
Delimiting an Ethical Hacking

The main problem an organization encounters when it needs to perform an
Ethical Hacking is establishing the boundaries of the engagement: what
exactly is going to be attacked, and when the work can be called finished.

Delimiting the scope of an Ethical Hacking by time is a common mistake.
When the engagement is measured solely by effort spent, there is no way to
know whether the hacking has actually covered the target, whether the
results are satisfactory, or whether it was simply a large waste of time
and resources that left the organization with no valuable knowledge.

There are two objects of evaluation in an Ethical Hacking: infrastructure
and applications. Either one can be evaluated in an already deployed
environment, or in the development environment by analyzing the source
code.

If what the organization wants is to identify vulnerabilities in its
applications (web/mobile) and web services, based on the needs and context
of the business and looking for the findings with the biggest business
impact, an Ethical Hacking of Applications should be done.

If what the organization wants is to detect security flaws directly in
development, identifying bad programming practices and intentional errors
in the source code that can affect the proper functioning of the system, a
Source Code Analysis should be done.


Finally, if what is needed are attacks on the infrastructure underlying
the systems (network services/OS), exploiting vulnerabilities specific to
the implemented technology, an Ethical Hacking of the Infrastructure
should be done.

Once the type of attack to be performed is decided, the Target of
Evaluation (ToE) has to be sized using one of three metrics, depending on
what is being evaluated:

  • Number of ports, if what is going to be evaluated is the
    infrastructure.

  • Number of input fields, if the target of the attack is the
    application.

  • Lines of code, if the risks associated with the development are to be
    determined.

Once these scopes are set and clear, the organization can be assured that
everything within that target will be attacked. This is the opposite of
delimitations based on execution time, typically filled with automated
tools that only exploit a small percentage of the vulnerabilities they
report.
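The three sizing metrics above are only useful if they are actually measured before the engagement starts. The following script is an added example (not Fluid Attacks' own tooling) showing one way to build such a ToE inventory: it counts open ports from an nmap grepable (-oG) scan, counts user-controllable fields in HTML forms, and counts physical lines of code in a source file. All inputs are constructed inline and the host addresses, page names and file paths are assumptions for the illustration.

```python
"""Target of Evaluation (ToE) inventory for the three scope metrics:
open ports (infrastructure), input fields (application), lines of code
(source code). Added example; sample inputs are constructed, not real."""
import re
from html.parser import HTMLParser

# Constructed nmap grepable (-oG) output for two assumed hosts.
NMAP_GREPABLE = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 10.0.0.6 ()\tPorts: 25/open/tcp//smtp///, 3306/filtered/tcp//mysql///
"""

# Constructed HTML for an assumed login page with two forms.
LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc">
  <input type="text" name="user">
  <input type="password" name="pass">
  <select name="lang"><option>en</option></select>
  <input type="submit" value="Sign in">
</form>
<form action="/search"><input name="q"><textarea name="notes"></textarea></form>
"""

# Constructed source file for the lines-of-code metric.
SAMPLE_SOURCE = '''\
# user lookup (constructed sample)
import sqlite3

def find_user(db, name):
    # parameterised query
    row = db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None
'''


def count_open_ports(grepable: str) -> dict[str, int]:
    """Return {host: number of open ports} from nmap -oG output.
    Only 'open' ports are counted: closed and filtered ports are not
    reachable attack surface, so they do not belong in the ToE."""
    counts: dict[str, int] = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports = m.groups()
        # each entry looks like "22/open/tcp//ssh///": field 1 is the state
        n = sum(1 for p in ports.split(",") if p.strip().split("/")[1] == "open")
        counts[host] = counts.get(host, 0) + n
    return counts


class InputFieldCounter(HTMLParser):
    """Count attacker-controllable form fields. Buttons are excluded because
    they carry no user-chosen value; hidden fields are included because a
    client can rewrite them freely before submitting."""
    NON_INPUT_TYPES = {"submit", "button", "reset", "image"}

    def __init__(self) -> None:
        super().__init__()
        self.fields = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("textarea", "select"):
            self.fields += 1
        elif tag == "input":
            kind = (dict(attrs).get("type") or "text").lower()
            if kind not in self.NON_INPUT_TYPES:
                self.fields += 1


def count_input_fields(html: str) -> int:
    parser = InputFieldCounter()
    parser.feed(html)
    parser.close()
    return parser.fields


def count_lines_of_code(source: str, comment_prefix: str = "#") -> int:
    """Physical lines of code: blank lines and whole-line comments are
    skipped, since they contain no logic for a hacker to exploit."""
    return sum(
        1 for line in source.splitlines()
        if line.strip() and not line.strip().startswith(comment_prefix)
    )


def build_toe(nmap_output: str, pages: dict[str, str], sources: dict[str, str]) -> dict:
    """Assemble the scope statement the engagement will be measured against."""
    return {
        "infrastructure": {"open_ports": count_open_ports(nmap_output)},
        "application": {"input_fields": {u: count_input_fields(h) for u, h in pages.items()}},
        "source_code": {"lines_of_code": {p: count_lines_of_code(s) for p, s in sources.items()}},
    }


if __name__ == "__main__":
    toe = build_toe(NMAP_GREPABLE, {"/login": LOGIN_PAGE}, {"app/users.py": SAMPLE_SOURCE})
    for kind, metrics in toe.items():
        print(kind, metrics)
```

The numbers this produces are what the engagement commits to: every open port, every counted field and every counted line is attacked, and the hacking ends when the inventory is exhausted rather than when a clock runs out.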

At Fluid Attacks, our value proposition goes hand in hand with meeting
the promised scope, never with time spent. Our Ethical Hacking is
finished only when we have evaluated the complete Target of Evaluation.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Gómez. Read the original post at: https://fluidattacks.com/blog/delimit-ethical-hacking/
