
Thursday, November 13, 2008

Developing Your Ethical Hacking Plan

Getting Your Plan Approved
Getting approval for ethical hacking is critical. First, obtain project sponsorship.
This approval can come from your manager, an executive, a customer,
or yourself (if you’re the boss). Otherwise, your testing may be canceled suddenly,
or someone can deny authorizing the tests. There can even be legal
consequences for unauthorized hacking. Always make sure that what you’re
doing is known and visible — at least to the decision-makers. Chapter 20
outlines ten tips for getting upper management’s buy-in on your security
initiatives.
If you’re an independent consultant or have a business with a team of ethical
hackers, consider getting professional liability (also known as errors and
omissions) insurance from an agent who specializes in business insurance
coverage. This kind of insurance can be expensive, but it can be well worth it.
The authorization can be as simple as an internal memo from upper management
if you’re performing these tests on your own systems. If you’re performing
testing for a customer, you must have a signed contract in place, stating
the customer’s support and authorization. Get written approval as soon as
possible to ensure that your time and efforts are not wasted. This documentation
is your security if anyone questions what you’re doing.
Establishing Your Goals
Your ethical hacking plan needs goals. The main goal of ethical hacking is to
find vulnerabilities in your systems so you can make them more secure. You
can then take this a step further:
• Define more specific goals. Align these goals with your business objectives.
• Create a specific schedule with start and end dates. These dates are critical components of your overall plan.
Before you begin any ethical hacking, you absolutely, positively need everything in writing and signed off on.
Document everything, and involve upper management in this process. Your
best ally in your ethical hacking efforts is a manager who supports what
you’re doing.
The following questions can start the ball rolling:
• Does ethical hacking support the mission of the business and its IT and security departments?
• What business goals are met by performing ethical hacking?
  These goals may include the following:
    • Prepping for the internationally accepted security framework of ISO 17799 or a security seal such as SysTrust or WebTrust
    • Meeting federal regulations
    • Improving the company’s image
• How will ethical hacking improve security, IT, and the general business?
• What information are you protecting?
  This could be intellectual property, confidential customer information, or private employee information.
• How much money, time, and effort are you and your organization willing to spend on ethical hacking?
• What specific deliverables will there be?
  Deliverables can include anything from high-level executive reports to detailed technical reports and write-ups on what you tested along with the outcomes of your tests. You can deliver specific information that is gleaned during your testing, such as passwords and other confidential information.
• What specific outcomes do you want?
  Desired outcomes include the justification for hiring or outsourcing security personnel, increasing your security budget, or enhancing security systems.

People within your organization may attempt to keep you from performing your ethical hacking plans. The best antidote is education. Show how ethical hacking helps support the business in everyone’s favor.

After you know your goals, document the steps to get there. For example, if one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answers to these questions:
• When will you start your ethical hacking?
• Will your ethical hacking be blind, in which you know nothing about the systems you’re testing, or a knowledge-based attack, in which you’re given specific information about the systems you’re testing such as IP addresses, hostnames, and even usernames and passwords?
• Will this testing be technical in nature or involve physical security assessments or even social engineering?
• Will you be part of a larger ethical hacking team, often called a tiger team or red team?
• Will you notify your customers of what you’re doing? If so, how?
  Customer notification is a critical issue. Many customers appreciate that you’re taking steps to protect their information. Approach the testing in a positive way. Don’t say, “We’re breaking into our systems to see what information of yours is vulnerable to hackers.” Instead, you can say that you’re assessing the overall security of your systems so the information is as secure as possible from the bad guys.
• How will you notify customers that the organization is taking steps to enhance the security of their information?
• What measurements can ensure that these efforts are paying off?
