
7 Planning for a Controlled

TECHNOLOGISTS

A natural progression for many in the security field came from their experience with technology and implementing solutions in a secure manner. For some, this started early with their first installation of Windows, UNIX, or a router, and they gravitated to securing that system. These individuals have risen through the ranks of security by getting more involved with technology and security-specific applications. Firewalls are a good example where some evolved from installing routers or system gateways to integrating complex firewalls.

As technologists, security consultants continually grew while operating in the trenches of information warfare, gaining greater experience and exposure to technical solutions and their vulnerabilities. It is this community we normally see performing ethical hacking services. They have reached a point of technical expertise and security know-how that allows them to manipulate systems in ways others simply cannot comprehend.

Beyond what could be considered network technology excellence are the programmers and specialists. These are the resources that build and maintain secure applications or applications for use in the security industry. In addition, there are specialists in security technology, such as encryption and security protocols such as IPsec, who support the world of security through applied technology at its most fundamental level.

ARCHITECTS

There are security consultants who have moved away from technology, or never fully immersed themselves in technology, and focus on the business of security. Security consultants of this type work on the larger picture of security and are usually the authors of security policies and the minds behind comprehensive security architectures that are supported by the various security-related technologies.

Many architects may have begun their careers with technology, but were immediately drawn to the operational aspects of security. Although usually capable of providing high-level technical services, they are ordinarily not as astute in the inner workings of technical solutions and rely heavily on the technologists to implement what they have architected.

Fully comprehending the totality of security is imperative to establishing a strong security posture and a security program to support all aspects of security. Architects look to the big picture of security and seek out solutions to ensure security is addressed technically as well as operationally.

What is interesting to note is that over their careers many consultants swing back and forth between technology and the pragmatic aspects of security. Much of this is due to simply getting bored with what they are doing or finding interest in a particular technology or process. Both of these attributes are very important to ethical hacking because of the obvious technical nature and the need for understanding the overall effects on security that the test can have on a company.

ETHICS

An understanding of ethics involves learned behavior, problem solving, creativity, invention, awareness, and social structures, among other life attributes. In virtually every event in our lives, in our problems, opportunities, decisions, actions, and reactions, ethics make a difference. No matter how you interpret or comprehend your environment, real or potential, we operate within a world based on values and are forced to make determinations, some of which we’re totally unaware.

Information security requires a substantial amount of trust, an attribute based on a foundation of ethics. Security professionals are constantly provided sensitive information about a company and their systems to accomplish their task. The devolution of passwords, access information, internal architecture, policies, and processes is needed regularly to assist a company in strengthening its security posture. The entire process inherently places a great deal of trust in the consultant working with a customer. The assumption is that the information obtained by a consultant will result in less of a payoff and a greater risk to reputation if used for personal gain rather than simply working ethically within the margins of professionalism.

This section is simply to communicate what ethics a security consultant should follow and uphold to maintain a certain level of professionalism and to ensure the growth and trust of the industry as a whole. Several public security institutions have defined the ethics to be upheld to operate within the security community. The following list is a good basis for understanding what is and should be expected from people performing security services.

Perform Services in Accordance with the Law. There may be situations where a consultant is asked to perform or made aware of something illegal. In this situation it is necessary to abide by the laws society has created. Essentially, it is ethically correct and expected to operate within the boundaries of the law, regardless of personal interpretation.

Maintain Confidentiality. As alluded to above, security consultants are regularly exposed to proprietary information and ethically bound to protect that information. In addition, when in doubt of the level of protection, assume the highest form of protection: what is one man’s trash is another’s treasure.

Honesty. In addition to simple professionalism, given the sensitivity of interacting with proprietary information and all that it implies, honesty must be practiced to ensure continued trust.

Conflict of Interest. Everyone at some point in his or her career has been faced with professional conflict. Typically, this is associated with knowing certain information such that, if you were involved with another process, you might make determinations based on that information. This can not only lead to personal and professional conflicts but will test the ethical values one may have. Finally, this could have a negative impact on customers, related partners, and the company you work for, possibly damaging reputations and associations.

Intentional Acts. Clearly associated with ethics, intentionally harming or damaging the reputation of clients, employers, or colleagues is unacceptable behavior.

Ethics have an impact on the operational behavior of people, and when faced with an ethical “fork in the road” it is best to reference this, or a similar, list to provide basic direction when questioning one’s actions.