In the following article I concentrate on some of the frequently asked questions about ethical hacking, the area of computing concerned with discovering security vulnerabilities before real attackers can exploit them.
Should hacking be taught in a classroom?
‘Ethical computer hackers’, or ‘white hat hackers’, play an important role in today’s cybersecurity. It is essential to cultivate a new generation of responsible computer and networking experts who do not use security flaws for personal benefit, but instead specialize in computer security with the goal of protecting businesses against criminal hackers and governments against cyberterrorists. Corporations and society as a whole need skilled security experts to ensure the protection of their computing resources.
The risk of teaching hacking techniques in a classroom is that a student will use the newly acquired skills to bypass security systems and become a ‘grey hat hacker’, who hacks without consent, or a ‘black hat hacker’, who “compromises the security of a computer system without permission from an authorized party” (Aggarwal et al., 2014).
How does one become an ethical hacker?
One route is an online class such as Udemy’s Certified White Hat Hacker (CWHH), which teaches white hat techniques and puts emphasis on the ethical and moral responsibilities that come with them, as well as the possible consequences of misusing those skills.
Can hacking ever be ethical?
While we can never be completely certain of a hacker’s true motives, ethical hackers are (at least in my view) morally on the good side, because their motive is not to misuse the security flaws they find for personal benefit but to report them to the author(s) of the software. Such reports help organizations implement security fixes and improve the overall security of software and organizational information systems. As long as white hat experts report the flaws they discover directly to the affected corporation or to the authors of the software, and do so ethically, they remain a tremendous asset to all businesses.
Figure 1 compares an ethical hacker with an illegal one.
Figure 1 – Kalubowila (2016)
How do ethical hackers share their findings? Are there any exceptions?
The white hat hacker examines and evaluates hardware and software security with the permission of the involved party. Using penetration techniques without permission, even if the goal is only to determine how likely unauthorized malicious activity is, is ‘grey hat hacking’ and is not aligned with the code of ethics. Results should be shared with the author of the affected software or the organization that granted permission, and not disclosed elsewhere; the exceptions to this rule are discussed below.
In my view, the ethical hacker (white hat hacker) must always operate within the laws of his or her country. In practice this means that all hacking and penetration testing must be done within the boundaries of the law and with the written permission of the relevant organization. As for intent, it is important to note that ethical hacking should never be undertaken with a plan to break into someone’s network for personal benefit, but in an attempt to prevent future malicious attacks from happening.
As far as the discovery of security vulnerabilities goes, the black hat hacking process is very similar to white hat hacking, but that is where the similarities end. White hat hackers always start by gaining permission from the company, keep the firm informed about progress during the engagement (agreeing on appropriate timing together, for example) and always report the results back to the organization.
The black hat hacker, by contrast, starts with reconnaissance, scanning and gaining access, and ends by maintaining access for as long as possible and covering tracks to avoid discovery.
The primary difference, as we can see, lies in permission and in the openness and willingness to share the results with the company or the author of the affected software.
I will end this section by stating that ethical hacking is not a cure-all. “A penetration test can find some of those flaws in advance. Not all, but some. It tells you what the bad guys will be able to see if they hack you” (Coffin, 2003).
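The written-permission point above is something a tester can enforce mechanically. The following Python script is an added example (not code from the original article): it refuses to test any host that is not in the client’s authorized ranges, that the client explicitly excluded, or that is being tested outside the agreed time window. The client name, address ranges and window are constructed for the illustration and would in practice be copied from the signed authorization.

```python
"""Rules-of-engagement check run before any scanning or exploitation step.

Added example. Assumption: the client's written authorization lists the
in-scope networks as CIDRs, any excluded hosts, and a UTC testing window.
All engagement data below is constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Engagement:
    client: str
    in_scope: list                                 # authorized CIDR strings
    excluded: list = field(default_factory=list)   # carve-outs, e.g. a production database
    window_start: datetime = None                  # timezone-aware start of the agreed window
    window_end: datetime = None                    # timezone-aware end of the agreed window

    def __post_init__(self):
        # Parse once so every check is a plain "address in network" test.
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]


def check_target(eng, target, now):
    """Return (allowed, reason). Anything not explicitly authorized is refused."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are refused on purpose: resolve them first, then re-check
        # the resulting address, so a stale DNS entry cannot widen the scope.
        return False, f"{target!r} is not an IP address; resolve it and re-check"
    if now.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    if not (eng.window_start <= now <= eng.window_end):
        return False, (f"outside agreed window {eng.window_start:%Y-%m-%d %H:%M} to "
                       f"{eng.window_end:%Y-%m-%d %H:%M} UTC")
    # Exclusions win over inclusions: a carve-out inside an authorized range is honoured.
    if any(addr in net for net in eng.excluded):
        return False, f"{addr} is explicitly excluded by the client"
    if not any(addr in net for net in eng.in_scope):
        return False, f"{addr} is not in the authorized scope"
    return True, f"{addr} in scope for {eng.client}"


def filter_targets(eng, targets, now):
    """Return only the targets that pass check_target, to feed into a scanner."""
    return [t for t in targets if check_target(eng, t, now)[0]]


# Constructed engagement: documentation-only address ranges (RFC 5737).
ENGAGEMENT = Engagement(
    client="Example Corp (constructed)",
    in_scope=["192.0.2.0/24", "198.51.100.0/25"],
    excluded=["192.0.2.10/32"],
    window_start=datetime(2017, 12, 9, 1, 0, tzinfo=timezone.utc),
    window_end=datetime(2017, 12, 9, 5, 0, tzinfo=timezone.utc),
)
DURING_WINDOW = datetime(2017, 12, 9, 2, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2017, 12, 9, 6, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    candidates = ["192.0.2.20", "192.0.2.10", "198.51.100.200", "203.0.113.5", "not-an-ip"]
    for host in candidates:
        allowed, why = check_target(ENGAGEMENT, host, DURING_WINDOW)
        print(f"{'ALLOW' if allowed else 'REFUSE':6} {host:16} {why}")
    print("scan list:", filter_targets(ENGAGEMENT, candidates, DURING_WINDOW))
```

Run it before each phase of an engagement rather than once at the start: the window check is what stops a scan that was agreed for a night-time maintenance slot from spilling into business hours, and the exclusion check keeps a carve-out inside an authorized range (such as the single excluded host above) off the target list.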
As for the exceptions: situations naturally occur where a test uncovers a flaw that affects not only the security of one organization but turns out to be a major vulnerability affecting numerous other organizations around the world. In that case I support releasing the information publicly. However, a specific process should be followed.
According to Howdoireportavuln.com (2017), the right thing to do is first to tell whoever is responsible for the service or product that it is vulnerable and is putting users at risk. Only once they have been notified does going public come into consideration, and for that the site suggests one of the following options:
- Use the Full Disclosure mailing list (lightly moderated by a team of volunteers).
- Use the Bugtraq security mailing list, which is moderated more heavily than Full Disclosure and so has a better signal-to-noise ratio.
- Instead of posting to a mailing list, send the vulnerability to a vulnerability database (VDB) and let them publish it anonymously. VDBs include NVD, Exploit DB and Secunia. Ideally, use a VDB that verifies the vulnerability before publishing.
- If the vulnerability is in open source software, post it to the Open Source Security mailing list, whose members include open source projects as well as researchers and developers.
Ideally, there would be a web service for reporting a vulnerability or incident, such as the “vulnerability metadata exchange system that includes US-CERT Technical Alerts, US-CERT Vulnerability Notes, US-CERT Technical Alerts or Vulnerability Notes, and OVAL Queries” proposed by Quinnell et al. (2006) in U.S. Patent Application No. 11/530,760.
Ethical hacking and the code of ethics
There is no uniform code of ethics that ethical hackers adhere to. However, there are various computer-industry codes of ethics that offer excellent guidance, such as the ACM’s, which states that “An ACM member must contribute to society and human well-being” (Myers and Venable, 2014). Figure 2 compares the ACM, ICCP and AITP codes, which are commonly used as codes of conduct for computer professionals.
Figure 2 – Dinah Payne, B. (2017)
“Although ethical hacking is an effective measurement tool and a crucial component of any security program, it should only be part of a larger security program.” (Smith et al., 2002)
Ethical hacking is an important way of discovering and preventing potential security vulnerabilities, because white hat hackers can model the behavior of real attackers. However, in my view, while undoubtedly useful, hiring white hat experts should not be the organization’s only strategy, but one part of a more complete, fully developed, organization-wide security program.
Smith, B., Yurcik, W., & Doss, D. (2002). Ethical hacking: the security justification redux. In Proceedings of the 2002 International Symposium on Technology and Society (ISTAS’02), pp. 374-379. IEEE.
Aggarwal, P., Arora, P., & Ghai, R. (2014). Review on cybercrime and security. International Journal of Research in Engineering and Applied Sciences, 2(1), 48-51.
Myers, M. D., & Venable, J. R. (2014). A set of ethical principles for design science research in information systems. Information & Management, 51(6), 801-809.
Dinah Payne, B. (2017). A uniform code of ethics: business and IT professional ethics. Communications of the ACM, November 2006. [online] Cacm.acm.org. Available at: https://cacm.acm.org/magazines/2006/11/5790-a-uniform-code-of-ethics/abstract [Accessed 9 Dec. 2017].
Kalubowila, T. (2016). Ethical Hacking. [online] Slideshare.net. Available at: https://www.slideshare.net/TharinduKalubowila/ethical-hacking-67537399 [Accessed 9 Dec. 2017].
Quinnell, J., Carlsen, M., Ladner, M., Rudy, J., Smith, K., & Walasek, A. (2006). U.S. Patent Application No. 11/530,760.
Coffin, B. (2003). IT takes a thief: Ethical hackers test your defenses. Risk Management, 50(7), 10-14.
Howdoireportavuln.com. (2017). How do I report a vulnerability? A guide for anyone new to vulnerability reporting. [online] Available at: http://howdoireportavuln.com/ [Accessed 10 Dec. 2017].