Sunday, October 2, 2022

To All Black, Grey, & White Hatters: The Time For Ethical Standards Has Come

As you know, Cybersecurity is a huge field to be in. There are many different areas in which somebody can specialize, depending upon what you are most interested in and where your skill set is at. As for me, I landed in the writing aspect of it, because writing is something I have always loved doing, even back in college.

And I also love the sense that, hopefully, through my books, eBooks, blogs, podcasts, tweets, etc., I am educating people.

But apart from this, one area of Cyber that has always intrigued me is Penetration Testing. Essentially, this is where a hired firm or contractor takes on the mindset of a Cyberattacker and tears down everything that they can.

From here, all of the known and unknown vulnerabilities are discovered. A final report is then compiled and given to the client with the remediative steps that they need to take, though it is entirely up to them to do that.

But now, the question I get asked, and even ask myself (especially during the podcasts), is how far this kind of hacking can go. Well, there are legal limits. Meaning, before any kind of Penetration Testing can take place, the client has to sign a contract which stipulates what can and cannot be tested.

These are the limits that can be pushed. If the Pen Tester wants to go beyond this, they then have to get the explicit and written consent of the client to do so.

Also in these contracts, there are usually clauses that state the client bears all of the risks for any data loss, and that they will have backups created just in case. In the end, this is what is known as “Ethical Hacking”. Technically, it can be defined as follows:

“It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. It’s finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.”

(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/should-hacking-have-a-code-of-conduct-).

So, now you can see why these kinds of testers are called “White Hats”. Their profession is clean hacking, and they have taken that oath not only to themselves and to the company that they work for, but to the client as well. But while most Pen Testers are honest in what they do, there are also the “Grey Hats” and the “Black Hats”.

The former refers to those hackers who were once on the dark side but have now turned over a new leaf, and the latter refers to those individuals who are still on the dark side and hack for illegal purposes, though it may not be to hurt people directly.

For example, a Black Hat may just hack into a system out of curiosity. Or they may try to hack into something big in order to get a huge rush out of it, which will give them a badge of honor in their own circles. Then, there are those who hack for malicious gains and have no sense of right from wrong, whatsoever.

But there is some evidence coming to light recently that even the worst of the Black Hat hackers have a sense of scruples amongst themselves.

For example, during the peak of the COVID-19 pandemic, many of the Black Hatters pooh-poohed the idea of creating phony and fictitious websites that gave out false information about the virus to the public, all in an effort to capture the login credentials of the unsuspecting victim.

Given some recent attacks on high-profile companies, the Black Hatters even banded together to punish the group that launched the threat variants. Because of this sense of right from wrong, this particular hacking group eventually disbanded from the Dark Web, and its members were later apprehended and brought to justice.

Heck, there have even been some stories where Ransomware groups have provided the decryption keys to the victim after they have been paid in Bitcoin by the victim. So given all of this, and just how important Pen Testing is, there seems to be a call now in the Cyber industry that all hackers, no matter what their status is (White, Grey, or Black Hat), should abide by a set of ethical standards.

It is as follows:

1)     Hack with good intentions:

Yes, even the White Hatters can turn at the flip of a switch, but the bottom line here is that you hack to find what is wrong with the lines of defense of the client that has hired you to do this task. No more and no less. If you feel that you need to do more, then you need to get permission, as stated before. Finally, be straightforward in reporting your findings. Avoid as far as possible any kind of techno jargon. That won’t impress the client. What will impress them is how you describe the remediative actions that need to be taken.

2)     Tell them how to go further:

After they present their findings to the client, most White Hatters will not deploy the controls needed to remediate any weaknesses and gaps. Usually, the client will be referred either to an MSP or an MSSP for this step to take place. A good White Hatter will not pick anybody out of the blue for this; rather, they will refer the client to others whom they trust and feel comfortable with. Also, a good White Hatter will always follow up with the chosen MSP or MSSP to make sure that the work is being done and that the client is satisfied.

3)     Documentation is a must:

Throughout every step of the way, a good White Hatter will always document all of the key steps that have been taken during the Pen Testing exercise. This serves two key purposes. First, if by some off chance something does go wrong during a Pen Test, the White Hatter will have proof that they did everything by the book. Second, this set of detailed documentation, along with the log files, will form the backbone of the report to be given to the client. So the more you can capture, the better.

4)     Always keep an open line of communication:

A good White Hatter will always keep the client informed of what is going on, even before the final report is delivered. In this regard, the client does not need to sit next to you; rather, even simple communications via email every few hours will go a long way. It is very important to remember that in this line of business you never, ever want to ghost your clients.

My Thoughts On This:

What I envision down the road is that some kind of hackers’ forum or union will be established, in which all kinds of Hatters will have to sign and abide by the ethical set of standards just described. Of course, this list will have to be revised over time, but the four tenets described here will be its starting point.

Who knows, in the end, perhaps more of the Black Hatters will then be convinced to turn to the good side? Whenever I ask this question, the thought of Darth Vader turning over a new leaf in Return of the Jedi comes to mind. But hopefully, for everybody’s sake, it will not be too late.
