? So, the title of this slide is Where's the danger / Who are the heroes? So from that video, you know the ethical hackers are paid to discover weaknesses in computer systems for the benefit of a company's cyber security.

So not to disrupt systems, not to cause danger, not to steal data, but actually for the benefit of enhancing a company's cybersecurity.

So how do companies do this systematically? So this is through something called penetration testing.

Now, penetration testing is a type of security testing that is used to test for insecure areas of a system or application.

So as we've already got a sense of, we're paying people to deliberately try and work out where our vulnerabilities are, try and actually deliberately hack a network for us, but then at the end of it to say, well, actually these are your weaknesses.

And this is how I got into the system.

And that's going to help a company be able to better prepare themselves, to avoid such attacks in future, to kind of patch up those loopholes that people have found.

So much of this actually focuses on something called network forensics, which is monitoring and analysis of computer network traffic.

And that's done for information gathering and intrusion detection.

Now the goal of this testing is to find all the security vulnerabilities, including susceptibility to social engineering, of a system being tested.

Now that's key as well.

So it's not just maybe the automated forms of attack.

It may well be actually working out where those weaknesses are with actually human beings as well.

So what exactly are penetration testers looking for? Well, let's go through the kind of steps that they might take.

Now first one might be physical security.

So physical security describes the security measures that are designed to deny unauthorised access to facilities, equipment and resources, and to protect personal property from damage or harm.

For example, the use of passcards and biometric checks.

And what I mean by biometrics is things that are unique about your person.

So your fingerprints or retinal scans, for example.

So, when we say physical security, this isn't something that software can prevent.

This is physical access to the building, okay.

Or physical access to the equipment, or once they've got access to that equipment, what can they do with it once they're there? Okay.

And I want to say, not that it doesn't involve software.

There is an element of software there.

For example, we know that biometric checks require some kind of software, but what we're trying to do is stop this physical entry rather than a remote entry, maybe using a network or the internet.

Okay, another method might look at training.

So does the company provide ongoing training for staff to make sure that they understand the potential social engineering threats? Do they have good network policies and user access levels? Are staff able to access all the network, all the files on the network, or only restricted to the ones that they need? Or are staff being trained not to look at a phishing email, for example? Or not to click on the links, more importantly, I guess.

Okay, so number three is data storage and software security.

Okay, so for data storage, we're supposed to ask the question: can a penetration tester use tools to retrieve data from the company systems? Software security: does the company keep a check on necessary patches and good use of anti-virus software with firewalls? So all these things can be tested.

And why don't we talk about patches? Remember that WannaCry ransomware attack: the patches weren't up to date on lots of people's computers.

And therefore people were able to exploit that weakness with the operating system.

So that might be something that a penetration tester might test.

So what methods do ethical hackers use? Well, they use commercial analysis tools.

For example, the National Cyber Security Centre, the NCSC provides a free service to public-service organisations called NCSC Check or NCSC Web Check.

So these need commercial tools to be able to say, just commonly available tools to try and actually go into someone's network and try and hack them.

Okay.

And they might also use other methods, as we've just explored.

But actually what's important is there are also these free checks that people can do.

They'll do a web check to test for the more common vulnerabilities in a network.

So penetration tester methods.

What do you think a penetration tester does in each of these phases? So match the title with the description.

So those titles are: Planning phase, discovery, attack phase and reporting phase.

They're all in the correct order.

What aren't in the correct order are the A, B, C and D.

So what your task is now is to head over to your worksheets and see if you can put A, B, C, D in the right order to match the list on the left-hand side.

Now you can move on to your worksheet, and there's that slide there that you saw.

So either you can draw a line between the right numbers and letters, or you might just re-order the letters so they match up with the right numbers and they are in the right order.

Okay? So pause your video again and then un-pause when you've done that.

Okay, so how did you get on with that? So what we're going to do is look through the answers now.

So the answers I have on my slides, in front of you now, are the actual answers.

So if you want to go back and correct your answers, if you got it wrong, don't be afraid to pause the video and do that.

So the planning phase should be linked up with C.

So that's examining existing security policy standards that are already in place.

Number two, the discovery phase.

That's when they collect information and data on the system, they scan the available ports to check for any vulnerabilities.

So once they've discovered those vulnerabilities, we move on to the attack phase.

Now what happens in the attack phase? Well, hopefully it's fairly obvious.

They actually attack the system.

So they use those vulnerabilities to exploit them and see what happens, see what they're able to get access to once they attack them.

So this says: find exploits of various vulnerabilities.

And then the reporting phase, this describes the risk of vulnerabilities and their impact on the business with some solutions.

So once they've attacked them, they provide some solutions and how they can patch them up, and recommendations on how they can stop them from being vulnerable going forward.

Okay.

So let's move on to another exercise I have for you.

