Before the real fun for the hacker begins, three essential steps must be performed. This chapter will discuss the first one, footprinting: the fine art of gathering target information. For example, when thieves decide to rob a bank, they don't just walk in and start demanding money (not the smart ones, anyway). Instead, they take great pains in gathering information about the bank: the armored car routes and delivery times, the video cameras, the number of tellers and escape exits, and anything else that will help in a successful misadventure.
The same requirement applies to successful attackers. They must harvest a wealth of information to execute a focused and surgical attack (one that won't be readily caught). As a result, attackers will gather as much information as possible about all aspects of an organization's security posture. Hackers end up with a unique footprint, or profile, of their target's Internet, remote access, and intranet/extranet presence. By following a structured methodology, attackers can systematically glean information from a multitude of sources to compile this critical footprint of nearly any organization.
Sun Tzu had this figured out centuries ago when he penned the following in Sun Tzu on the Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
You may be surprised to find out just how much information is readily available about your organization's security posture to anyone willing to look for it. It is essential for you to know what the enemy already knows about you!