Ethical hackers engage in sanctioned hacking—that is, hacking with permission from the system’s owner. In the world of ethical hacking, most tend to use the term pentester, which is short for penetration tester. Pentesters do just that: penetrate systems like a hacker but for benign purposes.
As an ethical hacker and future test candidate, you must become familiar with the lingo of the trade. Here are some of the terms you will encounter in pen testing:
Hack Value This term describes a target that may attract an above‐average level of attention from an attacker. Presumably because this target is attractive, it has more value to an attacker because of what it may contain.
Target of Evaluation A target of evaluation (TOE) is a system or resource that is being evaluated for vulnerabilities. A TOE would be specified in a contract with the client.
Attack This is the act of targeting and actively engaging a TOE.
Exploit This is a clearly defined way to breach the security of a system.
Zero Day This describes a threat or vulnerability that is unknown to developers and has not been addressed. It is considered a serious problem in many cases.
Security This is a state of well‐being in an environment where only actions that are defined are allowed.
Threat This is considered to be a potential violation of security.
Vulnerability This is a weakness in a system that can be attacked and used as an entry point into an environment.
Daisy Chaining This is the act of performing several hacking attacks in sequence with each building on or acting on the results of the previous action.
As an ethical hacker, you will be expected to take on the role and use the mind‐set and skills of an attacker to simulate a malicious attack. The idea is that ethical hackers understand both sides, the good and the bad, and use this knowledge to help their clients. By understanding both sides of the equation, you will be better prepared to defend yourself successfully. Here are some things to remember about being an ethical hacker:
You must have explicit permission in writing from the company being tested prior to starting any activity. Legally, the person or persons who must approve this activity or changes to the plan must be the owner of the company or their authorized representative. If the scope changes, you must update the contract to reflect those changes before performing the new tasks.
You will use the same tactics and strategies as malicious attackers.
You have the potential to cause the same harm that a malicious attack will cause and should always consider the effects of every action you carry out.
You must have knowledge of the target and the weaknesses it possesses.
You must have clearly defined rules of engagement prior to beginning your assigned job.
You must never reveal any information pertaining to a client to anyone but the client. If the client asks you to stop a test, do so immediately.
You must provide a report of your results and, if asked, a brief on any deficiencies found during a test.
You may be asked to work with the client to fix any problems that you find.
As I will discuss several times in this text, never accept a verbal agreement to expand test parameters. A verbal agreement has no record, and there is a chance of getting sued if something goes wrong and there’s no record.
Under the right circumstances and with proper planning and goals in mind, you can provide a wealth of valuable information to your target organization. Working with your client, you should analyze your results thoroughly and determine which areas need attention and which need none at all. Your client will determine the perfect balance of security versus convenience