Problem solve Get help with specific problems with your technologies, process and projects.

Ethical hacking techniques for standard penetration testing

Learn how to form a policy for standard penetration tests including getting written permission. Learn ethical hacking techniques.

I recently did a penetration test for one of our company's partners, only to find out that management had not obtained written permission from the partner for the test to be performed. The partner reported that they'd been hacked and now the companies are involved in litigation! I'll make sure that I have written permission in my hands every time from here on out, but what steps should I take to salvage my reputation as an ethical hacker?

There's nothing like accidently getting yourself involved in litigation. Sounds like you and your company have learned a valuable lesson about always having proper written authorization prior to conducting an assessment. There are a few things you should do initially: One is to talk with your company's management and lawyers to find out what documentation they need from you. This will likely include documenting what you were asked to do, what tests you ran and when. Be as cooperative as possible and quickly establish that you are a team player that has the best interest of the company in mind.

Next, create a process to be followed for any future penetration tests. This should obviously mandate a documented request from management as well as some sort of notice that you have been granted permission from all appropriate parties. After the test, this should include documentation of when and what tests were performed.

If your company is handling the situation well, management will support you in this process. If it becomes clear, however, that your company knew about the need for permission and chose to ignore it, you have an alternate option, which unfortunately is to quit. Sometimes the only way to protect your reputation is to separate yourself from the organization completely and find a new company to work with that respects ethical concerns. This is a drastic measure, but may be in your best interest in the end. And no potential employer worth its salt would hold this stance against you.


This was last published in November 2008

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.