The Process

The process for an ethical hacker is almost exactly the same as an attacker's, with a few caveats. An ethical hacker will always gain permission to work with a company's networks and will strive to “do no harm”.

Steps:
- Obtaining Permission - This involves obtaining written permission from a person authorized to give it.
- Performing Recon - Either active or passive
- Scanning - Port scanning and network mapping
- Gaining Access - This involves locating the entry point into the network or system
- Maintaining Access - This step includes maintaining control and privilege escalation
- Covering Tracks - Clearing logs and removing any evidence anyone was there
- Reporting - Writing reports and showing off findings

Hacking ethically and reporting your findings accurately will help secure the organization.

The methodology used to secure an organization is divided into 5 steps:
- Assessment - Ethical hacking, pen testing and hands-on security testing.
- Policy Development - Development of policy based on the organization’s goals and mission. The focus should always be the critical assets.
- Implementation - The building of technical, operational, and managerial controls to secure key assets and data.
- Training - Training employees to follow policy and to configure key security controls
- Auditing - Periodic reviews of the controls that have been put in place to provide good security. Regulations such as HIPAA specify this should be done once a year

Testing Methodologies

NIST SP 800-115

NIST has published many standards and practices for good security. The NIST SP 800-115 method of security assessment is divided into 4 basic stages:
- Planning
- Discovery
- Attack
- Reporting

OCTAVE: Operationally Critical Threat Asset and Vulnerability Evaluation

OCTAVE focuses on organizational risk and strategic practice-related issues. The goal of OCTAVE is to get all of the departments to work together to address the security needs of the company.

OSSTMM: Open Source Security Testing Methodology Manual

The OSSTMM divides security into 6 key sections:
- Defining a security test
- Data networks security testing
- Human security testing
- Physical security testing
- Telecommunications security testing
- Wireless security testing

OSSTMM gives metrics and guidelines for the specifics of each section. http://www.isecom.org/osstmm