Which Systems Should You Ethically Hack?
You probably don’t want — or need — to hack and assess the security of all your systems at the same time. Assessing security of all your systems could be quite an undertaking and might lead to problems. It’s not recommended that you don’t eventually assess every computer and application you have.
You should break your ethical hacking projects into smaller chunks to make them more manageable. You might decide which systems to test based on a high-level risk analysis, answering questions such as
What are your most critical systems? Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?
Which systems appear most vulnerable to attack?
Which systems crash the most?
Which systems are not documented, are rarely administered, or are the ones you know the least about?
After you’ve established your overall goals, decide which systems to test. This step helps you define a scope for your ethical hacking so that you establish everyone’s expectations up front and better estimate the time and resources for the job.
The following list includes devices, systems, and applications that you may consider performing your hacking tests on:
Routers and switches
Wireless access points
Web, application, and database servers
E-mail and file servers
Mobile devices (such as phones and tablets) that store confidential information
Workstation and server operating systems
What specific systems you should test depends on several factors. If you have a small network, you can test everything. Consider testing just public-facing hosts such as e-mail and web servers and their associated applications. The ethical hacking process is flexible. Base these decisions on what makes the most business sense.
Start with the most vulnerable systems and consider these factors:
Where the computer or application resides on the network
Which operating system and application(s) the system runs
The amount or type of critical information stored on the system