Tweet

Ethical Hacking and Penetration Testing  Ethical hackers engage in sanctioned hacking—that is, hacking with permission from the system’s owner. In the world of ethical hacking, most tend to use the term  pen  tester, which is short for penetration tester. Pen testers do simply that: penetrate systems like a hacker, but for benign purposes. As an ethical hacker and future test candidate you must become familiar with the lingo of the trade. Here are some of the terms you will encounter in pen testing: Hack  Value  This term describes a target that may attract an above-average level of attention to an attacker.  Presumably because this target is attractive, it has more value to an attacker because of what it may contain. Target of Evaluation (TOE)  A TOE is a system or resource that is being evaluated for vulnerabilities. A TOE would be specified in a contract with the client. Attack  This is the act of targeting and actively engaging a TOE. Exploit  This is a clearly defined way to breach the security of a system. Zero  Day  This describes a threat or vulnerability that is unknown to developers and has not been addressed. It is considered a serious problem in many cases. Security  This is described as a state of well-being in an environment where only actions that are defined are allowed. Threat  This is considered to be a potential violation of security. Vulnerability  This is a weakness in a system that can be attacked and used as an entry point  into  an  environment.  Daisy  Chaining  This is the act of performing several hacking attacks in sequence with each building on or acting on the results of the previous action. As an ethical hacker, you will be expected to take on the role and use the mind-set and skills of an attacker to simulate a malicious attack. The idea is that ethical hackers understand both sides, the good and the bad, and use this knowledge to help their clients. By understanding both sides of the equation, you will be better prepared to defend yourself successfully.  Some things to remember about being an ethical hacker are: ■ ■ ■ ■  👨‍💻👨‍💻 You must have explicit permission in writing from the company being tested prior to starting any activity.  👨‍💻👨‍💻 Legally, the person or persons that must approve this activity or changes to the plan must be the owner of the company or their authorized representative. If the scope changes, update the contracts to reflect those changes before performing the new tasks.  👨‍💻👨‍💻 You will use the same tactics and strategies as malicious attackers. You have every potential to cause harm that a malicious attack will have and should always consider the effects of every action you carry out. You must have knowledge of the target and the weaknesses it possesses. 👨‍💻👨‍💻 What Is an Ethical Hacker? 11 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ You must have clearly defined rules of engagement prior to beginning your assigned job. You must never reveal any information pertaining to a client to anyone but the client. If the client asks you to stop a test, do so immediately.  👨‍💻👨‍💻 You must provide a report of your results and, if asked, a brief on any deficiencies found during a test. You may be asked to work with the client to fix any problems that you find. As an ethical hacker you must agree to the following code of ethics:  👨‍💻👨‍💻👨‍💻Keep private and confidential information gained in your professional work (in particular as it pertains to client lists and client personal information). Do not collect, give, sell, or transfer any personal information (such as name, e-mail address, social security number, or other unique identifier) to a third party without prior client consent. Protect the intellectual property of others by relying on your own innovation and efforts, thus ensuring that all benefits vest with its originator.  👨‍💻👨‍💻 Disclose to appropriate persons or authorities potential dangers to any e-commerce clients, the Internet community, or the public, that you reasonably believe to be associated with a particular set or type of electronic transactions or related software or hardware. Provide service in your areas of competence; be honest and forthright about any limitations of your experience and education.  👨‍💻👨‍💻 Ensure that you are qualified for any project on which you work or propose to work by an appropriate combination of education, training,  and  experience. Never knowingly use software or a process that is obtained or retained either illegally or  unethically. Do not engage in deceptive financial practices such as bribery, double billing, or other improper  financial  practices. 👨‍💻👨‍💻  Use the property of a client or employer only in ways properly authorized, and with the owner’s knowledge and consent. Disclose to all concerned parties those conflicts of interest that cannot reasonably be avoided or escaped. Ensure good management for any project you lead, including effective procedures for promotion of quality and full disclosure of risk.  👨‍💻👨‍💻 Add to the knowledge of the e-commerce profession by constant study, share the lessons of your experience with fellow EC-Council members, and promote public awareness of the benefits of e-commerce. Conduct yourself in the most ethical and competent manner when soliciting professional service or seeking employment, thus meriting confidence in your knowledge and integrity.

