Ethical hacking, sometimes known as penetration testing, involves purposeful hacking into a computer network by a qualified data security expert to test for vulnerabilities within a system’s critical infrastructure. The audit is typically performed under contract by a certified penetration tester, with the full knowledge of all parties involved.
Business, commerce, financial transactions, records, and communication are almost all web- or cloud-based now. Hackers utilize their skills to bypass safety protocols and enter secure networks to install malicious software or steal money, goods, and sensitive information. They can change records, exploit weaknesses, and otherwise wreak havoc on businesses, computer users, and society in general.
To defend against hackers, qualified penetration testers are being employed to ward off attacks and protect critical data infrastructure. In fact, according to MarketWatch, the demand for ethical hackers is increasing as cyberattacks become more catastrophic to large-scale organizations.
This trend leads to one of the biggest questions in data security: Since ethical hackers are here to make sure the unethical hackers can’t hack us, how can we ensure that those who are charged with protecting the infrastructure don’t also use their knowledge for malicious purposes?
A competent penetration tester must closely follow hacking trends, study new exploits, read through hacker forums, and skirt very near to the edges of the criminal hacker fraternity to stay competent at their job — all while maintaining their integrity.
Unfortunately, the ease of online operations means that unethical hackers are finding increased opportunities to do damage and engage in cybercrime.
The speed at which information is processed opens the door for unethical hackers to infiltrate systems and exploit weaknesses for maximum benefit. This makes the efforts of a highly skilled and well-trained penetration tester a critical component in safeguarding the integrity of servers and networks. However, without routine testing and skill development, unethical hackers will eventually find their way inside.
Read on to learn more about the gray areas of ethical hacking.
The issue of ethical hacking becomes even more complicated when social engineering — exploiting human behavior or social norms — is thrown into the mix. As computer security increases in effectiveness, unethical hackers have turned their attention to the weakest link: people. Attacks that target human beings rather than machines are referred to as social engineering.
For example, an unethical hacker might impersonate a company’s IT service technician and ask employees to log in to their accounts, read personal information aloud, or even verify children’s names and birthdays (used by many people as passwords), addresses, and Social Security numbers.
To replicate social engineering attacks, penetration testers must also attempt to obtain personal information from employees without their knowledge. Doing this, even in a controlled way, is viewed by some as a violation of privacy. Nevertheless, some penetration testing contracts include social engineering attempts.
So what metric of behavior guides ethical hackers and prevents them from using their skills for malevolent purposes?
The Open Source Security Testing Methodology Manual (OSSTMM) provides a detailed “Rules of Engagement” section that stresses the importance of clearly highlighting — in advance — the scope and objective of a penetration test so all parties involved know exactly what to expect.
The test scope, process, and reporting procedures must be clearly defined in the contract, including, but not limited to, all IP addresses, phone numbers, routing ports, exploits, and even social engineering hacks that will be used during the test.
In addition to the attention paid to penetration test contracts, the use of fear, uncertainty, doubt, and deception in the marketing of ethical hacking services is forbidden by the OSSTMM. In other words, an ethical hacker can’t trick a potential client into signing a contract by offering intimidating facts and scare tactics designed to exaggerate threats.
The International Council of E-Commerce Consultants (EC-Council) works to keep ethical hacking true to its mission by certifying and licensing penetration testers. This process also includes a criminal background check.
The Proceedings of the Ninth International Symposium on Human Aspects of Information Security and Assurance (HAISA) highlights some of the more serious dilemmas faced by ethical hackers.
First, a disconnect exists between doing the right thing for the client company and doing the right thing for the company’s employees. A thorough penetration test could violate the privacy of the employees — but if their privacy is prioritized during a penetration test, then the overall outcome of the test may not be comprehensive enough for the client.
The second dilemma is between structured and unstructured approaches to penetration testing. A structured approach details every task ahead of time, but it doesn’t allow for the ethical hacker to operate outside of those bounds.
An unstructured approach allows the ethical hacker to use his or her imagination and adapt to each scenario in a more realistic way (the way a “real” unethical hacker would), but the client must place blind faith in the penetration tester.
Penetration testing professional ethics
The Australian Journal of Information Systems published a detailed report on penetration testing professional ethics in which the authors highlighted integrity as the primary moral virtue in ethical hacking. Integrity comes from serving and protecting the customer and upholding the security profession.
To accomplish this goal, ethical hackers must avoid conflicts of interest, false positives (reporting flaws where none exist), and false negatives (failing to report flaws that do exist), and they must include detailed language regarding their technical and ethical limitations in the text of each contract.
Companies that hire penetration testers must have realistic expectations going into the test. Some companies expect penetration testers to also set up or improve their network security. The penetration tester’s job, however, is to test defenses, not create defenses.
Also, if the client wants social engineering tests to be included, the client must be willing to accept a summarized report of aggregate, non-specific result statistics. An ethical hacker cannot give the names of employees who failed the test, because their employment and privacy could be jeopardized as a result.
A sticky business
Unethical hackers have become a major threat to almost every part of society: personal, private, business, medical, and government, to name a few. And as the infrastructure evolves, unethical hackers are constantly upgrading their skills to overcome the latest advancements in technology. Penetration testers must also do the same.
Penetration testing requires knowledge and skills used primarily for malicious purposes. But instead of sowing discord, ethical hackers are entrusted to use their skills for defense and security.
In the end, no matter how detailed a contract is written, at least some element of integrity is needed on behalf of the penetration tester, and some element of trust is needed on behalf of the client.
Unfortunately, legal pitfalls in the field of penetration testing are abundant, and most of these originate in actual or perceived unethical behavior. Ethical hackers have even been arrested in the performance of their duties. To avoid legal issues, industry standards and regulations must be followed strictly, and a clear channel of communication must be maintained between the client and the penetration tester.
About Maryville University’s online degree in cybersecurity
Maryville University offers both undergraduate and master’s degree programs in cybersecurity, focusing on topics such as cryptography, cloud security, incident handling, and mobile device handling. Students can learn from anywhere, on any device, with the Maryville Virtual Lab as their training ground.