Issues In Ethical Hacking And Penetration Testing Information Technology Essay

In this fast growing business world the growth of Information Technology is sky-scraping. Information is a business asset, therefore it is very important to protect the Business Intelligence and the confidential information. It may protect its availability, privacy and integrity. Information Security is more than protecting computer data security; it is the process of protecting the intellectual property of an organization which engages with Network Security.

The availability of access to stored information on server databases has increased to a great extent. Most of the companies store their business and individual information on their computer than ever before. Many businesses are exclusively stand on information stored in their data centers. Personal staff details, client lists, salaries, bank account details, marketing, sales information and more importantly their research and development secret recipe or marketing strategies may all be stored on a database. If they lack this information, it would directly affect the business operations. Therefore powerful Information security systems needed to be executed to protect this information.

The biggest threat to businesses may be the people who make a living from hacking or breaching through information security systems. By using their technological skills, they are brave enough to break into computer system and access secured information. “Hackers can even turn your home computer into a bomb” (Randy Jefferies, 2005). Firewalls, which are intended to prevent access to a computer network, can be easily bypassed by a black hat namely a hacker with the right tools and skills. The breach can result a heavy loss of crucial information, or a virus could be planted and delete all secured information as an intruder.

So that is why Information Security Professionals plays a vast role in this Business Industry, because of this, there is an important position for ethical hackers, who can defend and protect the organization against cybercriminals and even they are capable of penetrating their own system for the testing purposes .When the question arise that, is hacking actually bad? Or is it possible that there are times when hacking can be seen as good? Before addressing these scenarios, the term hackers and ethics needs to be defined. So this is where ethical hacker comes in.

Ethical Hacking and Penetration Testing

Ethical Hacking can be defined as hacking a network or a system to seek and test vulnerabilities that a hacker could exploit and take advantage of the system. This implies, doing it for the betterment of the firm. This process is done to secure and defend the system from cybercriminals known as black hats with a legally authorized way. The people who involve in ethical hacking are called as white hats who are professionally trained security experts. Most of the firms employ one these White Hats to protect their information systems whilst some firm’s hires.

The Computer crime is where the computer is the place of the crime and the criminal activities can range from fraud, theft, and forgery. Businesses who try to approach the problem have independent computer security professionals who attempt to break into the computer systems and penetrate as mentioned above. Both of these people, crackers and professionals are ethical hackers, but they have different ethics. Negative observation of hacking, When is hacking bad? In recent news, a certain hacker who claims to be known as Gwerdna hacked into a Mac computer, He even made comments on how easy it was for him to hack into the security and he has stated to break into that library machine he only took 10 minutes. (Micheal Harvey, 2006).

The term Ethical Hacking can be addressed as penetration testing. This is a method of evaluating the network or computer system by simulating an attack from a malicious source, a White Hat Hacker but act as a Black Hat Hacker (Wikipedia, 2010). These ethical hackers use these methods which can be identified and clarified as malicious software’s namely Buffer Overflow, Logic Bomb, Parasite, Sniffer, Spoof, Trojan Horse, Virus, Worms.

Importance and Benefits of Ethical Hacking

As mentioned above the reason for conducting an ethical hack, obviously, is to keep information assets secure. One survey conducted by Rick Blum, stated that “It (ethical hacking) is very important and helps save you money and reputation in the long run.” (Rick Blum, 2009).Network testing is the most important type of ethical hack, because it is obvious the hacker can easily break the firewall and get into the network. So network should be highly secured.

That’s a reason why it is considered as a very important fact for organization because of the rising cyber crime rates and the high growth of cyber criminals. Since computer technology has developed, the crime rates also increased. The intellectual hackers have made mass destructions and losses for

many companies and they have damaged their database and leaked information. Had exploited the brand image of most of the firms and damaged their trust on their clientele. Hackers have transferred millions of dollars without any awareness of the banks and their involvement. Even hacked into police department’s emergency help desks.

For example a group of hackers called Vandals hacked the New York City Police Departments voice- mail system and replaced the usual polite announcements with “You have reached the New York City Police Department. For any real emergencies, dial 119.Anyone else – we’re a little busy right now eating some donuts and having coffee.” It continued “You can just hold the line. We’ll get back to you.We’re little slow, if you know what I mean. Thank You”. The bogus messages continued for 12 hours before they were investigated and corrected by ethical hackers (Donald Pimkins, 2000)

Some time ethical hacking will not reveal vulnerabilities of a network or a system. But there are a number of consequence benefits that can be derived from an ethical hacking process. The picture below will give a clear idea of what are the benefits available in this process and how it can be prioritized.

