The Ethical Hacker’s Process
As an ethical hacker, you will follow a similar process to one that an attacker uses. The stages you progress through will map closely to those the hacker uses, but you will work with the permission of the company and will strive to "do no harm." By ethical hacking and assessing the organizations strengths and weaknesses, you will perform an important service in helping secure the organization. The ethical hacker plays a key role in the security process. The methodology used to secure an organization can be broken down into five key steps. Ethical hacking is addressed in the first:
- Assessment—Ethical hacking, penetration testing, and hands-on security tests.
- Policy Development—Development of policy based on the organization’s goals and mission. The focus should be on the organization’s critical assets.
- Implementation—The building of technical, operational, and managerial controls to secure key assets and data.
- Training—Employees need to be trained as to how to follow policy and how to configure key security controls, such as Intrusion Detection Systems (IDS) and firewalls.
- Audit—Auditing involves periodic reviews of the controls that have been put in place to provide good security. Regulations such as Health Insurance Portability and Accountability Act (HIPAA) specify that this should be done yearly.
All hacking basically follows the same six-step methodology discussed in the previous section: reconnaissance, scanning and enumeration, gaining access, escalation of privilege, maintaining access, and covering tracks and placing backdoors.
Is this all you need to know about methodologies? No, different organizations have developed diverse ways to address security testing. There are some basic variations you should be aware of. These include National Institute of Standards and Technology 800-42, Threat and Risk Assessment Working Guide, Operational Critical Threat, Asset, fand Vulnerability Evaluation, and Open Source Security Testing Methodology Manual. Each is discussed next.
National Institute of Standards and Technology (NIST)
The NIST 800-42 method of security assessment is broken down into four basic stages that include
NIST has developed many standards and practices for good security. This methodology is contained in NIST 800-42. This is just one of several documents available to help guide you through an assessment. Find out more at http://csrc.nist.gov/publications/nistpubs.
Threat and Risk Assessment Working Guide (TRAWG)
The Threat and Risk Assessment Working Guide provides guidance to individuals or teams carrying out a Threat and Risk Assessment (TRA) for an existing or proposed IT system. This document helps provide IT security guidance and helps the user determine which critical assets are most at risk within that system and develop recommendations for safeguards. Find out more at http://www.cse-cst.gc.ca/publications/gov-pubs/itsg/itsg04-e.html.
Operational Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
OCTAVE focuses on organizational risk and strategic, practice-related issues. OCTAVE is driven by operational risk and security practices. OCTAVE is self-directed by a small team of people from the organization’s operational, business units, and the IT department. The goal of OCTAVE is to get departments to work together to address the security needs of the organization. The team uses the experience of existing employees to define security, identify risks, and build a robust security strategy. Find out more at http://www.cert.org/octave.
Open Source Security Testing Methodology Manual (OSSTMM)
One well-known open sourced methodology is the OSSTMM. The OSSTMM divides security assessment into six key points known as sections. They are as follows:
- Physical Security
- Internet Security
- Information Security
- Wireless Security
- Communications Security
- Social Engineering
The OSSTMM gives metrics and guidelines as to how many man-hours a particular assessment will require. Anyone serious about learning more about security assessment should review this documentation. The OSSTMM outlines what to do before, during, and after a security test. Find out more at http://www.isecom.org/osstmm.