All organisations hope that hackers fail. However, rising online crime statistics and the increase in the number of security breaches show that this is not the case. Hackers gain access by identifying vulnerabilities and exploiting them. Ethical hackers do the same, but report the results to their employers.
A successful hack achieved by carrying out the pen-tester's plan will reveal vulnerabilities or weaknesses in the defences. These must be conveyed to the organisation in a way that enables positive action to remove them.
The aim is to have a clear trail from reconnaissance, through planning and implementation, to recommendations. These recommendations may arise from weaknesses identified:
- In working procedures and practices that leave the organisation vulnerable to social engineering attacks and the installation of malware. This also includes weak authentication procedures and poor passwords.
- In out-of-date software that leaves the organisation vulnerable to exploits and payloads created to take advantage of known loopholes.
- In incorrectly configured hardware and software that leave open ports or vulnerable services exposed.
- In poor physical security that allows unauthorised access, or observation of password entry and other security measures.