What Is Ethical Hacking


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The Internet is growing rapidly, with more and more computers and wireless devices getting connected to the global information network every day. As the complexity of these networks increases, the possibility of flaws in them also increases, and these flaws could be exploited by people with malicious intent. As a result, the privacy and security of information has become a major concern. It affects not only individuals but also businesses and organizations. To address this issue, the concept of Ethical Hacking was introduced. Ethical hacking is a way of assessing the information security environment of an organization, carried out by individuals or groups who are experts in computers and networking. These individuals have the same knowledge and mindset as a malicious hacker, but they use this knowledge ethically to defend against malicious hackers.

The goal of an ethical hack is neither to damage nor to steal any valuable information; it is a service that lets a client test how their IT environment would withstand an actual hacker attack. [1] The final output from this assessment is a detailed report about the detected problems and vulnerabilities and a possible solution for each of them. [2] Ethical Hacking can also be defined as penetration testing, which is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have authorized access to the organization's systems) and malicious insiders (who have some level of authorized access). [3] This process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, hardware or software flaws, or operational weaknesses. [4] Security issues uncovered through the penetration test are presented to the system's owner. [5] Effective penetration tests will couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce risks. [6] It may also include a risk analysis report in order to evaluate the potential impacts to the organization from a financial perspective.

An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat. [7] Hence the term black hat refers to a "malicious person" and the term white hat refers to the people who defend against these malicious people. One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. [8] According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. [9] Many large companies, such as IBM and Google, maintain employee teams of ethical hackers. [10]

"Ethics of Hacking"

Before we debate the ethics of hacking, we should first know what exactly hacking is and how a hacker is actually described. In one sense it's silly to argue about the "true" meaning of "hacker". It can be whatever people use it to mean. [11] A true hacker is identified by his hobby, which he pursues with dedication and flair. It can be science, computers or anything related to technology. If I had to define what a "hacker" was, I’d say a hacker is a person who is always motivated to explore the realms of computer systems. Mostly this includes finding new ways to access areas where we’re not supposed to be, but only for learning and fun. So, basically, a "Computer Hacker" is someone who lives and breathes computers, who knows all about computers, who can get a computer to do anything. Equally important, though, is the hacker's attitude. [12] Computer programming must be a hobby, something done for fun, not for money. It's okay to make money, but that can't be the reason for hacking. A hacker must be fundamentally an amateur, even though hackers can get paid for their expertise. Someone who sets out to crack the security of a system for financial gain cannot be considered a hacker at all. If you make this a job before you make it an interest, you will be miserable. [13]

A password hacker whose primary interest is in learning how the system works doesn't therefore necessarily refrain from stealing information or services, but someone whose primary interest is in stealing isn't a hacker. It's a matter of emphasis. [14]

More precisely, the hacker ethic refers to feelings of right and wrong. So, is hacking morally right? To answer this question we should know what morals actually are. Morality means proper behavior and is typically seen as a balance of right and wrong. [15] As mentioned in the Stanford Encyclopedia of Philosophy, morality means a code of conduct held to be authoritative in matters of right and wrong. Morals are created by and define society, philosophy, religion, or individual conscience. [15]

Let's consider an example to discuss this more clearly and in a way that is easier to understand. Several years ago, a man named Linus Torvalds created something we now know as the Linux kernel. At the same time, a man named Richard Stallman decided he wanted to rewrite a popular operating system of the time; all he needed was a kernel to put the pieces together. When the Linux kernel and GNU were put together, they created the GNU/Linux project, which is now used by more than 10 million people worldwide. Linus and Richard were hackers... but would anyone say what they did was illegal? Or unethical? [16]

Hacking, like anything else, is morally wrong only if it is used for destructive purposes. True hackers are passionate programmers; they’re BUILDERS. Hackers define the technologies that drive this massive information network called the Internet. Hackers develop the security algorithms that protect this information network from malicious attacks, thereby ensuring the safety of information and private data on the network.

"Limits of Ethical Hacking"

An ethical hacker should always be aware of the legal aspects of hacking. He should be aware of the penalties for any kind of unauthorized access, both while he is working under a legal contract and while researching on his own. Any action taken during a pentest which breaches the approved limits of the contract or causes any disruption in customer services can be held against the ethical hacker. Any network auditing should be performed only after following certain rules to ensure that the moral and ethical obligations are met. These rules include:

Getting approval for the auditing by signing a legal contract with the client.

