Several deadly mistakes — when properly executed — can wreak havoc on your ethical hacking outcomes and even your job or career.
Getting Approval in Writing
Getting approval for your ethical hacking efforts — whether it’s from upper management or the customer — is an absolute must. It’s your get out of jail free card.
Obtain documented approval that includes the following:
Explicitly lay out your plan, your schedule, and the affected systems.
Get the authorized decision-maker to sign off on the plan, agreeing to the terms and agreeing not to hold you liable for malicious use or other bad things that can happen unintentionally.
Get the signed original copy of the agreement.
No exceptions here!
Assuming That You Can Find All Vulnerabilities During Your Tests
So many security vulnerabilities exist — some known and just as many or more unknown — that you can’t find them all during your testing. Don’t make any guarantees that you’ll find all security vulnerabilities. You’ll be starting something that you can’t finish.
Stick to the following tenets:
Be realistic.
Use good tools.
Get to know your systems, and practice honing your techniques.
Assuming That You Can Eliminate All Security Vulnerabilities
When it comes to computers, 100 percent security has never been attainableand never will be. You can’t possibly prevent all security vulnerabilities. You’ll do fine if you
Follow best practices.
Harden your systems.
Apply as many security countermeasures as reasonably possible.
Performing Tests Only Once
Ethical hacking is a snapshot in time of your overall state of security. New threats and vulnerabilities surface continuously, so you must perform these tests regularly to make sure you keep up with the latest security defenses for your systems.
Not Using the Right Tools
Without the right tools for the task, it’s almost impossible to get anything done — at least not without driving yourself nuts! Download the free tools I mention throughout this book and list in Appendix A. Buy commercial tools if you have the inclination and the budget. No security tool does it all. Build up your toolbox over time, and get to know your tools well. This will save you
gobs of effort, plus you can impress others with your results.
Pounding Production Systems at the Wrong Time
One of the best ways to lose your job or customers is to run hack attacks against production systems when everyone and his brother is using them. Mr. Murphy’s Law will pay a visit and take down critical systems at the absolute worst time. Make sure you know when the best time is to perform your testing. It may be in the middle of the night. (I never said being an ethical hacker
was easy!) This may be reason enough to justify using security tools and other supporting utilities that can help automate certain ethical hacking tasks.
Outsourcing Testing and Not Staying Involved
Outsourcing is great, but you must stay involved. It’s a bad idea to hand over the reins to a third party for all your security testing without following up and staying on top of what’s taking place. You won’t be doing anyone a favor except your outsourced vendors by staying out of their hair. Get in their hair.
(But not like gum — that just makes everything more difficult.)
No comments:
Post a Comment