Chapter 21. Ten Deadly Mistakes

Several deadly mistakes — when properly executed, of course — can wreak havoc on your ethical hacking outcomes and even your career. In this chapter, I discuss the potential pitfalls to be keenly aware of.

Not Getting Prior Approval in Writing

Getting documented approval, such as an e-mail, an internal memo, or a formal contract for your ethical hacking efforts — whether it's from management or your client — is an absolute must. It's your Get Out of Jail Free card.

Obtain documented approval that includes the following:

  • Your plan, your schedule, and the systems to test.

  • An authorized decision-maker's signature agreeing to the terms of your plan and agreeing not to hold you liable for malicious use or other bad things that can happen unintentionally.

Warning

No exceptions here — especially when you're doing work for clients: Make sure you get a signed copy of this document for your files.

Assuming That You Can Find All Vulnerabilities during Your Tests

So many security vulnerabilities exist — known and unknown — that you won't find them all during your testing. Don't make any guarantees that you'll find all the security vulnerabilities in a system. You'll be starting something that you can't finish.

Stick to the following tenets:

  • Be realistic.

  • Use good tools.

  • Get to know your systems and practice honing your techniques.

Assuming That You Can Eliminate All Security Vulnerabilities

When it comes to computers, maintaining 100 percent, ironclad security is not attainable. You can't possibly prevent all security vulnerabilities, but you'll do fine if you

  • Follow solid practices.

  • Patch and harden your systems.

  • Apply reasonable security countermeasures.

Performing Tests Only Once

Ethical hacking is a snapshot of your overall state of security. New threats and vulnerabilities surface continually, so you must perform these tests periodically and consistently to make sure you keep up with the latest security defenses for your systems.

Thinking That You Know It All

No one working with computers or information security knows it all. Keeping up with all the software versions, hardware models, and emerging technologies, not to mention the associated security threats and vulnerabilities, is impossible. Good ethical hackers know their limitations — that is, what they don't know. However, ethical hackers certainly know where to get answers. (Hint: Try Googling it.)

Running Your Tests without Looking at Things from a Hacker's Viewpoint

Think about how a malicious outsider or rogue insider can attack your network and computers. Get a fresh perspective, and try to think outside the proverbial "box." Study criminal and hacker behaviors and common hack attacks so you know what to test for.

Not Testing the Right Systems

Focus on the systems and operations that matter most. You can hack away all day at a standalone desktop running MS-DOS from a 5¼-inch floppy disk with no network card and no hard drive, but does that do any good? Probably not. But you never know. Your biggest risks might be on the seemingly least critical system. Focus on what's urgent and important.

Not Using the Right Tools

Without the right tools for the task, getting anything done without driving yourself nuts is impossible. Download the free tools I mention throughout this book and in Appendix A. Buy commercial tools when you can — they're usually worth every penny. No security tool does it all, though. Building your toolbox and getting to know your tools well will save you gobs of effort, and you'll impress others with your results.

Pounding Production Systems at the Wrong Time

One of the best ways to tick off your manager — or lose your customer's trust — is to run hack attacks against production systems when everyone is using them. If you try to hack a system at the wrong time, expect that something will take down the critical systems at the absolute worst moment. Make sure you know the best time to perform your testing. It might be in the middle of the night. (I never said ethical hacking is easy!) This might be reason to justify using security tools and other supporting utilities that can help automate certain ethical hacking tasks.
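The three mistakes above (testing without a signed approval, testing systems outside the agreed scope, and testing production at the wrong time) can all be caught before a single packet is sent. The following is an added example, not code from the book, of a pre-flight check that refuses to proceed unless the written authorization is signed, every target falls inside the approved address ranges, and the current time is inside the agreed testing window. The `Authorization` record, the sample network `10.20.0.0/16`, and the 22:00 to 04:00 window are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Authorization:
    """Constructed record of a written approval: who signed it, which
    address ranges are in scope, and the agreed testing window (local time)."""
    signed_by: str          # empty string means nobody has signed yet
    in_scope: list          # CIDR strings copied from the signed scope document
    window_start: time
    window_end: time


def target_in_scope(auth: Authorization, target: str) -> bool:
    """True if the target address lies inside one of the approved ranges."""
    addr = ip_address(target)
    return any(addr in ip_network(cidr) for cidr in auth.in_scope)


def in_testing_window(auth: Authorization, when: datetime) -> bool:
    """True if the wall-clock time is inside the agreed window.
    Handles a window that wraps past midnight (e.g. 22:00 to 04:00)."""
    t = when.time()
    if auth.window_start <= auth.window_end:
        return auth.window_start <= t <= auth.window_end
    return t >= auth.window_start or t <= auth.window_end


def preflight(auth: Authorization, targets: list, when: datetime):
    """Return (ok, reasons). ok is False when the approval is unsigned,
    any target is outside the approved scope, or the time is outside
    the testing window. All problems are reported, not just the first."""
    reasons = []
    if not auth.signed_by:
        reasons.append("no signed approval on file")
    for target in targets:
        if not target_in_scope(auth, target):
            reasons.append(f"{target} is outside the approved scope")
    if not in_testing_window(auth, when):
        reasons.append(f"{when:%H:%M} is outside the agreed testing window")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed approval: signed, one /16 in scope, overnight window.
    auth = Authorization("J. Doe, CIO", ["10.20.0.0/16"], time(22, 0), time(4, 0))
    ok, why = preflight(auth, ["10.20.5.7", "192.0.2.10"], datetime(2024, 1, 1, 14, 0))
    print("proceed" if ok else "STOP: " + "; ".join(why))
```

Run the check as the first step of any testing script and abort on a `False` result; the reasons list is also worth keeping with the test records, since it documents that scope and timing were verified against the signed approval.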

Outsourcing Testing and Not Staying Involved

Outsourcing is great, but you must stay involved throughout the entire process. Handing over the reins of your security testing to a third party without following up and staying on top of what's taking place is a bad idea. You won't be doing your manager or customers a favor by staying out of their hair. Get in their hair. (But not like a piece of chewing gum — that just makes everything more difficult.)
