Page 1237 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

and this report should be protected as sensitive information. The report will outline specific vulnerabilities and how these vulnerabilities can be exploited. It will often include recommendations on how to mitigate the vulnerabilities. If these results fall into the hands of attackers before the organization implements the recommendations, attackers can use details in the report to launch an attack.

It’s also important to realize that just because a penetration testing team makes a recommendation, it doesn’t mean the organization will implement the recommendation. Management has the choice of implementing a recommendation to mitigate a risk or accepting a risk if they decide the cost of the recommended control is not justified. In other words, a one-year-old report may outline a specific vulnerability that hasn’t been mitigated. This year-old report should be protected just as closely as a report completed yesterday.


Ethical Hacking


Ethical hacking is often used as another name for penetration testing. An ethical hacker is someone who understands network security and methods to breach security but does not use this knowledge for personal gain. Instead, an ethical hacker uses this knowledge to help organizations understand their vulnerabilities and take action to prevent malicious attacks. An ethical hacker will always stay within legal limits.


Chapter 14 mentions the technical difference between crackers, hackers, and attackers. The original definition of a hacker is a technology enthusiast who does not have malicious intent, whereas a cracker or attacker is malicious. The original meaning of the term hacker has become blurred because it is often used synonymously with attacker. In other words, most people view a hacker as an attacker, giving the impression that ethical hacking is a contradiction in terms. However, the term ethical hacking uses the term hacker in its original sense.

Ethical hackers will learn about and often use the same tools and techniques used by attackers. However, they do not use them to attack