Ref: http://www.isaca.org/Images/journal/jrnlv2-06-red-teams-audit-tool-2.jpg

The size of the threat depends on the type of the business and how its fits with hacker’s motives. Therefore to prevent these kinds of issues and threats in future firms employ ethical hackers.

The term ethics will be clearly structured in the following paragraphs with the support of ethical principles, ethical issues, ethical dilemmas and ethical theories.

Business Ethics

According to the study Business ethics can be defined as a form of applied ethics that examine ethical principles and moral or ethical problems that occur in a business environment (Gwendolyn Cuizon, 2009). Many businesses have gained a bad reputation just by being in business. By not being stick to business ethics policy firms may fall in trouble, if a business is damaged by an ethical disaster it affects the bottom line which implies profit. It is agreed that IT systems are put in place to support the strategic planes of an organization which would be in lined with business ethics. So that is why organizations see ethics as, a bringing competitive edge to their business.

In my point of view in business, the perspective view of stakeholders are different , they see there’s what’s illegal, what’s legal but unethical, ethical but against company policy, not against policy but not in the client’s best interests, and finally what’s not really opposite to the client’s best interests but isn’t really going to benefit them moreover. Which can be understood by the below image.

http://www.gryphonshafer.com/blog/2008/08/business_ethics.png

Ethical Principles and Ethical Issues

Ethical principles can be defined as the foundation of ethical behavior. An ethical principle arrives from the social Context, from religious beliefs, and from ethical theory. These ethical principles can applied to computer technologies that have an impact on people’s daily lives where they interacts in government, in education, at work, at play ground and workout) (Penny Duquenoy, 2010)

Some general ethical principles can be listed as

Respecting others

Consider others as equal

Keep promises

Respect the property of others

Act honestly

The principles can be addressed as below which relevant to Information Systems professionals and related technologies officers.

The Royal Academy of Engineering, in collaboration with Engineering Council (UK) and a number of the leading professional engineering institutions, has developed a Statement of Ethical Principles to which it believes all professional engineers and Information Professionals should follow.

• Accuracy and Rigor

• Honesty and Integrity

• Respect for Life, Law and the Public Good

• Responsible Leadership: Listening and Informing (Engineering Ethics, 2007)

Ethical issues can be addressed as whatever threatens or breaks an ethical principle is an ethical issue. For example – ethical principle – “Respect the property of others”

Ethical Issue – “Hack someone’s computer without their permission and steal information and destroy it by sending a virus or a worm” So by understanding this example an ethical issue can be clearly understood. And to assess these kinds of ethical issues in different perspectives ethical theories should be applied.

Ethical Theories

As discussed above an ethical issue can be identified and evaluated by using ethical theories .These theories can be used as tools for making ethical decisions, and they may also helpful in providing a basis for critical thinking. An issue can be taken in different perspectives and formed opinions with helpful of ethical theories.

There are two main ethical theories,

Kantianism

Consequentialism

Kantianism

The Kants theory can be defined summarized without going in deep. Kant says that “how we behave ethically comes from within us, and the things that we decide are “good” or “bad” are based on whether we could imagine everyone doing them. “(Immanuel Kant)

So for example, it would be logically conflicting to say that breaking a promise is good – because if everyone broke their promises there would be a loss of trust in promises, and the whole nature of a promise would be lost. Therefore, he says, that certain things cannot be “universalized” which means they would not work if everyone did them, and those things are wrong.

Examples are: killing others, lying, stealing, breaking promises. Moreover, in Kant’s point of view, things that we view as wrong are “essentially wrong” – that is, they are always wrong and there is never any reason situation where they would be right. This conflicts directly with the theory of consequentialism, which will be addressed next.

Consequentialism

Consequentialism theory can be defined as, a theory which deals with consequences of actions rather than the actions themselves .So, and for example, it could be argued that stealing could sometimes be the right action to take provided the outcome is for the “good”. Theory says that a good outcome is that which brings “the greatest benefit to the greatest number of people”. Therefore stealing, for example, is a morally acceptable act if it brings greater benefit to the greatest number.

For example, if a king has a warehouse full of food when most of the people in the country are starving. In this instance stealing the food to distribute it to the starving people would be the right thing to do. So by this act a great number of people get benefited. So in this case according to consequentialism theory stealing is not bad while it fully contradicts with Kantians theory.

