5 – Where is the danger?

🎯 Learning Objectives

Develop the Communication and Networks Learning Strands:

  • Describe different methods of identifying cybersecurity vulnerabilities, such as: penetration testing, ethical hacking, network forensics, commercial analysis tools, review of network and user policies
💬 Key Vocabulary
  • Penetration testing
  • ethical hacking
  • ethical hacker
  • commercial analysis tools
  • network policy
  • user policy

📝 Starter Activity – Meet an ethical hacker

Watch this video.

  • What is a hacker?
  • What does the word ‘ethical’ mean?
  • What does an ethical hacker do for a company?

Download the workbook below to answer these questions.

In pairs, discuss what you think an ethical hacker does.

Be ready to share.

📖 Where is the danger? Who are the heroes?

From the video and our discussions you know that ethical hackers, or white hat hackers, are paid to discover weaknesses in computer systems for the benefit of a company’s cybersecurity. 

For each of the sections below you should add the term and definition to your notes in your own words.

📖 Penetration testing

Penetration testing is a type of security testing that is used to test for insecure areas of a system or application.

Much of this focuses on network forensics, which is the monitoring and analysis of computer network traffic for information gathering and intrusion detection. The goal of this testing is to find all the security vulnerabilities (including susceptibility to social engineering) of the system being tested.
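As an added illustration (not part of the lesson materials) of what "monitoring and analysis of network traffic" can look like in practice, this small script reads connection records and flags a source that has contacted many different ports on one host. The log lines, IP addresses and the threshold are all constructed for the example.

```python
# Added example, not from the lesson: a tiny network-forensics check over a
# constructed connection log. It groups records by (source, destination) and
# reports pairs where one source touched many distinct ports on one host.
from collections import defaultdict

# Constructed log: time, source IP, destination IP, destination port
LOG = """\
10:00:01 198.51.100.7 192.0.2.10 22
10:00:01 198.51.100.7 192.0.2.10 23
10:00:02 198.51.100.7 192.0.2.10 80
10:00:02 198.51.100.7 192.0.2.10 443
10:00:03 198.51.100.7 192.0.2.10 3389
10:00:05 192.0.2.20 192.0.2.10 443
10:00:06 192.0.2.20 192.0.2.10 443
"""


def parse(log: str):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])


def flag_port_sweeps(log: str, threshold: int = 5):
    """Return {(src, dst): sorted ports} for pairs that reached at least
    `threshold` distinct destination ports (threshold is an assumed value)."""
    ports = defaultdict(set)
    for src, dst, port in parse(log):
        ports[(src, dst)].add(port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for (src, dst), p in flag_port_sweeps(LOG).items():
        print(f"{src} -> {dst}: {len(p)} distinct ports {p}")
```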

📖 What are pen testers looking for?

Physical security: This describes security measures that are designed to deny unauthorised access to facilities, equipment, and resources and to protect personnel and property from damage or harm, for example the use of passcards and biometric checks (fingerprints and retinal scans).

Training: Does the company provide ongoing training for staff to make sure they understand potential social engineering threats? Do they have good network policies and user access levels?

Data storage: Can the pen tester use tools to retrieve data from the company’s systems?

Software security: Does the company keep a check on necessary patches and use good antivirus software with firewalls?

Remember: A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
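To make the "predetermined security rules" part concrete, here is an added example (not from the lesson) of a minimal rule-based packet filter: rules are checked top to bottom, the first match decides, and anything that matches no rule is denied. The networks, ports and packets are constructed for illustration.

```python
# Added example, not from the lesson: a minimal firewall rule evaluator.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    direction: str
    src_net: str
    dst_net: str
    dport: Optional[int]  # None matches any port
    proto: str
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or p.dport == self.dport))


# Constructed rule set: first match wins, unmatched traffic is denied.
RULES = [
    Rule("in", "0.0.0.0/0", "192.0.2.10/32", 443, "tcp", "allow"),     # public web server
    Rule("in", "192.0.2.0/24", "192.0.2.0/24", None, "tcp", "allow"),  # internal hosts
    Rule("out", "192.0.2.0/24", "0.0.0.0/0", 443, "tcp", "allow"),     # outbound HTTPS
    Rule("out", "192.0.2.0/24", "0.0.0.0/0", 53, "udp", "allow"),      # outbound DNS
]


def decide(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or "deny" (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
```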

📖 What types of pen test are there?

White box: Full knowledge; more like a malicious insider

Grey box: Some knowledge; a compromise

Black box: No knowledge; more like an external hacker

📝 What methods do ethical hackers use?

They use commercial analysis tools; for example, the National Cyber Security Centre (NCSC) provides a free service to public-service organisations called NCSC Web Check.

Have a look at it here if you’re interested.

📝 What do you think a white hat hacker does in each of these phases?

Match the title with the description.

📝 Activity – Rufus Rants

A social media company for angry people

The Rufus Rants company has invited a consultant in to pen test its systems.

Read through the example company description and penetration test plan by downloading it.

📝 Over to you

Now that you have seen an example, it’s your turn to create your own company and penetration test plan. Complete the blank slides on your lesson activity PowerPoint.

Step 1: Design your data company

  • When you design your company, remember that you are designing it to be penetration tested
  • Don’t try to design an extremely secure company
  • You have free choice on what company to design and what type of data they hold, but include one of each of the security options from the further instructions section of A2

Step 2: Design a penetration test for another group’s company

  • Think about their security infrastructure and where the potential vulnerabilities are likely to be
  • You are acting as a group of white hat hackers who are exposing the company’s vulnerabilities in order to address them
  • Include recommendations that could prevent successful attacks in the future

📖 Class discussion about pen testing exercise

What type of companies did you design?

What type of vulnerabilities did you identify and correct?

  • Physical security of the building
  • Training provided
  • Data storage
  • Software security

🏅 Badge it

Upload your Word file or a photo of your paper that contains the notes and answers to questions that you have made throughout this lesson to www.bournetolearn.com.

🥈 Silver Badge

Upload your starter activity answers and notes on the terms and definitions.

🥇 Gold Badge

Upload your data company design sheet. 

🥉 Platinum Badge

Upload your penetration test plan. 

In this lesson, you…

Described different methods of identifying cybersecurity vulnerabilities, such as: penetration testing, ethical hacking, network forensics, commercial analysis tools, review of network and user policies.

Next lesson, you will…

Learn about cybersecurity careers and undertake an end-of-unit assessment.