Ethical Hacking and Penetration Testing
Ethical hackers engage in sanctioned hacking—that is, hacking with permission from the system’s owner. In the world of ethical hacking, most tend to use the term pen tester, which is short for penetration tester. Pen testers do simply that: penetrate systems like a hacker, but for benign purposes.
As an ethical hacker and future test candidate you must become familiar with the lingo of the trade. Here are some of the terms you will encounter in pen testing:
Hack Value This term describes a target that may attract an above-average level of attention to an attacker. Presumably because this target is attractive, it has more value to an attacker because of what it may contain.
Target of Evaluation (TOE) A TOE is a system or resource that is being evaluated for vulnerabilities. A TOE would be specified in a contract with the client.
Attack This is the act of targeting and actively engaging a TOE.
Exploit This is a clearly defined way to breach the security of a system.
Zero Day This describes a threat or vulnerability that is unknown to developers and has not been addressed. It is considered a serious problem in many cases.
Security This is described as a state of well-being in an environment where only actions that are defined are allowed.
Threat This is considered to be a potential violation of security.
Vulnerability This is a weakness in a system that can be attacked and used as an entry point into an environment.
Daisy Chaining This is the act of performing several hacking attacks in sequence with each building on or acting on the results of the previous action.
As an ethical hacker, you will be expected to take on the role and use the mind-set and skills of an attacker to simulate a malicious attack. The idea is that ethical hackers understand both sides, the good and the bad, and use this knowledge to help their clients. By understanding both sides of the equation, you will be better prepared to defend yourself successfully. Some things to remember about being an ethical hacker are:
- You must have explicit permission in writing from the company being tested prior to starting any activity. Legally, the person or persons that must approve this activity or changes to the plan must be the owner of the company or their authorized representative. If the scope changes, update the contracts to reflect those changes before performing the new tasks.
- You will use the same tactics and strategies as malicious attackers.
- You have every potential to cause harm that a malicious attack will have and should always consider the effects of every action you carry out.
- You must have knowledge of the target and the weaknesses it possesses.
- You must have clearly defined rules of engagement prior to beginning your assigned job.
- You must never reveal any information pertaining to a client to anyone but the client.
- If the client asks you to stop a test, do so immediately.
- You must provide a report of your results and, if asked, a brief on any deficiencies found during a test.
- You may be asked to work with the client to fix any problems that you find.