Ethical Hacking: Varied Perspectives by Tito Ndoka is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Table of Contents
1 Introduction
2 Understanding The Position of Ethical Hacking
2.1 What Drives Ethical Hacking?
2.2 Common Processes in Penetration Testing
2.2.1 Reconnaissance
2.2.2 Scanning
2.2.3 Exploitation
2.2.4 Maintaining Access
2.3 The Implication of These Processes
3 General Business Case Ethics
4 The Ethics of Hacking
5 The Varying Perspectives of Ethics
5.1 That The Company is of Utmost Importance
5.2 That the Records (Information or Data) are of Utmost Importance
5.3 That the Customers, the Vendors and the Staff are of Utmost Importance
5.4 That The Ethical Hacker Is Right
6 Positive Moves Towards Ethical Procedure
6.1 CERT (Computer Emergency Response Team)
6.2 Getnetwise.org
6.3 My Secure Cyberspace
6.4 Internet Industry Association of Australia
6.5 Wired Safety
7 Conclusion
8 References
Abstract
Ethical hacking has already been established as a discipline in the information technology industry for resolving the security challenges created by the current and increasing threat of intrusive hackers, anonymous and aggressive in cyberspace. The worry of many companies with something to lose, should their systems be compromised, is the possibility that their security measures may not suffice, which is why penetration testing is used to determine just how susceptible the system is. In doing so, actual privileged information has to be compromised in a controlled process, regarded as ethical hacking, which aims to demonstrate areas of weakness by getting to the information that is supposed to be secured from public or unauthorized access. Due to the significant number of players likely to be affected by the controlled hacking process, ethical perspectives arise where the affected parties can reserve the right to protest against the action, claiming ethical violations. But how can the moral perspective be practically implemented when this action is aimed at securing the system further? How can the ethical component be applied when ethics are based on prevailing cultural and moral values? Is there an ethical opinion in ethical hacking that can prevail in the prevention of the ethical violation? Do the organization's information and processes take precedence over the data hosted in its systems, which was entrusted to it under the premise of privacy? Can ethical hackers be trusted, and if they are that good at hacking systems, what are the possibilities that they are the very compromise the company seeks to prevent? How can they be vetted? Is it not possible that they hone their skills by hacking other systems anonymously, without the permission of the subject company?
Many ethical issues arise, and they are all based on the differing points of view of the varied stakeholders. Perhaps the real ethical dilemma is in the name 'ethical hacking', and it should be defined from a technical point of view, or comprehensively restructured to accommodate prevailing cultural values.
1 Introduction
Ethical hacking is currently established as a recognized discipline in some training and educational institutions around the world [1], [2], and will eventually take its place in the management of information systems as part of the assurance of strategic measures in data and information security. Hacking is a somewhat ambiguous term, formerly positive in its implication, pointing to an enthusiastic software developer whose interest and ambition lay in the innovative effort of creating versatile and trending software and other computing solutions, mostly out of interest [3, p. 4]. The term 'hacking' is now associated with unauthorized or intrusive access to electronic information, regardless of the purpose or intent; perhaps from an innovative standpoint, it is a creatively different way of accessing information, data or processes. Security becomes a major aspect in the business and trade communities due to increased on-line transactions in operations, financial administration and management. Liability spreads to the flow of information, privileged client details and privacy; all aspects expected and required to be upheld with integrity by all stakeholders. Generally, US law, for instance, regards hacking as the access of privileged electronic systems or devices through varied electronic means, without proper authorization, with the intent to defraud or out of ambition or malice [4, p. 26]. Ethical hacking therefore finds relevance due to the increasing efforts and sophistication of hackers around the world in the compromise and/or access of information and proprietary intellectual property hosted in electronic form. It is a responsive effort that engages the same hacking procedures (generally and initially unwanted, or perceived as illegal) in the testing and securing of information and/or information systems. The term 'ethical hacking' still begs for clarity, with its meaning left to ambiguous interpretation, many taking a comparative position.
In this view, it has been compared to financial auditing [5, p. 2], where integrity, procedure and operational structure are verified in an internally sanctioned activity [6]. Ethical hacking has also been compared to the tactics of war, as asserted by Harper [4, pp. 319], in that ethical hacking, and the morals therein, are similar to military application, where the enemy has to be fully defined before and during the engagement of offensive or defensive activity. The main issue with ethical hacking is therefore not its productivity, since it has been evaluated and proven to be effective [7, pp. 1722], but rather the implication of the actions engaged which lead to the desired results: the predefined procedures that lead to the revelation of possible compromise or the occurrence of threat, commonly referred to as penetration testing [8, p. 3], [9, p. 10]. This contentious implication is ethical in nature, with many assumptions made on behalf of all stakeholders [4, p. 50]. While the intention of ethical hacking may be qualified, it may not necessarily be clarified in terms of the scope of compromise, and therefore the ethical standpoint, which presumably guides the hackers along a predefined and supervised path similar to the one hackers would take; as Tiller [9, p. 22] would say, "...there are rules, time limitations, access restrictions, motive differences, and consequences associated with assuming the role of a hacker to which the real hacker is not confined...", thereby introducing a number of varying ethical perspectives.
These memorably infamous examples prove that a hacker's intrusive efforts affect financial profitability, hence the need to step up the prevention of, or the response to, an attack that compromises the integrity of information or of the process. It is important to understand the full scope of a risk before mitigating it, and more so when the risk cannot be fully understood other than through observation. Ethical hacking can therefore be viewed as an experimental process where observation offers proof of impenetrability. There are, however, situations where a hacker needs to be identified for varied reasons, in which case a calculated traceback would be initiated to mitigate specific risks [11, p. 2]. This differs from the determination of system susceptibility, and addresses specific risks involved with an exclusive hacking attempt. As long as a product or process holds financial value, any and all measures are expected to be taken to prevent the loss of that value, in the expectation of maximum returns for the investing company or companies; ethical hacking is therefore expected to grow as innovation brings sophistication in products and processes, and with it the need to secure them for a return on investment.
Since most hackers prove their prowess by penetrating a system without relying on luck, they assume that an organization has put in place measures to prevent the most obvious intrusive action, which is why elaborate methods of penetration are employed. A good hack makes sure that one can access the system at will, not by sheer luck, and that one can remain anonymous long enough to maintain the upper hand. The common practices in ethical hacking encompass the following four steps, according to Engebretson [9, pp. 10144]:
2.2.1 Reconnaissance
This step involves collecting as much information as possible about the target of the test. More comprehensive research usually leads to more successful attempts in later stages.
This stage involves the collection and sorting of information without necessarily intruding on the target, though some active reconnaissance strategies involve intrusive action with the aim of collecting information, detection not being the primary concern [9, p. 16]. Once the process is complete, a list of IP addresses and the various levels of difficulty in getting access to each is generated. The tools used at this stage range from a web search engine to a name server lookup, business directories, emails and social engineering, among others.
2.2.2 Scanning
This stage utilizes the list generated in the first stage to determine whether the target IP addresses are active and, if they are, whether there is a point of penetration through ports (port scanning). The standard operation of Internet transmission protocols dictates that, for all valid software applications, ports are assigned to particular applications and processes; for instance, accessing web pages uses port 80, and therefore most applications that access that port are Internet browsers. A port scan checks the targets for ports which have been left open, and then checks for ways of using the open ports to access the system other than for the prescribed purpose of the port, in what is called a vulnerability scan [9, p. 58]. There are many tools for accomplishing the objectives of this stage; they are programs that deliver ping requests, port scans, and SYN scans for UDP and TCP transactions over the target network.
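Seen from the defender's side, the scanning stage leaves a distinctive footprint: one source address touching many destination ports on a host within a short time. The following detector, written as an added example for this page (it is not from the paper or from Engebretson's book), runs that heuristic over firewall connection logs. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example.

```python
"""Detect port sweeps in firewall connection logs.

Added example: a defender-side detector for the scanning stage. The log
format, thresholds and addresses (RFC 5737 documentation ranges) are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log line format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)

# Constructed sample: 203.0.113.5 probes ten ports on one host in five
# seconds (a sweep); 192.0.2.77 makes ordinary web requests (not a sweep).
SAMPLE_LOG = """\
2013-05-27T10:00:01 src=203.0.113.5 dst=198.51.100.10 dport=21 proto=tcp action=deny
2013-05-27T10:00:01 src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp action=deny
2013-05-27T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=23 proto=tcp action=deny
2013-05-27T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=25 proto=tcp action=deny
2013-05-27T10:00:03 src=203.0.113.5 dst=198.51.100.10 dport=80 proto=tcp action=allow
2013-05-27T10:00:03 src=203.0.113.5 dst=198.51.100.10 dport=110 proto=tcp action=deny
2013-05-27T10:00:04 src=203.0.113.5 dst=198.51.100.10 dport=143 proto=tcp action=deny
2013-05-27T10:00:04 src=203.0.113.5 dst=198.51.100.10 dport=443 proto=tcp action=allow
2013-05-27T10:00:05 src=203.0.113.5 dst=198.51.100.10 dport=445 proto=tcp action=deny
2013-05-27T10:00:05 src=203.0.113.5 dst=198.51.100.10 dport=3389 proto=tcp action=deny
2013-05-27T10:00:06 src=192.0.2.77 dst=198.51.100.10 dport=80 proto=tcp action=allow
2013-05-27T10:00:09 src=192.0.2.77 dst=198.51.100.10 dport=80 proto=tcp action=allow
2013-05-27T10:00:12 src=192.0.2.77 dst=198.51.100.10 dport=443 proto=tcp action=allow
2013-05-27T10:45:00 src=203.0.113.5 dst=198.51.100.10 dport=8080 proto=tcp action=deny
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
               int(m["dport"]), m["action"])


def detect_port_scans(text, min_ports=8, window=timedelta(minutes=5)):
    """Return {src: distinct_port_count} for every source that touched at
    least `min_ports` distinct destination ports inside some `window`-long
    span. Allowed and denied attempts both count: a sweep that happens to
    hit open ports still probes the closed ones around them."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for ts, src, _dst, dport, _action in parse_log(text):
        events[src].append((ts, dport))

    flagged = {}
    for src, recs in events.items():
        recs.sort()
        lo = 0
        in_window = defaultdict(int)  # dport -> hits inside the sliding window
        for ts, dport in recs:
            in_window[dport] += 1
            # Advance the window start until it spans at most `window`.
            while ts - recs[lo][0] > window:
                old_port = recs[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            if len(in_window) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 5 minutes")
```

The sliding window is what separates a sweep from legitimate traffic that happens to touch several services over a day; the threshold and window length are tuning knobs that depend on how noisy the monitored segment normally is.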
2.2.3 Exploitation
This stage is where the ethical hacker takes over the target system by achieving administrative-level access on key computers on the network. Internally networked computers have more relaxed security restrictions, which makes them easy targets for the execution of administrative-level tasks. The stage therefore encompasses cracking passwords in order to gain access to a platform from which commands can be executed using the target machine within the network. As in the other steps, numerous tools are available that can be used to crack passwords, guess user names, and send remote commands to the compromised computer.
getting the best results, which is the access of information that would otherwise be privileged. Each of these processes has the following characteristics:
1. Disclosure of unpublicized information
2. Using private and personal information to gain access to privileged information
3. Infringing on implied privacy by rendering a system open for preview
4. An inadvertent widening of scope
While the main intention may be upheld, there are many issues that arise from the engagement of ethical hacking procedures in the protection of information, processes and systems, namely the ethical compromise and the extent to which tolerance will be surpassed.
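Of the characteristics listed above, the inadvertent widening of scope is the one a test team can guard against mechanically rather than by good intentions. As an added example (written for this page, not taken from the paper), the following scope gate checks every host turned up during reconnaissance against the rules of engagement before the scanning stage begins, so that a system whose owner never consented is never touched. The authorised ranges, the exclusions and the candidate targets are constructed and use RFC 5737 documentation ranges and example.com names.

```python
"""Scope gate: check reconnaissance output against the rules of engagement.

Added example, not from the paper. The authorised ranges, the exclusions
and the candidate targets are constructed for illustration (RFC 5737
documentation ranges and example.com names).
"""
import ipaddress

# Constructed rules of engagement. EXCLUDED lists systems the client carved
# out of the authorisation (a shared host with other tenants, a vendor-run
# system) and always wins over AUTHORIZED.
AUTHORIZED = ["198.51.100.0/24", "203.0.113.16/28", "app.example.com"]
EXCLUDED = ["198.51.100.250", "billing.example.com"]

# Constructed list of hosts the reconnaissance stage turned up.
CANDIDATES = [
    "198.51.100.10",         # inside the authorised /24
    "198.51.100.250",        # inside the /24 but explicitly excluded
    "203.0.113.20",          # inside the authorised /28 (.16 to .31)
    "203.0.113.40",          # same provider, outside the /28
    "mail.app.example.com",  # subdomain of an authorised name
    "billing.example.com",   # excluded by name
    "partner.example.net",   # third party: nobody consented to testing it
]


def _parse_entries(entries):
    """Split scope entries into IP networks and lower-cased DNS names."""
    nets, names = [], set()
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower().rstrip("."))
    return nets, names


class Scope:
    def __init__(self, authorized, excluded=()):
        self.auth_nets, self.auth_names = _parse_entries(authorized)
        self.excl_nets, self.excl_names = _parse_entries(excluded)

    @staticmethod
    def _matches(target, nets, names):
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            # Not an address: match an exact name or a subdomain of one.
            name = target.lower().rstrip(".")
            return any(name == n or name.endswith("." + n) for n in names)
        return any(ip in net for net in nets)

    def classify(self, target):
        """Return 'excluded', 'in-scope' or 'out-of-scope'; exclusions win."""
        if self._matches(target, self.excl_nets, self.excl_names):
            return "excluded"
        if self._matches(target, self.auth_nets, self.auth_names):
            return "in-scope"
        return "out-of-scope"


def filter_targets(scope, candidates):
    """Return (allowed, blocked): targets cleared for the scanning stage,
    and (target, reason) pairs that must not be touched. Anything that is
    not positively authorised is blocked."""
    allowed, blocked = [], []
    for target in candidates:
        verdict = scope.classify(target)
        if verdict == "in-scope":
            allowed.append(target)
        else:
            blocked.append((target, verdict))
    return allowed, blocked


if __name__ == "__main__":
    cleared, stopped = filter_targets(Scope(AUTHORIZED, EXCLUDED), CANDIDATES)
    print("cleared for scanning:", cleared)
    for target, why in stopped:
        print(f"do not touch {target}: {why}")
```

The gate is deliberately deny-by-default: a host that belongs to the same provider, or shares a domain with the client, is still out of scope unless the authorisation names it, which is exactly the case in which a test would otherwise widen without anyone deciding that it should.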
misled consumers who could not easily follow the jargon of long and complex agreements." [13, p. 19]. This being the case, there is a greater need than the applied legal obligation. In many cases, business operations are not sanctioned before a demonstrated return on investment (ROI), which means that with each step forward, all stakeholders have to be assured that their desired results will be met before they commit more funding towards business operations. In the situation where profitability is negatively affected, business executives have to demonstrate control and mitigation processes that will avert the loss of profits; some of these actions may seem to circumvent moral implications, but in the long run demonstrate what the stakeholders demand: a justified abandonment of ethical principle. Before the commencement of business ventures, companies and institutions conduct what is commonly referred to as market research, the attempt to determine whether the targeted market has the hallmarks of participating in significant sales, and therefore returns. This study is conducted with the aim of determining the motivations, needs and priorities of potential buyers, thereby creating a scale that would guide a possible response to a sales campaign. The information collected during market research can be viewed from a moral standpoint, where prevailing cultural practices affect the moral value of the targeted demographics, thereby inadvertently proving the value of moral inclinations in the business process; for instance, a highly religious market group would not buy into products which they find religiously offensive [15, p. 6], or those that infringe on their cultural values. To sum up, the value of ethics cannot be denied; it prevails when businesses and institutions make business decisions, and also in the design, manufacture and marketing of products.
Chances are, business models that abandon the moral value in processes will eventually need to apply the same principles in profit-defying situations, especially when dealing with the human factor [16, p. 2].
Most people tend to fall back on their ethical framework in the determination of fair treatment [12, p. 26]; the challenge is that moral standards have no universal framework [7, p. 91], and this is a point of weakness should the principle be brought to bear when attempting to compromise a system in the name of securing it. Nevertheless, it does not disqualify the contextual need to adopt a moral model in ethical hacking. The following are the ethical perspectives that arise from the diversified stakeholder context:
1. Owners or Proprietors
2. Employees
3. Employee Dependents
4. Customers
5. Vendors
As long as the business is legal, the involvement of each of these assets is documented to prove the legal position of each transaction. The records are kept to monitor the performance of the business and to ensure that all parties' interests are upheld. Without these records, there is no proof that all regulatory requirements, which are put in place to protect the customers primarily [7, p. 119] and then the business, have been met. These records or documentation can be used to extract value, hence make a profit at the company's expense, for instance by using the customer information to make financial commitments, using product information to build replicas, or exploiting the proprietary value in an undisclosed process. Assuming that the only regulatory requirement the business has is to protect the records of all these stakeholders, and the methods and ways of doing so are not specified, then the company would be justified in performing the ethical hacking. While it is clear that the company is made up of varied resources, only the profitable end is upheld, which has the least ethical inclination [12, p. 62]. From this perspective, ethical hacking would be justified by proving the technical requirement of upholding privacy, or limited access to privileged information. It is possible for the company to justify informational compromise with the promise of security, which is proven by the subject compromise; for instance, penetration testing can be done with sample records of no value, but the point would be made better by hacking actual information.
In this scenario, the company perceives that it has the least ethical obligation, and its concern is defined as a technical one; Spafford [13] generally concludes that the application of the hacker ethic implies that the infringement of privacy is conditional on the end result, which would be a betrayal of some or all of the stakeholders regarding information entrusted under a presumption of upheld privacy. Should the company take this position, its ethical obligation would be to disclose the hacking results selectively, so as not to imply an infringement of privacy.
records; it's easy to go round in circles describing this situation. Harper [4] stipulates what disclosure following the hacking would mean to the product or company owner, regardless of the impending compromise. How would an ethical hacker determine what information to access, and the extent of sanctioned access? Some risks or vulnerabilities cannot be quantified, and therefore a complete breach must be expected. Without the expectation and the definition of the scope of hacking for all stakeholders, public disclosure* of the results, though popular in soliciting a definitive response from the product owner, cannot be considered fair play, since the very people claiming to increase the protection of others are inadvertently increasing the risk of compromise [4, p. 49]. So what would the ethical process be? The ethical hackers would need to disclose all their intentions before the hacking process, and all stakeholders involved in or affected by the process would need to be updated and advised on what the hacking entails, and on the risks it prevents and presents. This objective step seems hard to swallow, and it might throw in a lot more red-tape constraints.
5.3 That the Customers, the Vendors and the Staff are of Utmost Importance
This perspective would prove difficult for the sanctioning of ethical hacking, since privacy is of key importance for all human entities and should be upheld at all times, especially in companies and institutions with autonomy instilled as the company culture. Moral conflicts arise from information disclosure, and should all acts and words be done in privacy, the ethical provocation would be lacking; for instance, in an autonomous office environment there is bound to be information proving that an act by one of the employees was against company policy, but such environments are upheld for their ability to reduce the ethical imbalance, in what is also known as decentralized management [7, p. 119]. Since morality plays on individual values [7, p. 57], upholding privacy is important in the protection of individual moral inclination; for instance, should an ethical hacking process reveal that vendor information can be accessed, the details of a transaction might shed light on the vendor's operational model. The vendor would then be justifiably offended that they were not informed of this process, since all transactions are done in confidence, apart from situations that carry a legal obligation toward disclosure. The scope of the ethical hacking process cannot be defined in this perspective; it would mean the enumeration of the ethical inclinations of all the customers, vendors and employees, and editing the framework in a way that does not compromise any of these values. It would be a big undertaking, and most considerations would fall outside the technical scope, which in itself has nothing to do with moral values, rather with the result [10, p. 22]. It suffices to say that ethical hacking would be a pointless effort from this perspective, if its objective is to secure information and processes by a compromise.
In order to perform ethical hacking, the hackers would have to adopt the values of the subject customers, employees and vendors whose information is exposed in the process. "...White Hat Hackers are authorized and paid person by the companies, with good intends and moral standing..." says Bansal [17, p. 6], asserting that White Hat hackers would work within the bounds of procedural consistency.
* This means that the ethical hackers in question are not in-house, thereby implying a public disclosure.
CERT accords vendors, data and process owners the required time frame to respond to the vulnerability without compromising stakeholders [4, p. 51].
6.2 Getnetwise.org
This is a service-oriented organization based in Washington DC that was created by industry corporations and other public interest organizations to instill a safe Internet environment through the following information-oriented services [24]:
- Online Child Safety
- Privacy
- Security and Spam Issues
Apart from business-oriented safety, a good portion of hacking attempts aim at the privacy of individuals and families with the intent to defraud or harm, especially in most western cultures. The ethical compromise is daunting, which is why informing the general public on the implications of submitting information over the Internet is a critical step in curbing a possible compromise. A more informed population would know what to ask for when they submit their information to a company for business or to access varied services.
7 Conclusion
Ethics, morals and cultural implications in technology are subjective, especially in an era where individual identities are extended into virtual Internet contexts. This makes the on-line environment just as significant to human interaction as the real world; therefore, the purpose and function of ethics cannot be ignored. Ethical hacking as a security measure clearly raises more ethical questions than answers, and perhaps should rightfully not be called ethical hacking. From a technical perspective, penetration testing is plausible, but ethical hacking defines a scope too wide to comprehend. In order to conduct an act that is universally ethical, one would need to abide by prevailing global morals in a comprehensive and inclusive manner. This is especially true for the use of the Internet, which by default is culturally diversified. Perhaps a different approach to ethical hacking would be to develop a vetting process where the ethical hacker demonstrates moral standing, subject to regional cultural inclinations, apart from technical know-how. This would prove that the ethical hacker is able to comprehend the effect of the hacking attempt on all the parties involved, and would therefore be qualified to act on their behalf. While ethical hacking is now widely practiced, it is doubtful that all the parties involved would sanction the processes should they be educated on the implications of a typical hacking process. Inasmuch as there are regulations and laws that govern sanctioned hacking practices, they hardly complement what each act means for each of the stakeholders. Considering that the perceived basic requirements are met, where the storage of personal information and the processes and protocols that protect the same data are clearly defined and regulated as a minimum, there would be a clarified need to instill moral values in the process; how else is this new group of hackers supposed to be trusted?
In order for a society to thrive, cultural perspectives are woven into legislative acts, making laws that create a common moral standpoint, where all issues that would violate the letter of the law are resolved in a fair and amicable way. Since this cannot be applied to a global network that thrives on anonymity and freedom of expression, perhaps the solution would be the exclusion of proprietary, personal and privileged information from the Internet, or the isolation of host systems, a rather far-fetched and impractical solution. What will probably happen is the fleshing out of disclaimer agreements, where parties submitting potentially valuable information to a proprietary system are advised of the privacy risks involved, which will probably be extensive and tiresome fine print that hardly anyone would have the time to study. The disclaimer would include the intent to subject the host system to possible vulnerability testing from time to time, thereby creating the possibility of disclosure in an uncontrolled hacking event. In any case, the responsibility is shared among all parties, who are liable for all the information they want to share or store for use in processes, software products and communication systems. The moral guarantee of how this information is treated and secured is anyone's guess, since a lawful declaration is a post hoc ergo propter hoc argument, and does not prevail over personal or institutional ethical value.
8 References
[1] Ethical Hacking & Countermeasures | University of Abertay Dundee. [Online]. Available: http://www.abertay.ac.uk/studying/find/ug/ethhaccount/. [Accessed: 27-May-2013].
[2] Ethical Hacking for Computer Security - Northumbria University, Newcastle UK. [Online]. Available: http://www.northumbria.ac.uk/?view=CourseDetail&code=UUSETH1&page=apply. [Accessed: 27-May-2013].
[3] P. Himanen, The Hacker Ethic, and the Spirit of the Information Age. New York: Random House, 2001.
[4] Gray Hat Hacking: The Ethical Hacker's Handbook, 3rd ed. New York: McGraw-Hill, 2011.
[5] C. C. Palmer, "Ethical hacking," IBM Syst. J., vol. 40, no. 3, pp. 769-780, 2001.
[6] S. Seethu and P. S. Smijesh, "Ethical Hacking," 2006.
[7] O. C. Ferrell, Business Ethics: Ethical Decision Making and Cases. Mason, OH: South-Western Cengage Learning, 2011.
[8] M. T. Simpson, Hands-On Ethical Hacking and Network Defense. Boston, MA: Course Technology, Cengage Learning, 2011.
[9] P. Engebretson, The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Waltham, MA: Syngress, 2011.
[10] J. S. Tiller, Ethical Hack: A Framework for Business Value Penetration Testing. Boca Raton, FL: Auerbach Publications, 2003.
[11] K. E. Himma, "The ethics of tracing hacker attacks through the machines of innocent persons," Int. J. Inf. Ethics, vol. 2, no. 11, pp. 1-13, 2004.
[12] M. G. Velasquez, Business Ethics: Concepts and Cases. Upper Saddle River, NJ: Pearson, 2012.
[13] E. H. Spafford, "Are Computer Hacker Break-ins Ethical?," 1990.
[14] M. Jennings, Business Ethics: Case Studies and Selected Readings. Australia; Mason, OH: South-Western, Cengage Learning, 2012.
[15] R. B. Young and R. G. Javalgi, "International marketing research: A global project management perspective," Bus. Horiz., vol. 50, no. 2, pp. 113-122, Mar. 2007.
[16] M. R. Lissack and K. A. Richardson, "Models without morals: toward the ethical use of business models," Emergence, vol. 5, no. 2, pp. 72-102, 2003.
[17] A. Bansal and M. Arora, "Ethical Hacking and Social Security."
[18] D. Norfolk, "Understanding Ethical Hacking," PC Netw. Advis., Management and Strategy: Overview, no. 128, Mar. 2001.
[19] B. S. W. Yurcik and D. Doss, "Ethical hacking: The security justification," 2001.
[20] V. Rajendran, "Hacking: Illegal but Ethical," 2012.
[21] S. N. Narayanan, "Ethical Hacking," 2008.
[22] The definition of catch-22, Dictionary.com. [Online]. Available: http://dictionary.reference.com/browse/catch-22. [Accessed: 30-May-2013].
[23] CERT Coordination Center (CERT/CC). [Online]. Available: http://www.cert.org/certcc.html. [Accessed: 01-Jun-2013].
[24] GetNetWise | About GetNetWise. [Online]. Available: http://www.getnetwise.org/about/. [Accessed: 01-Jun-2013].
[25] Department of Homeland Security, The National Strategy to Secure Cyberspace, 2003.
[26] MySecureCyberspace: Home. [Online]. Available: https://www.mysecurecyberspace.com/. [Accessed: 01-Jun-2013].
[27] What are the objectives of the Association? | Internet Industry Association of Australia. [Online]. Available: http://iia.net.au/About%20the%20IIA/objectives.html. [Accessed: 01-Jun-2013].
[28] WiredSafety. [Online]. Available: https://www.wiredsafety.org/about/. [Accessed: 01-Jun-2013].