PrepAway - Latest Free Exam Questions & Answers

Which of the following statements pertaining to ethical hacking is NOT true?

A.
An organization should use ethical hackers who do not sell auditing, hardware, software, firewall, hosting,
and/or networking services.

B.
Testing should be done remotely to simulate external threats.

C.
Ethical hacking should not involve writing to or modifying the target systems negatively.

D.
Ethical hackers never use tools that have the potential of affecting servers or services.

Explanation:
Ethical hackers should use tools that have the potential of affecting servers or services, because those are the
tools a malicious attacker would use, and a test that excludes them is not a valid security test.
The first step, before sending even a single packet to the target, is to have a signed agreement with clear rules
of engagement and a signed contract. The contract explains the associated risks to the client, and the client must
agree to them before any packet is sent to the target range. This way the client understands that some of the
tests could lead to an interruption of service or even crash a server, and the client signs to confirm that they are
aware of such risks and willing to accept them.
Incorrect Answers:
A: An organization should use ethical hackers who do not sell auditing, hardware, software, firewall, hosting,
and/or networking services. An ethical hacking firm’s independence can be questioned if they sell security
solutions at the same time as doing testing for the same client.
B: Testing should be done remotely to simulate external threats. A test that simulates an attacker coming from the
Internet is often one of the first tests performed, since it validates perimeter security. By performing tests
remotely, the ethical hacking firm emulates the attacker's approach more realistically.
C: Ethical hacking should not involve writing to or modifying the target systems negatively. Proving the ability to
write to or modify the target systems (without causing harm) is enough to demonstrate the existence of a
vulnerability.
Krutz, Ronald L. and Russell Dean Vines. The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security. John Wiley & Sons, New York, 2001, p. 520.
