Once the three questions have been answered, a security assessment plan is drawn up that identifies the systems to be tested, how they should be tested, and any limitations on that testing. Generally referred to as a “get out of jail free card,” the plan is a contractual agreement between the client and the ethical hackers. The agreement also protects the ethical hackers against prosecution, since much of what they do during the course of an assessment would be illegal in most countries without the client’s written authorization. It provides a clear description, usually in the form of network addresses or modem telephone numbers, of the systems to be assessed.
Accuracy at this point is of the utmost importance, since a slight mistake could lead to the assessment of the wrong system at the client’s installation or, in the worst case, the assessment of some other company’s system. Once the target systems are identified, the contract must define how they are to be tested. The most thorough assessment is done under a “no-holds-barred” approach, meaning that the ethical hackers may attempt anything they can think of to gain access to or disrupt the target systems. While this is the most realistic and useful form of testing, some clients balk at this level of testing.
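The scope-accuracy point above is worth enforcing mechanically rather than by eye. The following is an added example, not code from the cited essay or from any real engagement: it models the agreement as an allow-list of CIDR ranges plus explicit exclusions, and refuses to start until every proposed target has been matched against it. All addresses are constructed sample data drawn from the IANA documentation ranges, and the `allow`/`deny` file format is an assumption made for the example.

```python
"""Scope gate for a security assessment: refuse to touch any target that the
signed agreement did not list.  Added example, not from the cited essay.

The agreement is modelled as an allow-list of CIDR ranges plus an explicit
exclusion list (hosts the client carved out, e.g. a production mail server).
All addresses below are constructed sample data, not a real engagement.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    allowed: list = field(default_factory=list)   # ip_network objects
    excluded: list = field(default_factory=list)  # ip_network objects

    @classmethod
    def from_text(cls, text: str) -> "Scope":
        """Parse lines of the form 'allow 10.0.0.0/24' / 'deny 10.0.0.5'.
        (Assumed file format, chosen for this example.)"""
        scope = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop trailing comments
            if not line:
                continue
            verb, _, value = line.partition(" ")
            # strict=False accepts a host address with a mask, e.g. 10.0.1.20/24,
            # and a bare address becomes a /32 network
            net = ipaddress.ip_network(value.strip(), strict=False)
            if verb == "allow":
                scope.allowed.append(net)
            elif verb == "deny":
                scope.excluded.append(net)
            else:
                raise ValueError(f"unknown scope verb on line: {raw!r}")
        return scope

    def classify(self, target: str) -> str:
        """Return 'in-scope', 'excluded', or 'out-of-scope' for one address.
        Exclusions win over allows, so a carved-out host inside an allowed
        range is never tested."""
        ip = ipaddress.ip_address(target)
        if any(ip in net for net in self.excluded):
            return "excluded"
        if any(ip in net for net in self.allowed):
            return "in-scope"
        return "out-of-scope"


def check_targets(scope: Scope, targets):
    """Partition a proposed target list into the three buckets; nothing is
    tested until the out-of-scope bucket is empty."""
    result = {"in-scope": [], "excluded": [], "out-of-scope": []}
    for target in targets:
        result[scope.classify(target)].append(target)
    return result


# Constructed sample agreement (documentation ranges, not real client systems)
AGREEMENT = """
allow 192.0.2.0/24      # client DMZ
allow 198.51.100.16/28  # VPN concentrators (.16 through .31)
deny  192.0.2.10        # production mail server: client asked for no testing
"""

# Constructed target list as typed up by the tester.  The last two entries are
# the kind of slip the text warns about: one is just outside the agreed /28,
# the other is a different organisation's address block entirely.
PROPOSED_TARGETS = ["192.0.2.7", "192.0.2.10", "198.51.100.20",
                    "198.51.100.40", "203.0.113.7"]

if __name__ == "__main__":
    scope = Scope.from_text(AGREEMENT)
    buckets = check_targets(scope, PROPOSED_TARGETS)
    for kind, hosts in buckets.items():
        print(f"{kind:13s} {hosts}")
    if buckets["out-of-scope"]:
        raise SystemExit("refusing to start: out-of-scope targets present")
```

Running the script as written stops with a non-zero exit because two of the five proposed targets fall outside the agreement; the tester has to go back to the contract (or the client) and resolve them before any scanning begins, which is exactly the check the paragraph asks for.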
Clients balk for several reasons, the most common being that the target systems are “in production” and interference with their operation could harm the organization’s interests. The client should be made fully aware of the inherent risks, which include alarmed staff, accidental system crashes, denial of service, log-file size explosions, and degraded network or system performance. Some clients demand that as soon as the ethical hackers gain access to their network or to one of their systems, the assessment stop and the client be notified.
This practice should not be encouraged, because it prevents the client from learning everything the ethical hackers might discover about their systems. The timing of the assessment may also be important to the client, who may wish to avoid interference during regular working hours. While this constraint is not recommended, it reduces the accuracy of the assessment only somewhat, since most intruders do their work outside of the target’s regular working hours. In order for the client to receive a valid assessment, the client must be cautioned to limit prior knowledge of the test as much as possible (Khare, 2006).