 Ethical Hacking and Penetration Testing

 Ethical hackers engage in sanctioned hacking—that is, hacking with permission from the system’s owner. In the world of ethical hacking, most tend to use the term  pen  tester, which is short for penetration tester. Pen testers do simply that: penetrate systems like a hacker, but for benign purposes. As an ethical hacker and future test candidate you must become familiar with the lingo of the trade. Here are some of the terms you will encounter in pen testing: Hack  Value  This term describes a target that may attract an above-average level of attention to an attacker. 

Presumably because this target is attractive, it has more value to an attacker because of what it may contain. Target of Evaluation (TOE)  A TOE is a system or resource that is being evaluated for vulnerabilities. A TOE would be specified in a contract with the client. Attack  This is the act of targeting and actively engaging a TOE. Exploit  This is a clearly defined way to breach the security of a system. Zero  Day  This describes a threat or vulnerability that is unknown to developers and has not been addressed. It is considered a serious problem in many cases. Security  This is described as a state of well-being in an environment where only actions that are defined are allowed. Threat  This is considered to be a potential violation of security. Vulnerability  This is a weakness in a system that can be attacked and used as an entry point  into  an  environment. 

Daisy  Chaining  This is the act of performing several hacking attacks in sequence with each building on or acting on the results of the previous action. As an ethical hacker, you will be expected to take on the role and use the mind-set and skills of an attacker to simulate a malicious attack. The idea is that ethical hackers understand both sides, the good and the bad, and use this knowledge to help their clients. By understanding both sides of the equation, you will be better prepared to defend yourself successfully. 

Some things to remember about being an ethical hacker are: ■ ■ ■ ■ 

👨‍💻👨‍💻

You must have explicit permission in writing from the company being tested prior to starting any activity. 

👨‍💻👨‍💻

Legally, the person or persons that must approve this activity or changes to the plan must be the owner of the company or their authorized representative. If the scope changes, update the contracts to reflect those changes before performing the new tasks. 

👨‍💻👨‍💻

You will use the same tactics and strategies as malicious attackers. You have every potential to cause harm that a malicious attack will have and should always consider the effects of every action you carry out. You must have knowledge of the target and the weaknesses it possesses.

👨‍💻👨‍💻

What Is an Ethical Hacker? 11 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ You must have clearly defined rules of engagement prior to beginning your assigned job. You must never reveal any information pertaining to a client to anyone but the client. If the client asks you to stop a test, do so immediately. 

👨‍💻👨‍💻

You must provide a report of your results and, if asked, a brief on any deficiencies found during a test. You may be asked to work with the client to fix any problems that you find. As an ethical hacker you must agree to the following code of ethics: 

👨‍💻👨‍💻👨‍💻Keep private and confidential information gained in your professional work (in particular as it pertains to client lists and client personal information). Do not collect, give, sell, or transfer any personal information (such as name, e-mail address, social security number, or other unique identifier) to a third party without prior client consent. Protect the intellectual property of others by relying on your own innovation and efforts, thus ensuring that all benefits vest with its originator. 

👨‍💻👨‍💻

Disclose to appropriate persons or authorities potential dangers to any e-commerce clients, the Internet community, or the public, that you reasonably believe to be associated with a particular set or type of electronic transactions or related software or hardware. Provide service in your areas of competence; be honest and forthright about any limitations of your experience and education. 

👨‍💻👨‍💻

Ensure that you are qualified for any project on which you work or propose to work by an appropriate combination of education, training,  and  experience. Never knowingly use software or a process that is obtained or retained either illegally or  unethically. Do not engage in deceptive financial practices such as bribery, double billing, or other improper  financial  practices.

👨‍💻👨‍💻

 Use the property of a client or employer only in ways properly authorized, and with the owner’s knowledge and consent. Disclose to all concerned parties those conflicts of interest that cannot reasonably be avoided or escaped. Ensure good management for any project you lead, including effective procedures for promotion of quality and full disclosure of risk. 

👨‍💻👨‍💻

Add to the knowledge of the e-commerce profession by constant study, share the lessons of your experience with fellow EC-Council members, and promote public awareness of the benefits of e-commerce. Conduct yourself in the most ethical and competent manner when soliciting professional service or seeking employment, thus meriting confidence in your knowledge and integrity.