CLASS NOTE: CYBER SECURITY – ETHICAL HACKING AND PENETRATION TESTING

Subject: Digital Technology Class: SS2 Topic: Cyber Security: Ethical Hacking and Penetration Testing

---

1. COMPREHENSIVE CORE CONCEPTS

Understanding Cyber Security

In our modern world, we live a significant portion of our lives online. From social media and online banking to school portals and government databases, our data is everywhere. Cyber Security is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

As SS2 students, it is vital to understand that as technology evolves, so do the methods used by "threat actors" (hackers). To defend against these threats, we must learn to think like them—this is where Ethical Hacking and Penetration Testing come into play.

What is Ethical Hacking?

Ethical Hacking involves an authorized attempt to gain unauthorized access to a computer system, application, or data. Unlike malicious hacking, ethical hacking is performed with the owner’s permission. The goal is to find vulnerabilities (weaknesses) that a malicious hacker could exploit.

Ethical hackers are often called "White Hat Hackers." They use the same tools and techniques as "Black Hat Hackers" (criminals), but they do so to improve security rather than cause harm. Think of an ethical hacker as a security consultant who is hired by a bank to try and break into their vault. If the consultant succeeds, they don't take the money; instead, they tell the bank exactly how they got in so the bank can fix the hole in the wall.

The Phases of Ethical Hacking

1. Reconnaissance: Gathering information about the target.
2. Scanning: Using tools to identify open doors (ports) and services running on the system.
3. Gaining Access: This is where the "hacking" happens—exploiting a weakness to enter the system.
4. Maintaining Access: Seeing if they can stay in the system undetected.
5. Analysis/Reporting: Documenting how they got in and providing solutions to fix the gaps.

Penetration Testing (Pen-Testing)

While ethical hacking is a broad term covering all hacking techniques used for good, Penetration Testing is a specific, structured procedure. It is a simulated cyber-attack against your computer system to check for exploitable vulnerabilities.

In the context of Nigeria's growing Fintech industry (like OPay, Flutterwave, or GTBank apps), penetration testing is mandatory. Companies must regularly "test" their apps to ensure that hackers cannot steal customers' money or personal BVN (Bank Verification Number) details.

Types of Penetration Testing:

• Black Box Testing: The tester has no knowledge of the system. They act like an outsider trying to find a way in.
• White Box Testing: The tester has full knowledge of the system (source code, IP addresses, etc.). This tests the system from the perspective of someone with internal access.
• Grey Box Testing: A hybrid approach where the tester has partial knowledge of the internal workings.

---

2. REAL-WORLD EXAMPLES

Scenario 1: Protecting the School Portal

Imagine your school has an online portal where students check their exam results. An ethical hacker might be hired to see if a student could "inject" code into the website to change their grades from a 'C' to an 'A'. By finding this weakness, the hacker helps the school developer rewrite the code to make it "injection-proof."

Scenario 2: E-commerce Security (Jumia or Konga)

During a "Black Friday" sale, millions of Nigerians use their debit cards on e-commerce sites. A penetration tester will simulate a "Man-in-the-Middle" (MITM) attack to see if they can intercept the card details as they travel from the user's phone to the company’s server. If they can intercept it, the encryption is too weak and must be upgraded.

Scenario 3: Social Media Account Recovery

Have you ever seen a "hacked" Instagram or Facebook account? Ethical hackers often work with these platforms to find "bugs" in the "Forgot Password" system. If a hacker finds a way to bypass the 2-factor authentication (2FA) using a specific trick, they report it to Meta (the owners of Facebook) and get paid a "Bug Bounty."

---

3. PRACTICAL APPLICATIONS: A GUIDE TO STAYING SECURE

Step-by-Step: Conducting a Personal Digital Security Audit

You don’t need to be a professional to apply the principles of ethical hacking to your own life. Use these steps to "pen-test" your own digital footprint:

1. Audit Your Passwords:

   • Action: Check if you use the same password for your email, Facebook, and school portal.
   • Ethical Hack Logic: If a hacker gets one password, they have them all (this is called "Credential Stuffing").
   • Fix: Use a different, complex password for every account.

