As you know, Cybersecurity is a huge field to be in. There are many different areas in which somebody can specialize, depending upon what you are most interested in and where your skill set is. As for me, I landed in the writing aspect of it, because writing is something I have always loved doing, even back in college. And I also love the sense that hopefully, through my books, eBooks, blogs, podcasts, tweets, etc., I am educating people.
But apart from this, one area of Cyber that has always intrigued me was Penetration Testing. Essentially, this is where a hired firm or contractor takes the mindset of a Cyberattacker and tears down everything that they can. From here, all of the known and unknown vulnerabilities are discovered. A final report is then compiled and given to the client as the remediative steps that they need to take, though it is entirely up to them to do that.
But now, the question I get asked, and I even ask myself (especially during the podcasts), is how far this kind of hacking can go. Well, there are legal limits. Meaning, before any kind of Penetration Testing can take place, the client has to sign a contract which stipulates what can and cannot be tested. These are the limits that can be pushed. If the Pen Tester wants to go beyond this, they then have to have the explicit and written consent of the client to do so. Also in these contracts, there are usually clauses that state the client bears all of the risks for any data loss, and that they will have backups created just in case. In the end, this is what is known as “Ethical Hacking”.
Technically, it can be defined as follows:
“It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. It’s finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.”
(SOURCE: https://www.darkreading.com/vulnerabilities-threats/should-hacking-have-a-code-of-conduct-).
So, now you can see why these kinds of testers are called “White Hats”. Their profession is clean hacking, and they have taken that oath not only to themselves and to the company that they work for, but to the client as well.
But while most Pen Testers are honest in what they do, there are also the “Grey Hats” and the “Black Hats”. The former refers to those hackers who were once on the dark side but have now turned over a new leaf, and the latter refers to those individuals who are still on the dark side and hack for illegal purposes, though it may not be to hurt people directly.
For example, a Black Hat may just hack into a system out of curiosity. Or they may try to hack into something big in order to get a huge rush out of it, which will give them a badge of honor in their own circles. Then there are those who hack for malicious gains, and have no sense of right from wrong whatsoever.
But there is some evidence coming to light recently that even the worst of the Black Hat hackers have a sense of scruples amongst themselves.
For example, during the peak of the COVID-19 pandemic, many of the Black Hatters pooh-poohed the idea of creating phony and fictitious websites to give out false information about the virus to the public, all in an effort to capture the login credentials of unsuspecting victims.
Given some recent attacks on high-profile companies, the Black Hatters even banded together to punish the group that launched the threat variants. Because of this sense of right from wrong, this particular hacking group eventually disbanded from the Dark Web, and its members were later apprehended and brought to justice.
Heck, there have even been some stories where Ransomware groups have provided the decryption keys to the victim after they have been paid in Bitcoin by the victim.
So given all of this, and just how important Pen Testing is, there seems to be a call now in the Cyber industry that all hackers, no matter what their status is (White, Grey, or Black Hat), should now abide by a set of ethical standards. It is as follows:
1) Hack with good intentions:
Yes, even the White Hatters can turn at the flip of a switch, but the bottom line here is that you hack to find what is wrong with the lines of defense for the client that has hired you to do this task. No more and no less. If you feel that you need to do more, then you need to get permission, as stated before. Finally, be straightforward in reporting your findings. Avoid, as far as possible, any kind of techno jargon. That won’t impress the client. What will is how you describe the remediative actions that need to be taken.
2) Tell them how to go further:
After they present their findings to the client, most White Hatters will not deploy the needed controls to remediate any weaknesses and gaps. Usually, the client will be referred either to an MSP or an MSSP for this step to take place. A good White Hatter will not pick anybody out of the blue for this; rather, they will refer the client to others whom they trust and feel comfortable with. Also, a good White Hatter will always follow up with the chosen MSP or MSSP to make sure that the work is being done, and that the client is satisfied.
3) Documentation is a must:
Throughout every step of the way, a good White Hatter will always document all of the key steps that have been taken during the Pen Testing exercise. This serves two key purposes: First, if in the off chance something does go wrong during a Pen Test, the White Hatter will have proof that they did everything by the book. Second, this set of detailed documentation, along with the log files, will form the backbone of the report to be given to the client. So the more you can capture, the better.
4) Always keep an open line of communication:
A good White Hatter will always keep the client informed of what is going on, even before the final report is delivered. In this regard, the client does not need to sit next to you; rather, even simple communications via email every few hours will be great. It is very important to remember that in this line of business you never, ever want to ghost your clients.
My Thoughts On This:
What I envision down the road is that some kind of hackers’ forum or union will be established, in which all kinds of Hatters will have to sign and abide by this ethical set of standards as just described. Of course, this list will have to be revised over time, but the four tenets of it will be the starting point. Who knows, in the end, perhaps more of the Black Hatters will then be convinced to turn to the good side? Whenever I ask this question, the thought of Darth Vader turning over a new leaf in Return of the Jedi comes to mind. But hopefully, for everybody’s sake, it will not be too late.