Is Ethical Hacking Actually Ethical or even Legal?
There are three main generally accepted categories of hacker, each represented by a hat of a different colour: white, grey and black. All of them exploit weaknesses in computer systems and networks. The differences between them are their motivations. The most infamous are the black hat hackers, computer criminals epitomised by Hollywood, whose malicious activities serve their own ends ranging from financial gain to simply causing chaos. White hat hackers are usually those that carry out their craft with no apparent criminal intention in mind. And grey hats sit somewhere in the middle, often hacking into a system just to prove they can, but afterwards usually notifying the vendor or owner of the weakness.
White hat hackers, also known as ethical hackers, are the ones hired by companies to carry out penetration testing, a technique that helps to determine how secure the company’s systems are. It’s a necessary business service. Without penetration testing carried out by ethical hackers, how else would a business identify its weaknesses and shore up its defences against the real criminals?
But is ethical hacking actually ethical? Or, more importantly, is ethical hacking even legal?
Most organisations believe that the act of authorising an ethical hacker to test a company’s defences is enough legal protection to justify both sets of actions: firstly, the company’s decision to hire an ethical hacker, and secondly, the questionable activities of the hacker, who in turn believes they are justified by the fact that they are acting in the best interests of the company that hired them.
And the answer to this dilemma is, of course, that it depends.
In writing my novel, Invasion of Privacy, where the main protagonist is a so-called ethical hacker, it became apparent to me how grey their world really is. In the interests of dramatic fiction, it was fun to take things to extremes; to have the character go beyond the call of duty in order to get the job done. But in doing so, I began to wonder how far ethical hackers stray outside of the law.
Obviously, it depends on how far the hacker is willing to go to test the systems. Or worse, to switch into grey hat mode, determined to break in just to prove they can.
Social engineering is one technique used by hackers to trick people into giving up confidential information. White hat hackers employ it to help test a company’s defences. After all, under a real attack a black hat hacker may well do the same. This often means that the ethical hacker ends up logging into systems using someone else’s credentials, obtained using illicit methods. At this point laws are being broken, as they then have access to confidential information. If this is customer or employee information, then the hacker and the company may be in breach of the various data protection legislation in force.
A common technique to test a company’s systems is to obtain access via their business partners. Large corporate organisations often have strong security measures in place and so it is natural to focus on the weakest elements in the supply chain, their suppliers or customers. These may be smaller companies with limited protections in place, but who have privileged access to systems provided by the large corporate. Therefore, an ethical hacker may hack (in whatever way makes sense) into a business partner’s systems first in order to then be able to hop over to the intended target via this privileged back door. Unless the business partner has been included in the scope of the penetration test, the ethical hacker has strayed outside the boundaries of the law to achieve their aims.
And so it goes on.
Companies hire ethical hackers because they need to test their security. By granting permission for the pentest, they effectively cover their corporate eyes and ears while these tests are carried out. See no evil, hear no evil. At the end, the ethical hacker presents a nicely polished report pointing out the weaknesses and associated recommendations. What the company has no idea about is how many laws it has enticed the ethical hacker to break to get to this point. The ethical hacker may not know or, more importantly, may not care about the laws that have been broken.
What’s the moral of this story? Perhaps it’s that there really is no such thing as a white hat hacker in the real world. The world is very grey indeed.