Best Practices Used by Ethical Hackers
Pluralsight blog Where devs, IT admins & creative pros go for news, tips, videos and more.
3,500+ tech & creative courses authored by experts - unlimited & online Get it now →
September 20, 2012

Core Rules and Concepts of Ethical Hacking

By

Watch these Ethical Hacking videos, and you’ll understand skills like buffer overflow, network sniffing, password cracking, and more. Know the techniques of ethical hacking and you’ll learn security tactics through the mind of an attacker.

Transcription

First off, we must define the concept of ethical hacking. Ethical hacking, at its core, is using the techniques and tools, approaches and attacks that an attacker would use to identify vulnerabilities, document the vulnerabilities and plan remediation. Many times, folks that aren’t as familiar with security penetration tests or security analysis just assume that all security experts, especially IT security experts, are the same and that they use the same techniques and the same tools. They assume an auditor is the same as an analyst. They assume an ethical hacker uses the same tools as those folks as well and that’s simply not the case.

The Difference Between Ethical and Unethical Hacking

Ethical hacking is different in this core function in that it uses the exact same methodology and the exact same tools that a hacker would use: someone, frequently outside the company and out of control of the company, to actually understand the network, penetrate, compromise.

They do it in a way that’s ethical, meaning that they document this, they record the steps, the breaches and the parameters that they’ve used. Later on, analysts and auditors can come and look at those results and determine what things may need to be done in the future to help prevent similar attacks, but from an unethical hacker down the road.

This is a key difference. This key approach difference is really what separates this from anything else out there.

Rules and Guidelines

When we talk about ethical hacking, as well, one thing to remember is that ethical hackers follow specific rules and guidelines. These are really important.

Do No Harm

The core rule of ethical hacking, first and foremost, is do no harm. Do not destroy assets, wreck networks, deny service and actually affect real use of systems and do not lock people out in a way that’s not part of the plan.

Doing no harm is really the big distinction between a cracker and an ethical hacker. A cracker or a true attacker, may want to do harm as part of their attack, whether it’s compromise sensitive data, deny service to legitimate users, destroy assets and so forth.Ethical hacking differs there in that, typically, there’s no destruction and no harm done.

Understanding Boundaries

Ethical hacking is also really rooted in boundaries, understanding what systems can and cannot be attacked. For example, an online database that’s critical to customer data, or critical to transactions. That kind of database should never be attacked by an ethical hacker unless it’s part of the ethical hacker’s boundaries and that database is specifically included.

Most businesses that are being run 24 hours, seven days, will not want an ethical hacker to approach any critical business systems because it could simply impact business. Understanding what those boundaries are up front and then honoring those boundaries is absolutely critical.

Counter measures are not part of the ethical hacking process. As you’re examining networks and foot printing and determining vulnerabilities and installing compromises, that process doesn’t include at every stage, well, I wonder how I would defend against this. That’s not part of ethical hacking.

Documentation

Ethical hacking is getting in, finding the vulnerabilities and certainly documenting as you go. Counter measures are usually considered only after an entire ethical hacking process is complete. After you’re successful, you’ve compromised vulnerabilities and actually owned the network, so to speak, you worry about, “I wonder how this company, my company, any company could protect against this.” That’s when that research happens.
Sometimes it’s a natural outcropping of the attack itself, and that’s great. Document that but do not focus on counter measures during ethical hacking.

All of this should be in written agreement with whoever is the subject of this ethical hacking process. If you’re a consultant, and you’ve been brought in to determine vulnerabilities and risk exposure for our company, getting agreement on, what the critical systems, boundaries, targets and areas of concern are is really important.

It has to be done in advance. It can’t be done during the process. You can’t stumble across customer database number 72 and raise your hand and ask, “Is it OK if I hack this database?” That’s not the proper approach to ethical hacking.

Ethical hacking understands these systems are off limits. Those systems are inbounds, these systems are the systems that we’re most concerned about, or the data over here is the data we’re most concerned about.
Therefore, documentation is absolutely critical. I recommend that you thoroughly document every step, process and keystroke you make. Frequently use things like Camtasia to record video or get screenshots. Have a notebook where you jot down notes as you’re doing things: commands you run, data you get, and so forth.

Saving all of that in a special place on your hard drive or on the network and having a nice backup of it is absolutely crucial as well, both to insure that you capture every part of the attack, all of the compromises, success and failure and so forth, and also, for personal liability reasons: to insure that you show exactly what you did do and exactly what you did not do.

About the Author

has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.

Author's Website: http://www.nextdirectiontech.com/


Discussion