With all this talk of the skills that an ethical hacker must have, you might be wondering how the ethical hacker can put these skills to use. An organization’s IT infrastructure can be probed, analyzed, and attacked in a variety of ways. Some of the most common modes of ethical hacking are shown here:
This ethical hack simulates the types of attacks and activities that could be carried out by an authorized individual with a legitimate connection to the organization’s network.
This ethical hack seeks to simulate the types of attacks that could be launched across the Internet. It could target Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Structured Query Language (SQL), or any other available service.
This simulation is closely related to a physical attack as it targets the organization’s equipment. It could seek to target the CEO’s laptop or the organization’s backup tapes. No matter what the target, the goal is the same — extract critical information, usernames, and passwords.
This simulation seeks to test the organization’s physical controls. Systems such as doors, gates, locks, guards, closed circuit television (CCTV), and alarms are tested to see whether they can be bypassed.
This simulation is tasked with looking for wireless access points (WAP) and modems. The goal is to see whether these systems are secure and offer sufficient authentication controls. If the controls can be bypassed, the ethical hacker might probe to see what level of system control can be obtained.
This simulation does not target technical systems or physical access. Social engineering attacks target the organization’s employees and seek to manipulate them to gain privileged information. Proper controls, policies, and procedures can go a long way in defeating this form of attack.
Every ethical hacker must abide by a few simple rules when performing the tests described previously. If not, bad things can happen to you, which might include loss of job, civil penalty, or even jail time.
Every assignment will have rules of engagement. These include not only what you are authorized to target, but also the extent to which you are authorized to control those systems. If you are only authorized to obtain a prompt on the target system, downloading passwords and starting a crack on those passwords would exceed what you have been authorized to do.
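As an added illustration of this point (example code, not from the original text), a small rules-of-engagement check in Python: it refuses any target outside the authorized networks or hostnames, and any action beyond the authorized extent of control, so "obtain a prompt" is allowed while "download password hashes" and "crack passwords" are not. The tier names, action names, and sample targets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Extent of control, least to most intrusive; an engagement authorizes up to one tier.
TIERS = ("recon", "access", "credential_access", "credential_cracking")
# Tier each action requires (action names are constructed for this example).
ACTION_TIER = {
    "port_scan": "recon",
    "obtain_shell": "access",  # "a prompt on the target system" in the text
    "download_password_hashes": "credential_access",
    "crack_passwords": "credential_cracking",
}

@dataclass(frozen=True)
class RulesOfEngagement:
    networks: tuple       # ip_network objects the client authorized
    hostnames: frozenset  # named hosts the client authorized
    max_tier: str         # highest authorized extent of control

def parse_roe(targets, max_tier):
    """Build the RoE from target strings (CIDR blocks or hostnames) and the authorized tier."""
    if max_tier not in TIERS:
        raise ValueError(f"unknown tier: {max_tier}")
    nets, hosts = [], set()
    for t in targets:
        try:
            nets.append(ipaddress.ip_network(t, strict=False))
        except ValueError:
            hosts.add(t.lower())  # not an address or CIDR, so treat it as a hostname
    return RulesOfEngagement(tuple(nets), frozenset(hosts), max_tier)

def target_in_scope(roe, target):
    """True only if target is an authorized hostname or lies inside an authorized network."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in roe.hostnames
    return any(addr in net for net in roe.networks)

def authorized(roe, target, action):
    """Return (allowed, reason); unknown actions and anything past the tier are refused."""
    if not target_in_scope(roe, target):
        return False, f"{target} is not an authorized target"
    need = ACTION_TIER.get(action)
    if need is None:
        return False, f"{action} is not a recognized action"
    if TIERS.index(need) > TIERS.index(roe.max_tier):
        return False, f"{action} needs tier {need}; authorized only up to {roe.max_tier}"
    return True, "authorized"
```

Default-deny is the important property: a target or action the client never wrote down is refused rather than assumed to be covered.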
The tester should protect himself by establishing limits on liability for damage. There has to be an NDA between the client and the tester to protect them both. There is a good example of a get-out-of-jail document at http://www.professionalsecuritytesters.org/modules.php?name=Downloads&d_op=viewdownload&cid=1
That’s right; the big difference between a hacker and an ethical hacker is the word ethics. Ethics is a set of moral principles about what is correct or the right thing to do. Ethical standards are sometimes different from legal standards in that laws define what we must do, whereas ethics define what we should do.
The OSSTMM — An Open Methodology
In December 2001, the Open Source Security Testing Methodology Manual (OSSTMM) began. Hundreds of people contributed knowledge, experience, and peer-review to the project. Eventually, as the only publicly available methodology that tested security from the bottom of operations and up (as opposed to from the policy on down), it received the attention of businesses, government agencies, and militaries around the world. It also scored success with little security startups and independent ethical hackers who wanted a public source for client assurance of their security testing services.

The primary purpose of the OSSTMM is to provide a scientific methodology for the accurate characterization of security through examination and correlation in a consistent and reliable way. Great effort has been put into the OSSTMM to assure reliable cross-reference to current security management methodologies, tools, and resources. This manual is adaptable to penetration tests, ethical hacking, security assessments, vulnerability assessments, red-teaming, blue-teaming, posture assessments, and security audits. Your primary purpose for using it should be to guarantee facts and factual responses, which in turn assures your integrity as a tester and the organization you are working for, if any. The end result is a strong, focused security test with clear and concise reporting.

www.isecom.org is the main site for the nonprofit organization, ISECOM, maintaining the OSSTMM and many other projects. This “in the field” segment was contributed by Pete Herzog, Managing Director, ISECOM.