Every ethical hacking has rules of engagement, which defines how a ethical hack would be laid out, what methodology would be used, the start and end dates, the milestones, the goals of the penetration test, the liabilities and responsibilities, etc. All of them have to be mutually agreed upon by both the customer and the representative before the ethical hack is started.
Following are important requirements that are present in almost every rules of engagement
- A proper “permission to hack” and a “nondisclosure” agreement should be signed by both the parties.
- The scope of the engagement and what part of the organization must be tested.
- The project duration including both the start and the end date.
- The methodology to be used for conducting a ethical hack.
- The goals of a ethical hack.
- The allowed and disallowed techniques, whether denial-of-service testing should be performed or not.
- The liabilities and responsibilities, which are decided ahead of time. As a ethical hacker you might break into something that should not be accessible, causing a denial of service; also, you might access sensitive information such as credit cards. Therefore, the liabilities should be defined prior to the engagement.
- Never exceed the limits of your authorization. Every assignment will have rules of engagement. These not only include what you are authorized to target, but also the extent that you are authorized to control such system. If you are only authorized to obtain a prompt on the target system, downloading passwords and starting a crack on these passwords would be in excess of what you have been authorized to do.
- The tester should protect himself by setting up limitation as far as damage is concerned. There has to be an NDA between the client and the tester to protect them both.
- Be ethical That’s right; the big difference between a hacker and an ethical hacker is the word ethics. Ethics is a set of moral principles about what is correct or the right thing to do. Ethical standards are sometimes different from legal standards in that laws define what we must do, whereas ethics define what we should do.
- Maintain confidentiality During security evaluations, you will likely be exposed to many types of confidential information. You have both a legal and moral standard to treat this information with the utmost privacy.