Developing Your Ethical Hacking Plan
As an ethical hacker, you must plan your ethical hacking efforts before you start. A detailed plan doesn't mean that your testing must be elaborate. It just means that you're very clear and concise on what's done. Given the seriousness of ethical hacking, make this as structured a process as possible.
Even if you're just testing a single Web application or workgroup of computers, it's critical to establish your goals, define and document the scope of what you'll be testing, determine your testing standard, and gather and familiarize yourself with the proper tools for the task. This chapter covers these steps to help you create a positive ethical hacking environment so you can set yourself up for success.
Getting Your Plan Approved
Getting approval for ethical hacking is critical. First, obtain project sponsorship. This approval can come from your manager, an executive, a customer, or yourself (if you're the boss). Otherwise, your testing may be canceled suddenly, or someone can deny authorizing the tests. There can even be legel consequences for unauthorized hacking. Always make sure that what you're doing is known and visible-at least to the decision-makers.
If you're an independent consultant or have a business with a team of ethical hackers, consider getting professional liability (also known as error and omissions) insurance from agent who specialized in business insurance coverage. This kind of insurance can be expensive, but it can be well worth it.
The authorization can be as simple as an internal memo from upper management if you're performing these tests on your own systems. If you're performing testing for a customer, you must have a signed contract in place, stating the customer's support and authorization. Get written approval as soon as possible to ensure that your time and effort are not wasted. This documentation is your security if anyone question what you're doing.
Establishing Your Goals
Your ethical hacking plan needs goals. The main goal of ethical hacking is to find vulnerabilities in your systems so you can make more secure. You can then take this a step further:
- Define more specific goals. Align these goal with business objective.
- Create a specific schedule with start and end dates. These dates are critical components of your overall plan.
Document everything, and involve upper management in this process. Your best ally in your ethical hacking effort is a manager who support what you're doing.
The following question can start the bell rolling:
- Does ethical hacking support the mission of the business and its IT and security department?
- What business goals are met by performing ethical hacking?
- Prepping for the internationally accepted security framework of ISO 17799 or a security seal such as SysTrust or WebTrust
- Meeting federal regulations
- improving the company's image
How will ethical hacking improve security, IT, and the general business?
What information are you protecting?
This could be intellectual property, confidential customer information, or private employee information.
How much money, time, and effort are you and your organization willing to spend on ethical hacking?
What specific deliverables will there be?Deliverables can include anything from high-level executive report to derailed technical report and write-ups on what you tested along with the outcomes of your tests. You can deliver specific information that is gleaned during your testing, such as passwords and other confidential information.
What specific outcomes do you want?Desired outcomes include the justification for hiring or outsourcing security personnel, increasing your security budget, or enhancing security systems.
People within your organization may attempt to keep you from performing your ethical hacking plans. The best antidote is education. Show how ethical hacking helps support the business in everyone's favor.
After you know your goals, document the steps to get there. For example, if one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answer to these question:
When will you start your ethical hacking?
Will your ethical hacking be blind, in which you know nothing about the systems you're testing, or a knowledge-based attack, in which you're given specific information about the systems you're testing such as IP addresses, hostname, and even usernames and passwords?
Will this testing be technical in nature or involve physical security assessments or even social engineering?
Will you be part of a larger ethical hacking team, often called a tiger team or red team?
Will you notify your customers of what you're doing? If so' how?Customer notification is a critical issue. Many customers appreciate that you're taking steps to protect their information. Approach the testing in a positive way. Don't say,"We're breaking into our systems to see what information of yours is vulnerable to hackers." Instead, you can say that you're assessing the overall security of your systems so the information is as secure as possible from the bad guys.
How will you notify customers that the organization is taking steps to enhance the security of their information?
What measurements can ensure that these effort are paying off?Establishing your goals takes time, but you won't regret it. These goals are your road map. If you have any concerns, refer to these goals to make sure that you stay on track.
No hay comentarios:
Publicar un comentario