Professional Documents
Culture Documents
There are several different means that can be used to misrepresent a penetration test.You can misrepresent yourself and claim to possess adequate
experience to perform the test, when in fact you do not.You can do a partial penetration test and pass it off as a complete test. Finally, using free tools
to perform a penetration test that is questionable in its effectiveness and failing to check the facts is another form of misrepresentation.
Misrepresentation occurs whenever you do not fulfill the obligations and expectations of the client.Your client is expecting the best from you to help
protect their system from attack.
Misrepresenting Yourself
It is important that qualified personnel conduct penetration tests. This being said, it is up to the hiring company to determine the criteria for
qualification, assuming that the applicants do not misrepresent themselves in any manner. If the hiring company wants to hire someone with very
little experience, that is entirely their prerogative. Since this is a former client, you probably know why they are requesting an ethical hack and can
determine whether you and possibly a better-educated contractor can meet their needs.
Vulnerability Scanners
The client often sets the timeframe, and for business reasons may reduce this period of time. It may or may not be ethical tostill charge for a full
penetration test, depending on the exact circumstances of the situation and the communications between the penetration tester and the client.
However, if you have the time required to do a full penetration test and only perform a vulnerability scan, you have ventured out of reasonable ethical
boundaries.
Because all systems are vulnerable, communicating absolute security of information systems as a result of a penetration testis a mistake. Is it a moral mistake? It is if your client believes you. All penetration tests are
only good for the exact configuration that was tested. New vulnerabilities are being discovered every week and there is alsothe problem of the “zero day” attack, where the exploit exists and the attacker knows how to
use it, but it is not yet known to the security community.
Both points of view indicate that it is best to communicate penetration test results and remediation strategies as quickly aspossible to protect your client from unnecessary attack. You should provide remediation
information, if you have it, whether you charge extra money for such results or not. Keep in mind that almost anyone can acquire a recipe for a cake, but not everyone can bake the cake. Give them the remediation
recipe and if their system administrators cannot fix the problems, your client can pay you to do the job. Be careful when bidding on the job; remediation is a manual process and can be complex and time consuming.
It is a personal choice if you wish to go above and beyond the scope of the job you are there to perform. If the company doestheir homework prior to hiring you, they will know that your piece of the puzzle is one part of
the overall perspective. Nevertheless, you may decide to make sure the company knows this and communicate how the penetrationtest fits into overall corporate security. This may bring in more work for you in the
long run.
This example illustrates the primary difference between a vulnerability test and a penetration test. The expectations on thepart of the tester must be different because the penetration test seeks to exploit system
weaknesses. The vulnerability test attempts to detect the presence of vulnerabilities, but not actually penetrate security openings. Either approach can break a system or a network, everyone in this field has a dozen, “I
was running the test when the phone rang, it turned out I broke the ….” stories. The client must expect that penetration testing is a highly intrusive process that has the potential to result in destruction to the system
under the testing regiment. However, a qualified penetration tester must be able to control to some degree the flow of the test so that it is not overly destructive. This is not any easy job. When a tester utilizes
thirdparty tools, there is always the risk of not being able to control those tools in a vulnerable penetration environment. You must us e special care when using third-party tools in the production environment or on a
system that directly affects the other clients or business partnerships. Before you ever put yourself in such a situation make sure the rules of engagement, what is permissible and what is not, are clearly stated.
Testing Non-clients
It is quite common for penetration testers and wannabes to perform penetration tests to varying degrees on potential clients.This occurs when the penetration tester pokes
around a potential client’s Web site looking for vulnerabilities.They then take the results of the modified penetration test and present them to the prospective client.This is a
form of self-promotion and marketing that they hope will inspire the client to hire them to perform a full penetration test.
On some occasions, penetration testers will provide limited results of the penetration test because they intend to chargeadditional money for each set of results. When it comes
to information security, how much of a role should marketing play in the ethics of penetration testing work.
Overstating Problems
Ethics are always a question when you do not provide exact information in response to a penetration test. The only marginallyacceptable time to exaggerate information is if the
client requires that type of communication to address the vulnerability at all. If you communicate that it is a minor security problem, they may not address the issue. However, a
minor vulnerability can quickly turn into a major one.
Privacy Complaints
This is a huge topic of debate right now. A satisfactory common ground is nowhere in sight at this point.
Determining which is more important, national security or individual privacy, an impossible. The only right answer
is that they both are critical. That being the case, we must determine how to balance the two so that neither is
compromised.
