Three principles that ethical hackers can use as ethical guidelines

Three principles that ethical hackers can use as ethical guidelines

As cyber attacks have increased in frequency and sophistication, businesses have been forced to take a more proactive approach to countering cyber security threats.

In response, the ethical hacking industry has witnessed a growth of 350% so far, and the industry is set to grow at 21% per year. Right now, ethical hackers are sought out more than ever to work against cybercriminals to beat them at their own game.

But earlier this year when the international cyber gang Lapsus$ attacked major tech brands and were punished by the cybercriminal community as a result – a new debate was born. Can there be honor among thieves? Is there at least some unspoken code of conduct followed by cybercriminals?

If so, this raises a question for the wider law abiding hacker community, should we have our own code of ethics?

Ethical Hacking 101

Ethical hackers assess a computer system, network, infrastructure or application with good intentions, to find vulnerabilities and security flaws that developers may have overlooked. Essentially, it’s finding the weak points before the bad guys do and fixing any bugs before they fall into the wrong hands.

Ethical hacking requires knowledge and permission from the business before infiltration. However, it is only one part of a wider set of actions that white hat hackers must consider so that they do not fall into the black hat category. Here are some guiding principles for white hat hackers to protect themselves and the companies they work for:

It is critical that hackers have permission and understand the scope of access the company provides, as well as the scope of the work they do. Targeted knowledge and a clear scope help prevent accidental compromises and establish solid lines of communication if the hacker uncovers something alarming. Responsibility, timely communication and transparency are important ethical principles to follow, and clearly distinguish a hacker from a cybercriminal. Ethical hackers don’t steal. Rather, create awareness in every organization about the human, process and technology level.

See also  Fallen Order, Fallout 76, Axiom Verge 2 - PlayStation.Blog

All good hackers keep detailed notes of everything they do during an assessment. First and foremost, they must protect themselves. For example, if a problem occurs during a penetration test, the employer will approach the hacker first. Having a time-stamped log of the activities performed, whether exploiting a system or scanning for malware, assures businesses that hackers are working with them instead of against them. Detailed notes also maintain the ethical and legal side of the equation. They form the basis of the reports hackers produce, even when there are no major discoveries. The notes will allow them to highlight the problems they have identified, the steps needed to reproduce the problems, and detailed suggestions on how to fix them.

  • Practice constant communication.

Ethical hackers should clearly define open and timely communication and establish it when drafting a contract. For example, it is good practice to always notify when assessments are running: it is important to send a daily email with the assessment run times. While hackers may not need to report every vulnerability they find immediately to their customer contact, they should flag any critical or show-stopping bugs during an external penetration test. This could present itself as an exploitable unauthenticated RCE or SQLi, a malicious code execution or sensitive data disclosure vulnerability. When they encounter these, hackers should stop testing, issue a written vulnerability alert via email, and follow up with a phone call. This gives the business a chance to pause and fix the problem immediately if they wish. It is irresponsible to let an error of this magnitude slip away. Hackers should keep their main points of contact aware of their progress and any major issues they discover. This ensures that all parties are aware of any problems ahead of the final report.

See also  10 Best Video Games Set in the Wild West, According to Metacritic

All hackers are driven by the curiosity to discover how computer systems work and find innovative ways to solve complex problems. Hackers must continue to develop this curiosity and never stop learning. This allows them to think from both a defensive and an offensive perspective without blurring the lines between. By following best practices, understanding the target, and crafting attack paths, a hacker can deliver amazing results on the right side of the law.

A hacker code of conduct can make all the difference in separating the good players from the bad. First and foremost, this can protect white hats and avoid unnecessary lawsuits. Ultimately, these security experts are there to help businesses and do everything in their power to keep them as protected as possible. Having a set of guidelines separates the good guys from the cybercriminals, and also allows businesses to hire hackers with more confidence.

Haris Pylarinos, Founder and CEO, Hack The Box

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *