The theory behind penetration testing, or ethical hacking, is simple: know your enemy, just as in war and sports. Ethical hackers know the tricks that crackers and rogue insiders use and exploit. Both explore the security of a system based on their knowledge and their use of tools to discover holes. This similarity between the two kinds of hackers alarms organizations. It is important to remember that ethical hackers are not crackers and do not usually have a history of criminal hacking.
Most security assessment companies will not hire an ex-cracker onto their team. This is due to the lack of trust and to customers' distaste for allowing an individual with that background to work on sensitive systems. Ethical hackers have different histories, but all have one factor in common: being trustworthy. They must not maliciously cause any damage, steal client information, or perform any malicious acts in their search for holes. All the work they perform must remain confidential, and any problems discovered must be protected by proper security measures to prevent leakage. In addition to being trustworthy, ethical hackers must possess technical knowledge of systems and of crackers' tricks. They tend to have strengths in programming and networking, as well as familiarity with popular operating systems. It is common for them to have previously worked in related fields or to have picked up hacking after having been victims of attacks.
The key questions an organization needs to ask itself when deciding to work with ethical hackers are listed below.
(1) What are you trying to protect?
(2) What are you trying to protect against?
(3) How much time, effort, and money are you willing to expend to obtain adequate protection?
The first question refers to critical assets whose loss could cause damage to the organization or its clients. These include information such as employee names and addresses, computer network information, and details of other organizations with which the organization collaborates, as well as its image and reputation. The second involves the possibilities of losing the items identified in question one, the resulting adverse effects, and issues of system availability. The third question has three different costs to consider: monetary, usability, and computer/network performance. The more secure a system is, the more difficult it can be to keep it easy to use. Performance refers to the time a system spends on security, which results in less time spent serving users.
After careful consideration of these questions comes the creation of a contractual agreement, often referred to as the "get out of jail free card". The client and the ethical hacker usually write this contract jointly. It contains a security evaluation plan that identifies the precise systems to be tested, how they will be tested, and any limitations on that testing. Additionally, it protects the hacker against prosecution, since the tasks they perform are illegal in most locations.
Consider this logic: if the business is concerned about the damage caused by downtime, it should have the system tested before a cracker finds a hole and causes far more damage than the ethical hacker would.
Another important element of the evaluation plan is timing. The most realistic approach is to allow the hacker to test at any time. However, clients tend to prefer testing outside of normal working hours to avoid serious downtime or other problems. This restriction does not necessarily negate the evaluation's accuracy, but it does reduce it, as most intruders do their work outside of working hours. Despite the visible prevalence of attacks outside normal hours, daytime attacks can be more easily masked than those later in the day.
At any time of day, there is a risk of adverse effects on a business system. With that in mind, ethical hackers need access to a contact network for when they discover a problem that needs immediate correction. Still, the business should minimize the number of contacts necessary and limit employees' awareness of the ethical hacker's activities. This ensures that the evaluation is accurate and reflects actual response time, without giving employees a chance to stay on top of the hacker. Because of the secretive nature of testing the company's system, employees who stumble upon the hacker may feel threatened. The management team should reassure their employees that they themselves are not being evaluated.
The practices recommended in this article may appear superfluous to some business proprietors, but remember: it is more harmful and expensive to deal with a breach after a cracker has penetrated the system than to take the proactive approach of finding the hole and keeping it from being exploited. As the world converts information to electronic data, penetration testing becomes ever more important in an environment that does not tolerate security breaches well.