Ethical Hacker Commandments
Ethical hackers carry out the same attacks against computer systems, physical controls, and people that malicious hackers do. The ethical hacker commandments help keep you in line. An ethical hacker’s intent, however, is to highlight any associated weaknesses.
To ensure his or her hacking is truly ethical, every ethical hacker must abide by a few basic commandments.
If you don’t heed the following commandments, bad things can happen. These commandments are sometimes ignored or forgotten when planning or executing ethical hacking tests. The results weren’t positive — trust me.
The word ethical in this context means working with high professional morals and principles. Whether you’re performing ethical hacking tests against your own systems or for someone who has hired you, everything you do as an ethical hacker must be aboveboard and must support the company’s goals. No hidden agendas allowed! This also includes reporting all your findings regardless of whether or not it will create politic backlash.
Trustworthiness is the ultimate tenet. The misuse of information is absolutely forbidden. That’s what the bad guys do. Let them receive a fine or go to prison because of their poor choices.
Treat the information you gather with the utmost respect. All information you obtain during your testing — from web application flaws to clear text e-mail passwords to personally identifiable information and beyond — must be kept private. Don’t snoop into confidential corporate information or employees’ private lives. Nothing good can come of it.
Involve others in your process. Employ a watch-the-watcher system that can help build trust and support for your ethical hacking projects.
Avoid crashes of your systems
One of the biggest mistakes people make when trying to hack their own systems is inadvertently crashing the systems they’re trying to keep running. Poor planning is the main cause of this mistake. These testers often misunderstand the use and power of the security tools and techniques at their disposal.
Although it’s not likely, you can create DoS conditions on your systems when testing. Running too many tests too quickly can cause system lockups, data corruption, reboots, and more. This is especially true when testing websites and applications. Don’t rush and assume that a network or specific host can handle the beating that network tools and vulnerability scanners can dish out.
You can even accidentally create an account lockout or a system lockout condition by using vulnerability scanners or by socially engineering someone into changing a password, not realizing the consequences of your actions. Proceed with caution and common sense. It’s still better that you discover DoS weaknesses than someone else!
Many vulnerability scanners can control how many tests are performed on a system at the same time. These settings are especially handy when you need to run the tests on production systems during regular business hours. Don’t be afraid to throttle back your scans. It will take longer to complete your testing, but it can save you a lot of grief.