Monday, January 21, 2008

What do Ethical Hackers do?

To evaluate the security of an information system, an ethical hacker seeks answers to three basic questions:
  1. What can an attacker see on the target system?
    This requires an ethical hacker to think "out of the box" and to be "creative". An attacker can exploit vulnerabilities that are overlooked in the normal, routine security checks performed by the system administrator. This corresponds to the reconnaissance and scanning phases.
  2. What can an attacker do with the available information?
    An ethical hacker tries to understand the intent and purpose of the potential exploit, so as to put appropriate countermeasures in place. This corresponds to the gaining access and maintaining access phases. An ethical hacker needs to think one step ahead of the attacker in order to provide sufficient protection.
  3. Are the attacker's attempts being noticed on the target system?
    Usually attackers lurk around a system before they actually wreak havoc. If the activities of an attacker go unnoticed, the attacker can spend weeks or months trying to break in. In order not to be noticed, attackers may cover their tracks by modifying log files or by installing trojan horses or back-doors. An ethical hacker needs to investigate whether these activities have been recorded and what preventive measures, if any, were taken. This not only gives him an indirect assessment of the attacker's proficiency, but also gives him insight into the security-related activities of the enterprise / system he is evaluating.
The entire process of ethical hacking and the subsequent patching of discovered vulnerabilities depends on questions such as:
  • What is the organization trying to protect, against whom or what, and how many resources is the organization willing to expend in order to gain that protection?
Sometimes, when such exercises are undertaken without a proper framework, the organization may call off the evaluation at the first instance of vulnerability reporting. This may be to ward off further discovery or to save resources. Therefore it is imperative that the ethical hacker and the organization work out a suitable framework beforehand.

The organization must be convinced of the need for the exercise. Usually the personnel concerned have to be guided to concisely describe all of the critical information assets whose loss could adversely affect the organization or its clients.

Last, but not least, the ethical hacker must remember that it is not possible to guard systems completely.