Ethical Dilemmas

Ethical dilemmas can be addressed as moral dilemmas. An ethical dilemma is a situation where in moral principle or ethical obligations conflict in such a way as to make any possible resolution to the dilemma morally intolerable. In other words, an ethical dilemma is any situation in which guiding moral principles cannot determine which course of action is right or wrong. Can simplified as you will have issue and you will have a solution which will leads you to an unethical way.(Lee Flamand, 2007).

Ethical, Legal, Professional, Social and Cultural Issues in Ethical Hacking

When we discuss about ethical hacking there are many issues which can be listed, which will arise in many circumstances. For evaluating these issues and come up with a good solution or opinions the above discussed, structured ethical principles and ethical theories can be taken off. This will obviously give a clear picture to the reader. In this study for further more analysis two important incidents will be assessed by me using the both ethical theories.

A Dutch hacker who copied patient files from a University of Washington medical center (and was not caught) said in an online interview that he did it to publicize the system’s vulnerability not to use the information. He disclosed portions of the files to a journalist after the medical center said that no patient files had been copied. (Sara Baase, A Gift of Fire, 2003.)

If we critically evaluate the above scenario, it is obvious that the hacker has committed a cyber crime and he should be punished according to the Kantianism theory which tells “some actions are always wrong”. Even though the Dutch hacker didn’t misused the copied files he has break into the network and penetrated it. So it’s ethically wrong when we see in the perspective of Kant’s theory. But if we evaluate this using Consequentialism theory it will completely contradict with Kantianism theory. Though the hacker was not get caught he has came to an online interview to announce that there is vulnerability in University of Washington’s medical centre’s network which can be easily attacked. So this good behavior of the hacker shows that he has came to this decision concerning about the betterment of the patients. which direct the theory “an action is good If the consequences bring greatest benefit to number of people “.If he has published all the copied files through the internet the both parties will be get affected, the patients and the University. The files may contain confidential information of patients and which they never want to expose. So although this act can be identified as ethically correct whilst its legally wrong. Therefore by this action the Medical centre gets a chance to secure and defend their systems from future attacks.

But a according to the statement “A solution to an ethical issue can raise another issue”

Anonymous. May be this act is ethically correct according to the theory of Consequentialism. But what if the hacker found some medical information about his friend? Which information is a kept secret? What if he tells him? What if the friends get to know that his confidential medical information has got leaked through the internet? These kinds of issues can arise which will sometimes take into an ethical dilemma.

If we move to the next case which is,

A 17 year old hacker know as YTcracker, who penetrated several government and military web sites (including those belongings to the Bureau of Land Management’s National Training Center, NASA’s Goddard Space Flight Center and the Defense Contracts Audit Agency) said he routinely sends messages to government web site administrators insisting that they address vulnerabilities and adopt Unix or other more secure systems can be penetrated, but the messages largely go ignored. YTcracker said in his defacement of website he targeted systems the government would look at and take seriously and secure it. (Federal Computer Week, 1999)

Though this case is Similar to the above discussed one, it provides a different idea. The hacker who has penetrated all these sites called YTcracker has only one intention that is to alert and notify the government organizations to protect their valuable information’s, Which can be easily breached and gained access. If critically evaluate this case according to the Kantianism theory. The act of YTcracker is ethically wrong as it threatens the ethical principles go beyond the theory.

But according to the point of Consequentialism theory the act is ethical. Because the hacker hasn’t done any damage to the government organizations using their web sites. He has only warned and notified them to make them more secured. So greater amount of people gets benefited, because there are most sensitive information’s are available in government sites such as National Security, Military and NASA. So if the hacker leaks the information from their databases what will happen there are would be a huge problem for the US government.

But both of these incidents are illegal according to the Computer Misuse Act 1990 even they are ethical according to the theories. Because the hackers have offended unauthorized access to computer material (Misuse Act 1990)

Ethical Concerns and Professional Issues

When implementing an ethical hack in an organization there are ethical issues which engages with information systems professionals can be addressed as,

Ethical Hackers have to break the organizations security policy and procedures.

Violating the code of conduct.

Privacy of the employer and employees

Secret Business strategy, Marketing Strategy and product recipe leakage

If we further analyze above ethical issues a question may arise, Does ethical hacking is ethical? Before address the issues, we are tend to find a solution for the above question so if, we evaluate the question by putting into Kantianism theory somehow its breaking the rules and regulation, braking the firms security policies and procedures, penetrating the code of conduct. So this act of ethical hacking can cannot be ethical. Even though the professional hackers do it legally it can be unethical, According to Kant’s point of view.