Tracking Private Information
The privacy of customer information and activities contains loaded ethical issues. This section addresses customer privacy inrelation to such ethical matters as the use of radio
frequency ID’s for marketing, using private information about customers, respect for customer privacy, and defaultcookies..As a general rule, all technology related to
communication leads to the exposure of private information. In general, as consumers we cannot avoid the use of communications technology, so the ethical responsibility falls
on the shoulders of the collector of the information.
Default Cookies
Determining whether cookies are an invasion of personal privacy or a necessity for Internet shopping is all in the use. Cookies that gather information about people unrelated to
their services, border on attacks of personal privacy. Cookies that have a simple function are positive. It all depends on their purpose.
Surveillance
Cameras and other types of recording and monitoring devices are found nearly everywhere in the public and in private homes.They are in almost all stores to detect
shoplifting.You will find them in elevators, police cars, traffic lights, parking lots,ATM’s, personal security systems to name just a few.There are even Webcams setup in public
parks and landmarks for Web sites. Everyone is under the surveillance monitor when going into town. Many people have home surveillance systems as well, which monitor their
driveways, child-care providers, and even their children.
Video Surveillance
There is a necessity for some level of security surveillance where theft and violence may occur. However, personal privacy isimportant and the rules governing the use and
storage of such video need to be taken into account.
GPS
We have already entered the age where technology can identify people wherever they are. For example, people who use debit cards and credit cards leave a trail behind them.
Cellular technology utilizing GPS is simply real-time trails. Many people may not like it, but we have gone too far to stop it.
Activity Monitoring
The strength of communication monitors and Webcams in the workplace is that they can
determine whether employees are performing illegal activities or putting the organization at risk.
In certain industries, such as the financial industry, this is absolutely necessary. Communications
and visual monitoring may also motivate personnel to work harder knowing that they are under
surveillance. However, as we see in this example, close monitoring of employees complicates the
work environment. Senior management probably made the best ethical decision they could
under the circumstances. Alcohol and corporate secrets do not mix well. The angry employee
should probably watch her step for a while.
Workplace Privacy
Accuracy and Privacy
Constantly monitoring everything an employee does is a direct invasion of their privacy unless you have good reason to monitor their activities, such as you suspect them of committing a crime. If
a business decides they must monitor their employees, they should implement a process whereby the employees have a chance todefend themselves against the data collected against them. Do
not presume the data is correct and draw conclusions from there.
One of the most important aspects of handling private information is the individual’s right to information about themselves. Individuals must have the right to inspect this information and debate
any inaccuracies.This is to protect the individual from walking blindly into circumstances of erroneous information collection.Another positive point of making personal information available to
the individual is to identify how that information is obtained and be certain all means utilized are ethical.
With the advent of the WWW comes the intrusion of personal privacy through Web sites. Interference of personal privacy comesin the form of hostile Web sites, questionable
Web links, misleading Web sites, java trapping, and pop-up windows.This section addresses the ethical concerns of these issues.
Java Trapping
Java trapping is an obnoxious technology. You would be hard pressed to find someone who would disagree with this statement. However, deeming whether it is unethical is
another matter. Advertising in all forms can be quite intrusive. Is the Web any different? Some may say yes, others no. Thatis up to you to decide..
Pop-ups
Pop-ups annoy everyone, especially if a company trying to sell you a product that will stop pop-ups generates them. Most would consider this manner of marketing unethical.
There is a line that should not be crossed in advertising. This issue crosses it.
Internet Forums and Personal Privacy
The creation of Internet forums has generated additional privacy concerns for users of the WWW. Internet forums are on-line communities where Web
users can post questions or communications about a subject. Forums are used to facilitate discussions online.The down side of Internet forums is
misuse. Sometimes forums are used for self-promotion, advertising, or petty arguments.This section addresses the ethical misuse of Internet forums
such as Web forums as marketing tools, forums and privacy risk, and hacker forums that provide keys to software codes.
Pretexting is the process of collecting data about a person using false pretenses. The way it works is
that an investigator calls the family members or coworkers of a person under the umbrella of some
official purpose such as job screening for security or to say that they are a sweepstakes winner or are
due an insurance payment.The coworkers and family of the victim are fooled and provide the personal
data requested about the victim.
Pretexting Calls
You may not have provided enough information to do serious damage, but any information is power in
the hands of a cyber stalker.