Ethical hacking techniques for standard penetration testing

Ask the Expert

Ethical hacking techniques for standard penetration testing

I recently did a penetration test for one of our company's partners, only to find out that management had not obtained written permission from the partner for the test to be performed. The partner reported that they'd been hacked and now the companies are involved in litigation! I'll make sure that I have written permission in my hands every time from here on out, but what steps should I take to salvage my reputation as an ethical hacker?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

There's nothing like accidently getting yourself involved in litigation. Sounds like you and your company have learned a valuable lesson about always having proper written authorization prior to conducting an assessment. There are a few things you should do initially: One is to talk with your company's management and lawyers to find out what documentation they need from you. This will likely include documenting what you were asked to do, what tests you ran and when. Be as cooperative as possible and quickly establish that you are a team player that has the best interest of the company in mind.

Next, create a process to be followed for any future penetration tests. This should obviously mandate a documented request from management as well as some sort of notice that you have been granted permission from all appropriate parties. After the test, this should include documentation of when and what tests were performed.

If your company is handling the situation well, management will support you in this process. If it becomes clear, however, that your company knew about the need for permission and chose to ignore it, you have an alternate option, which unfortunately is to quit. Sometimes the only way to protect your reputation is to separate yourself from the organization completely and find a new company to work with that respects ethical concerns. This is a drastic measure, but may be in your best interest in the end. And no potential employer worth its salt would hold this stance against you.

More information:

This was first published in November 2008