Ethical Hacking and Morality: The Gray Area

Ethical hacking, better known as “penetration testing,” involves purposeful “hacking” into a computer network by a qualified person for purposes of testing a system’s security. A certified penetration tester with the full knowledge of all parties involved typically does penetration tests under contract.

Business commerce, financial transactions, records, and communication are almost all web/cloud-based now. Malicious hackers (black hats) attempt to steal money, goods, or information. They can change records, exploit weaknesses, and otherwise wreak havoc on businesses, computer users, and society in general.

To defend against malicious hackers, qualified penetration testers (white hat hackers) are being employed to defend systems. In fact, according to Marketwatch.com, the demand for ethical hackers is increasing as cyber-attacks become more and more catastrophic to large corporations.

The problem that arises is this: Since ethical hackers are here to make sure that the unethical hackers can’t hack us, who watches over the white hats to keep them from becoming black hats?

A competent penetration tester has to closely follow hacking trends, study new exploits, read hacker forums, and skirt very near to the edges of the criminal hacker fraternity to stay competent at his or her job all while maintaining their integrity.

Social Engineering

The issue becomes even more complicated when social engineering is thrown into the mix. As computer security increases in effectiveness, black hat hackers have turned their attention to the weakest link: people. Hacks on human beings are referred to as social engineering.

For example, a black hat hacker might impersonate a company’s IT service technician and ask employees to log into accounts, read personal information aloud, or even verify children’s names and birthdays (used by many people as passwords), addresses, and Social Security numbers.

For penetration testers to duplicate hacking by way of social engineering, they must also attempt to get personal information from employees without their knowledge. Doing this, even in a controlled way, is viewed by some as a violation of privacy. Nevertheless, some penetration testing contracts include social engineering attempts.

The OSSTMM

So, what metric of behavior guides ethical, white hat hackers and prevents them from going over to the proverbial “dark side?”

The Open Source Security Testing Methodology Manual (OSSTMM) lists a detailed “Rules of Engagement” section that stresses the importance of clearly elucidating a penetration test in detail beforehand so all parties involved know exactly what to expect.

The test scope, process, and reporting procedures must be clearly defined in the contract, including but not limited to, all IP addresses, phone numbers, routing ports, exploits, and even social engineering hacks that will be used during the test.

In addition to the attention paid to penetration test contracts, the use of fear, uncertainty, doubt, and deception in the marketing of white hat services is forbidden by the OSSTMM. In other words, an ethical hacker can’t trick a potential client into signing a contract by offering intimidating facts and scare tactics designed to exaggerate threats.

The International Council of E-Commerce Consultants (EC-Council) works to keep ethical hacking ethical by certifying and licensing penetration testers. This process also includes a criminal background check.

HAISA 2015

The Proceedings of the Ninth International Symposium on Human Aspects of Information Security and Assurance (HAISA) highlights some of the more serious ethical dilemmas faced by white hat hackers.

First, a dilemma exists between doing the right thing for the client company and doing the right thing for the company’s employees. A thorough penetration test could violate the privacy of the employees, but if their privacy is safeguarded, then the overall outcome of the test may not be comprehensive enough for the client.

The second dilemma is between structured and unstructured approaches to penetration testing. A structured approach details every task ahead of time, but it doesn’t allow for the ethical hacker to operate outside of those bounds.

An unstructured approach allows the white hat hacker to use his or her imagination and adapt to each scenario in a more realistic way (the way a “real” black hat hacker would), but the client must place blind faith in the penetration tester.

Penetration Testing Professional Ethics

The Australasian Journal of Information Systems published a detailed report on Penetration Testing Professional Ethics in which the authors highlighted integrity as the primary moral virtue in ethical hacking. Integrity comes from serving and protecting the customer and upholding the security profession.

To accomplish this goal, white hats must avoid conflicts of interest, false positives (pointing out flaws where there are no flaws) and false negatives (the opposite), and they must include detailed language regarding their technical and ethical limitations in the text of each contract.

Companies that hire penetration testers must have realistic expectations going into the test. Some companies expect penetration testers to also set up or improve their network security. The white hat’s job, however, is to test defenses, not create defenses.

Also, if the client wants social engineering tests to be included, he or she must be willing to accept a summarized report of non-specific result statistics. An ethical hacker cannot give the names of employees who failed the test because their employment and privacy could be jeopardized as a result.

A Sticky Business

Black hat hackers have become a major threat to society. We’ve seen hackers on the front page several times over the past few years. As hackers become more of a threat, we are being forced into responding with equally skilled, white hat hackers.

Penetration testing requires knowledge and skills used primarily for malicious purposes. But instead of sewing discord, white hat hackers are supposed to use their power for defense and security.

In the end, no matter how detailed a contract is written, at least some element of integrity is needed on behalf of the penetration tester and some element of trust is needed on behalf of the client.

Unfortunately, legal pitfalls in the field of penetration testing are abundant. And most of these originate in actual or perceived unethical behavior. Ethical hackers have even been arrested in the performance of their duties. To avoid legal issues, industry standards and regulations must be followed explicitly, and a clear channel of communication must be maintained between the client and the penetration tester.

About Maryville University’s Online Degree in Cyber Security

Maryville University offers both undergraduate and Masters degrees in cyber security, studying topics such as cryptography, cloud security, incident handling, and mobile device handling. Students can learn from anywhere, on any device, with the Maryville Virtual Lab as their training ground.

More information is available at Maryville University’s online cyber security website.

Sources:

http://www.tomsitpro.com/articles/white-hat-hacker-career,1-1151.html

http://www.marketwatch.com/story/hackers-wanted-the-ethical-ones-2015-04-22

https://securityintelligence.com/how-black-hats-and-white-hats-collaborate-to-be-successful/

http://www.prnewswire.com/news-releases/social-engineering-white-hat-hackers-undercover—redspin-finds-94-of-companies-fail-email-test-62155242.html

http://www.isecom.org/mirror/OSSTMM.3.pdf

https://cert.eccouncil.org/application-process-eligibility.html

https://books.google.com/books?id=NQJqCwAAQBAJ&printsec=frontcover#v=onepage&q&f=false

http://journal.acs.org.au/index.php/ajis/article/view/52/39

https://www.scu.edu/ethics/focus-areas/more/resources/repugnant-philosophy/

http://www.theatlantic.com/technology/archive/2015/12/white-hat-ethical-hacking-cybersecurity/419355/

http://www.securitycurrent.com/en/analysis/ac_analysis/legal-issues-in-penetration-testing