DEV Community

Timothy Imanuel
Timothy Imanuel

Posted on

Week 2

#cybersecurity #devjournal #infosec #testing

Week 02: Testing Methodologies and the Rules of Engagement

Disclaimer: The tools and techniques discussed in this blog are strictly for educational purposes.

This week in the Ethical Hacking and Penetration Testing class, we focused heavily on the theory and legalities of penetration testing. Before we start actively breaking into systems, we need to understand the structural boundaries and the legalities involved

The Types of Hackers

The industry separates security personnel and attackers into a few distinct buckets:
Ethical Hackers: break into systems with permission to find the weak links and report them so the organization can patch them.
Hackers & Crackers: These are individuals accessing systems without authorization, often to steal or destroy data, which is a fast track to prison.
Script Kiddies: Young, inexperienced amateurs who just copy and paste scripts and techniques without actually understanding the underlying cod.

Penetration Testing Models

When executing a real-world test, your approach depends entirely on how much information the client gives you upfront.
White Box: You are given the full network topology and have authorization to interview the IT staff.
Black Box: You get zero details, and the internal company staff doesn't even know the test is happening. [cite_start]You have to find and map everything yourself.
Gray Box: A hybrid approach where the client provides you with partial information to start the engagement.

Red Team vs. Blue Team

Security operations are usually split into two opposing sides.
Red Team: Acts as the attackers, performing tests without the knowledge of the IT staff, usually to reveal system defense capabilities.
Blue Team: The internal team that defends the system. [cite_start]They are the opposing side of the red team.

The Legal Reality (UU ITE)

This is the most critical takeaway. [cite_start]Accessing a computer without explicit permission is illegal. [cite_start]Here in Indonesia, we operate under the UU ITE (Information and Electronic Transactions Law).

  • Under Pasal 31 (Indoneisan Law), intercepting or wiretapping electronic information or documents in a system you do not own is a crime.
  • Even seemingly harmless reconnaissance might be viewed as a violation depending on your ISP's Acceptable Use Policy.

The golden rule of penetration testing: Using a contract is just good business, and you should have an attorney read over your contract before signing it.

Top comments (0)