Maintaining and following a Non-Disclosure Agreement (NDA) with the client, in case any confidential information is disclosed during the auditing procedure. No information should ever be disclosed to a third party.

The most important thing about ethical hacking is that it can be done for commercial purposes but not for goodwill. Not even if it benefits many! "There's no defense in our hacking laws that your behavior is for the greater good. Even if it's what you believe." explains Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com. [17] No penetration testing should be done without the consent of the target authority. No matter how vulnerable their system is, legal approval is a must. If it's not approved, huge penalties can be charged against those responsible for the unauthorized access. "You take a big risk in breaking those laws. The merits of your crime could be lost on a judge", says Robertson. [18]

Case Studies of Computer Misuse Act (1990):

In 2005, Daniel Cuthbert, a computer consultant of Whitechapel (London), was convicted of gaining unauthorized access to a website belonging to a Tsunami Fund-raising Committee, even though the judge hearing the case accepted that he did not mean to cause any harm to the website or the committee. At the time of his arrest, Cuthbert was employed by ABN Amro (state-owned bank of Netherlands) to carry out security testing of its systems. Cuthbert's defence team argued that he had merely 'knocked on the door' of the site, pointing out that he had the skills to break into it if he wanted. Despite hearing all the arguments from the defence, the court found Cuthbert guilty under Section one of the Computer Misuse Act 1990.

Section one of the CMA says that it is an offence to make "unauthorized access to a computer material". There is no burden on the prosecution to prove that the accused had intended to cause any damage. A mere attempt at unauthorized access could be held against the accused. Cuthbert was found guilty and was fined around a thousand British Pounds. [19]

The offence of unauthorized access covers everything from guessing a password to accessing someone's email account, performing denial of service attacks, or cracking the security of a bank. The maximum penalty for unauthorized access to a computer is several years in jail and a fine depending upon the financial impact caused by the unauthorized test. These penalties could be even higher if any data on the target system is altered or exposed publicly.

Another contractual agreement made between the client and ethical hackers is the "Get out of jail free card". As much of what ethical hackers do during the course of auditing would be illegal in most countries, this agreement protects the ethical hackers against prosecution. It provides a precise description of the nature and extent of the ethical hack to be carried out against the client’s systems. Usually the scope is given as network addresses, modem telephone numbers or a range of computer systems to be evaluated. The accuracy of the data given in this agreement is of utmost importance, since a minor misjudgement could lead to the evaluation of the wrong system in the client’s installation or, in the worst case, the evaluation of another organization’s system, for instance that of a partner organization. Above all, the ethical hacker employed for the pentest must be completely trustworthy. Hiring ex-criminal hackers for the job could be disastrous. As C. C. Palmer writes in his article [20], "the ethical hacker often holds the keys to the company". Therefore, the client needs to be 100% certain that the information found during the test won’t be abused.

"The effects these limitations have on Ethical Hacking"

Once all the legal agreements are in place, the auditing may begin as defined in the contract. For a successful system evaluation, the client should co-operate with the auditing team. Some clients insist that the ethical hackers halt the evaluation and notify them as soon as they gain access to any of the client's systems. This sort of ruling is mostly found in system evaluations of banks, insurance companies, or other high profile organizations where customer data is highly confidential. However, this practice should be discouraged, as it prevents the client from learning about other vulnerabilities that the ethical hackers might discover during the full evaluation. Incomplete penetration tests can give the client a false sense of security about their systems. The client should rather allow the evaluation to proceed, since where there is one vulnerability there are probably others which could remain undiscovered.

If an ethical hacker is not allowed to use all methodologies and tools during the job, then how can a client be really sure how secure their systems are? "There is a sense of frustration in that if you were given a completely free hand there's a lot more you could do", says Paul Vlissidis, technical director with NCC Group Secure Test. [21] The best evaluation is done under a "No-Holds-Barred" approach. [22] It allows an ethical hacker to use any tools and methods he can think of to uncover all possible vulnerabilities in the client’s systems. This kind of approach is the most realistic and useful of all, as it imitates the attempts of a real intruder who will not play by the client’s rules.


