Question

Security and Network Discussion Questions

a) Discuss the pros and cons of an organization regularly engaging in penetration testing.

+

b) What are the motivations of the ethical hacker?

Answer 1

Penetration Tests
Penetration testing, often referred to as “pentesting” or “ethical hacking,” mimics a real-world attacker attempting to access systems and data. The penetration test identifies vulnerabilities and combines or “chains” them together to obtain unauthorized access to sensitive data or administrative control of systems housing sensitive information. Penetration testing typically uses vulnerability scanning software as well as other service-specific tools to efficiently get a picture of a company’s fundamental security in the allotted test time and to identify attack Information Security Manager's point of view

• It's expensive.

·       For most of organizations it's once per year exercise.

·       It’s non repeatable (another tester can provide different findings).

·       Pentest is disruptive for ICT systems (performance issues; attempts for DOS/DDOS attacks or even simple port scan can break systems).

·       Attempts for testing by Social engineering can destroy the trust and decrease the morale in your organization

·       Pentest is disruptive for your ICT department - numerous service calls, enormous amount of logs for review etc.
PROS:

• You can test your incident response procedures (and even DR if you are unlucky).
• .It’s independent third party review - it will allow you to check the quality of work for your Information Security Team (and correctness of configuration for your vulnerability scanner).
• It’s a good opportunity to raise the importance of Information Security for company’s top management.
• Clean report will add credibility of your company for clients.
• The pentest can identify some vulnerabilities missed by your vulnerability scanner.

Ethical Hacking Pros and Cons

The advantage of ethical hacking is that it supports business efforts to gain more comprehensive knowledge about the organization’s IT security. Through ethical hacking, the organization identifies security vulnerabilities and risks. This knowledge helps improve organizational efforts to strengthen security measures.

However, the main disadvantage of ethical hacking is that it presents risks of information disclosure. As an outsider, the ethical hacker could intentionally or unintentionally disclose the company’s confidential information to other parties.

Dangers of Penetration Testing

Like we had said at the beginning, penetration testing does generate some controversy and not all parties are unanimous about its cost vs. benefit. There are a couple of things to consider before you make the leap and financial outlay of having a test performed.

Legal Risks of Ethical Hacking

The legal risks of ethical hacking include lawsuits due to disclosure of personal or confidential information. Such disclosure can lead to a legal battle involving the organization and the ethical hacker. It is very easy for ethical hacking to result in a legal battle if it is not performed properly. It is also possible for the ethical hacker to commit errors to the point that the organization’s profitability is negatively affected.

Hacker facing problems

Gone are the days of home basement-organized hacking operations led by thrill-seeking teenagers and college students. Since the mid-2000s, cyber attacks have become wildly more sophisticated and pervasive. In the last five years high-profile attacks have violated the networks of major companies, stealing their customers’ social security numbers, credit card data, and medical information.

• Financial gain
• Ideology/politics
• Entertainments
• Cyber protection your computer

In such a case, the organization could sue the ethical hacker for failing to perform properly. The ethical hacker could be at legal risk if proper care and precaution are not seriously taken. To address these legal issues, it is imperative for the ethical hacker to always perform his job defensively to minimize compromising the client’s system or network. Defensive performance emphasizes prevention and extra caution in ethical hacking.