Skip to content

Phases of Information Security

For a hacking attack to succeed, the operation must follow a set of phases.


In this first phase, before taking any action, the attacker must be prepared by carrying out an information-gathering exercise on the target. The attacker collects, from many sources, every piece of publicly available sensitive information, such as target clients, employees, and network information. At the end of this phase, the hacker will have a clear view of the network (domain name, IP ranges, TCP/UDP services, and authentication mechanisms), the system (user/group names, system banners, and system architecture), and organizational information (employee details, press released, and location). There are two types of reconnaissance or footprinting.

Passive reconnaissance

Passive reconnaissance involves acquiring information about the target without directly interacting with it, for example, searching public information.

Active reconnaissance

Active reconnaissance involves interaction with the target, for example, calling technical support to gain some sensitive information.

Reconnaissance is not only technical. It is also an important weapon of competitive intelligence. Knowing some financial aspects of the target could mean that the attack succeeds.


After gathering a good amount of information on the target, the attacker has to scan it to reveal useful information about the system and use this information for the next phase (the gaining access phase). During this process, the attacker will look for different types of information, and for that, he will use different types of scanning.

Port scanning

Port scanning is the process of sending packets to a target with the aim of learning more about it in association with well-known port numbers. There are two categories of port scanning: TCP scanning and UDP scanning. To attempt port scanning, it is recommended you to use Nmap, which is an open source port scanner and network exploration tool.

Network scanning

Network scanning describes the process of locating all the live hosts on a network. Scanning a range of IPs is a type of network scan. The basic technique to discover live hosts is a ping sweep. It simply sends ICMP echo requests to multiple hosts from a range of IP addresses. Hping2 is an easy command-line network scanner for TCP/IP protocol.

Vulnerability scanning

During this subphase, the attacker tries to identify weaknesses in the target. The main aim of this type scanning is to find a potential way of exploiting the system. There are a variety of tools for vulnerability scanning, such as Nessus, Nexpose, and many other scanners.

Gaining access

At this stage, the attacker already has what they need to launch their attack, including IP range, identified systems, services, user lists, security vulnerabilities, and flows. Now they only need to bypass security controls to gain access to the system, using several techniques such as password cracking, social engineering or privilege escalation, and gaining other user permissions.

Maintaining access

Mostly, the aim of a hacking attack is not only to get information using unauthorized access, but to also maintain that access. Every day, attackers are coming up with new ways to maintain access. The most well-known technique is hiding files from the system owner and users to avoid being caught.

Clearing tracks

The final phase of every successful hacking attack is clearing the tracks. It is very important, after gaining access and misusing the network, that the attacker cover the tracks to avoid being traced and caught. To do this, the attacker clears all kinds of logs and malicious malware related to the attack. During this phase, the attacker will disable auditing and clear and manipulate logs. The order of the hacking phases is shown here:

5 Phases of hacking