What do ethical hackers do?
An ethical hacker’s evaluation of a system’s security seeks answers to three basic questions:
• What can an intruder see on the target systems?
• What can an intruder do with that information?
• Does anyone at the target notice the intruder’s attempts or successes?
While the first and second of these are clearly important, the third is even more important: if the owners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying, and will usually eventually succeed.
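As an added illustration of the third question (example code, not part of the original article): a small Python script that runs three detection rules over sshd-style authentication log lines. The log lines, hosts, users and timestamps are constructed for the example. The point it shows is that a burst-threshold rule catches a noisy brute-force attempt but misses the patient intruder described above, who spreads a handful of attempts over days; a second rule therefore aggregates failures over a long window, and a third flags a successful login that follows earlier failures from the same source.

```python
"""Added example: noticing intrusion attempts in authentication logs.

The lines below are constructed for this example; the format loosely follows
OpenSSH's sshd messages, but every host, user, PID and timestamp is invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 198.51.100.4 is a noisy burst;
# 203.0.113.7 probes slowly, one failure every few days, and finally succeeds.
SAMPLE_LOG = """\
2024-03-01T02:14:07 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
2024-03-01T09:30:11 sshd[1320]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
2024-03-04T03:02:55 sshd[1410]: Failed password for root from 203.0.113.7 port 40388 ssh2
2024-03-07T01:47:19 sshd[1522]: Failed password for invalid user oracle from 203.0.113.7 port 41001 ssh2
2024-03-07T10:00:01 sshd[1530]: Failed password for alice from 198.51.100.4 port 50001 ssh2
2024-03-07T10:00:02 sshd[1531]: Failed password for alice from 198.51.100.4 port 50002 ssh2
2024-03-07T10:00:03 sshd[1532]: Failed password for alice from 198.51.100.4 port 50003 ssh2
2024-03-07T10:00:04 sshd[1533]: Failed password for alice from 198.51.100.4 port 50004 ssh2
2024-03-07T10:00:05 sshd[1534]: Failed password for alice from 198.51.100.4 port 50005 ssh2
2024-03-10T04:21:40 sshd[1601]: Failed password for invalid user test from 203.0.113.7 port 41877 ssh2
2024-03-13T02:58:03 sshd[1700]: Failed password for invalid user backup from 203.0.113.7 port 42010 ssh2
2024-03-13T02:58:40 sshd[1701]: Accepted password for backup from 203.0.113.7 port 42011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, host) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["host"])


def burst_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Classic brute-force rule: >= threshold failures from one host inside a short window.

    Events must be in time order. This rule never fires for a host that spaces
    its attempts days apart, which is exactly the patient intruder's strategy.
    """
    recent = defaultdict(list)  # host -> timestamps of failures inside the window
    alerts = set()
    for ts, result, _user, host in events:
        if result != "Failed":
            continue
        times = recent[host]
        times.append(ts)
        while times and ts - times[0] > window:  # expire failures older than the window
            times.pop(0)
        if len(times) >= threshold:
            alerts.add(host)
    return alerts


def slow_probe_alerts(events, min_users=3, window=timedelta(days=30)):
    """Low-and-slow rule: one host fails against >= min_users distinct usernames
    within a long window, however far apart the individual attempts are."""
    failures = defaultdict(list)  # host -> [(timestamp, user), ...]
    for ts, result, user, host in events:
        if result == "Failed":
            failures[host].append((ts, user))
    alerts = set()
    for host, fails in failures.items():
        fails.sort()
        for i, (ts, _user) in enumerate(fails):
            users_in_window = {u for t, u in fails[: i + 1] if ts - t <= window}
            if len(users_in_window) >= min_users:
                alerts.add(host)
                break
    return alerts


def success_after_failures(events):
    """Flag the 'successes' half of the question: a host that logs in successfully
    after it has already produced failures. Events must be in time order."""
    hosts_with_failures = set()
    alerts = set()
    for _ts, result, _user, host in events:
        if result == "Failed":
            hosts_with_failures.add(host)
        elif host in hosts_with_failures:
            alerts.add(host)
    return alerts


def report(log_text):
    """Run all three rules over a log and return their findings by rule name."""
    events = list(parse(log_text))  # materialise once; each rule iterates it
    return {
        "burst": burst_alerts(events),
        "slow_probe": slow_probe_alerts(events),
        "success_after_failures": success_after_failures(events),
    }


if __name__ == "__main__":
    for rule, hosts in report(SAMPLE_LOG).items():
        print(f"{rule}: {sorted(hosts) or 'none'}")
```

Running the block on the constructed log shows the gap the text warns about: the burst rule reports only 198.51.100.4, while 203.0.113.7, which never trips it, is caught by the long-window rule and again by the success-after-failures rule. In a real deployment the window lengths and thresholds are tuning decisions, and the success rule should be combined with context (new source address, unusual hour) to keep false positives manageable.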
When the client requests an evaluation, there is quite a bit of discussion and paperwork that must be done up front. The discussion begins with the client’s answers to questions similar to those posed by Garfinkel and Spafford [13]:
1. What are you trying to protect?
2. What are you trying to protect against?
3. How much time, effort, and money are you willing to expend to obtain adequate protection?
A surprising number of clients have difficulty precisely answering the first question: a medical center might say “our patient information,” an engineering firm might answer “our new product designs,” and a Web retailer might answer “our customer database.” All of these answers fall short, since they only describe targets in a general way. The client usually has to be guided to succinctly describe all of the critical information assets whose loss could adversely affect the organization or its clients. These assets should also include secondary information sources, such as employee names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which this organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner’s system).