
Friday, July 24, 2009

Working ethically

The word ethical in this context can be defined as working with high professional morals and principles. Whether you’re performing ethical hacking tests against your own systems or for someone who has hired you, everything you do as an ethical hacker must be aboveboard and must support the company’s goals.

The Ethical Hacking Process

    Like practically any IT or security project, ethical hacking needs to be planned in advance. Strategic and tactical issues in the ethical hacking process should be determined and agreed upon. Planning is important for any amount of testing — from a simple password-cracking test to an all-out penetration test on a Web application.

    Formulating your plan

    The authorization can be as simple as an internal memo from your boss if you’re performing these tests on your own systems. If you’re testing for a customer, have a signed contract in place, stating the customer’s support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your Get Out of Jail Free card if anyone questions what you’re doing.

    You need a detailed plan, but that doesn’t mean you have to have volumes of testing procedures. One slip can crash your systems — not necessarily what anyone wants. A well-defined scope includes the following information:

    • Specific systems to be tested
    • Risks that are involved
    • When the tests are performed and your overall timeline
    • How the tests are performed
    • How much knowledge of the systems you have before you start testing
    • What is done when a major vulnerability is discovered

    When selecting systems to test, start with the most critical or vulnerable systems. For instance, you can test computer passwords or attempt social-engineering attacks before drilling down into more detailed systems.
