Any security evaluation involves three phases: preparation, conduct and conclusion.
- Preparation
In this phase, a formal contract is signed. It contains a non-disclosure clause as well as a legal clause that protects the ethical hacker against any prosecution he might otherwise attract during the conduct phase. The contract also defines the perimeter of the infrastructure in scope, the evaluation activities, the time schedule and the resources made available to him.
During this phase, the ethical hacker should discuss with the organization what it is trying to protect, against whom, and at what cost. After this discussion a security plan is prepared. It identifies the systems that are to be tested for vulnerabilities, how the testing will be carried out (the methodology) and what restrictions apply (the limitations the tester will face).
While it is theoretically possible to say that the testing strategy should follow a "no-holds-barred" approach, in practice this is not usually the case. Such an approach is nevertheless encouraged, because it gives the ethical hacker the chance to gain maximum access and so shows what a real attacker could achieve.
- Conduct
In this phase the testing itself takes place: the potential vulnerabilities are probed and the technical findings that go into the evaluation report are collected.
There are several methods for carrying out ethical hacking, but the two most used approaches are the limited vulnerability analysis and the attack and penetration test. A limited vulnerability analysis enumerates the specific entry points into the organization's information system from the internet, as well as the visibility of mission-critical systems and data from a connection on the internal network. Once found, the potential entry points and mission-critical systems are checked for known vulnerabilities. This checking uses standard connection techniques (connecting to each service the way an ordinary client would and examining what it exposes) rather than relying solely on vulnerability scanners.
In an attack and penetration test, discovery scans are first conducted to gain as much information as possible about the target systems. As with a limited vulnerability analysis, the scan can be conducted from both the internet and the internal-network perspective. The difference is that the testing is not limited to scanning alone: it goes a step further and tries to exploit the vulnerabilities found. This is what makes it a realistic simulation of the threat to data security.
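The discovery step shared by both approaches can be illustrated with a small enumeration script. The following is an added example, not code from the original post: it performs a plain TCP connect probe and passive banner read against a set of ports (the "standard connection technique" above, as opposed to a scanner plugin), then classifies each open port against the list of services the organization agreed should be reachable, so that any unplanned entry point is flagged for the report. To run offline it starts its own local listeners as stand-ins for target services; the service names and banners (`ExampleServer`, `example-ftp`) are constructed and do not refer to any real product.

```python
import socket
import threading


def start_fake_service(banner: bytes):
    """Constructed stand-in for a target service: a local TCP listener that
    greets each client with a fixed banner, then closes. It exists only so
    the probe below has something to talk to offline. Returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed, stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def closed_local_port() -> int:
    """Reserve a free port and release it again, so it is known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 1.0) -> dict:
    """Plain TCP connect probe followed by a passive banner read.

    This is the same three-way handshake any legitimate client performs;
    nothing is sent to the service, only what it volunteers is recorded."""
    result = {"port": port, "open": False, "banner": ""}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                 # refused, filtered (timeout) or unreachable
            return result
        result["open"] = True
        try:
            result["banner"] = s.recv(256).decode("ascii", "replace").strip()
        except OSError:                 # service waits for the client to speak first
            pass
    return result


def enumerate_entry_points(host: str, ports, expected_ports, timeout: float = 1.0):
    """Probe each port and classify the open ones against the agreed baseline.

    `expected_ports` holds the services the organization says should be
    reachable; anything else that answers is an entry point nobody planned
    for and is marked 'unexpected' for follow-up in the report."""
    findings = []
    for port in ports:
        r = probe_port(host, port, timeout)
        if not r["open"]:
            continue
        r["status"] = "expected" if port in expected_ports else "unexpected"
        findings.append(r)
    return findings


if __name__ == "__main__":
    # Demo against two constructed local services and one port known to be closed.
    ssh_port, ssh_srv = start_fake_service(b"SSH-2.0-ExampleServer\r\n")
    ftp_port, ftp_srv = start_fake_service(b"220 example-ftp ready\r\n")
    dead_port = closed_local_port()
    scope = {ssh_port}                  # only the SSH-like service is in the baseline
    for f in enumerate_entry_points("127.0.0.1", [ssh_port, ftp_port, dead_port], scope):
        print(f"{f['port']:5d}  {f['status']:10s}  {f['banner']}")
    ssh_srv.close()
    ftp_srv.close()
```

Against real targets the port list and the baseline come from the scope agreed in the preparation phase, and the probe is deliberately read-only: a banner that reveals a product and version is enough to look it up against known vulnerabilities, which is as far as a limited vulnerability analysis goes, while an attack and penetration test would continue from here and attempt exploitation.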
Clients usually prefer a limited vulnerability analysis because they do not want to risk loss of data or any other damage.
It should be communicated to the organization that there are inherent risks in undertaking an ethical hack. These can include alarmed staff, unintentional system crashes, degraded network and system performance, denial of service, and log files growing far beyond their usual size. One way to minimize this risk is to conduct the test after office hours or on holidays. The organization should also provide a contact within the organization who can respond to calls from the ethical hackers if a system or network appears to be adversely affected by the evaluation, or if an extremely dangerous vulnerability is found that should be corrected immediately. While conducting an evaluation, ethical hackers may come across security holes that cannot be fixed within the predetermined time frame. The ethical hacker must therefore communicate to the client the urgency of corrective action, which may extend beyond the end of the evaluation. If a system administrator postpones the evaluation of a system until a few days or weeks before it needs to go online again, no ethical hacker can provide a really complete evaluation or see potentially immense security problems corrected in time. This must be taken into account during the preparation phase.
- Conclusion
In this phase, the results of the evaluation are communicated to the organization, and corrective action is taken or advice given where needed.