Week 2

Source: Dev.to

Disclaimer

The tools and techniques discussed in this blog are strictly for educational purposes.

Testing Methodologies and Legalities

This week in the Ethical Hacking and Penetration Testing class, we focused heavily on the theory and legalities of penetration testing. Before actively breaking into systems, it is essential to understand the structural boundaries and the legal framework involved.

Roles in Security

• Ethical Hackers – Break into systems with permission to find weak links and report them so the organization can patch them.
• Hackers & Crackers – Access systems without authorization, often to steal or destroy data, which can lead to imprisonment.
• Script Kiddies – Inexperienced individuals who copy‑paste scripts and techniques without understanding the underlying code.

Engagement Types

• White Box – You are given the full network topology and have authorization to interview the IT staff.
• Black Box – You receive zero details, and the internal company staff may not even know the test is happening; you must find and map everything yourself.
• Gray Box – A hybrid approach where the client provides partial information to start the engagement.

Security Operations Teams

• Red Team – Acts as the attackers, performing tests without the knowledge of the IT staff, usually to reveal system defense capabilities.
• Blue Team – The internal team that defends the system and opposes the Red Team.

Legal Considerations

• Accessing a computer without explicit permission is illegal.
• In Indonesia, the UU ITE (Information and Electronic Transactions Law) governs these activities.
• Under Pasal 31, intercepting or wiretapping electronic information or documents in a system you do not own is a crime.
• Even seemingly harmless reconnaissance might be viewed as a violation depending on your ISP’s Acceptable Use Policy.

Golden Rule of Penetration Testing

Using a contract is good business practice, and you should have an attorney review your contract before signing it.