How to Be Ethical

Ethical hacking is usually conducted in a structured and organized manner, typically as part of a penetration test or security audit. The depth and breadth of the systems and applications to be tested are generally determined by the needs and concerns of the client. Many ethical hackers are members of a tiger team. A tiger team works together to perform a full-scale test covering all aspects of network, physical, and systems intrusion.
The ethical hacker must follow certain rules to ensure that all ethical and moral obligations are met. An ethical hacker must do the following:
  • Gain authorization from the client and have a signed contract giving the tester permission to perform the test.
  • Maintain and follow a nondisclosure agreement (NDA) with the client covering any confidential information disclosed during the test.
  • Maintain confidentiality when performing the test. Information gathered may contain sensitive information. No information about the test or company-confidential data should ever be disclosed to a third party.
  • Perform the test up to but not beyond the agreed-upon limits. For example, DoS attacks should only be run as part of the test if they have previously been agreed upon with the client. Loss of revenue, goodwill, and worse could befall an organization whose servers or applications are unavailable to customers as a result of the testing.
The following steps (shown in Figure 1) are a framework for performing a security audit of an organization and will help to ensure that the test is conducted in an organized, efficient, and ethical manner:
  1. Talk to the client, and discuss the needs to be addressed during the testing.
  2. Prepare and sign NDA documents with the client.
  3. Organize an ethical hacking team, and prepare a schedule for testing.
  4. Conduct the test.
  5. Analyze the results of the testing, and prepare a report.
  6. Present the report findings to the client.
In-depth penetration testing and security auditing information is discussed in EC-Council's Licensed Penetration Tester (LPT) certification.

Figure 1: Security audit steps
