3. The Adversary of Cybersecurity: Hackers 45

3.1.1 Ethical Hacking

Before focusing on black hat hackers, we will quickly examine some ways that white hat hackers hack for good, otherwise known as ethical hacking. There are three principles of ethical hacking: behaving ethically at all times, respecting the rights of all citizens, and obeying all applicable laws and authorities. This is a high bar for those who would engage in ethical hacking—the bar is high because the stakes are high. Ethical hacking is serious business. Ethical hackers must know the law and understand the legal authorities so that they can operate within the appropriate legal boundaries at all times. There is overlap between these three principles, but they have different emphases. Chapter 10 explores each area in detail. This section provides an overview of the four main types of ethical hackers: penetration testers, cyber warriors, law enforcement officials, and cybersecurity researchers.

3.1.1.1 Pentesters

Penetration testing (pentesting) is the active probing of the cybersecurity defenses of an organization for the purpose of improving security. Companies pay professional pentesters to hack them so that they can discover security weaknesses before the bad guys do. Pentesters must be vigilant in how they maneuver within an organization because they need to avoid creating harmful side effects from their testing. This is not easy because hacking sometimes involves uncertainty and trial and error. Therefore, it is important that pentesters be highly competent hackers. They need to minimize risks such as deleting important data or crashing computers. Pentesters must also be of high moral character. During their pentesting, they may observe sensitive information that needs to be kept confidential. Also, they need to be trustworthy enough to do their job thoroughly and to report their findings accurately.
Pentesters have opportunities to cross the line into unethical areas, and if they do, it is likely nobody would ever find out. Their character must be strong enough to safeguard them from these types of temptations.

Pentesters need to abide by important conditions that are codified in official documents that have legal standing. First, they must gain authorization. Gaining authorization is achieved by having an authorized party sign a permission memo before the pentest begins. Colloquially, this document is known as a “get out of jail free card.” A permission memo explicitly grants the pentesters authorization to hack the organization. If you ever consider engaging in pentesting, always remember: procuring proper permission prior to performing pentesting is paramount! Second, they must define the boundaries of the pentest. Boundaries are defined in agreements called the scope of work (SOW) and the rules of engagement (ROE). Boundaries include things like specific IP addresses, workstations, servers, and routers that are eligible to be pentested; the times, dates, and duration of the pentest; who will be performing the pentesting; and the types of attacks that are permitted. Lastly, they must maintain confidentiality. Pentesters sign documents
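The boundaries described above (eligible IP ranges, test window, permitted attack types) are the kind of thing a pentest team should enforce mechanically before any tool is run. The following scope checker is an added example, not from the book; the ROE values, hosts, and timestamps in it are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass
class RulesOfEngagement:
    """Boundaries from a SOW/ROE: eligible hosts, test window, permitted tests."""
    in_scope: list          # CIDR strings the permission memo covers
    excluded: list          # hosts carved out of scope (e.g. a production database)
    window_start: datetime  # authorization begins
    window_end: datetime    # authorization expires
    permitted_tests: set    # attack classes the ROE allows
    networks: list = field(init=False)
    exclusions: list = field(init=False)

    def __post_init__(self):
        self.networks = [ip_network(n) for n in self.in_scope]
        self.exclusions = [ip_network(n) for n in self.excluded]

    def check(self, target: str, test_type: str, when: datetime) -> tuple:
        """Return (allowed, reason); each reason names the ROE boundary that applies."""
        addr = ip_address(target)
        if any(addr in net for net in self.exclusions):
            return False, f"{target} is explicitly excluded from scope"
        if not any(addr in net for net in self.networks):
            return False, f"{target} is not in an authorized IP range"
        if not self.window_start <= when <= self.window_end:
            return False, "outside the agreed test window"
        if test_type not in self.permitted_tests:
            return False, f"{test_type!r} is not a permitted test type"
        return True, "in scope"

# Constructed sample ROE and timestamps (placeholder values, not a real engagement)
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/16", "192.0.2.0/24"],
    excluded=["10.20.5.10/32"],
    window_start=datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 17, 0, tzinfo=timezone.utc),
    permitted_tests={"port_scan", "web_app", "password_audit"},
)
DURING_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for target, kind in [("10.20.1.7", "port_scan"), ("10.20.5.10", "port_scan"),
                         ("203.0.113.9", "web_app"), ("192.0.2.4", "dos")]:
        print(target, kind, SAMPLE_ROE.check(target, kind, DURING_WINDOW))
```

Exclusions are checked before inclusions so that a carve-out always wins over a broad CIDR block, and each refusal states which ROE boundary was hit so the decision can be logged for the engagement record.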