There are certain commandments that an ethical hacker lives by. Here are 10 of the main ones:
- You must set goals
If you plan to evaluate the security of an online system or network, you must first try to answer three questions:
- What information does a criminal hacker see when they look at the target network?
- Can the criminal hacker misuse that information?
- Is the target aware of any attempts to penetrate their system?
Part of the planning process of a hack involves goal setting. The goal does not have to be overly complicated. It could be as simple as getting information from a system, or maybe searching a wireless network for unauthorized access.
- You must plan ahead — always
Every hacker is bound by certain constraints. These could be time, money, or manpower. For this reason, you must learn how to plan your work in order to avoid veering off course. Your hacking plan should include:
- Identifying the networks that you will test.
- Determining the intervals of your tests.
- Clearly defining the testing procedure.
- Creating a plan that you can share with stakeholders.
- Getting the plan approved.
- You must get authorization
As an ethical hacker, you must obtain the necessary authorization before you attempt to hack an organization’s system. If you do not, be prepared to do some serious prison time! Make sure that the person whose system you are hacking gives you written permission. The document should show that you have been given the approval to test the system according to a pre-approved plan and that the organization will support you in case of any legal charges.
- You must be ethical
An ethical hacker is bound by the code of professionalism, confidentiality, and conscience. Make sure that you always stick to the plan that was previously approved and avoid adding any new details to it down the road. You are not to release or share the results of your security test with unauthorized persons both within and outside the organization. Any information you discover should be treated as sensitive and not disclosed to those who don’t need to know. It is also important to be aware of any local laws or governance regulations within the organization that relate to hacking. If the laws or regulations are against hacking, do not perform an ethical hack.
- You must maintain good records
Every ethical hacker worthy of that name must embody the attributes of diligence and patience. Hacking is a long and arduous task that involves plugging away over a keyboard for hours on end, not giving up until you reach your goal. Another professional aspect of ethical hacking is the maintenance of records, electronic or paper, to back up your discoveries. There are some basic rules that should be followed when it comes to record keeping:
- Note down every task performed.
- Log every piece of information directly.
- Always have a backup copy of the log.
- Note down every test performed, including the dates.
- Though some tests or tasks may not go as planned, ensure that you still keep accurate records.
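The five record-keeping rules above can be enforced mechanically. The script below is an added example written for this page, not code from the original article: it keeps an append-only engagement log in which every task is written immediately with a UTC timestamp, each entry is chained to the previous one with a SHA-256 hash (so a later edit to the log is detectable), and the file is mirrored to a backup after every write. The file paths, task names and host labels are constructed for illustration.

```python
"""Tamper-evident engagement log (added example, not from the original page).
Entries are JSON lines; each carries the hash of the previous entry so
verify_chain() can detect an altered or deleted record. Paths and the
sample tasks in demo() are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # chain anchor for the first entry (constructed value)


def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash the previous hash together with the entry's canonical JSON form."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EngagementLog:
    """Append-only JSON-lines log; every record links to its predecessor by hash."""

    def __init__(self, path, backup_path):
        self.path = Path(path)
        self.backup_path = Path(backup_path)
        self.path.touch()
        self.prev_hash = self._last_hash()

    def _last_hash(self) -> str:
        lines = self.path.read_text(encoding="utf-8").splitlines()
        return json.loads(lines[-1])["hash"] if lines else GENESIS

    def record(self, task: str, target: str, outcome: str) -> dict:
        """Write one task immediately, with the date (rules 1, 2 and 4)."""
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "task": task,
            "target": target,
            "outcome": outcome,  # recorded even when the task did not go to plan (rule 5)
            "prev_hash": self.prev_hash,
        }
        entry["hash"] = _entry_hash(self.prev_hash, entry)
        with self.path.open("a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self.prev_hash = entry["hash"]
        shutil.copyfile(self.path, self.backup_path)  # rule 3: always keep a backup copy
        return entry


def verify_chain(path) -> bool:
    """True if every entry's hash matches its content and links to the one before it."""
    prev = GENESIS
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        stored = entry.pop("hash")
        if entry["prev_hash"] != prev or _entry_hash(prev, entry) != stored:
            return False
        prev = stored
    return True


def demo() -> dict:
    """Log two constructed tasks, confirm the chain and backup, then show that
    editing an earlier entry breaks verification."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "engagement.jsonl")
    bak_path = os.path.join(workdir, "engagement.bak")
    log = EngagementLog(log_path, bak_path)
    first = log.record("confirm scope with stakeholders", "host-A (constructed)", "completed")
    second = log.record("approved test 1", "host-A (constructed)", "did not go as planned")
    chain_ok = verify_chain(log_path)
    backup_matches = Path(bak_path).read_bytes() == Path(log_path).read_bytes()
    # Simulate someone quietly rewriting the outcome of the first task.
    lines = Path(log_path).read_text(encoding="utf-8").splitlines()
    edited = json.loads(lines[0])
    edited["outcome"] = "completed without issues"
    lines[0] = json.dumps(edited, sort_keys=True)
    Path(log_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return {
        "linked": second["prev_hash"] == first["hash"],
        "chain_ok": chain_ok,
        "backup_matches": backup_matches,
        "tampered_detected": not verify_chain(log_path),
    }


if __name__ == "__main__":
    print(demo())
```

The backup written by `record()` is a plain copy, so if the working log is later altered the untouched copy still verifies and the two can be compared line by line; in practice the backup would live on separate storage.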
- You must protect confidential information
You are likely to come across a lot of personal and private information during your testing. It is important that you respect people’s privacy and treat every piece of information with confidentiality. Passwords, encryption keys, and other sensitive information must not be abused. Always treat other people’s personal or confidential information with the same respect you would want others to treat your own.
- You must not cause harm
Hacking actions often cause some kind of unforeseen damage. There are times when you may get excited about the job and the positive test results you are receiving, so you keep plugging away. However, you may accidentally cause some kind of outage or even interfere with another’s rights. This is why you should always have a plan and then commit to sticking to it. Be knowledgeable about the tools you are using, especially their implications. Choose your tools wisely and always read the documentation.
- Your process must always be empirical
If you want your test results to be accepted, you need to use a scientific process that is characterized by these features:
- Quantifiable goals: set a goal that you will be able to quantify. You can set task goals or time-related goals.
- Consistency and repeatability: every test that you perform must produce the same results. If they do not, then your results are inconsistent and probably invalid. If you repeat a test over and over, you should get the same results every time. Consistency and repeatability of tests are critical features of an empirical process.
- Permanence of results: the client you work for will value your test results more if you focus on fixing persistent problems for good, instead of solving temporary ones that may recur later on.
- You must not use any random tool
There are a lot of hacking tools in the market today. It is easy to be tempted to try them all out, probably since most of them are free. However, it is advisable to just focus on a few tools that you know are effective and you are familiar with.
- You must report all your findings
If you are hired to ethically hack a system, and the process takes longer than a week, you need to give your clients weekly status updates. It can be very unnerving to hire someone to test your system only for him or her to spend weeks without any kind of feedback. If you discover any high-risk weaknesses and vulnerabilities in the system during your tests, you need to report them to those concerned. The reports that you issue are what the client will use to determine how thorough and sincere you are in your work. A report will also help during analysis and critique of your results.
The 10 commandments explained above are very important for ethical hacking. There are times when your work may be criticized unfairly, but if you followed these commandments, you will easily be able to defend yourself. Finally, make sure that you do not leave out any results no matter how insignificant they may seem. You may not need to highlight them all in the summary of your report, but always ensure that they are explained in the detailed narrative. You do not want to sully your reputation as an ethical hacker by being accused of ineptitude and manipulation of results.