Chapter 1: Ethics of of Ethical Hacking
11
To the novice, this sounds like an open and shut case and an easy stroll into net-
work utopia where all of the scary entities can be kept out. This false utopia, unfortu-
PART I
nately, is created by not understanding the complexity of information security. The
problem with just depending upon this large pile of printouts is that it was generated
by an automated tool that has a hard time putting its findings into the proper context
of the given environment. For example, several of these tools provide an alert of “High”
for vulnerabilities that do not have a highly probable threat associated with them. The
tools also cannot understand how a small, seemingly insignificant, vulnerability can be
used in a large orchestrated attack.
Vulnerability assessments are great for identifying the foundational security issues
within an environment, but many times, it takes an ethical hacker to really test and
qualify the level of risk specific vulnerabilities pose.
Penetration Testing
A penetration test is when ethical hackers do their magic. They can test many of the vul-
nerabilities identified during the vulnerability assessment to quantify the actual threat
and risk posed by the vulnerability.
When ethical hackers are carrying out a penetration test, their ultimate goal is usu-
ally to break into a system and hop from system to system until they “own” the domain
or environment. They own the domain or environment when they either have root
privileges on the most critical Unix or Linux system or own the domain administrator
account that can access and control all of the resources on the network. They do this to
show the customer (company) what an actual attacker can do under the circumstances
and current security posture of the network.
Many times, while the ethical hacker is carrying out her procedures to gain total
control of the network, she will pick up significant trophies along the way. These tro-
phies can include the CEO’s passwords, company trade-secret documentation, admin-
istrative passwords to all border routers, documents marked “confidential” held on the
CFO’s and CIO’s laptops, or the combination to the company vault. The reason these
trophies are collected along the way is so the decision makers understand the ramifica-
tions of these vulnerabilities. A security professional can go on for hours to the CEO,
CIO, or COO about services, open ports, misconfigurations, and hacker potential with-
out making a point that this audience would understand or care about. But as soon as
you show the CFO his next year’s projections, or show the CIO all of the blueprints to
the next year’s product line, or tell the CEO that his password is “IAmWearingPanties,”
they will all want to learn more about the importance of a firewall and other counter-
measures that should be put into place.
CAUTION No security professional should ever try to embarrass a customer
or make them feel inadequate for their lack of security. This is why the security
professional has been invited into the environment. He is a guest and is there
to help solve the problem, not point fingers. Also, in most cases, any sensitive
data should not be read by the penetration team because of the possibilities
of future lawsuits pertaining to the use of confidential information.
