
Ethical Hacking

Varied Perspectives: Perhaps the real hacking is in the Ethics


By Tito Ndoka

Ethical Hacking: Varied Perspectives by Tito Ndoka is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Table of Contents
1 Introduction
2 Understanding The Position of Ethical Hacking
2.1 What Drives Ethical Hacking?
2.2 Common Processes in Penetration Testing
2.2.1 Reconnaissance
2.2.2 Scanning
2.2.3 Exploitation
2.2.4 Maintaining Access
2.3 The Implication of These Processes
3 General Business Case Ethics
4 The Ethics of Hacking
5 The Varying Perspectives of Ethics
5.1 That The Company is of Utmost Importance
5.2 That the records (information or data) are of utmost importance
5.3 That the Customers, the Vendors and the Staff are of Utmost importance
5.4 That The Ethical Hacker Is Right
6 Positive Moves Towards Ethical Procedure
6.1 CERT (Computer Emergency Response Team)
6.2 Getnetwise.org
6.3 My Secure Cyberspace
6.4 Internet Industry Association of Australia
6.5 Wired Safety
7 Conclusion
8 References

Abstract
Ethical hacking is already established as a discipline in the information technology industry for addressing the security challenges created by the current and increasing threat of intrusive hackers, anonymous and aggressive in cyberspace. The worry of any company with something to lose should its systems be compromised is that its security measures may not suffice, which is why penetration testing is used to determine just how susceptible the system is. In doing so, actual privileged information is compromised in a controlled process, regarded as ethical hacking, which aims to demonstrate areas of weakness by reaching the information that is supposed to be secured from public or unauthorized access. Because a significant number of parties are likely to be affected by the controlled hacking process, ethical questions arise, and the affected parties may reserve the right to protest against the action, claiming ethical violations. But how can the moral perspective be practically implemented when the action is aimed at securing the system further? How can the ethical component be applied when ethics are based on prevailing cultural and moral values? Is there an ethical position in ethical hacking that can prevail in preventing the ethical violation? Do the organization's information and processes take precedence over the data hosted in its systems, which was entrusted to it under the premise of privacy? Can ethical hackers be trusted, and if they are that good at hacking systems, what is the possibility that they are the very compromise the company seeks to prevent? How can they be vetted? Is it not possible that they hone their skills by hacking other systems anonymously, without the permission of the subject company?
Many ethical issues arise, and they are all based on the differing points of view of the varied stakeholders. Perhaps the real ethical dilemma is in the name 'ethical hacking', which should either be defined from a technical point of view or comprehensively restructured to accommodate prevailing cultural values.


Ethical Hacking: Varied Perspectives



1 Introduction
Ethical hacking is currently established as a recognized discipline, with training and educational institutions around the world offering it [1], [2], and it will eventually take its place in the management of information systems as part of the assurance of strategic measures in data and information security. 'Hacking' is a somewhat ambiguous term, formerly positive in its implication: it pointed to an enthusiastic programmer whose interest and ambition lay in the innovative effort of creating versatile and novel software and other computing solutions, mostly out of interest [3, p. 4]. The term is now associated with unauthorized or intrusive access to electronic information, regardless of purpose or intent; from an innovative standpoint, it is a creatively different way of accessing information, data or processes. Security becomes a major concern in the business and trade communities because of increased online transactions in operations, financial administration and management. Liability extends to the flow of information, privileged client details and privacy, all of which every stakeholder is expected and required to uphold with integrity. US law, for instance, generally regards hacking as access to protected electronic systems or devices, through varied electronic means, without proper authorization and with the intent to defraud, or out of ambition or malice [4, p. 26]. Ethical hacking therefore finds its relevance in the increasing efforts and sophistication of hackers around the world in compromising or accessing information and proprietary intellectual property hosted in electronic form. It is a responsive effort that engages the same hacking procedures (generally, and initially, unwanted or perceived as illegal) in testing and securing information and information systems. The term 'ethical hacking' still begs for clarity, its meaning left to ambiguous interpretation, with many taking a comparative position.
In this view, it has been compared to financial auditing [5, p. 2], where integrity, procedure and operational structure are verified in an internally sanctioned activity [6]. Ethical hacking has also been compared to the tactics of war, as asserted by Harper [4, pp. 3-19], in that ethical hacking, and the morality therein, resemble military practice, where the enemy has to be fully defined before and during the engagement of offensive or defensive activity. The main issue with ethical hacking is therefore not its productivity, since it has been evaluated and shown to be effective [7, pp. 17-22], but rather the implication of the actions engaged in to reach the desired results: the predefined procedures that lead to the revelation of a possible compromise or the occurrence of a threat, commonly referred to as penetration testing [8, p. 3], [9, p. 10]. This contentious implication is ethical in nature, with many assumptions made on behalf of all stakeholders [4, p. 50]. While the intention of ethical hacking may be qualified, it is not necessarily clarified in terms of the scope of compromise, nor therefore the ethical standpoint that presumably guides the hackers along a predefined and supervised path similar to the one real hackers would take. As Tiller [9, p. 22] puts it, "...there are rules, time limitations, access restrictions, motive differences, and consequences associated with assuming the role of a hacker to which the real hacker is not confined...", thereby introducing a number of varying ethical perspectives.

Ethical Hacking: Varied Perspectives

2 Understanding The Position of Ethical Hacking


Undeniably, securing information systems, and information in any form or state, is a critical need, especially with the increase in risk and the possibility of compromise. Action must therefore be taken to secure the processes, the data and all related access rights and privileges. Furthering the need for security is the business case of software and virtual products hosted in electronic form, for which it is important to protect the innovative uniqueness of the solutions developed, legally qualified as intellectual property, whether that uniqueness is expressed in the process or in the product.

2.1 What Drives Ethical Hacking?


Ethical hacking seems a reasonable method of attaining security: the same strategies a hacker would use are emulated in testing the subject system for weaknesses, which allows the organization to put measures in place to prevent or respond to a hacking attack. One of the key reasons for the possibility of compromise is financial. The value of a product or process is expressly invested in the structure of the product, with privileged information as one of its key ingredients, for instance client information, prices and estimates, copyrights and financial processes. Were these qualities of the product or process released to unscrupulous parties, the associated gain would transfer from the company to those parties. It would also be a compromise of privileged information that would lead customers and buyers to lose confidence in the subject company, thereby harming the business goal. The invested value is therefore protected by all means from unauthorized access or preview, either through seclusion or by closely monitoring the access sessions that are privy to the privileged information or processes. Ethical hacking is therefore directed at determining the susceptibility and compromise of the secluded system across a whole range of products and processes. Beyond the whimsical ambition to prove their prowess, hackers have found that information has a market and can be used to manipulate processes towards a gainful outcome, for instance [4, pp. 4-5]:
- A Citibank compromise in 2008 that cost tens of millions, attributed to a group of hackers called the Russian Business Network
- $9 million taken from the Royal Bank of Scotland in 2009 by a group of hackers from Russia, Estonia and Moldova
- 300,000 lost by German banks to malware
- $100 million linked to Zeus, a banking trojan with keylogging capability, known to steal the user credentials that grant access to privileged financial portals

These memorably infamous examples prove that a hacker's intrusive efforts affect financial profitability, hence the need to step up the prevention of, or the response to, an attack that compromises the integrity of information or of a process. It is important to understand the full scope of a risk before mitigating it, and more so when the risk cannot be fully understood other than through observation. Ethical hacking can therefore be viewed as an experimental process in which observation offers evidence of weakness; note that it can only show that the tests performed did not get in, never prove impenetrability. There are, however, situations where a hacker needs to be identified for varied reasons, in which case a calculated traceback would be initiated to mitigate specific risks [11, p. 2]. This differs from the determination of system susceptibility and addresses the specific risks involved in an individual hacking attempt. As long as a product or process holds financial value, any and all measures are expected to be taken to prevent the loss of that value, in the expectation of maximum returns for the investing company or companies; ethical hacking is therefore expected to grow as innovation brings sophistication to products and processes, and with it the need to secure them for a return on investment.

2.2 Common Processes in Penetration Testing


Generally, these common practices do not encompass the complete scope of ethical hacking, but they give a picture of what goes on in typical hacking. Because of the growing sophistication of hacking methods, the structure changes somewhat from one intrusion to the next, depending on the targeted system or systems that lead to the desired product, information or process. The discussion here is confined to penetration testing; however, some of these processes can also be used in tracebacks when responding to a detected hacking attempt [9, p. 20]. Before going through the various processes and steps in ethical hacking, it is important to note that the whole idea is to test products and systems for possible weaknesses that would allow a hacker a look inside. There are basic situations that give a hacker a free pass and, while they would be counted as hacking, are too basic to outline as part of the process, for instance:
- A poorly configured firewall
- Software downloaded from the Internet against company policy
- An untested product or process exposed to the public Internet
- Someone looking over a shoulder as a password or other access credentials are entered

Since most hackers prove their prowess by penetrating a system without perceived luck, they assume that an organization has put measures in place to prevent the most obvious intrusive actions, which is why elaborate methods of penetration are employed. A good intrusion makes sure that the attacker can access the system at will, not by sheer luck, and can remain undetected long enough to keep the upper hand. The common practice in ethical hacking encompasses the following four steps, according to Engebretson [9, pp. 10-144]:

2.2.1 Reconnaissance
This step involves collecting as much information as possible about the target of the test. More comprehensive research usually leads to more successful attempts in the later stages.

This stage involves collecting and sorting information without necessarily intruding on the target, though some active reconnaissance strategies do involve intrusive action, aimed at collecting information without detection being the primary concern [9, p. 16]. Once the process is complete, a list of IP addresses is generated, together with the expected level of difficulty in getting access to each. The tools used at this stage range from a web search engine to name server lookups, business directories, e-mail and social engineering, among others.

2.2.2 Scanning
This stage uses the list generated in the first stage to determine whether the target IP addresses are active and, if they are, whether there is a point of penetration through their ports (port scanning). Internet transport protocols assign each network service a port number, and convention ties well-known services to well-known ports; for instance, web servers listen on port 80 for HTTP, so most traffic to that port comes from web browsers. A port scan checks the targets for ports that have been left open; a vulnerability scan then checks the services listening on those open ports for known weaknesses that would allow access to the system beyond the port's prescribed purpose [9, p. 58]. There are many tools for accomplishing the objectives of this stage; they deliver ping requests to find live hosts, TCP connect and SYN scans, and UDP scans across the target network.
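The scanning stage, as an added example that is not code from the essay or from the works it cites: a TCP connect scan that classifies each port as open, closed or filtered, and that refuses to contact any host outside an authorised scope, the boundary that Section 2.3 observes the stages themselves never dictate. The scope list (a set of CIDR networks assumed to come from the rules of engagement), the throw-away loopback listener it scans, and the timeout used to call a port "filtered" are all assumptions made for this example.

```python
"""Scope-enforced TCP connect scan (added example, not from the original essay).

The authorised scope is assumed to be a list of CIDR networks agreed in the
rules of engagement; any target outside it is refused before a single packet
leaves the machine. To run offline, the "target" is a throw-away listener
that this script opens on 127.0.0.1 itself.
"""
import ipaddress
import socket
import threading


def in_scope(host, scope):
    """True only if host falls inside one of the authorised CIDR networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in scope)


def tcp_connect_scan(host, ports, scope, timeout=0.5):
    """Classify each port as open, closed or filtered using full TCP connects.

    A completed three-way handshake means a service is listening ("open");
    an immediate RST means nothing is bound there ("closed"); no answer
    within the timeout is the usual signature of a packet-dropping firewall
    ("filtered"). Hosts outside the agreed scope are never contacted.
    """
    if not in_scope(host, scope):
        raise PermissionError(f"{host} is outside the authorised scope {scope}")
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:   # RST came back: port closed
                results[port] = "closed"
            except OSError:                  # timeout or unreachable: filtered
                results[port] = "filtered"
    return results


def start_local_listener():
    """Constructed target: an accept-and-close listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the serving thread notice shutdown
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:      # listener closed from demo(): stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop, srv.getsockname()[1]


def reserve_closed_port():
    """Pick a port that was free a moment ago by binding and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port inside an authorised scope."""
    srv, stop, open_port = start_local_listener()
    closed_port = reserve_closed_port()
    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port],
                                   scope=["127.0.0.0/8"])
    finally:
        stop.set()
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in results.items():
        print(f"127.0.0.1:{port} {state}")
```

A connect scan completes the handshake, so it appears in the listening service's logs; a SYN scan (half-open, sent from a raw socket that needs elevated privileges) is quieter but is not shown here. Note that "filtered" and "closed" only mean that this probe did not get in, which is the sense in which a test gathers evidence of weakness rather than proof of impenetrability.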

2.2.3 Exploitation
This stage is where the ethical hacker takes over the target system by gaining administrative-level access on key computers on the network. Internally networked computers often have more relaxed security restrictions, which makes them easier targets for carrying out administrative-level tasks. The stage therefore encompasses cracking passwords in order to gain access to a platform where commands can be executed on a target machine inside the network. As with the other steps, numerous tools are available to crack passwords, guess user names and send remote commands to the compromised computer.
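Password cracking, the technique this stage leans on, as an added example that is not code from the essay or from Engebretson: an offline dictionary attack with simple mangling rules (case changes and common suffixes) against a credential store of salted SHA-256 hashes. The store format, the accounts and passwords in it, the wordlist and the suffix rules are all constructed for this example; the cracker sees only the salts and digests, never the plaintexts that built them.

```python
"""Offline dictionary attack with mangling rules (added example, not from the essay).

The credential store is constructed here for the example: each record is
user -> (salt, SHA-256(salt + password)). Everything below is an assumption
made for this example, not a real system's format.
"""
import hashlib

WORDLIST = ["password", "summer", "welcome", "admin", "letmein", "dragon"]
SUFFIXES = ["", "1", "123", "!", "2019", "2020"]


def hash_password(salt, password):
    """Fast salted hash: one SHA-256 per guess is the weakness the attack
    relies on. A slow hash (bcrypt, scrypt, Argon2) raises the cost of
    every guess by the same factor it raises the cost of a legitimate login."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_store(credentials):
    """Constructed target-side store. Salts are fixed so the example is deterministic."""
    store = {}
    for i, (user, password) in enumerate(sorted(credentials.items())):
        salt = f"s{i:02d}"
        store[user] = (salt, hash_password(salt, password))
    return store


def candidates(wordlist):
    """Generate guesses: each word in three casings, each with every suffix."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack(store, wordlist):
    """Return user -> recovered password for every account a guess matches.

    Because each record has its own salt, every guess must be rehashed per
    account; an unsalted store would let one hash be compared against all
    accounts at once.
    """
    guesses = list(candidates(wordlist))
    recovered = {}
    for user, (salt, digest) in store.items():
        for guess in guesses:
            if hash_password(salt, guess) == digest:
                recovered[user] = guess
                break
    return recovered


def demo():
    """Three accounts with wordlist-derived passwords fall; the random one holds."""
    store = make_store({            # constructed sample accounts
        "alice": "Summer2019",
        "bob": "welcome1",
        "carol": "ADMIN!",
        "dave": "cT9#vq2LpX4!rWz",   # not reachable from the wordlist and rules
    })
    return crack(store, WORDLIST)


if __name__ == "__main__":
    for user, password in demo().items():
        print(f"{user}: {password}")
```

With six words, three casings and six suffixes the search space is 108 guesses per account, which is why a wordlist-derived password with a year or a "!" appended falls in milliseconds while the random one does not. The defensive reading is the same as the offensive one: per-user salts force the rehash per account, and a deliberately slow hash makes each of those rehashes expensive.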

2.2.4 Maintaining Access


This is the final stage, and it normally relies on a backdoor [9, p. 128]: a hidden means of re-entry that gives the hacker privileged access to the target system or systems while remaining unnoticed. This stage of ethical hacking demonstrates the ability to use the target system at will and to reach a whole range of privileged locations on the network. It is the culmination of a hacker's objective, where confidential files and information are accessed and used for financial gain or other purposes.

2.3 The Implication of These Processes


If one observes all the stages carefully, one realizes that no boundaries are dictated or specified; in fact, most ethical hacking training material explores various ways of getting the best results, that is, access to information that would otherwise be privileged. Each of these processes has the following characteristics:
1. Disclosure of unpublicized information
2. Using private and personal information to gain access to privileged information
3. Infringing on implied privacy by rendering a system open for preview
4. An inadvertent widening of scope
While the main intention may be upheld, many issues arise from engaging ethical hacking procedures in the protection of information, processes and systems, namely the ethical compromise and the extent to which tolerance will be surpassed.


3 General Business Case Ethics


Ethics is the study of morals [12, pp. 9, 15], approaching the study of morals from a normative position rather than the descriptive position taken by the social sciences. Business ethics focuses on moral right and moral wrong in business institutions, organizations and activities, with the understanding that moral standards are not established or changed by the decisions of business authority figures or authoritative bodies. Laws and legal standards are established by the authority of a legislature or the decisions of voters, while family norms and classroom norms are set by parents and teachers. Velasquez [12] raises the question of whether individual morality can be applied in the same manner to institutions and businesses [12, p. 12], but asserts that it is wrong to assume that anything legal can be labeled ethical [12, p. 21]. In the business world, profits are upheld; all activities are geared towards the establishment of growth and profitability. This being one of the major objectives of business, if not the primary one, all other priorities take a comparative back seat. Business ethics is therefore an attempt to reconcile the moral standpoint that drives all human-factored effort and activity with the drive toward profitability. Spafford [13] defines ethics as the discipline dealing with what is good and bad and with moral duty and obligation. He asserts that philosophy takes the position that what is 'right' is determined by the action rather than its results [13, p. 3], meaning that even with a justifiable result the act is not necessarily moral. This means that profitability, though a major agenda in business strategy, cannot be the sole or dominating factor in business decisions, even though in practice it often is [7, pp. 300-476]; with the abandonment of morals, it would prove increasingly difficult to achieve expected profits. This is tied in with the company's image or institutional reputation. Ferrell [7, pp. 17-22] outlines the benefits of business ethics in promoting employee commitment, investor loyalty, customer satisfaction and the achievement of profit; a company's reputation is a key decisive factor in achieving returns, since one has to demonstrate to all stakeholders that, while profits are imminent, the entire organism of the business upholds some form of ethical conduct that leads to trust and therefore confidence. Some businesses, often because of the specificity of their operational model, boast a purely lawful standpoint, ignoring most moral opinions when an ethical conflict is imminent. This model is built around maximizing structural performance rather than the cooperative human element that fosters self-initiated performance. However, all (or arguably most) business institutions and establishments realize the value of abiding by the law as a backstop. In some regions, moreover, legal constraints are tied in with cultural values, so that a moral perspective is lawfully enforced, as in the case of Coca-Cola in the European market [7, pp. 407-419]. According to Jennings [14], ethical standards are not standards of the law; however, there are many instances where the law and moral positions intersect. Spafford states that "...businesses misled consumers who could not easily follow the jargon of long and complex agreements." [13, p. 19]. This being the case, there is a greater need than the applied legal obligation alone. In many cases, business operations are not sanctioned before a demonstrated return on investment (ROI), which means that with each step forward all stakeholders have to be assured that their desired results will be met before they commit more funding to business operations. Where profitability is negatively affected, business executives have to demonstrate control and mitigation processes that will protect against the loss of profit; some of these actions may seem to circumvent moral implications, but in the long run they demonstrate what the stakeholders demand: a justified abandonment of ethical principle. Before the commencement of business ventures, companies and institutions conduct what is commonly referred to as market research, the attempt to determine whether the targeted market has the hallmarks of participating in significant sales, and therefore returns. This study is conducted with the aim of determining the motivations, needs and priorities of potential buyers, thereby creating a scale that would guide a possible response to a sales campaign. The information collected during market research can be viewed from a moral standpoint, where prevailing cultural practices affect the moral values of the targeted demographics, thereby inadvertently proving the value of moral inclinations in the business process; for instance, a highly religious market group would not buy into products which they find religiously offensive [15, p. 6], or which infringe on their cultural values. To sum up, the value of ethics cannot be denied; it prevails when businesses and institutions make business decisions, and also in the design, manufacture and marketing of products.
Chances are, business models that abandon moral value in their processes will eventually need to apply the same principles in profit-defying situations, especially when dealing with the human factor [16, p. 2].


4 The Ethics of Hacking


Simpson [8, p. 2] describes the term as an oxymoron, in regard to the ethics of doing what is generally perceived to be wrong. The act of hacking is itself evaluated to determine the moral position that leads to the act, as seen by all the parties affected in the process. From a business perspective, profits indeed prevail in this decision, but they cannot be justified morally after the fact; the case needs to be made and well defined before the hacking attempt is initiated. Bansal [17] says that "White Hat Hackers are authorized and paid persons by the companies, with good intentions and moral standing", thereby asserting that 'white hat' hackers (white hat referring to the intent for good) work within the bounds of procedural consistency. Norfolk [18, p. 1] introduces the concept with three main questions for evaluating the ethics of the hacking process:
1. How do you know they have reformed? If they find a really major vulnerability, how do you know that they won't exploit it, or boast about it on the Internet?
2. How do you know that they are any good? A good number of hackers aren't that bright but just got lucky once. The key to success as an unethical hacker is single-minded patience and some aptitude for problem-solving, rather than intelligence. Others are script kiddies, following other people's exploit recipes. Do you know enough about breaking security to distinguish a clever hacker from someone who just knows the jargon?
3. Do you really want to encourage the idea that a life of crime is a short-cut to a well-paid job in the world of corporate computing?
Obviously, there seems to be a lack of ethical dispensation in the hacker community from which to find the ideal candidate, one who would not introduce moral challenges but would enforce business ethics and produce the required results. To put it plainly, most hackers lack the requisite ethic and would therefore be disqualified from the process. Yurcik [19, p. 9] proposes that hacking is a matter of intent rather than a technical problem; in fact, he boldly states that technical solutions would get better results through behavioral modification. By this argument, if human intent were sufficiently divulged, hacking attempts would be expected, thereby disqualifying the negative quality that hackers currently present through their ambitious intrusive actions. To sum up these thoughts, a perspective in which compromising a system can be deemed ethical is a matter of moral contention, and would therefore raise more differing ethical perspectives than a unified moral code among hackers.


5 The Varying Perspectives of Ethics


Since ethical hacking is equated with a sanctioned compromise of a system in an attempt to determine a security risk [19, p. 8], it is safe to presume that there is more than one affected party in the ethical hacking attempt, which raises multiple ethical positions that would probably need to be addressed before the procedure is initiated. In times past, ethical hacking was compared to beta testing [19, p. 6] and to the differing legal perspectives that arise from jurisdictional differences [20], [21, p. 5], but it now creates a scenario with a lot more stakeholders than there used to be in a single ethical hacking session, compounded further by the increasing scope of penetration with regard to the finite quantity and quality of processes and forms of information:
- An increase in partnerships between companies has given rise to complex business-to-business operational models, and therefore to an increased effect of any hacking attempt; sanctioning it would imply that all partners sign off on any hacking attempt intentionally orchestrated through internal security efforts.
- Market shares are unbound by geography and demographics, where jurisdictional issues are too complicated for legal positions to apply; for instance, the Internet as a global market is conceptually a very extensive scope, too big to comprehend, and therefore presents a seemingly infinite number of perspectives from a moral position, owing to global cultural diversity.
- The intention behind contemporary hacking attempts keeps blurring the lines that demarcate clarity, introducing an element of general mistrust of hacking experts, ethical or otherwise.
- The scope of ethical hacking cannot be sufficiently quantified if all factors are considered, for instance a list of international customer information, partnering companies and their networks, software products and all subscribed users.

Most people tend to fall back on their own ethical framework when determining fair treatment [12, p. 26]; the challenge is that moral standards have no universal framework [7, p. 91], and this is a point of weakness should the principle be brought to bear when attempting to compromise a system in the name of securing it. Nevertheless, it does not disqualify the contextual need to adopt a moral model in ethical hacking. The following are the ethical perspectives that arise from the diversified stakeholder context:

5.1 That The Company is of Utmost Importance


The composition of the company gives a clearer picture of all the stakeholders. Typically, a company comprises both human and non-human assets*, each a valued part of the production process. Human assets normally comprise:
* Not meant in a derogatory manner, but to put things into perspective when describing the compromise involved in ethical hacking


1. Owners or proprietors
2. Employees
3. Employee dependents
4. Customers
5. Vendors
As long as the business is legal, the involvement of each of these assets is documented to prove the legal position of each transaction. The records are kept to monitor the performance of the business and to ensure that all parties' interests are upheld. Without these records there is no proof that all regulatory requirements, which are put in place to protect the customers primarily [7, p. 119] and then the business, have been met. These records or documentation can be used to extract value, and hence make a profit at the company's expense, for instance by using customer information to make financial commitments, using product information to build replicas, or exploiting the proprietary value in an undisclosed process. Assuming that the only regulatory requirement the business has is to protect the records of all these stakeholders, and that the methods and ways of doing so are not specified, then the company would be justified in performing the ethical hacking. While it is clear that the company is made up of varied resources, only the profitable end is upheld, which has the least ethical inclination [12, p. 62]. From this perspective, ethical hacking would be justified by proving the technical requirement of upholding privacy, or limited access to privileged information. It is possible for the company to justify an informational compromise with the promise of security, which is proven by the compromise itself; for instance, penetration testing can be done with sample records of no value, but the point would be made better by hacking actual information.
In this scenario, the company perceives that it has the least ethical obligation, and its concern is defined as a technical one; as Spafford [13] generally concludes, the application of the hacker ethic implies that the infringement of privacy is conditional on the end result, which would be a betrayal of some or all of the stakeholders regarding information entrusted under a presumption of upheld privacy. Should the company take this position, its ethical obligation would be to disclose the hacking results selectively, so as not to imply an infringement of privacy.

5.2 That the records (information or data) are of utmost importance

This perspective assumes that the informational entries hold more value than the people mentioned in those records. From this perspective, ethical hacking would be completely justified, both morally and legally (the technical requirement of the law). Since the information is regarded with a high priority, intrusive, invasive and exploratory efforts in ethical hacking, whether testing for susceptibility or responding to an attack, would circumvent the initial prerogative of protecting the very records that need to be 'ethically hacked'. Should an ethical agenda be upheld, the company would find itself in a 'catch-22' situation [22], where hacking the customer, employee, vendor or other stakeholder information would compromise the ethical value they wish to instill by protecting their records; it is easy to go round in circles describing this situation. Harper [4] stipulates what disclosure following the hacking would mean to the product or company owner, regardless of the impending compromise. How would an ethical hacker determine what information to access, and the extent of sanctioned access? Some risks or vulnerabilities cannot be quantified, and therefore a complete breach must be expected. Without the expectation and the definition of the scope of hacking for all stakeholders, public disclosure* of the results, though popular in soliciting a definitive response from the product owner, cannot be considered fair play, since the very people claiming to increase the protection of others are inadvertently increasing the risk of compromise [4, p. 49]. So what would the ethical process be? The ethical hackers would need to disclose all their intentions before the hacking process, and all stakeholders involved in or affected by the process would need to be updated and advised on what the hacking entails, and the risks it prevents and presents. This objective step seems hard to swallow, and it might throw in a lot more red-tape constraints.

5.3 That the Customers, the Vendors and the Staff are of Utmost Importance

This perspective would make the sanctioning of ethical hacking difficult, since privacy is of key importance for all human entities and should be upheld at all times, especially in companies and institutions with autonomy instilled as the company culture. Moral conflicts arise from information disclosure, and should all acts and words be done in privacy, the ethical provocation would be lacking; for instance, in an autonomous office environment there is bound to be information proving that an act by one of the employees was against company policy, but such environments are upheld for their ability to reduce the ethical imbalance, also known as decentralized management [7, p. 119]. Since morality plays on individual values [7, p. 57], upholding privacy is important in the protection of individual moral inclination; for instance, should an ethical hacking process reveal that vendor information can be accessed, the details of a transaction might shed light on the vendor's operational model. The vendor would then be justifiably offended that they were not informed of this process, since all transactions are done in confidence, apart from situations that carry a legal obligation toward disclosure. The scope of the ethical hacking process cannot be defined in this perspective; it would mean enumerating the ethical inclinations of all the customers, vendors and employees, and editing the framework in a way that does not compromise any of these values. It would be a big undertaking, and most considerations would fall outside the technical scope, which has in itself nothing to do with moral values, but rather with the result [10, p. 22]. It suffices to say that ethical hacking would be a pointless effort from this perspective, if its objective is to secure information and processes by a compromise.

In order to perform ethical hacking, the hackers would have to adopt the values of the subject customers, employees and vendors whose information is exposed in the process. "...White Hat Hackers are authorized and paid person by the companies, with good intends and moral standing..." says Bansal [17, p. 6], asserting that White Hat hackers would work within the bounds of procedural consistency.
* This meaning that the expected ethical hackers are not in-house, thereby implying a public disclosure.


5.4 That The Ethical Hacker Is Right

Hackers normally test their malware and malicious products against popular security solutions to mitigate possible challenges, and hence are always a step ahead [4, p. 5]. From this perspective, are the actions of ethical hacking justifiable, since the very systems and professional solutions which protect processes and information are subject to compromise? This approach is similar to the rules of war, where homicide is acceptable if it advances the objective of a war campaign. From this perspective, there are two issues to address:

1. Who is the Ethical Hacker? It would obviously be someone the company can trust; since they lay waste to security measures to prove susceptibility, the odds are that they are the very hackers who would have caused the initial compromise. How would the company go about vetting a person who knows how to compromise systems? Where does the line lie? In this case, the ethical hacker needs to demonstrate moral principles that align with the company objective of testing the secured information.
2. What is the Scope of the Ethical Hacker? This would be hard to define, since chances are the initial situation starts from speculation about the possibility of compromise; even where weaknesses have been detected, it would be hard to determine the extent of the susceptibility, considering that the hacking procedure would define the scope in a post-hoc declaration. In other words, the hacker is sent in for an exploratory visit inside a system possibly composed entirely of privileged information.

The requisite characteristics of the ethical hacker would suggest someone or a group of people with a strong moral conviction, defending what they perceive to be good and adopting a general moral model that would defend all the parties involved, which sounds like an ideal. This perspective also suggests that there is no clear agenda for protection.

Harper [4] says the question of who is being protected in ethical hacking comes into play, since the enhancement of security means access to real data [4, p. 50]. This is fueled by the increasing lack of coordination between stakeholders, which would include the hackers, security agencies and the owners of the process or data, that is, the client. If the hackers' actions are justifiable based on the general need for security, then there is no need to involve any of the parties, since they would need to limit the penetration testing to what the stakeholders perceive is their scope of operation.


6 Positive Moves Towards Ethical Procedure

The ethical influence in hacking is one of great consequence, for in certain situations it can stall the process altogether, which is why regulatory bodies have arisen to moderate ethical hacking processes. The following are some examples that tend to direct the efforts of ethical hacking toward more positive outcomes, thereby resolving some or all of the issues, both ethical and technical. Most of these bodies use literacy models which tend to educate all parties affected by unscrupulous on-line activities, in order to reduce the infringement of privacy and property rights from varied dimensions.

6.1 CERT (Computer Emergency Response Team)

CERT was established in 1988 to deal with the initial virus attacks on the Internet [4, p. 50]. Initially, hackers would solicit responses to the discovery of a vulnerability in an electronic system by publicizing the hacking results to the general public. This would place the target institution, company or system in a contingent situation, thereby forcing it to resolve or remove the vulnerability. This is a popular move by hackers following the release of new software products, which are subjected to thorough intrusive testing by hackers, who later publish the results in the public domain for all to see. CERT, seeing the possibility of this unmoderated process reaching uncontrollable proportions, set up a framework to ensure that ethical hacking would not compromise all parties, through the following processes [23]:

- Moderate full disclosure of vulnerabilities
- Notification of vendors of impending compromise possibilities
- Accords credit to the ethical hacker
- Offering resources for sustainable and ethical cyber security

CERT accords vendors, data and process owners the required time frame to respond to the vulnerability without compromising stakeholders [4, p. 51].

6.2 Getnetwise.org

This is a service-oriented organization based in Washington DC that was created by industry corporations and other public interest organizations to instill a safe Internet environment through the following information-oriented services [24]:

- Online Child Safety
- Privacy
- Security and Spam Issues

Apart from business-oriented safety, a good portion of hacking attempts aim at the privacy of individuals and families with the intent to defraud or harm, especially in most western cultures. The ethical compromise is daunting, which is why informing the general public on the implications of submitting information over the Internet is a critical step in curbing a possible compromise. A more informed population would know what to ask for when they submit their information to a company for business or to access varied services.

6.3 My Secure Cyberspace

This was created as a measure to empower the general population to take steps to secure their networking environment. It was created as a response to the American National Strategy to Secure Cyberspace, a strategy created ten years ago in order to prevent cyber attacks on American infrastructure, reduce the national vulnerability to cyber attacks, and minimize the damage and recovery time from cyber attacks [25, p. 9]. My Secure Cyberspace [26] creates an environment where one does not need technical prowess in order to take measures to protect their information and property from compromise through the Internet. Hosted at Carnegie Mellon University, the organization, through training and service provision, aims to create a partnership between the public and private sectors in developing measurable, accessible, safe and trustworthy computing and communication systems.

6.4 Internet Industry Association of Australia

This Australian organization was formed to increase confidence in using the Internet in Australia by promoting (among many other objectives) [27]:

- The distribution of information to all parties
- An equal and fair participation of all parties in using the Internet as a resource
- The use of open architecture in network designs and protocols
- Compliance with international standards like those of the Internet Engineering Task Force
- The reduction of monopoly over Internet content
- The use of strong encryption technologies over the Internet
- Laws that protect the unrestricted use of the Internet

6.5 Wired Safety

Wired Safety is one of the oldest organizations of its kind; it was initiated by volunteers who provided personalized information and education to Internet users on safety, privacy and security issues. They do this through [28]:

- Helping and supporting victims of cybercrime
- Training and advising law enforcement agencies worldwide on cybercrimes
- Education for communities and individuals
- Resources and activities geared towards Internet safety and security


7 Conclusion

Ethics, morals and cultural implications in technology are subjective, especially in an era where individual identities are extended into virtual Internet contexts. This makes the on-line environment just as significant to human interaction as the real world; therefore, the purpose and function of ethics cannot be ignored. Ethical hacking as a security measure clearly raises more ethical questions than answers, and perhaps should rightfully not be called ethical hacking. From a technical perspective, penetration testing is plausible, but ethical hacking defines a scope too wide to comprehend. In order to conduct an act that is universally ethical, one would need to abide by prevailing global morals in a comprehensive and inclusive manner. This is especially true for the use of the Internet, which by default is culturally diversified. Perhaps a different approach to ethical hacking would be to develop a vetting process where the ethical hacker demonstrates moral standing, subject to regional cultural inclinations, apart from the technical know-how. This would prove that the ethical hacker is able to comprehend the effect of the hacking attempt on all the parties involved, and would therefore be qualified to act on their behalf. While ethical hacking is now widely practiced, it is doubtful that all the parties involved would sanction the processes should they be educated on the implications of a typical hacking process. Inasmuch as there are regulations and laws that govern sanctioned hacking practices, they hardly complement what each act means for each of the stakeholders. Considering that the perceived basic requirements are met, where the storage of personal information and the processes and protocols that protect the same data are clearly defined and regulated as a minimum, there would be a clarified need to instill moral values in the process; how else is this new group of hackers supposed to be trusted?

In order for a society to thrive, cultural perspectives are woven into legislative acts, making laws that create a common moral standpoint, where all issues that would violate the letter of the law are resolved in a fair and amicable way. Since this cannot be applied to a global network that thrives on anonymity and freedom of expression, perhaps the solution would be the exclusion of proprietary, personal and privileged information from the Internet, or the isolation of host systems, a rather far-fetched and impractical solution. What will probably happen is the fleshing out of disclaimer agreements, where parties submitting potentially valuable information to a proprietary system are advised of the privacy risks involved, which will probably be extensive and tiresome fine print which hardly anyone would have the time to study. The disclaimer would include the intent to subject the host system to testing for possible vulnerabilities from time to time, thereby creating the possibility of disclosure in an uncontrolled hacking event. In any case, the responsibility is shared among all parties, who are liable for all the information they want to share or store for use in processes, software products and communication systems. The moral guarantee of how this information is treated and secured is anyone's guess, since a lawful declaration is a post hoc ergo propter hoc argument, and does not prevail over personal or institutional ethical value.


8 References

[1] Ethical Hacking & Countermeasures | University of Abertay Dundee. [Online]. Available: http://www.abertay.ac.uk/studying/find/ug/ethhaccount/. [Accessed: 27-May-2013].
[2] Ethical Hacking for Computer Security - Northumbria University, Newcastle UK. [Online]. Available: http://www.northumbria.ac.uk/?view=CourseDetail&code=UUSETH1&page=apply. [Accessed: 27-May-2013].
[3] P. Himanen, The hacker ethic, and the spirit of the information age. New York: Random House, 2001.
[4] Gray hat hacking: the ethical hacker's handbook, 3rd ed. New York: McGraw-Hill, 2011.
[5] C. C. Palmer, Ethical hacking, IBM Syst. J., vol. 40, no. 3, pp. 769–780, 2001.
[6] S. Seethu and P. S. Smijesh, Ethical Hacking, 2006.
[7] O. C. Ferrell, Business ethics: ethical decision making and cases. Mason, OH: South-Western Cengage Learning, 2011.
[8] M. T. Simpson, Hands-on ethical hacking and network defense. Boston, MA: Course Technology, Cengage Learning, 2011.
[9] P. Engebretson, The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Waltham, MA: Syngress, 2011.
[10] J. S. Tiller, Ethical Hack: A Framework for Business Value Penetration Testing. Boca Raton, FL: Auerbach Publications, 2003.
[11] K. E. Himma, The ethics of tracing hacker attacks through the machines of innocent persons, Int. J. Inf. Ethics, vol. 2, no. 11, pp. 1–13, 2004.
[12] M. G. Velasquez, Business ethics: concepts and cases. Upper Saddle River, N.J.: Pearson, 2012.
[13] E. H. Spafford, Are Computer Hacker Break-ins Ethical?, 1990.
[14] M. Jennings, Business ethics: case studies and selected readings. Australia; Mason, OH: South-Western, Cengage Learning, 2012.
[15] R. B. Young and R. G. Javalgi, International marketing research: A global project management perspective, Bus. Horiz., vol. 50, no. 2, pp. 113–122, Mar. 2007.
[16] M. R. Lissack and K. A. Richardson, Models without morals: toward the ethical use of business models, Emergence, vol. 5, no. 2, pp. 72–102, 2003.
[17] A. Bansal and M. Arora, Ethical Hacking and Social Security.
[18] D. Norfolk, Understanding Ethical Hacking, PC Netw. Advis., Management and Strategy: Overview, no. 128, Mar. 2001.
[19] B. S. W. Yurcik and D. Doss, Ethical hacking: The security justification, 2001.
[20] V. Rajendran, Hacking: Illegal but Ethical, 2012.
[21] S. N. Narayanan, Ethical Hacking, 2008.
[22] The definition of catch-22, Dictionary.com. [Online]. Available: http://dictionary.reference.com/browse/catch-22. [Accessed: 30-May-2013].
[23] CERT Coordination Center (CERT/CC). [Online]. Available: http://www.cert.org/certcc.html. [Accessed: 01-Jun-2013].
[24] GetNetWise | About GetNetWise. [Online]. Available: http://www.getnetwise.org/about/. [Accessed: 01-Jun-2013].
[25] Department of Homeland Security, The National Strategy to Secure Cyberspace. 2003.
[26] MySecureCyberspace: Home. [Online]. Available: https://www.mysecurecyberspace.com/. [Accessed: 01-Jun-2013].
[27] What are the objectives of the Association? | Internet Industry Association of Australia. [Online]. Available: http://iia.net.au/About%20the%20IIA/objectives.html. [Accessed: 01-Jun-2013].
[28] WiredSafety. [Online]. Available: https://www.wiredsafety.org/about/. [Accessed: 01-Jun-2013].
