Part I: Building the Foundation for Ethical Hacking
If you choose to hire a “reformed” hacker to work with you during your testing or to obtain an independent perspective, be careful. I cover the pros, cons, do’s, and don’ts associated with hiring an ethical hacker in Chapter 18.
Formulating your plan
Getting approval for ethical hacking is essential. Make sure that what you’re doing is known and visible — at least to the decision makers. Obtaining sponsorship of the project is the first step. Sponsorship could come from your manager, an executive, your client, or even yourself if you’re the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing might be called off unexpectedly if someone claims you were never authorized to perform the tests.
The authorization can be as simple as an internal memo or an e-mail from your boss when you perform these tests on your own systems. If you’re testing for a client, have a signed contract stating the client’s support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your Get Out of Jail Free card if anyone questions what you’re doing, or worse, if the authorities come calling. Don’t laugh — it wouldn’t be the first time it happened.
One slip can crash your systems — not necessarily what anyone wants. You need a detailed plan, but that doesn’t mean you need volumes of testing procedures to make things overly complex. A well-defined scope includes the following information:
Specific systems to be tested: When selecting systems to test, start with the most critical systems and processes or the ones you suspect are the most vulnerable. For instance, you can test server OS passwords, an Internet-facing Web application, or attempt social engineering attacks before drilling down into all your systems.
Risks involved: Have a contingency plan for your ethical hacking process in case something goes awry. What if you’re assessing your firewall or Web application and you take it down? This can cause system unavailability, which can reduce system performance or employee productivity. Even worse, it might cause loss of data integrity, loss of data itself, and even bad publicity. It’ll most certainly tick off a person or two and make you look bad.