One of the details you need to understand early and never forget is permission. As an ethical hacker you should never target a system or network that you do not own or have permission to test. If you do so, you are guilty of any number of crimes, which would be detrimental not only to your career but perhaps to your freedom as well. Before you test a target, you should have a contract in hand from the owner giving you permission to do so. Also remember that you should test only those things you have been contracted to test. If
the customer or client decides to add or remove items from the test, the contract must be altered to keep both parties out of legal trouble. Take special notice of the fact that ethical hackers operate with contracts in place between themselves and the target. Operating with- out permission is unethical; operating without a contract is downright stupid and illegal.
In addition, a contract must include verbiage that deals with the issue of confidentiality and privacy. It is possible that during a test you will encounter confidential information or develop an intimate knowledge of your client’s network. As part of your contract you will need to address whom you will be allowed to discuss your findings with and whom you will not. Generally clients will want you to discuss your findings only with them and no one else.
According to the International Council of Electronic Commerce Consultants (EC‐ Council) you, as a CEH, must keep private any confidential information gained in your professional work (in particular as it pertains to client lists and client personal informa- tion). You cannot collect, give, sell, or transfer any personal information (such as name, email address, Social Security number, or other unique identifier) to a third party without your client’s prior consent. Keep this in mind since a violation of this code could not only cause you to lose trust from a client but also land you in legal trouble.
Once ethical hackers have the necessary permissions and contracts in place, they
can engage in penetration testing, also known as pen testing. This is the structured and methodical means of investigating, uncovering, attacking, and reporting on the strengths and vulnerabilities of a target system. Under the right circumstances, pen testing can pro- vide a wealth of information that the owner of a system can use to plan and adjust defenses.
bad guys and good guys, or Hackers and Ethical Hackers
The difference between an ethical hacker and a hacker is something that can easily get you into an argument. Just saying the word hacker in the wrong place can get you into an hours‐long conversation of the history of hacking and how hackers are all good guys who mean nothing but the best for the world. Others will tell you that hackers are all evil and have nothing but bad intentions. In one case I was even told that hackers were originally model‐train enthusiasts who happened to like computers
You must understand that for us, hackers are separated by intentions. In our world- view hackers who intend to cause harm or who do not have permission for their activi- ties are considered black hats, whereas those who do have permission and whose activities are benign are white hats. Calling one side good and the other bad may be controversial, but in this book we will adhere to these terms:
Black Hats They do not have permission or authorization for their activities; typically their actions fall outside the law.
White Hats They have permission to perform their tasks. White hats never share information about a client with anyone other than that client.
Gray Hats These hackers cross into both offensive and defensive actions at different times.
Another type of hacker is the hacktivist. Hacktivism is any action that an attacker uses to push or promote a political agenda. Targets of hacktivists have included govern- ment agencies and large corporations.