Considering with view point of consequentialism theory this process can be identified as ethically correct, because it’s all done for the betterment of the organization. So there is no way of criticizing it. Firms do these to seek the vulnerabilities and defend the entire network there should be a testing procedure. So this can be taken as that. In this point of view we can decide it’s all ethically correct, even though they break their own code of conduct.

As information systems professionals point of view ethical hacking can be identified as a complete mess. Because they have to stick to a code of conduct. Then only they are professionals. But when they are being forced to violate these terms when they involve in penetration tests there are in trouble as professionals. Therefore as professionals who are expected to comply with local laws, sometimes they may have to assess and evaluate ethical and legal issues against their personnel values.

There can be privacy invasion takes place when they do a ethical hack. Most of the firms hire an ethical since they don’t employ one. So when he penetrate their systems and network he can get whatever the information he needs from the organizations databases and networks. All confidential employee and partner documents and information can be seen. The ethical hacker is able to view all the weak points of the firewall. If the ethical hacker is not a professional he may attack the organization later when he needs. Or he will be a big threat. So these issues may arise. And even the secret marketing and business strategy of a leading company leaks the hacker can sell it for the competitors. So this would be a threat for some firms to conduct and penetrations test using an

Legal Issues and Laws

When considering about legal aspects, the issues which was discussed in the above paragraphs can be brought up since it involves legal issues. Even though those incidents were ethical, it’s completely illegal, because it breaks the Computer Misuse Act 1990. This Act will be clearly discussed below,

The Computer Misuse Act 1990

The Computer Misuse Act 1990 is an Act of the UK Parliament. The Bill eventually became the Computer Misuse Act in August 1990.The Act introduced three new criminal offences:

Unauthorized access to computer material

Unauthorized access to computer material with the intent to commit or facilitate commission of further offences

Unauthorized modification of computer material.(Statuelaw, 1990)

What if an ethical hacker pretends to be an inside intruder? He who knows the entire network and secrets of a company. So he can easily damage and destroy the entire information system. When these situations occur according to the misuse act legal issues can be identified.

For an example a disgruntled computer technician at Reuters in Hong Kong detonated logic bombs at five investment-bank clients, causing 36 hours of downtime in networks providing market information crucial for trading. The banks switched immediately to alternative services and reported no significant effects on their work; however, Reuters was deeply embarrassed by the incident (Financial Times Limited, November 1996) so looking into these factors the organization should be fully aware of these kinds of threat which can be aroused.

Sometimes Internal politics may force the ethical hacker to make huge losses for the firm. When they employ for and public company. There are so many people in a director board. So what if the ethical hacker gets an order from higher management to plant a logic bomb or do a parasite for important information of the firm and put the blame on another person. For the ethical hacker this job is not that much difficult. Even they may ask him to steal other companies’ confidential documents. This might cause legal issues which will entirely damage the firm’s reputation. These kinds of issues can arise without the awareness of the management.

Social and Cultural Concerns

It is agreed that in business ethics there are loads of issues as deeply addressed in above paragraphs and social and cultural issues can also identified as one of them. Social issues are about to impact on the society. IT depends on the society’s reaction and behavior. According to the ethical principles firms should negotiate with the society. If an Information System of a Hospital or a School got hacked, there would be huge issues in the society. As their sensitive information contain on those Information Systems. Similarly this case may occur in a firm. So when an ethical hacker gets involved in this process he has to keep the trust on them if not the blame can be put on him by the society. So both parties get affected. The brand image can be get spoilt in the society when their information’s get leaked out. They will lose the trust and faith on their employer.

And when the ethical hacking process gets leaked out there are chances of affecting the company’s culture. If there is a culture there are certain values to be respected. And if this values get exploited by the penetration testers issues may arise. And when they design these IS system they should respect the values without harming it. For e.g. Pornography.

Conclusion

From the clearly structured study, it is understood ethical hacking consideration is crucial to maintaining a verifiable level of information security. Even though there are lots of issues in certain aspects of Ethical hacking; it is a critical component of our overall security program which keeps the internal, contracted security.

Ethical hacking is a necessity in order to protect company assets and stay close to the reality of unethical hacking. It ethical hacking is very important and helps save you money and reputation in the long run. Ethical Hacking is the best way to assess the network from an outsider’s perspective.

To reduce the addressed issues above organizations can have their own ethical hacking team or hacker to prevent outside information leakage and to get rid of the fear of that.

I think ethical hacking is a must have for any serious organization today in this fast moving business world. It should be a critical part of any proactive organization in today’s global competitive market.