Question
Read the given information below the dotted lines and attempt to answer these questions:
How would you define Hacker, Cracker, Pen Tester?
What rules are the key to differentiating these categories?
Would you hire a Hacker as a Pen Tester? Why or why not?
Also, please consider commenting on at least one other student's response.
-------------
Important Terms
For our purposes, we will use the following terms ...
Hacking: exploring the functions and limits, both intended and unintended, of a [computing] system.
Cracking: an unauthorized attempt to circumvent security controls or break into an organisation's computing systems. The goals for this activity include financial gain, information, and notoriety. Crackers have no [external] time or technology constraints imposed on their actions.
Penetration Testing: an authorized attempt to circumvent controls or break into an organisation's computing systems. The goal for this activity is to prove a system's vulnerability in order to identify areas for improvement. There are normally limits placed on the time and methods used in such testing. Pen tests may be performed in-house or by contracting with a specialized service provider.
Why perform penetration tests?
Organisations may be required to by a governing body or industry organisation.
NIST SP800-53 (CA-8, for High-impact systems only) requires that an independent team perform regular assessments.
Reference: NIST SP800-53r4
FFIEC requires annual tests performed by an independent team.
Reference: FFIEC IT Examination Materials
Payment card industry's PCI-DSS certification requires annual tests by "qualified internal resource" as well as tests after any "significant infrastructure or application change."
PCI-DSS Penetration Testing Guidance
Reference: PCI-DSS v3.2 Standard
But Why?
Vulnerability assessments can identify potential weaknesses in an organisation's computer systems. Penetration tests, on the other hand, are used to demonstrate the potential impact to the organisation's current information through these vulnerabilities. What data can be accessed by unauthorized individuals? How can it be accessed? By knowing the answers to these two questions, we can make better choices about how to protect our information assets.
Reflect: What are the rules for attackers?
Consider the differences between hacking (as we define it) and penetration testing. What, if any, are the rules that apply in each type of activity? Take some time to consider this, then go to the Penetration Testing Forum in Moodle and share your thoughts.
Types of Penetration Tests
Not only must you decide what you wish to test (applications, infrastructure, people), but you must also decide how much information about the target(s) you will provide to the testers.
Return to Moodle and watch the VoiceThread on Penetration testing (so that you are automatically logged in).
You can find the VoiceThread under In-Class Activities/4 - Penetration Testing.
Next Class
Two ISA presentations (yay teams!). Remember to view their materials, posted in the ISA Forum.
Wireless networking - See the Class Prep Forum for more details.
Remember:
Take some time to reflect on the rules that govern hackers, crackers, and penetration testers. Be sure to share your thoughts in the Moodle Penetration Testing Forum.