2. Test Your Email for Leaks:

   • Action: Visit a website like haveibeenpwned.com. Enter your email address.
   • Result: It will tell you if your data was part of a major company hack in the past.
   • Fix: If your email shows up, change your password immediately.

3. Inspect Website Security (The Padlock Rule):

   • Action: Before entering data on a website, look at the URL. Does it start with HTTPS or just HTTP?
   • Logic: The 'S' stands for Secure (SSL/TLS encryption). If there is no 'S' and no padlock icon, any information you type is being sent in "plain text" and can be easily read by anyone on the same Wi-Fi network.

---

4. SUGGESTED HOME PROJECTS (PROJECT-BASED LEARNING)

Project: The "Home Network Security Officer"

Objective: To analyze and improve the security of your home Wi-Fi network.

Materials Needed:

• A smartphone or laptop connected to your home Wi-Fi.
• Access to the Wi-Fi router (with parents' permission).
• A notebook and pen.

Procedure:

1. Map the Devices: Create a list of every device connected to your home Wi-Fi (phones, laptops, smart TVs, gaming consoles).
2. Check Router Credentials: Access your router's settings (usually by typing 192.168.1.1 or 192.168.0.1 in a browser).
   • The Test: Is the username and password still "admin/admin" or "admin/password"?
   • The Risk: If it is, anyone sitting in a car outside your house can control your internet.
3. Check Encryption Level: Look at the security settings. Is it using WEP, WPA, or WPA2/WPA3? (WPA2 and WPA3 are the only ones considered secure today).
4. Create a Security Report: Write a one-page report for your family explaining:
   • What vulnerabilities you found.
   • The potential risk (e.g., "Someone could steal our bandwidth or spy on our traffic").
   • Your recommendations (e.g., "Change the router password to something unique").

---

5. LIFE SKILLS INTEGRATION

Career Connections

Understanding ethical hacking opens doors to some of the highest-paying jobs globally and in Nigeria.

• Certified Ethical Hacker (CEH): Professionals who test government and corporate systems.
• Security Analyst: People who monitor networks for signs of a breach.
• Forensic Computer Analyst: Experts who investigate cybercrimes after they happen to find the culprit (working with agencies like the EFCC).

Critical Thinking and Ethics

This lesson isn't just about computers; it’s about Integrity. In Nigeria, the Cybercrime Act of 2015 makes unauthorized access to systems a punishable offense with heavy fines and jail time.

• Skill: Learning to distinguish between what you can do and what you should do.
• Application: Just because you found a way to see a friend's private messages doesn't mean you should. Use your skills to protect, not to pry.

---

6. ASSESSMENT THROUGH APPLICATION

Option A: The "Phishing" Detective (Case Study) Analyze the following text message: "Dear Customer, your BVN has been deactivated due to a system upgrade. Click here www.bank-verify-nignet.com to reactivate now to avoid account freezing."

1. List three "Red Flags" that suggest this is a malicious attack.
2. How would an ethical hacker describe this type of attack?
3. What is the safest action to take?

Option B: The Security Policy Creator You are the "IT Manager" for a new small business in your neighborhood. Write a 5-point "Digital Security Policy" for the employees to follow to ensure the business doesn't get hacked. (Hint: Think about passwords, public Wi-Fi, and email attachments).

---

7. STUDENT REFLECTION QUESTIONS

1. If you found a security flaw in a major Nigerian bank’s app, what are the ethical steps you should take? Why is it better to report it than to use it?
2. How has the increase in online activities (like Zoom classes or WhatsApp groups) changed the way we need to think about our personal "Attack Surface"?
3. Do you believe "Grey Hat" hackers (who hack without permission but don't steal anything) are doing a good service or a bad one? Defend your answer.
4. In what ways does cyber security contribute to the national security of Nigeria?