So this is called Rufus Rants, okay? So Rufus Rants is a social media company for angry people, okay? Now the Rufus Rants company has invited a consultant in to penetration test its systems. So this is where you come in.

So knowing nothing more about the company at this stage, your job is to design a penetration test, to check their physical security, their software security, as well as to see how vulnerable they are to social engineering.

So what I'd like you to do is head over to task three on your worksheet, to design an actual penetration test, to check the physical and software vulnerabilities, as well as the social engineering vulnerabilities, of Rufus Rants.

Now, at this stage, you don't know anything about the company, but if you head over to task three on your worksheets, there are three slides recommending different types of physical security tests you can do, software security tests you could do, as well as some social engineering tests you could do.

So on the fourth slide of task three, what I'd like you to do is write down which tests you would complete.

You must pick one physical, one software and one social engineering attack to try out. Pick one and then write on your worksheet what that might test, okay? So read the first few slides, pick your different methods and then write them down on the worksheet, okay? So once you've done that, I'll be here when you get back.

Okay, so now you've actually designed the attack.

Let's find out a little bit more about Rufus Rants, and that will help you determine whether or not, or what kind of, vulnerabilities your tests might have found, okay? So now that you've designed your test, let's find out a little bit more about the Rufus Rants company.

So let's start off with physical security.

Now, for their physical security, they have swipe card access for staff.

Visitors sign in with reception and the company has its own central server room, okay? So that's all the information we have that you need.

Swipe card access for staff, and visitors sign in.

And that's all they do.

And there is a central server room, a dedicated server room, but does that server room have any security on it? Well, we're not being told it does.

Okay, so let's look at what data they actually collect.

Now Rufus Rants has angry people from around the world and keeps data on all of its users.

Now this data includes their profile names, the demographic data of its users.

So what do you think is meant by demographic data? So we might be looking at things like their age, their gender, their religion, their employment status, their income, anything like that is counted as demographic data.

They collect user photos, user blog posts, contact lists and forum discussions.

So just to expand on this, the data includes activity data such as the login times and places for all the users.

The company also has advertisers who promote relevant products to its angry users, such as camomile tea and boxercise classes to calm them down.

The company keeps financial data about its advertisers on file, and they charge the advertisers for space on their site.

The company also keeps financial data about the users as they buy Rufus Rants merchandise through an online platform, including t-shirts and branded stress relief toys, okay? Now, this is really important when you come back and look at whether or not your tasks were successful.

So what data might you have had access to? 'Cause these slides are important.

So what about data storage then? Well, currently some staff have permanent desks with PCs and others share desks using laptops, which they also take home and to the offices of their advertising clients.

So basically, with these laptops, they're able to keep them as a hot desk so they can use them in the workplace, but they also take them home and they also might take them elsewhere as well, okay? Users are allowed to plug any devices into the USB ports.

The company currently has a central server on-site, which houses most business critical company files such as the website, human resources information and financial information.

And staff email is cloud stored through Gmail, okay? So everything else is hosted locally on-site, but it's only the emails that are stored in the cloud.

So let's move on to software security now.

So the company has firewalls and it uses antivirus software, okay? The IT department installs system patches in a kind of haphazard way, and the directors are unaware of the need to plan properly to manage upcoming threats.

So what do you think it means by they install patches haphazardly? I suppose it means maybe when they remember, so they might occasionally just say, "Oh, we've got to check to see whether or not there's any patches available."

Yeah, there are, so we'll just do that, okay? And maybe in a month's time they might check again, or maybe even two weeks, or maybe the next day.

I suppose that's what we mean by haphazardly.

Okay, so now we know about the physical security in place.

We know about the software security in place.

We know about the data that they have. What I'd like you to do is go to task four on your worksheet.

And I'd like you to write a report for the Rufus Rants company.

Now that you've done these tests and you know more about the organisation, you should now have a better understanding of what data your test might have exposed, okay? And what can be done about it.

So write this report and recommend some things that they might be able to do, okay? So pause the video now and then have a go at writing that report and then un-pause when you're done.

Okay, so that's all for this lesson, and I really hope that you've enjoyed this lesson about actually conducting a penetration test on an organisation.

It might hopefully open your eyes as well about the fact that people do actually have this as a career path, as a choice that they can actually do, to actually deliberately hack into people's systems, but do it ethically and for the common good.

Do it for the good of an organisation to stop unethical hackers actually being able to cause some real world damage, okay? So I hope you've enjoyed it and if you'd like to share your work with us, I would love to read some of your reports or see the work that you've been doing.

If you'd like to do that, please ask your parent or carer to share your work on Instagram, Facebook, or Twitter, tagging @OakNational and using the hashtag #learnwithOak.

Okay, so that's all for lesson six.

I'm looking forward to seeing you in lesson seven, which is our final lesson for this unit.