According to Solomon and Oriyano, "A security policy is a high-level description of how an organization defines a secure environment." and "enumeration is to uncover specific information about each target system that can help the attacker subsequently design effective exploits (Solomon and Oriyano, p. 157). Enumeration is part of the hacking phase to uncover specific information that can be used for an attack exploit. The discussion question mentions that enumeration can also be used by Pentesters. Pentesters are contracted 'white-hat' hackers that have been given certain permission to attack an employer's system to find vulnerabilities before a malicious hacker does. A security policy statement (regarding enumeration), could define what is allowed during enumeration, and what is not.

 

If you were an IT security director, what are three example statements you would include in your security policy regarding enumeration. Remember that ethical hacking and penetration testing also include enumeration